Diff: draft-ietf-mile-rfc5070-bis-26.txt vs. rfc7970.txt

Internet-Draft header (draft-ietf-mile-rfc5070-bis-26):

MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070, 6685 (if approved)                      October 5, 2016
Intended status: Standards Track
Expires: April 8, 2017

              The Incident Object Description Exchange Format v2
                       draft-ietf-mile-rfc5070-bis-26

RFC header (rfc7970):

Internet Engineering Task Force (IETF)                        R. Danyliw
Request for Comments: 7970                                          CERT
Obsoletes: 5070, 6685                                      November 2016
Category: Standards Track
ISSN: 2070-1721

         The Incident Object Description Exchange Format Version 2

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for security incident reports and indicators
   commonly exchanged by operational security teams for mitigation and
   watch and warning.  This document describes an updated information
   model for the IODEF and provides an associated data model specified
   with the XML schema.  This new information and data model obsoletes
   RFCs 5070 and 6685.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7970.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [...]

   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.1. Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   6
     1.2. Notations  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     1.3. About the IODEF Data Model . . . . . . . . . . . . . . . . .   7
     1.4. Changes from RFC 5070  . . . . . . . . . . . . . . . . . . .   7
   2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.3. Characters and Strings . . . . . . . . . . . . . . . . . . .   9
     2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . . .   9
     2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . . .  10
       2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . . .  10
       2.5.2. Hexadecimal Bytes  . . . . . . . . . . . . . . . . . . .  11
     2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . . .  11
     2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . . .  11
     2.8. Timezone String  . . . . . . . . . . . . . . . . . . . . . .  11
     2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . . .  11
     2.10. Postal Address  . . . . . . . . . . . . . . . . . . . . . .  12
     2.11. Telephone Number  . . . . . . . . . . . . . . . . . . . . .  12
     2.12. Email String  . . . . . . . . . . . . . . . . . . . . . . .  12
     2.13. Uniform Resource Locator Strings  . . . . . . . . . . . . .  12
     2.14. Identifiers and Identifier References . . . . . . . . . . .  12
     2.15. Software  . . . . . . . . . . . . . . . . . . . . . . . . .  13
       2.15.1. SoftwareReference Class . . . . . . . . . . . . . . . .  14
     2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . .  15
   3. The IODEF Information Model  . . . . . . . . . . . . . . . . . .  18
     3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . . .  18
     3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . . .  20
     3.3. Common Attributes  . . . . . . . . . . . . . . . . . . . . .  23
       3.3.1. restriction Attribute  . . . . . . . . . . . . . . . . .  23
       3.3.2. observable-id Attribute  . . . . . . . . . . . . . . . .  25
     3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . . .  25
     3.5. AlternativeID Class  . . . . . . . . . . . . . . . . . . . .  26
     3.6. RelatedActivity Class  . . . . . . . . . . . . . . . . . . .  27
     3.7. ThreatActor Class  . . . . . . . . . . . . . . . . . . . . .  28
     3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . . .  29
     3.9. Contact Class  . . . . . . . . . . . . . . . . . . . . . . .  30
       3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . . .  34
       3.9.2. PostalAddress Class  . . . . . . . . . . . . . . . . . .  35
       3.9.3. Email Class  . . . . . . . . . . . . . . . . . . . . . .  36
       3.9.4. Telephone Class  . . . . . . . . . . . . . . . . . . . .  37
     3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . .  38
       3.10.1. DetectionPattern Class  . . . . . . . . . . . . . . . .  40
     3.11. Method Class  . . . . . . . . . . . . . . . . . . . . . . .  41
       3.11.1. Reference Class . . . . . . . . . . . . . . . . . . . .  42
     3.12. Assessment Class  . . . . . . . . . . . . . . . . . . . . .  43
       3.12.1. SystemImpact Class  . . . . . . . . . . . . . . . . . .  45
       3.12.2. BusinessImpact Class  . . . . . . . . . . . . . . . . .  48
       3.12.3. TimeImpact Class  . . . . . . . . . . . . . . . . . . .  50
       3.12.4. MonetaryImpact Class  . . . . . . . . . . . . . . . . .  52
       3.12.5. Confidence Class  . . . . . . . . . . . . . . . . . . .  53
     3.13. History Class . . . . . . . . . . . . . . . . . . . . . . .  54
       3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . . .  54
     3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . .  57
       3.14.1. Relating the Incident and EventData Classes . . . . . .  59
       3.14.2. Recursive Definition of EventData . . . . . . . . . . .  59
     3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . .  60
     3.16. Flow Class  . . . . . . . . . . . . . . . . . . . . . . . .  63
     3.17. System Class  . . . . . . . . . . . . . . . . . . . . . . .  64
     3.18. Node Class  . . . . . . . . . . . . . . . . . . . . . . . .  67
       3.18.1. Address Class . . . . . . . . . . . . . . . . . . . . .  68
       3.18.2. NodeRole Class  . . . . . . . . . . . . . . . . . . . .  69
       3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . . .  73
     3.19. DomainData Class  . . . . . . . . . . . . . . . . . . . . .  75
       3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . . .  77
       3.19.2. DomainContacts Class  . . . . . . . . . . . . . . . . .  78
     3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . .  79
       3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . . .  80
       3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . . .  81
     3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . .  82
     3.22. Record Class  . . . . . . . . . . . . . . . . . . . . . . .  83
       3.22.1. RecordData Class  . . . . . . . . . . . . . . . . . . .  84
       3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . . .  85
     3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . .  87
       3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . . .  88
     3.24. CertificateData Class . . . . . . . . . . . . . . . . . . .  89
       3.24.1. Certificate Class . . . . . . . . . . . . . . . . . . .  90
     3.25. FileData Class  . . . . . . . . . . . . . . . . . . . . . .  90
       3.25.1. File Class  . . . . . . . . . . . . . . . . . . . . . .  91
     3.26. HashData Class  . . . . . . . . . . . . . . . . . . . . . .  92
       3.26.1. Hash Class  . . . . . . . . . . . . . . . . . . . . . .  94
       3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . . .  95
     3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . .  95
     3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . .  96
     3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . .  96
       3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . . .  99
       3.29.2. AlternativeIndicatorID Class  . . . . . . . . . . . . . 100
       3.29.3. Observable Class  . . . . . . . . . . . . . . . . . . . 101
       3.29.4. IndicatorExpression Class . . . . . . . . . . . . . . . 106
       3.29.5. Expressions with IndicatorExpression  . . . . . . . . . 108
       3.29.6. ObservableReference Class . . . . . . . . . . . . . . . 110
       3.29.7. IndicatorReference Class  . . . . . . . . . . . . . . . 110
       3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . . . 111
   4. Processing Considerations  . . . . . . . . . . . . . . . . . . . 112
     4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . 112
     4.2. IODEF Namespace  . . . . . . . . . . . . . . . . . . . . . . 112
     4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . . . 112
     4.4. Incompatibilities with v1  . . . . . . . . . . . . . . . . . 113
   5. Extending the IODEF  . . . . . . . . . . . . . . . . . . . . . . 114
     5.1. Extending the Enumerated Values of Attributes  . . . . . . . 114
       5.1.1. Private Extension of Enumerated Values . . . . . . . . . 114
       5.1.2. Public Extension of Enumerated Values  . . . . . . . . . 115
     5.2. Extending Classes  . . . . . . . . . . . . . . . . . . . . . 115
     5.3. Deconflicting Private Extensions . . . . . . . . . . . . . . 117
   6. Internationalization Issues  . . . . . . . . . . . . . . . . . . 118
   7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
     7.1. Minimal Example  . . . . . . . . . . . . . . . . . . . . . . 119
     7.2. Indicators from a Campaign . . . . . . . . . . . . . . . . . 120
   8. The IODEF Data Model (XML Schema)  . . . . . . . . . . . . . . . 121
   9. Security Considerations  . . . . . . . . . . . . . . . . . . . . 161
     9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . . . 161
     9.2. Privacy  . . . . . . . . . . . . . . . . . . . . . . . . . . 162
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 163
     10.1. Namespace and Schema  . . . . . . . . . . . . . . . . . . . 163
     10.2. Enumerated Value Registries . . . . . . . . . . . . . . . . 163
     10.3. Expert Review of IODEF-Related XML Registry Entries . . . . 166
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 167
     11.1. Normative References  . . . . . . . . . . . . . . . . . . . 167
     11.2. Informative References  . . . . . . . . . . . . . . . . . . 170
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . . . . 171
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . . 172
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a filter attack traffic, contacting a remote site to take down a
botnet, or sharing watch-lists of known malicious indicators in a botnet, or sharing watch lists of known malicious indicators in a
consortium. consortium.
The Incident Object Description Exchange Format (IODEF) is a format The Incident Object Description Exchange Format (IODEF) is a format
for representing computer security information commonly exchanged for representing computer security information commonly exchanged
between Computer Security Incident Response Teams (CSIRTs) or other between Computer Security Incident Response Teams (CSIRTs) or other
operational security teams. It provides an XML representation for operational security teams. It provides an XML representation for
conveying: conveying:
o indicators to characterize a threat; o indicators to characterize a threat;
o security incident reports to document attacks against an o security incident reports to document attacks against an
organization; organization;
o response activity taken or that could be taken in response to an o response activity taken or that could be taken in response to an
incident; and incident; and
o meta-data so that these various classes of information can be o metadata so that these various classes of information can be
exchanged among parties. exchanged among parties.
The purpose of the IODEF is to enhance the operational capabilities The purpose of the IODEF is to enhance the operational capabilities
of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT
to resolve security incidents; understand threats; and coordinate to resolve security incidents; understand threats; and coordinate
response activities and proactive mitigations by simplifying response activities and proactive mitigations by simplifying
collaboration and data sharing with its partners. This structured collaboration and data sharing with its partners. This structured
format provided by the IODEF allows for: format provided by the IODEF allows for:
o machine-to-machine exchange of incident and indicator data; o machine-to-machine exchange of incident and indicator data;
o automated processing of this data whereby allowing more rapid o automated processing of this data whereby allowing more rapid
execution of appropriate courses of action; and execution of appropriate courses of action; and
o the development of an ecosystem of interoperable tools enabling o the development of an ecosystem of interoperable tools enabling
security operations. security operations.
Sharing and coordinating with other organizations is not strictly a Sharing and coordinating with other organizations is not strictly a
technical problem. There are numerous procedural, cultural, legal technical problem. There are numerous procedural, cultural, legal,
and trust-related barriers to overcome. The IODEF does not attempt and trust-related barriers to overcome. The IODEF does not attempt
to address them directly. However, operational implementations of to address them directly. However, operational implementations of
the IODEF will need to consider these challenges. the IODEF will need to consider these challenges.
Section 1 provides the background for the IODEF. Sections 3 and 8 Section 1 provides the background for the IODEF. Sections 3 and 8
specify the IODEF information and data model respectively. The data specify the IODEF information and data model, respectively. The data
types used in this document are described in Section 2. Processing types used in this document are described in Section 2. Processing
considerations, extending the specification, internationalization and considerations, extending the specification, internationalization,
security issues are covered in Sections 4, 5, 6 and 9 respectively. and security issues are covered in Sections 4, 5, 6, and 9,
Examples are listed in Section 7. respectively. Examples are listed in Section 7.
1.1. Terminology 1.1. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.2. Notations 1.2. Notations
The IODEF is specified as an Extensible Markup Language (XML) The IODEF is specified as an Extensible Markup Language (XML)
[W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is [W3C.XML] schema [W3C.SCHEMA]. The normative IODEF data model is
found in the XML schema in Section 8. To aid in the understanding of found in the XML schema in Section 8. To aid in the understanding of
the data elements, Section 3 also depicts the underlying information the data elements, Section 3 also depicts the underlying information
model using Unified Modeling Language (UML). This abstract model using Unified Modeling Language (UML). This abstract
presentation of the IODEF is not normative. presentation of the IODEF is not normative.
For clarity in this document, the term "XML document" will be used For clarity in this document, the term "XML document" will be used
when referring generically to any instance of an XML document. The when referring generically to any instance of an XML document. The
term "IODEF document" will be used to refer to an XML document term "IODEF document" will be used to refer to an XML document
conforming to the IODEF specification. The terms "schema" will be conforming to the IODEF specification. The terms "schema" will be
used to refer to Section 8 of this document. The terms "data model" used to refer to Section 8 of this document. The terms "data model"
and "schema" will be used interchangeably. The terms "class" and and "schema" will be used interchangeably. The terms "class" and
"element" will be used to reference either the corresponding data "element" will be used to reference either the corresponding data
element in the UML-based information or XML Schema-based data models, element in the UML-based information or XML schema-based data models,
respectively. respectively.
1.3. About the IODEF Data Model 1.3. About the IODEF Data Model
A number of considerations were made in the design of the IODEF data A number of considerations were made in the design of the IODEF data
model. model.
o The data model found in this document is an evolution of the one o The data model found in this document is an evolution of the one
previously specified in [RFC5070]. New fields were added to previously specified in [RFC5070]. New fields were added to
represent additional information. [RFC5070] was developed represent additional information. [RFC5070] was developed
primarily to represent incident reports. This document builds primarily to represent incident reports. This document builds
upon it by adding support for indicators and revising it to upon it by adding support for indicators and revising it to
reflect the current challenges faced by CSIRTs. An attempt was reflect the current challenges faced by CSIRTs. An attempt was
made to preserve backward compatibility but this was not possible made to preserve backward compatibility, but this was not possible
in all cases. See Section 4.4. This document obsoletes in all cases. See Section 4.4. This document obsoletes
[RFC5070]. [RFC5070].
o The IODEF is a transport format. Therefore, the data model may o The IODEF is a transport format. Therefore, the data model may
not be the optimal archival or in-memory processing format. not be the optimal archival or in-memory processing format.
o The IODEF is intended to be a framework to convey only commonly o The IODEF is intended to be a framework to convey only commonly
exchanged information. It ensures that there are mechanisms for exchanged information. It ensures that there are mechanisms for
extensibility to support organization-specific information and extensibility to support organization-specific information and
techniques to reference information kept outside of the data techniques to reference information kept outside of the data
skipping to change at page 7, line 23 skipping to change at page 7, line 48
o Not all commonly exchanged information has a well-defined format o Not all commonly exchanged information has a well-defined format
or taxonomy. The IODEF attempts to strike a balance between or taxonomy. The IODEF attempts to strike a balance between
enforcing sufficient structure to allow automated processing and enforcing sufficient structure to allow automated processing and
supporting free-form content that enables maximum flexibility. supporting free-form content that enables maximum flexibility.
o The IODEF fits into a broader ecosystem of standards and o The IODEF fits into a broader ecosystem of standards and
conventions. An attempt was made to harmonize the data model with conventions. An attempt was made to harmonize the data model with
this context. this context.
1.4. Changelog 1.4. Changes from RFC 5070
A detailed list of additions made to the [RFC5070] data model are A detailed list of additions made to the data model in [RFC5070] are
enumerated in this section. See Section 4.4 for a list of enumerated in this section. See Section 4.4 for a list of
incompatible changes. incompatible changes.
o Updated the data types (Section 2) to improve o Updated the data types (Section 2) to improve
internationalization, clarify ambiguity, and ensure consistency in internationalization, clarify ambiguity, and ensure consistency in
extensions. extensions.
o Added the observable-id attribute (Section 3.3.2) and o Added the observable-id attribute (Section 3.3.2) and
IndicatorData (Section 3.28) class (Section 3.28) to represent IndicatorData class (Section 3.28) to represent indicators.
indicators.
o Added the private-enum-name and -id attributes to the IODEF- o Added the private-enum-name and private-enum-id attributes to the
Document class (Section 3.1) to disambiguate private extensions. IODEF-Document class (Section 3.1) to disambiguate private
extensions.
o Updated the Incident class (Section 3.2) to represent additional o Updated the Incident class (Section 3.2) to represent additional
timing and workflow information. timing and workflow information.
o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8) o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8)
classes to represent attack attribution information. classes to represent attack attribution information.
o Updated the Contact class (Section 3.9) and its children to o Updated the Contact class (Section 3.9) and its children to
improve internationalization and represent additional information improve internationalization and represent additional information
about an entity. about an entity.
skipping to change at page 8, line 15 skipping to change at page 8, line 39
   o  Added the Discovery class (Section 3.10) to describe how an
      incident was discovered.

   o  Updated the Assessment class (Section 3.12) to enable more
      descriptive characterizations of the impact of an incident.

   o  Updated the HistoryItem (Section 3.13.1) and Expectation
      (Section 3.15) classes to support a reference to a course of
      action.

   o  Updated the EventData class (Section 3.14) with additional
      metadata added to the Incident class.

   o  Updated the System class (Section 3.17) with additional metadata.

   o  Updated the Counter class (Section 3.18.3) to support additional
      rate metrics.

   o  Added DomainData (Section 3.19), EmailData (Section 3.21),
      WindowsRegistryKeysModified (Section 3.23), CertificateData
      (Section 3.24), and FileData (Section 3.25) classes to improve the
      description of an incident and support this data as indicators.

   o  Added the SignatureData (Section 3.27) and HashData (Section 3.26)
      classes to represent digital signatures and hashes.

   o  Added support for public enumerated attribute extensions using
      IANA registries (Section 5.1.2).

   o  Updated numerous enumerated attributes for completeness.

2.  IODEF Data Types

   The IODEF uses a number of simple and complex types. This section
   describes these data types.

2.1.  Integers

   An integer is represented in the information model by the INTEGER
   data type. Integer data MUST be encoded in Base 10.

   The INTEGER data type is implemented in the data model as an
   "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   A real (floating-point) number is represented in the information
   model by the REAL data type. Real data MUST be encoded in Base 10.

   The REAL data type is implemented in the data model as an "xs:float"
   type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented in the information model by the
   CHARACTER data type. A string is represented by the STRING data
   type. Special characters MUST be encoded using entity references.
   See Section 4.1.

   The CHARACTER and STRING data types are implemented in the data model
   as an "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different than the default encoding of the document is represented in
   the information model by the ML_STRING data type.

   The ML_STRING data type is implemented in the data model as the
   "iodef:MLStringType" type. This type extends the "xs:string" to
   include two attributes.

skipping to change at page 10, line 46
   in the translation-id attribute. The language of a given class is
   set by the xml:lang attribute. See Section 6 for more details on
   representing translations of free-form text.

2.5.  Binary Strings

   Binary octets can be represented with two encodings.

2.5.1.  Base64 Bytes

   A binary octet encoded with base64 is represented in the information
   model by the BYTE data type. A sequence of these octets is of the
   BYTE[] data type.

   The BYTE and BYTE[] data types are implemented in the data model as
   an "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].

2.5.2.  Hexadecimal Bytes

   A binary octet encoded as a character tuple consisting of two
   hexadecimal digits is represented in the information model by the
   HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
   type.

   The HEXBIN and HEXBIN[] data types are implemented in the data model
   as an "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].

2.6.  Enumerated Types

   An enumerated type is represented in the information model by the
   ENUM data type. It is an ordered list of acceptable string values.
   Each value has a representative keyword. Within the data model, the
   enumerated type keywords are used as attribute values.

   The ENUM data type is implemented in the data model as values of an
   "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].

2.7.  Date-Time String

   A date-time string that describes a particular instant in time is
   represented in the information model by the DATETIME data type.
   Ranges are not supported.

   The DATETIME data type is implemented in the data model as an
   "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].

2.8.  Timezone String

   A timezone offset from UTC is represented in the information model by
   the TIMEZONE data type. It is formatted according to the following
   regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented in the data model as an
   "iodef:TimezoneType" type.
skipping to change at page 12, line 24
   The POSTAL data type is implemented in the data model as an
   "iodef:MLStringType" type.

2.11.  Telephone Number

   A telephone number is represented in the information model by the
   PHONE data type. The format of the PHONE data type is documented in
   [E.164].

   The PHONE data type is implemented in the data model as an
   "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.12.  Email String

   An email address is represented in the information model by the EMAIL
   data type. The format of the EMAIL data type is documented in
   Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531].

   The EMAIL data type is implemented in the data model as an
   "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.13.  Uniform Resource Locator Strings

   A uniform resource locator (URL) is represented in the information
   model by the URL data type. The format of the URL data type is
   documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" type per
   Section 3.2.17 of [W3C.SCHEMA.DTYPES].

2.14.  Identifiers and Identifier References

   An identifier unique to the IODEF document is represented in the
   information model by the ID data type. A reference to this
   identifier is represented by the IDREF data type.

   The ID and IDREF data types are implemented in the model as "xs:ID"
   and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
   [W3C.SCHEMA.DTYPES].

2.15.  Software

   A particular version of software is represented in the information
   model by the SOFTWARE data type. This software can be described by
   using a reference, a URL, or with free-form text.

   The SOFTWARE data type is implemented in the data model as the
   "iodef:SoftwareType" type.

   +--------------------+
   | iodef:SoftwareType |
   +--------------------+
   |                    |<>--{0..1}--[ SoftwareReference ]
   |                    |<>--{0..*}--[ URL ]
   |                    |<>--{0..*}--[ Description ]

skipping to change at page 17, line 7
      6.   ntpstamp. Same as date-time.

      7.   integer. The element content is of type INTEGER.

      8.   portlist. The element content is of type PORTLIST.

      9.   real. The element content is of type REAL.

      10.  string. The element content is of type STRING.

      11.  file. The element content is a base64-encoded binary file
           encoded as a BYTE[] type.

      12.  path. The element content is a file-system path encoded as a
           STRING type.

      13.  frame. The element content is a Layer 2 frame encoded as a
           HEXBIN type.

      14.  packet. The element content is a Layer 3 packet encoded as a
           HEXBIN type.

      15.  ipv4-packet. The element content is an IPv4 packet encoded
           as a HEXBIN type.

      16.  ipv6-packet. The element content is an IPv6 packet encoded
           as a HEXBIN type.

      17.  url. The element content is of type URL.

      18.  csv. The element content is a comma-separated value (CSV)
           list per Section 2 of [RFC4180] encoded as a STRING type.

      19.  winreg. The element content is a Microsoft Windows registry
           key encoded as a STRING type.

      20.  xml. The element content is XML. See Section 5.2.

      21.  ext-value. A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute. See Section 5.1.1.

   ext-dtype
      Optional. STRING. A means by which to extend the dtype
      attribute. See Section 5.1.1.
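The scalar types of Section 2 and the dtype keywords above are what a consumer has to check before it trusts the content of an element. The following is an added example, not code from the RFC or from any IODEF implementation: it validates TIMEZONE (with the regular expression from Section 2.8), HEXBIN and BYTE[] content, and decodes AdditionalData text content by its dtype keyword, rejecting content that does not match the declared type. The xs:dateTime pattern is a simplified subset and the PORTLIST syntax (comma-separated ports and "low-high" ranges) is an assumption, since Section 2.10 is not part of this excerpt; dtype items 1 to 5 precede this excerpt and are not covered.

```python
import base64
import binascii
import csv
import re

# TIMEZONE pattern exactly as given in Section 2.8.
TIMEZONE_RE = re.compile(r"^(?:Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9])$")

# Simplified lexical form of xs:dateTime. Assumption: this covers the
# common subset of Section 3.2.7 of W3C.SCHEMA.DTYPES; ranges are not
# accepted, as Section 2.7 requires.
DATETIME_RE = re.compile(
    r"^-?\d{4,}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])"
    r"T(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d+)?"
    r"(?:Z|[\+\-](?:[01]\d|2[0-3]):[0-5]\d)?$"
)

# HEXBIN: whole octets, each a tuple of two hex digits (Section 2.5.2).
HEXBIN_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})*$")


def is_timezone(value): return TIMEZONE_RE.match(value) is not None

def is_datetime(value): return DATETIME_RE.match(value) is not None

def is_hexbin(value): return HEXBIN_RE.match(value) is not None


def is_base64(value):
    """BYTE[] check (Section 2.5.1): strict alphabet and padding."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def _hexbin_bytes(content):
    if not is_hexbin(content):
        raise ValueError("content is not HEXBIN")
    return bytes.fromhex(content)


def _datetime(content):
    if not is_datetime(content):
        raise ValueError("content is not DATETIME")
    return content


def _portlist(content):
    # Assumption: PORTLIST is a comma-separated list of ports and
    # "low-high" ranges; its definition (Section 2.10) is not in this excerpt.
    ranges = []
    for item in content.split(","):
        low, _, high = item.partition("-")
        lo, hi = int(low), (int(high) if high else int(low))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ranges.append((lo, hi))
    return ranges


# Decoders for the dtype keywords listed above (items 6 to 19). Items 1 to 5
# precede this excerpt, and "xml" (item 20) carries child elements rather
# than text, so neither is handled here.
DTYPE_DECODERS = {
    "ntpstamp": _datetime,
    "integer": int,
    "portlist": _portlist,
    "real": float,
    "string": str,
    "file": lambda content: base64.b64decode(content, validate=True),
    "path": str,
    "frame": _hexbin_bytes,
    "packet": _hexbin_bytes,
    "ipv4-packet": _hexbin_bytes,
    "ipv6-packet": _hexbin_bytes,
    "url": str,
    "csv": lambda content: next(csv.reader([content])),
    "winreg": str,
}


def decode_additional_data(dtype, content, ext_dtype=None):
    """Typed value for AdditionalData text content, or ValueError.

    Malformed content is rejected rather than passed through, so a consumer
    never acts on a packet, path or number that failed its declared type.
    """
    if dtype == "ext-value":
        # Section 5.1.1: an extended value must name its type in ext-dtype.
        if not ext_dtype:
            raise ValueError("dtype='ext-value' requires ext-dtype")
        return ("ext-value", ext_dtype, content)
    decoder = DTYPE_DECODERS.get(dtype)
    if decoder is None:
        raise ValueError("unsupported dtype keyword %r" % dtype)
    try:
        return decoder(content)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("content does not match dtype %r: %s" % (dtype, exc)) from None
```

The decoders deliberately return bytes for the frame and packet kinds, so any further dissection of captured traffic operates on the decoded octets and never on the hexadecimal text.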
   meaning

skipping to change at page 18, line 37
   +--------------------------+
   | IODEF-Document           |
   +--------------------------+
   | STRING version           |<>--{1..*}--[ Incident ]
   | ENUM xml:lang            |<>--{0..*}--[ AdditionalData ]
   | STRING format-id         |
   | STRING private-enum-name |
   | STRING private-enum-id   |
   +--------------------------+

                    Figure 5: The IODEF-Document Class

   The aggregate classes of the IODEF-Document class are:

   Incident
      One or more. The information related to a single incident. See
      Section 3.2.

   AdditionalData
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model.

   The attributes of the IODEF-Document class are:

   version
      Required. STRING. The IODEF specification version number to
      which this IODEF document conforms. The value of this attribute
      MUST be "2.00".

   xml:lang
      Optional. ENUM. A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646]. The
      interpretation of this code is described in Section 6.

   format-id
      Optional. STRING. A free-form string to convey processing
      instructions to the recipient of the document. Its semantics must
      be negotiated out of band.

   private-enum-name
      Optional. STRING. A globally unique identifier for the CSIRT
      generating the document to deconflict private extensions used in
      the document. The fully qualified domain name (FQDN) associated
      with the CSIRT MUST be used as the identifier. See Section 5.3.

   private-enum-id
      Optional. STRING. An organizationally unique identifier for an
      extension used in the document. If this attribute is set, the
      private-enum-name MUST also be set. See Section 5.3.
3.2.  Incident Class

   The Incident class describes commonly exchanged information when
   reporting or sharing derived analysis from security incidents.

skipping to change at page 22, line 12
      Zero or one. A log of significant events or actions that occurred
      during the course of handling the incident. See Section 3.13.

   AdditionalData
      Zero or more. EXTENSION. Mechanism by which to extend the data
      model.

   The attributes of the Incident class are:

   purpose
      Required. ENUM. The purpose attribute describes the rationale
      for documenting the information in this class. It is closely
      related to the Expectation class (Section 3.15). These values are
      maintained in the "Incident-purpose" IANA registry per
      Section 10.2. This attribute is defined as an enumerated list:

      1.  traceback. The incident was sent for trace-back purposes.

      2.  mitigation. The incident was sent to request aid in
          mitigating the described activity.

      3.  reporting. The incident was sent to comply with reporting
          requirements.

      4.  watch. The incident was sent to convey indicators that should
          be monitored.

      5.  other. The incident was sent for purposes specified in the
          Expectation class.

      6.  ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-purpose
      Optional. STRING. A means by which to extend the purpose
      attribute. See Section 5.1.1.

   status
      Optional. ENUM. The status attribute conveys the state in a
      workflow where the incident is currently found. These values are
      maintained in the "Incident-status" IANA registry per
      Section 10.2. This attribute is defined as an enumerated list:

      1.  new. The incident is newly reported, and no action has been
          taken.

      2.  in-progress. The incident is under investigation.

      3.  forwarded. The incident has been forwarded to another party
          for handling.

      4.  resolved. The investigation into the activity in this
          incident has concluded.

      5.  future. The described activity has not yet been detected.

      6.  ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-status
      Optional. STRING. A means by which to extend the status
      attribute. See Section 5.1.1.
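The IODEF-Document attributes of Section 3.1 (the fixed version string, the Incident cardinality, the private-enum-id/private-enum-name dependency) and the purpose and status enumerations above share one validation pattern: a keyword either comes from the registry, or it is "ext-value" and the matching ext-* attribute supplies the real value. The following is an added example, not code from the RFC or from any IODEF implementation, that applies those checks to a received document. The namespace URI is the one registered for IODEF v2 elsewhere in the RFC (not in this excerpt), the FQDN pattern is a plain syntactic check of my own, and both documents are constructed samples trimmed to the elements the checks look at rather than schema-complete incidents.

```python
import re
import xml.etree.ElementTree as ET

# Namespace registered for IODEF v2 in the RFC's IANA section (not shown
# in this excerpt).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Initial registry contents for Incident purpose and status (Section 3.2).
INCIDENT_PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
INCIDENT_STATUS = {"new", "in-progress", "forwarded", "resolved", "future", "ext-value"}

# Assumption: a syntactic FQDN check is enough to flag obviously bad
# private-enum-name values; the RFC only says the CSIRT's FQDN MUST be used.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def q(local_name):
    return "{%s}%s" % (IODEF_NS, local_name)


def check_enum(elem, attr, allowed, findings, label):
    """ENUM attribute rule (Section 5.1.1): a registered keyword, and
    'ext-value' only together with the matching ext-* attribute."""
    value = elem.get(attr)
    if value is None:
        return
    if value not in allowed:
        findings.append("%s: %s=%r is not a registered keyword" % (label, attr, value))
    elif value == "ext-value" and not elem.get("ext-" + attr):
        findings.append("%s: %s='ext-value' requires ext-%s" % (label, attr, attr))


def check_document(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    # ElementTree does not fetch external entities, but documents from
    # untrusted senders should also go through a hardened parser
    # (e.g. defusedxml) and full schema validation before any processing.
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != q("IODEF-Document"):
        return ["root element is %r, not IODEF-Document" % root.tag]
    if root.get("version") != "2.00":
        findings.append('version MUST be "2.00", got %r' % root.get("version"))
    incidents = root.findall(q("Incident"))
    if not incidents:
        findings.append("IODEF-Document requires at least one Incident")
    enum_name = root.get("private-enum-name")
    if root.get("private-enum-id") is not None and enum_name is None:
        findings.append("private-enum-id is set but private-enum-name is missing")
    if enum_name is not None and not FQDN_RE.match(enum_name):
        findings.append("private-enum-name %r is not an FQDN" % enum_name)
    for index, incident in enumerate(incidents):
        label = "Incident[%d]" % index
        if incident.get("purpose") is None:
            findings.append(label + ": purpose is required")
        check_enum(incident, "purpose", INCIDENT_PURPOSE, findings, label)
        check_enum(incident, "status", INCIDENT_STATUS, findings, label)
    return findings


# Constructed samples, trimmed to the elements these checks look at; they
# are not schema-complete IODEF documents.
BAD_DOC = """<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0" private-enum-id="x-sample">
  <Incident purpose="ext-value" status="triaged">
    <Description>Constructed sample incident</Description>
  </Incident>
</IODEF-Document>"""

GOOD_DOC = """<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    private-enum-name="csirt.example.com" private-enum-id="x-sample">
  <Incident purpose="ext-value" ext-purpose="x-sample:handover" status="new">
    <Description>Constructed sample incident</Description>
  </Incident>
</IODEF-Document>"""
```

Run `check_document(BAD_DOC)` to see the three findings (missing private-enum-name, ext-value without ext-purpose, an unregistered status keyword); `check_document(GOOD_DOC)` returns an empty list.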
skipping to change at page 23, line 50
   The restriction attribute indicates the disclosure guidelines to
   which the sender expects the recipient to adhere for the information
   represented in this class and its children. This guideline provides
   no security since there are no technical means to ensure that the
   recipient of the document handles the information as the sender
   requested.

   The value of this attribute is logically inherited by the children of
   this class. That is to say, the disclosure rules applied to this
   class also apply to its children.

   It is possible to set a granular disclosure policy, since all of the
   high-level classes (i.e., children of the Incident class) have a
   restriction attribute. Therefore, a child can override the
   guidelines of a parent class, be it to restrict or relax the
   disclosure rules (e.g., a child has a weaker policy than an ancestor;
   or an ancestor has a weak policy, and the children selectively apply
   more rigid controls). The implicit value of the restriction
   attribute for a class that did not specify one can be found in the
   closest ancestor that did specify a value.
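Because the restriction attribute enforces nothing by itself, the recipient has to compute the effective guideline for each element before it stores or forwards the document. The following is an added example, not code from the RFC or from any IODEF implementation: it resolves the effective restriction of every element by walking to the closest ancestor that set one, exactly as the paragraph above describes, and prunes a copy down to the subtrees releasable to a given audience. The sample Incident is constructed and trimmed, not a schema-complete incident; the namespace URI is the one registered for IODEF v2 elsewhere in the RFC.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # IODEF v2 namespace


def local(tag):
    return tag.split("}", 1)[-1]


def parent_map(root):
    # ElementTree elements carry no parent pointer, so build the map once.
    return {child: parent for parent in root.iter() for child in parent}


def path_of(elem, parent_of):
    parts = []
    while elem is not None:
        parts.append(local(elem.tag))
        elem = parent_of.get(elem)
    return "/".join(reversed(parts))


def effective_restriction(elem, parent_of):
    """Closest ancestor-or-self restriction value (Section 3.3.1), or None
    if no class on the path to the root set one."""
    while elem is not None:
        value = elem.get("restriction")
        if value is not None:
            return value
        elem = parent_of.get(elem)
    return None


def restriction_map(xml_text):
    """Effective restriction for every element, keyed by element path."""
    root = ET.fromstring(xml_text)
    parent_of = parent_map(root)
    return {path_of(e, parent_of): effective_restriction(e, parent_of)
            for e in root.iter()}


def release_copy(xml_text, allowed):
    """Prune every subtree whose effective restriction is not in `allowed`
    and return the element paths that remain, in document order. If the
    root itself is not releasable, nothing is, whatever its children say."""
    root = ET.fromstring(xml_text)
    parent_of = parent_map(root)
    if effective_restriction(root, parent_of) not in allowed:
        return []
    for parent in list(root.iter()):
        for child in list(parent):
            if effective_restriction(child, parent_of) not in allowed:
                parent.remove(child)
    return [path_of(e, parent_of) for e in root.iter()]


# Constructed sample: the Incident is need-to-know, the creator's contact
# details are tightened to private, and one event summary is relaxed to public.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0" purpose="reporting"
          restriction="need-to-know">
  <Description>Constructed sample, not a real incident</Description>
  <Contact role="creator" type="organization" restriction="private">
    <ContactName>Example CSIRT</ContactName>
    <Email><EmailTo>csirt@example.com</EmailTo></Email>
  </Contact>
  <EventData restriction="public">
    <Description>Sanitized event summary</Description>
  </EventData>
</Incident>"""
```

`restriction_map(SAMPLE)` shows the inheritance (the EmailTo leaf resolves to "private" although it carries no attribute), and `release_copy(SAMPLE, {"need-to-know", "public"})` drops the Contact subtree while keeping the rest.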
skipping to change at page 27, line 8
   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

3.6.  RelatedActivity Class

   The RelatedActivity class relates the information described in the
   rest of the document to previously observed incidents or activity and
   allows attribution to a specific actor or campaign.

   +------------------------+
   | RelatedActivity        |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ IncidentID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ ThreatActor ]
   |                        |<>--{0..*}--[ Campaign ]
   |                        |<>--{0..*}--[ IndicatorID ]
   |                        |<>--{0..1}--[ Confidence ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                   Figure 9: The RelatedActivity Class

   The aggregate classes of the RelatedActivity class are:

   IncidentID
      Zero or more. The tracking number of a related incident. See
      Section 3.4.

   URL
      Zero or more. URL. A URL to activity related to this incident.

skipping to change at page 28, line 15
   Description
      Zero or more. ML_STRING. A description of how these
      relationships were derived.

   AdditionalData
      Zero or more. EXTENSION. A mechanism by which to extend the data
      model.

   The RelatedActivity class MUST have at least one instance of any of
   the following child classes: IncidentID, URL, ThreatActor, Campaign,
   Description, or AdditionalData.

   The attributes of the RelatedActivity class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

skipping to change at page 28, line 39
   +------------------------+
   | ThreatActor            |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ ThreatActorID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 10: The ThreatActor Class

   The aggregate classes of the ThreatActor class are:

   ThreatActorID
      Zero or more. STRING. An identifier for the threat actor.

   URL
      Zero or more. URL. A URL to a reference describing the threat
      actor.

skipping to change at page 29, line 34
   +------------------------+
   | Campaign               |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ CampaignID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                      Figure 11: The Campaign Class

   The aggregate classes of the Campaign class are:

   CampaignID
      Zero or more. STRING. An identifier for the campaign.

   URL
      Zero or more. URL. A URL to a reference describing the campaign.

   Description

skipping to change at page 30, line 24
3.9.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident. This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The type attribute disambiguates the type of contact information
   being provided.

   The recursive definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers or
   duplication of data. A complete point of contact is derived by a
   particular traversal from the root Contact class to the leaf Contact
   class. Each child Contact class logically inherits contact
   information from its ancestors.
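The root-to-leaf traversal just described is what a consumer implements to turn a nested Contact into complete, directly usable points of contact. The following is an added example, not code from the RFC or from any IODEF implementation: for each leaf Contact it walks the chain of enclosing Contact elements, starts from the ancestors' values and overrides only what the leaf states itself. The child element names used for the merged fields (ContactName, Email/EmailTo, Telephone/TelephoneNumber) are taken from the Contact children defined later in the RFC, which this excerpt does not show, so treat them as assumptions; the sample Contact is constructed and trimmed, and the namespace URI is the one registered for IODEF v2 elsewhere in the RFC.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # IODEF v2 namespace


def q(path):
    """Namespace-qualify a slash-separated local path for ElementTree."""
    return "/".join("{%s}%s" % (IODEF_NS, part) for part in path.split("/"))


# Fields merged along the root-to-leaf traversal. Assumption: these element
# names follow the Contact children defined later in the RFC, which the
# figure for this class does not show in this excerpt.
INHERITED = {"name": "ContactName",
             "email": "Email/EmailTo",
             "phone": "Telephone/TelephoneNumber"}


def flatten_contacts(xml_text):
    """One complete point of contact per leaf Contact: each leaf starts from
    its ancestors' values and overrides only what it states itself."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    points = []
    for leaf in root.iter(q("Contact")):
        if leaf.find(q("Contact")) is not None:
            continue  # not a leaf; its nested Contacts yield the points
        chain, node = [], leaf
        while node is not None and node.tag == q("Contact"):
            chain.append(node)
            node = parent_of.get(node)
        chain.reverse()  # root Contact first, so later entries override
        point = {"roles": [c.get("role") for c in chain], "organization": None}
        point.update({field: None for field in INHERITED})
        for contact in chain:
            if contact.get("type") == "organization":
                # Keep the enclosing organization even when a person
                # overrides the name field further down the chain.
                point["organization"] = contact.findtext(q("ContactName")) or point["organization"]
            for field, path in INHERITED.items():
                point[field] = contact.findtext(q(path)) or point[field]
        points.append(point)
    return points


# Constructed sample: an organization with a shared mailbox and phone number,
# and two people who inherit whatever they do not state themselves.
SAMPLE = """<Contact xmlns="urn:ietf:params:xml:ns:iodef-2.0" role="irt" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <Email><EmailTo>csirt@example.com</EmailTo></Email>
  <Telephone><TelephoneNumber>+15555550100</TelephoneNumber></Telephone>
  <Contact role="tech" type="person">
    <ContactName>A. Analyst</ContactName>
    <Email><EmailTo>analyst@example.com</EmailTo></Email>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>B. Manager</ContactName>
  </Contact>
</Contact>"""
```

`flatten_contacts(SAMPLE)` yields two points: the tech contact with their own email but the organization's phone number, and the admin contact with both email and phone inherited from the organization.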
   +------------------------+

skipping to change at page 32, line 12
   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.

   The attributes of the Contact class are:

   role
      Required. ENUM. Indicates the role the contact fulfills. These
      values are maintained in the "Contact-role" IANA registry per
      Section 10.2.

      1.   creator. The entity that generates the document.

      2.   reporter. The entity that reported the information.

      3.   admin. An administrative contact or business owner for an
           asset or organization.

      4.   tech. An entity responsible for the day-to-day management of
           technical issues for an asset or organization.

      5.   provider. An external hosting provider for an asset.

      6.   user. An end-user of an asset or part of an organization.

      7.   billing. An entity responsible for billing issues for an
           asset or organization.

      8.   legal. An entity responsible for legal issues related to an
           asset or organization.

      9.   irt. An entity responsible for handling security issues for
           an asset or organization.

      10.  abuse. An entity responsible for handling abuse originating
           from an asset or organization.

      11.  cc. An entity that is to be kept informed about the events
           related to an asset or organization.

      12.  cc-irt. A CSIRT or information-sharing organization
coordinating activity related to an asset or organization. coordinating activity related to an asset or organization.
13. leo. A law enforcement organization supporting the 13. leo. A law enforcement organization supporting the
investigation of activity affecting an asset or organization. investigation of activity affecting an asset or organization.
14. vendor. The vendor that produces an asset. 14. vendor. The vendor that produces an asset.
15. vendor-support. A vendor that provides services. 15. vendor-support. A vendor that provides services.
16. victim. A victim in the incident. 16. victim. A victim in the incident.
skipping to change at page 33, line 14 skipping to change at page 34, line 36
Required. ENUM. The database to which the handle belongs. These Required. ENUM. The database to which the handle belongs. These
values are maintained in the "RegistryHandle-registry" IANA values are maintained in the "RegistryHandle-registry" IANA
registry per Section 10.2. The possible values are: registry per Section 10.2. The possible values are:
1. internic. Internet Network Information Center 1. internic. Internet Network Information Center
2. apnic. Asia Pacific Network Information Center 2. apnic. Asia Pacific Network Information Center
3. arin. American Registry for Internet Numbers 3. arin. American Registry for Internet Numbers
4. lacnic. Latin-American and Caribbean IP Address Registry 4. lacnic. Latin American and Caribbean Internet Addresses
Registry
5. ripe. Reseaux IP Europeens 5. ripe. Reseaux IP Europeens
6. afrinic. African Internet Numbers Registry 6. afrinic. African Network Information Center
7. local. A database local to the CSIRT 7. local. A database local to the CSIRT
8. ext-value. A value used to indicate that this attribute is 8. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-registry ext-registry
Optional. STRING. A means by which to extend the registry Optional. STRING. A means by which to extend the registry
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.9.2. PostalAddress Class

The PostalAddress class specifies a postal address and associated
annotation.

   +--------------------+
   | PostalAddress      |
   +--------------------+
   | ENUM type          |<>----------[ PAddress ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

   Figure 14: The PostalAddress Class

[...]

Description
   Zero or more. ML_STRING. A free-form text description of the
   email address.

The attributes of the Email class are:

type
   Optional. ENUM. Categorizes the type of email address described
   in the EmailTo class. These values are maintained in the
   "Email-type" IANA registry per Section 10.2.

   1. direct. An email address of an individual.
   2. hotline. An email address regularly monitored for operational
      purposes.
   3. ext-value. A value used to indicate that this attribute is
      extended and the actual value is provided using the
      corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute.
   See Section 5.1.1.

[...]

   that detected the incident. See Section 3.10.1.

The attributes of the Discovery class are:

source
   Optional. ENUM. Categorizes the techniques used to discover the
   incident. These values are partially derived from Table 3-1 of
   [NIST800.61rev2]. These values are maintained in the
   "Discovery-source" IANA registry per Section 10.2.

   1.  nidps. Network Intrusion Detection or Prevention System.
   2.  hips. Host-based Intrusion Prevention System.
   3.  siem. Security Information and Event Management System.
   4.  av. Antivirus or antispam software.
   5.  third-party-monitoring. Contracted third-party monitoring
       service.
   6.  incident. The activity was discovered while investigating an
       unrelated incident.
   7.  os-log. Operating system logs.
   8.  application-log. Application logs.

   [...]

   10. network-flow. Network flow analysis.
   11. passive-dns. Passive DNS analysis.
   12. investigation. Manual investigation initiated based on
       notification of a new vulnerability or exploit.
   13. audit. Security audit.
   14. internal-notification. A party within the organization
       reported the activity.
   15. external-notification. A party outside of the organization
       reported the activity.
   16. leo. A law enforcement organization notified the victim
       organization.
   17. partner. A customer or business partner reported the
       activity to the victim organization.

[...]

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

3.10.1. DetectionPattern Class

The DetectionPattern class describes a configuration or signature
that can be used by an Intrusion Detection System (IDS) / Intrusion
Prevention System (IPS), SIEM, antivirus, endpoint protection,
network analysis, malware analysis, or host forensics tool to
identify a particular phenomenon. This class requires the
identification of the target application and allows the configuration
to be described in either free form or machine-readable form.

   +------------------------+
   | DetectionPattern       |
   +------------------------+
   | ENUM restriction       |<>----------[ Application ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..*}--[ DetectionConfiguration ]
   +------------------------+

   Figure 18: The DetectionPattern Class

The aggregate classes of the DetectionPattern class are:

Application
   One. SOFTWARE. The application for which the
   DetectionConfiguration or Description is being provided.

Description
   Zero or more. ML_STRING. A free-form text description of how to
   use the information provided in the Application or
   DetectionConfiguration classes.

DetectionConfiguration
   Zero or more. STRING. A machine-consumable configuration to find
   a pattern of activity.

An instance of either the Description or DetectionConfiguration class
MUST be present.

The attributes of the DetectionPattern class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
3.11. Method Class

The Method class describes the tactics, techniques, procedures, or
weakness used by the threat actor in an incident. This class
consists of both a list of references describing the attack methods
and weaknesses and a free-form text description.

   +------------------------+
   | Method                 |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ Reference ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ sci:AttackPattern ]

[...]

Reference
   Zero or more. A reference to a vulnerability, malware sample,
   advisory, or analysis of an attack technique. See Section 3.11.1.

Description
   Zero or more. ML_STRING. A free-form text description of
   techniques, tactics, or procedures used by the threat actor.

sci:AttackPattern
   Zero or more. A reference to a pattern of attack or exploitation
   per [RFC7203].

sci:Vulnerability
   Zero or more. A reference to a vulnerability per [RFC7203].

sci:Weakness
   Zero or more. A reference to the exploited weakness per
   [RFC7203].

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data
   model.

An instance of one of these children MUST be present.

The attributes of the Method class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

3.11.1. Reference Class

The Reference class is an external reference to relevant information
such as a vulnerability, IDS alert, malware sample, advisory, or
attack technique.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
   |                         |<>--{0..*}--[ URL ]
   |                         |<>--{0..*}--[ Description ]
   +-------------------------+

   Figure 20: The Reference Class

[...]

   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..*}--[ Cause ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

   Figure 21: The Assessment Class

The aggregate classes of the Assessment class are:

IncidentCategory
   Zero or more. ML_STRING. A free-form text description
   categorizing the type of incident.

SystemImpact
   Zero or more. A technical characterization of the impact of the
   incident activity on the victim's enterprise. See Section 3.12.1.

BusinessImpact
   Zero or more. Impact of the incident activity on the business
   functions of the victim organization. See Section 3.12.2.

TimeImpact
   [...]
   to the incident activity as a function of time. See
   Section 3.12.3.

MonetaryImpact
   Zero or more. The financial loss due to the incident activity.
   See Section 3.12.4.

IntendedImpact
   Zero or more. The intended outcome to the victim sought by the
   threat actor. Defined identically to the BusinessImpact defined
   in Section 3.12.2 but describes intent rather than the realized
   impact.

Counter
   Zero or more. A counter with which to summarize the magnitude of
   the activity. See Section 3.18.3.

MitigatingFactor
   Zero or more. ML_STRING. A description of a mitigating factor
   relative to the impact on the victim organization.

[...]

   the impact.

Confidence
   Zero or one. An estimate of confidence in the impact assessment.
   See Section 3.12.5.

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data
   model.

At least one instance of the possible five impact classes (i.e.,
SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or
IntendedImpact) MUST be present.

The attributes of the Assessment class are:

occurrence
   Optional. ENUM. Specifies whether the assessment is describing
   actual or potential outcomes.

   1. actual. This assessment describes activity that has occurred.

[...]

   +-----------------------+
   | SystemImpact          |
   +-----------------------+
   | ENUM severity         |<>--{0..*}--[ Description ]
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

   Figure 22: The SystemImpact Class

The aggregate class of the SystemImpact class is:

Description
   Zero or more. ML_STRING. A free-form text description of the
   impact to the system.

The attributes of the SystemImpact class are:

severity

[...]

      extended and the actual value is provided using the
      corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute.
   See Section 5.1.1.

3.12.2. BusinessImpact Class

The BusinessImpact class describes and characterizes the degree to
which the function of the organization was impacted by the incident.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ENUM severity           |<>--{0..*}--[ Description ]
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

   Figure 23: The BusinessImpact Class

The aggregate class of the BusinessImpact class is:

Description
   Zero or more. ML_STRING. A free-form text description of the
   impact to the organization.

The attributes of the BusinessImpact class are:

severity

[...]

   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

   Figure 24: The TimeImpact Class

The content of the class is of type REAL and specifies an amount of
time. The duration attribute provides units for this content, and
the metric attribute explains what this content is measuring.

The attributes of the TimeImpact class are:

severity
   Optional. ENUM. An estimate of the relative severity of the
   activity. The permitted values are shown below. There is no
   default value.

   1. low. Low severity
   2. medium. Medium severity
   3. high. High severity

metric
   Required. ENUM. Defines the meaning of the value in the element
   content. These values are maintained in the "TimeImpact-metric"
   IANA registry per Section 10.2.

   1. labor. Total staff time to recovery from the activity (e.g.,
      2 employees working 4 hours each would be 8 hours).
   2. elapsed. Elapsed time from the beginning of the recovery to
      its completion (i.e., wall-clock time).
   3. downtime. Duration of time for which some provided service(s)
      was not available.
   4. ext-value. A value used to indicate that this attribute is
      extended and the actual value is provided using the

[...]

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

   Figure 25: The MonetaryImpact Class

The content of the class is of type REAL and specifies a quantity of
money. The currency attribute defines the currency of this value.

The attributes of the MonetaryImpact class are:

severity
   Optional. ENUM. An estimate of the relative severity of the
   activity. The permitted values are shown below. There is no
   default value.

   1. low. Low severity
   2. medium. Medium severity
   3. high. High severity

currency
   Optional. STRING. Defines the currency in which the value in the
   element content is expressed. The permitted values are defined in
   "Codes for the representation of currencies" [ISO4217]. There is
   no default value.

3.12.5. Confidence Class

The Confidence class represents an estimate of the validity and
accuracy of data expressed in the document. This estimate can be
expressed as a category or a numeric calculation.

   +-------------------+
   | Confidence        |
   +-------------------+
   | REAL              |
   |                   |
   | ENUM rating       |
   | STRING ext-rating |
   +-------------------+

   Figure 26: The Confidence Class

The content of the class is of type REAL and specifies a numerical
assessment in the confidence of the data when the value of the rating
attribute is "numeric". Otherwise, this element MUST be empty.
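The MUST rules stated above for the DetectionPattern (Section 3.10.1), Method (Section 3.11), Assessment (Section 3.12), TimeImpact (Section 3.12.3) and Confidence (Section 3.12.5) classes, checked over a constructed document. This is an added example, not the RFC's own code; it covers only those co-occurrence and content rules, not full schema validation, and the sample values it reports on are made up.

```python
"""Check co-occurrence and content rules RFC 7970 states for the
DetectionPattern, Method, Assessment, TimeImpact and Confidence classes.

Added example, not code from the RFC. Only the rules quoted in the text
are checked (no XML Schema validation); the document below is constructed
and breaks several of them on purpose so the checks have something to report.
"""
import xml.etree.ElementTree as ET

IMPACT_CLASSES = {"SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact"}

# Constructed sample; each deliberate violation is marked with an XML comment.
SAMPLE = """<IODEF-Document version="2.00"
                xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">INC-0002</IncidentID>
    <GenerationTime>2016-11-01T10:00:00Z</GenerationTime>
    <Discovery source="siem">
      <DetectionPattern>  <!-- neither Description nor DetectionConfiguration -->
        <Application><Description>Example SIEM</Description></Application>
      </DetectionPattern>
    </Discovery>
    <Assessment occurrence="actual">  <!-- no impact class at all -->
      <Confidence rating="high">0.9</Confidence>  <!-- content, rating not numeric -->
    </Assessment>
    <Assessment occurrence="actual">
      <TimeImpact duration="hour">8</TimeImpact>  <!-- required metric missing -->
      <MonetaryImpact currency="USD">1500.00</MonetaryImpact>
      <Confidence rating="numeric">0.8</Confidence>
    </Assessment>
    <Method restriction="private"/>  <!-- no child class -->
  </Incident>
</IODEF-Document>
"""


def _local(tag):
    """Local name of a possibly namespace-qualified tag."""
    return tag.rsplit("}", 1)[-1]


def _is_real(text):
    """True when the element content parses as a REAL."""
    try:
        float((text or "").strip())
        return True
    except ValueError:
        return False


def check_detection_pattern(el):
    names = {_local(c.tag) for c in el}
    out = []
    if "Application" not in names:
        out.append("DetectionPattern: Application MUST be present")
    if not names & {"Description", "DetectionConfiguration"}:
        out.append("DetectionPattern: Description or DetectionConfiguration "
                   "MUST be present")
    return out


def check_method(el):
    return [] if len(el) else ["Method: at least one child class MUST be present"]


def check_assessment(el):
    if any(_local(c.tag) in IMPACT_CLASSES for c in el):
        return []
    return ["Assessment: at least one of SystemImpact, BusinessImpact, "
            "TimeImpact, MonetaryImpact, or IntendedImpact MUST be present"]


def check_time_impact(el):
    out = []
    if el.get("metric") is None:
        out.append("TimeImpact: required attribute metric is missing")
    if not _is_real(el.text):
        out.append("TimeImpact: content MUST be a REAL")
    return out


def check_confidence(el):
    rating = el.get("rating")
    content = (el.text or "").strip()
    if rating is None:
        return ["Confidence: required attribute rating is missing"]
    if rating == "numeric":
        return [] if _is_real(content) else \
            ["Confidence: rating numeric requires REAL content"]
    return ["Confidence: content MUST be empty unless rating is numeric"] \
        if content else []


CHECKS = {"DetectionPattern": check_detection_pattern, "Method": check_method,
          "Assessment": check_assessment, "TimeImpact": check_time_impact,
          "Confidence": check_confidence}


def check_document(xml_text):
    """Return the rule violations found in an IODEF document, in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        check = CHECKS.get(_local(el.tag))
        if check is not None:
            findings.extend(check(el))
    return findings


if __name__ == "__main__":
    for finding in check_document(SAMPLE):
        print(finding)
```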
The attributes of the Confidence class are:

rating
   Required. ENUM. A qualitative assessment of confidence. These
   values are maintained in the "Confidence-rating" IANA registry per
   Section 10.2.

   1. low. Low confidence.
   2. medium. Medium confidence.
   3. high. High confidence.
   4. numeric. The element content contains a number that conveys
      the confidence of the data. The semantics of this number is
      outside the scope of this specification.
   5. unknown. The confidence rating value is not known.
   6. ext-value. A value used to indicate that this attribute is
      extended and the actual value is provided using the
      corresponding ext-* attribute. See Section 5.1.1.

ext-rating
   Optional. STRING. A means by which to extend the rating

[...]

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM action             |<>----------[ DateTime ]
   | STRING ext-action       |<>--{0..1}--[ IncidentID ]
   | ENUM restriction        |<>--{0..1}--[ Contact ]
   | STRING ext-restriction  |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

   Figure 28: The HistoryItem Class

The aggregate classes of the HistoryItem class are:

DateTime
   One. DATETIME. A timestamp of this entry in the history log.

IncidentID
   Zero or one. In a history log created by multiple parties, the
   IncidentID provides a mechanism to specify which CSIRT created a
   particular entry and references this organization's tracking
   number. When a single organization is maintaining the log, this
   class can be ignored. See Section 3.4.

Contact
   Zero or one. Provides contact information for the entity that
   performed the action documented in this class. See Section 3.9.

Description
   Zero or more. ML_STRING. A free-form text description of the
   action or event.

DefinedCOA
   Zero or more. STRING. An identifier meaningful to the sender and
   recipient of this document that references a course of action
   (COA). This class MUST be present if the action attribute is set

[...]

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data
   model.

The attributes of the HistoryItem class are:

action
   Required. ENUM. Classifies a performed action or occurrence
   documented in this history log entry. As activity will likely
   have been instigated either through a previously conveyed
   expectation or through an internal investigation, this attribute
   is identical to the action attribute of the Expectation class.
   The difference is only one of tense. When an action is in this
   class, it has been completed. See Section 3.15.

ext-action
   Optional. STRING. A means by which to extend the action
   attribute. See Section 5.1.1.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction

[...]

3.14.1. Relating the Incident and EventData Classes

There is substantial overlap in the child classes aggregated in the
Incident and EventData classes. Nevertheless, the semantics of these
classes are quite different. The Incident class provides summary classes are quite different. The Incident class provides summary
information about the entire incident, while the EventData class information about the entire incident, while the EventData class
provides information about the individual events comprising the provides information about the individual events comprising the
incident. In the common case, the EventData class will provide more incident. In the common case, the EventData class will provide more
specific information for the general description provided in the specific information for the general description provided in the
Incident class. However, in the case where the summarized Incident class. However, in the case where the summarized
information in the Incident class conflicts the detailed information information in the Incident class conflicts with the detailed
in an EventData class the more specific EventData class MUST information in an EventData class, the more specific EventData class
supersede the more generic information provided in Incident class. MUST supersede the more generic information provided in the Incident
class.
3.14.2. Recursive Definition of EventData 3.14.2. Recursive Definition of EventData
The EventData class is container for the properties of an event in an The EventData class is a container for the properties of an event in
incident. These properties include: the hosts involved, impact of an incident. These properties include: the hosts involved, impact of
the incident activity on the hosts, forensic logs, etc. The the incident activity on the hosts, forensic logs, etc. The
recursive definition of EventData allows for the grouping of related recursive definition of EventData allows for the grouping of related
information with common properties. This approach eliminates the information with common properties. This approach eliminates the
need for explicit identifiers to relate information or duplicate it. need for explicit identifiers to relate information or duplicate it.
Instead, the relative depth (nesting) of a class is used to group Instead, the relative depth (nesting) of a class is used to group
(relate) information. (relate) information.
For example, consider a case where two hosts experience different For example, consider a case where two hosts experience different
impacts during an incident. However, these two hosts have common impacts during an incident. However, these two hosts have common
contact information. A depiction of how this situation would be contact information. A depiction of how this situation would be
skipping to change at page 58, line 12 skipping to change at page 61, line 17
the action performed. A timestamp that is earlier than the the action performed. A timestamp that is earlier than the
ReportTime specified in the Incident class denotes that the sender ReportTime specified in the Incident class denotes that the sender
would like the action performed as soon as possible. The absence would like the action performed as soon as possible. The absence
of this element indicates no expectations of when the recipient of this element indicates no expectations of when the recipient
would like the action performed. would like the action performed.
EndTime EndTime
Zero or one. DATETIME. The time by which the sender expects the Zero or one. DATETIME. The time by which the sender expects the
recipient to complete the action. If the recipient cannot recipient to complete the action. If the recipient cannot
complete the action before EndTime, the recipient MUST NOT carry complete the action before EndTime, the recipient MUST NOT carry
out the action. Because of transit delays and clock drift the out the action. Because of transit delays and clock drift, the
sender MUST be prepared for the recipient to have carried out the sender MUST be prepared for the recipient to have carried out the
action, even if it completes past EndTime. action, even if it completes past EndTime.
Contact Contact
Zero or one. The entity expected to perform the action. See Zero or one. The entity expected to perform the action. See
Section 3.9. Section 3.9.
The attributes of the Expectation class are: The attributes of the Expectation class are:
action action
skipping to change at page 58, line 38 skipping to change at page 61, line 43
information. information.
2. contact-source-site. Contact the site(s) identified as the 2. contact-source-site. Contact the site(s) identified as the
source of the activity. source of the activity.
3. contact-target-site. Contact the site(s) identified as the 3. contact-target-site. Contact the site(s) identified as the
target of the activity. target of the activity.
4. contact-sender. Contact the originator of the document. 4. contact-sender. Contact the originator of the document.
5. investigate. Investigate the systems(s) listed in the event. 5. investigate. Investigate the system(s) listed in the event.
6. block-host. Block traffic from the machine(s) listed as 6. block-host. Block traffic from the machine(s) listed as
sources the event. sources in the event.
7. block-network. Block traffic from the network(s) lists as 7. block-network. Block traffic from the network(s) lists as
sources in the event. sources in the event.
8. block-port. Block the port listed as sources in the event. 8. block-port. Block the port listed as sources in the event.
9. rate-limit-host. Rate-limit the traffic from the machine(s) 9. rate-limit-host. Rate-limit the traffic from the machine(s)
listed as sources in the event. listed as sources in the event.
10. rate-limit-network. Rate-limit the traffic from the 10. rate-limit-network. Rate-limit the traffic from the
skipping to change at page 59, line 23 skipping to change at page 62, line 26
13. honeypot. Redirect traffic from systems listed in the event 13. honeypot. Redirect traffic from systems listed in the event
to a honeypot for further analysis. to a honeypot for further analysis.
14. upgrade-software. Upgrade or patch the software or firmware 14. upgrade-software. Upgrade or patch the software or firmware
on an asset listed in the event. on an asset listed in the event.
15. rebuild-asset. Reinstall the operating system or 15. rebuild-asset. Reinstall the operating system or
applications on an asset listed in the event. applications on an asset listed in the event.
16. harden-asset. Change the configuration an asset listed in 16. harden-asset. Change the configuration of an asset listed in
the event to reduce the attack surface. the event to reduce the attack surface.
17. remediate-other. Remediate the activity in a way other than 17. remediate-other. Remediate the activity in a way other than
by rate limiting or blocking. by rate-limiting or blocking.
18. status-triage. Confirm receipt and begin triaging the 18. status-triage. Confirm receipt and begin triaging the
incident. incident.
19. status-new-info. Notify the sender when new information is 19. status-new-info. Notify the sender when new information is
received for this incident. received for this incident.
20. watch-and-report. Watch for the described activity or 20. watch-and-report. Watch for the described activity or
indicators; and notify the sender when seen. indicators, and notify the sender when seen.
21. training. Train user to identify or mitigate the described 21. training. Train user to identify or mitigate the described
threat. threat.
22. defined-coa. Perform a predefined course of action (COA). 22. defined-coa. Perform a predefined course of action (COA).
The COA is named in the DefinedCOA class. The COA is named in the DefinedCOA class.
23. other. Perform a custom action described in the Description 23. other. Perform a custom action described in the Description
class. class.
skipping to change at page 60, line 32 skipping to change at page 63, line 34
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
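The timing rules for StartTime and EndTime and the action enumeration above leave the recipient with a concrete decision to make. The following Python is an added example (not code from RFC 7970, the draft, or the IODEF authors) of a recipient-side check that applies them; it assumes namespace-free constructed fragments, treats a missing action attribute as "other" (the attribute's own definition is elided from this excerpt), and fills in the three action values elided here ("nothing", "rate-limit-port", "redirect-traffic") from the RFC's full list.

```python
"""Recipient-side handling of an IODEF v2 Expectation.

Added example, not part of RFC 7970 or the draft; it models the rules
stated for the action, StartTime and EndTime fields.  The fragments are
constructed samples without the IODEF namespace.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Expectation action values.  The entries elided from this excerpt
# ("nothing", "rate-limit-port", "redirect-traffic") come from the full
# list in RFC 7970; "ext-value" means the real value is in ext-action.
EXPECTATION_ACTIONS = frozenset({
    "nothing", "contact-source-site", "contact-target-site", "contact-sender",
    "investigate", "block-host", "block-network", "block-port",
    "rate-limit-host", "rate-limit-network", "rate-limit-port",
    "redirect-traffic", "honeypot", "upgrade-software", "rebuild-asset",
    "harden-asset", "remediate-other", "status-triage", "status-new-info",
    "watch-and-report", "training", "defined-coa", "other", "ext-value",
})

# Constructed sample: a request to block a host within a working day.
SAMPLE_EXPECTATION = """<Expectation action="block-host">
  <Description>Block the listed source at the border router</Description>
  <StartTime>2016-11-01T09:00:00+00:00</StartTime>
  <EndTime>2016-11-01T17:00:00+00:00</EndTime>
</Expectation>"""

# Constructed sample: StartTime before the Incident's ReportTime and no
# EndTime, i.e. "as soon as possible" with no deadline.
SAMPLE_EXPECTATION_ASAP = """<Expectation action="investigate">
  <StartTime>2016-10-31T00:00:00+00:00</StartTime>
</Expectation>"""


def parse_dt(text):
    """IODEF DATETIME is ISO 8601; fromisoformat wants '+00:00', not 'Z'."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def evaluate_expectation(xml_text, report_time, now, expected_seconds):
    """Decide whether the recipient should carry out the Expectation.

    report_time: the enclosing Incident's ReportTime (ISO 8601 string).
    now: the recipient's clock (ISO 8601 string).
    expected_seconds: how long the recipient estimates the action takes.
    """
    exp = ET.fromstring(xml_text)
    report_time = parse_dt(report_time)
    now = parse_dt(now)
    duration = timedelta(seconds=expected_seconds)

    # Assumption: a missing action attribute is treated as "other" (the
    # attribute's own definition is elided from this excerpt).
    action = exp.get("action", "other")
    if action not in EXPECTATION_ACTIONS:
        return {"action": action, "execute": False, "reason": "unknown action"}
    if action == "ext-value" and not exp.get("ext-action"):
        return {"action": action, "execute": False,
                "reason": "ext-value without ext-action"}
    if action == "defined-coa" and exp.find("DefinedCOA") is None:
        return {"action": action, "execute": False,
                "reason": "defined-coa without DefinedCOA"}

    start_el = exp.find("StartTime")
    if start_el is None:
        # No expectation about when: the recipient may start at once.
        earliest, timing = now, "unspecified"
    else:
        start = parse_dt(start_el.text)
        if start < report_time:
            # Earlier than ReportTime: the sender wants it as soon as possible.
            earliest, timing = now, "as-soon-as-possible"
        else:
            earliest, timing = max(start, now), "scheduled"

    end_el = exp.find("EndTime")
    if end_el is not None and earliest + duration > parse_dt(end_el.text):
        # Cannot finish before EndTime: the recipient MUST NOT act.
        return {"action": action, "execute": False, "timing": timing,
                "reason": "cannot complete before EndTime"}
    return {"action": action, "execute": True, "timing": timing,
            "earliest_start": earliest.isoformat(), "reason": "ok"}


def sender_reconcile(xml_text, completed_at):
    """Sender's view of a reported completion: a finish after EndTime is
    still a completion (transit delay, clock drift), only flagged late."""
    exp = ET.fromstring(xml_text)
    end_el = exp.find("EndTime")
    if end_el is None or parse_dt(completed_at) <= parse_dt(end_el.text):
        return "completed"
    return "completed-late"


if __name__ == "__main__":
    print(evaluate_expectation(SAMPLE_EXPECTATION, "2016-11-01T08:00:00+00:00",
                               "2016-11-01T10:00:00+00:00", 3600))
```

The asymmetry is deliberate: the recipient refuses work it cannot finish before EndTime, while the sender never rejects a late completion, which is exactly what the two MUST clauses above require of each side.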
3.16. Flow Class 3.16. Flow Class
The Flow class describes the systems and networks involved in the The Flow class describes the systems and networks involved in the
incident; and the relationships between them. incident and the relationships between them.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
Figure 32: The Flow Class Figure 32: The Flow Class
The aggregate class of the Flow class is: The aggregate class of the Flow class is:
skipping to change at page 62, line 26 skipping to change at page 65, line 28
category" IANA registry per Section 10.2. category" IANA registry per Section 10.2.
1. source. The System was the source of the event. 1. source. The System was the source of the event.
2. target. The System was the target of the event. 2. target. The System was the target of the event.
3. intermediate. The System was an intermediary in the event. 3. intermediate. The System was an intermediary in the event.
4. sensor. The System was a sensor monitoring the event. 4. sensor. The System was a sensor monitoring the event.
5. infrastructure. The System was an infrastructure node of 5. infrastructure. The System was an infrastructure node of the
IODEF document exchange. IODEF document exchange.
6. ext-value. A value used to indicate that this attribute is 6. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
skipping to change at page 63, line 26 skipping to change at page 66, line 26
2. no. The System is a physical device. 2. no. The System is a physical device.
3. unknown. It is not known if the System is virtual. 3. unknown. It is not known if the System is virtual.
ownership ownership
Optional. ENUM. Describes the ownership of this System relative Optional. ENUM. Describes the ownership of this System relative
to the victim in the incident. These values are maintained in the to the victim in the incident. These values are maintained in the
"System-ownership" IANA registry per Section 10.2. "System-ownership" IANA registry per Section 10.2.
1. organization. Corporate or enterprise-owned. 1. organization. Corporate or enterprise owned.
2. personal. Personally-owned by an employee or affiliate of the 2. personal. Personally owned by an employee or affiliate of the
corporation or enterprise. corporation or enterprise.
3. partner. Owned by a partner of the corporation or enterprise. 3. partner. Owned by a partner of the corporation or enterprise.
4. customer. Owned by a customer of the corporation or 4. customer. Owned by a customer of the corporation or
enterprise. enterprise.
5. no-relationship. Owned by an entity that has no known 5. no-relationship. Owned by an entity that has no known
relationship with victim organization. relationship with the victim organization.
6. unknown. Ownership is unknown. 6. unknown. Ownership is unknown.
7. ext-value. A value used to indicate that this attribute is 7. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-ownership ext-ownership
Optional. STRING. A means by which to extend the ownership Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
skipping to change at page 64, line 12 skipping to change at page 67, line 14
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.18. Node Class 3.18. Node Class
The Node class identifies a system, asset or network; and its The Node class identifies a system, asset, or network and its
location. location.
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ] | |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ PostalAddress ] | |<>--{0..1}--[ PostalAddress ]
| |<>--{0..*}--[ Location ] | |<>--{0..*}--[ Location ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
+---------------+ +---------------+
Figure 34: The Node Class Figure 34: The Node Class
The aggregate classes of the Node class are: The aggregate classes of the Node class are:
DomainData DomainData
Zero or more. The domain (DNS) information associated with this Zero or more. The domain (DNS) information associated with this
Node. If an Address is not provided, at least one DomainData MUST node. If an Address is not provided, at least one DomainData MUST
be specified. See Section 3.19. be specified. See Section 3.19.
Address Address
Zero or more. The hardware, network, or application address of Zero or more. The hardware, network, or application address of
the Node. If a DomainData is not provided, at least one Address the node. If a DomainData is not provided, at least one Address
MUST be specified. See Section 3.18.1. MUST be specified. See Section 3.18.1.
PostalAddress PostalAddress
Zero or one. POSTAL. The postal address of the node. Zero or one. POSTAL. The postal address of the node.
Location Location
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
physical location of the Node. This description may provide a physical location of the node. This description may provide a
more detailed description of where in the PostalAddress this Node more detailed description of where at the address specified by the
is found (e.g., room number, rack number, slot number in a PostalAddress class this node is found (e.g., room number, rack
chassis). number, or slot number in a chassis).
Counter Counter
Zero or more. A counter with which to summarizes properties of Zero or more. A counter with which to summarize properties of
this host or network. See Section 3.18.3. this host or network. See Section 3.18.3.
The Node class has no attributes. The Node class has no attributes.
3.18.1. Address Class 3.18.1. Address Class
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (Layer 2), network (Layer 3),
or application (layer-7) address. or application (Layer 7) address.
+-------------------------+ +-------------------------+
| Address | | Address |
+-------------------------+ +-------------------------+
| STRING | | STRING |
| | | |
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
skipping to change at page 65, line 43 skipping to change at page 68, line 47
value is "ipv6-addr". These values are maintained in the value is "ipv6-addr". These values are maintained in the
"Address-category" IANA registry per Section 10.2. "Address-category" IANA registry per Section 10.2.
1. asn. Autonomous System Number. 1. asn. Autonomous System Number.
2. atm. Asynchronous Transfer Mode (ATM) address. 2. atm. Asynchronous Transfer Mode (ATM) address.
3. e-mail. Email address, per the EMAIL data type. 3. e-mail. Email address, per the EMAIL data type.
4. ipv4-addr. IPv4 host address in dotted-decimal notation 4. ipv4-addr. IPv4 host address in dotted-decimal notation
(a.b.c.d). (i.e., a.b.c.d).
5. ipv4-net. IPv4 network address in dotted-decimal notation, 5. ipv4-net. IPv4 network address in dotted-decimal notation,
slash, significant bits (i.e., a.b.c.d/nn). slash, significant bits (i.e., a.b.c.d/nn).
6. ipv4-net-masked. A sanitized IPv4 address with significant 6. ipv4-net-masked. A sanitized IPv4 address with significant
bits per "ipv4-net" but with the character 'x' replacing any bits per "ipv4-net" but with the character 'x' replacing any
digit(s) in the address or prefix. digit(s) in the address or prefix.
7. ipv4-net-mask. IPv4 network address in dotted-decimal 7. ipv4-net-mask. IPv4 network address in dotted-decimal
notation, slash, network mask in dotted-decimal notation notation, slash, network mask in dotted-decimal notation
skipping to change at page 66, line 47 skipping to change at page 69, line 51
vlan-num vlan-num
Optional. INTEGER. The number of the Virtual LAN to which the Optional. INTEGER. The number of the Virtual LAN to which the
address belongs. address belongs.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.18.2. NodeRole Class 3.18.2. NodeRole Class
The NodeRole class describes the function performed by or role of a The NodeRole class describes the function performed by or role of a
particular system, asset or network. particular system, asset, or network.
+-----------------------+ +-----------------------+
| NodeRole | | NodeRole |
+-----------------------+ +-----------------------+
| ENUM category |<>--{0..*}--[ Description ] | ENUM category |<>--{0..*}--[ Description ]
| STRING ext-category | | STRING ext-category |
+-----------------------+ +-----------------------+
Figure 36: The NodeRole Class Figure 36: The NodeRole Class
skipping to change at page 68, line 33 skipping to change at page 71, line 33
22. application. Application server. 22. application. Application server.
23. database. Database server. 23. database. Database server.
24. backup. Backup server. 24. backup. Backup server.
25. dhcp. DHCP server. 25. dhcp. DHCP server.
26. assessment. Assessment server (e.g., vulnerability scanner, 26. assessment. Assessment server (e.g., vulnerability scanner,
end-point assessment). endpoint assessment).
27. source-control. Source code control server. 27. source-control. Source code control server.
28. config-management. Configuration management server. 28. config-management. Configuration management server.
29. monitoring. Security monitoring server (e.g., IDS). 29. monitoring. Security monitoring server (e.g., IDS).
30. infra. Infrastructure server (e.g., router, firewall, DHCP). 30. infra. Infrastructure server (e.g., router, firewall, DHCP).
31. infra-firewall. Firewall. 31. infra-firewall. Firewall.
skipping to change at page 70, line 32 skipping to change at page 73, line 32
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 37: The Counter Class Figure 37: The Counter Class
The content of the class is a value of type REAL whose meaning and The content of the class is a value of type REAL whose meaning and
units are determined by the type and duration attributes, units are determined by the type and duration attributes,
respectively. If the duration attribute is present, the element respectively. If the duration attribute is present, the element
content is a rather. Otherwise, it is a simple counter. content is a rate. Otherwise, it is a simple counter.
The attributes of the Counter class are: The attributes of the Counter class are:
type type
Required. ENUM. Specifies the type of counter specified in the Required. ENUM. Specifies the type of counter specified in the
element content. These values are maintained in the "Counter- element content. These values are maintained in the "Counter-
type" IANA registry per Section 10.2. type" IANA registry per Section 10.2.
1. count. The Counter class value is a counter. 1. count. The Counter class value is a counter.
skipping to change at page 71, line 14 skipping to change at page 74, line 16
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1. See Section 5.1.1.
unit unit
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
These values are maintained in the "Counter-unit" IANA registry These values are maintained in the "Counter-unit" IANA registry
per Section 10.2. per Section 10.2.
1. byte. Bytes transferred. 1. byte. Bytes transferred.
2. mbit. Megabits (Mbits) transfered. 2. mbit. Megabits (Mbits) transferred.
3. packet. Packets. 3. packet. Packets.
4. flow. Network flow records. 4. flow. Network flow records.
5. session. Sessions. 5. session. Sessions.
6. alert. Notifications generated by another system (e.g., IDS 6. alert. Notifications generated by another system (e.g., IDS
or SIM). or SIEM system).
7. message. Messages (e.g., mail messages). 7. message. Messages (e.g., mail messages).
8. event. Events. 8. event. Events.
9. host. Hosts. 9. host. Hosts.
10. site. Site. 10. site. Site.
11. organization. Organizations. 11. organization. Organizations.
skipping to change at page 71, line 49 skipping to change at page 75, line 7
ext-unit ext-unit
Optional. STRING. A means by which to extend the unit attribute. Optional. STRING. A means by which to extend the unit attribute.
See Section 5.1.1. See Section 5.1.1.
meaning meaning
Optional. STRING. A free-form text description of the metric Optional. STRING. A free-form text description of the metric
represented by the Counter. represented by the Counter.
duration duration
Optional. ENUM. If present, the Counter class represents a rate. Optional. ENUM. If present, the Counter class represents a rate.
This attribute specifies unit of time over which the rate whose This attribute specifies a unit of time over which the rate whose
units are specified in the unit attribute is being conveyed. This units are specified in the unit attribute is being conveyed. This
attribute is the the denominator of the rate (where the unit attribute is the denominator of the rate (where the unit attribute
attribute specified the nominator). The possible values of this specified the nominator). The possible values of this attribute
attribute are defined in the duration attribute of Section 3.12.3 are defined in the duration attribute of Section 3.12.3
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
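Because the same REAL content means a count without a duration attribute and a rate (unit per duration) with one, a consumer has to look at both attributes before doing arithmetic on Counter values. The following Python is an added example (not code from RFC 7970, the draft, or the IODEF authors) of reading Counter elements that way; it assumes namespace-free constructed fragments, and the set of duration values, which this excerpt defers to Section 3.12.3 without reproducing, is an assumption taken from that section with nominal month, quarter and year lengths.

```python
"""Interpreting IODEF v2 Counter elements.

Added example, not code from RFC 7970 or the draft; the sample fragment
is constructed and carries no IODEF namespace.
"""
import xml.etree.ElementTree as ET

# Denominators for the duration attribute.  Assumption: these are the
# values of the duration attribute of Section 3.12.3, which this excerpt
# does not reproduce; month, quarter and year use nominal lengths.
SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
               "month": 30 * 86400, "quarter": 91 * 86400, "year": 365 * 86400}

# Constructed sample: one host with two plain counters and one rate.
SAMPLE_NODE_COUNTERS = """<Node>
  <Address category="ipv4-addr">192.0.2.7</Address>
  <Counter type="count" unit="packet" meaning="packets seen from host">12000</Counter>
  <Counter type="count" unit="packet" duration="minute" meaning="peak flood">600</Counter>
  <Counter type="count" unit="byte" meaning="bytes seen from host">4096</Counter>
</Node>"""


def interpret_counter(elem):
    """Return one Counter as a dict; rates are also normalised per second."""
    if elem.get("type") is None or elem.get("unit") is None:
        raise ValueError("Counter requires the type and unit attributes")
    for attr in ("type", "unit", "duration"):
        # ext-value is only meaningful with the matching ext-* attribute.
        if elem.get(attr) == "ext-value" and not elem.get("ext-" + attr):
            raise ValueError(f"{attr}=ext-value without ext-{attr}")
    value = float(elem.text)  # the element content is of type REAL
    result = {"type": elem.get("type"), "unit": elem.get("unit"),
              "value": value, "meaning": elem.get("meaning")}
    duration = elem.get("duration")
    if duration is None:
        result["kind"] = "count"       # no duration: a simple counter
        return result
    result["kind"] = "rate"            # duration present: unit per duration
    result["per"] = duration
    if duration in SECONDS_PER:
        result["per_second"] = value / SECONDS_PER[duration]
    elif duration != "ext-value":
        raise ValueError(f"unknown duration value {duration!r}")
    return result


def summarize_counters(xml_text, unit):
    """Total the plain counts of one unit under an element and report the
    highest per-second rate of that unit.  Counts and rates are never
    added together: they have different dimensions."""
    root = ET.fromstring(xml_text)
    total = 0.0
    peak_rate = None
    for counter in root.iter("Counter"):
        info = interpret_counter(counter)
        if info["unit"] != unit:
            continue
        if info["kind"] == "count":
            total += info["value"]
        elif "per_second" in info:
            peak_rate = info["per_second"] if peak_rate is None \
                else max(peak_rate, info["per_second"])
    return {"unit": unit, "total_count": total, "peak_per_second": peak_rate}


if __name__ == "__main__":
    print(summarize_counters(SAMPLE_NODE_COUNTERS, "packet"))
```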
3.19. DomainData Class 3.19. DomainData Class
The DomainData class describes a domain name and meta-data associated The DomainData class describes a domain name and metadata associated
with this domain. with this domain.
+--------------------------+ +--------------------------+
| DomainData | | DomainData |
+--------------------------+ +--------------------------+
| ENUM system-status |<>----------[ Name ] | ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| ID observable-id |<>--{0..*}--[ RelatedDNS ] | ID observable-id |<>--{0..*}--[ RelatedDNS ]
skipping to change at page 72, line 40 skipping to change at page 75, line 46
The aggregate classes of the DomainData class are: The aggregate classes of the DomainData class are:
Name Name
One. STRING. The domain name of a system. One. STRING. The domain name of a system.
DateDomainWasChecked DateDomainWasChecked
Zero or one. DATETIME. A timestamp of when the domain listed in Zero or one. DATETIME. A timestamp of when the domain listed in
the Name class was resolved. the Name class was resolved.
RegistrationDate RegistrationDate
Zero or one. DATETIME. A timestamp of when domain listed in Name Zero or one. DATETIME. A timestamp of when domain listed in the
class was registered. Name class was registered.
ExpirationDate ExpirationDate
Zero or one. DATETIME. A timestamp of when the domain listed in Zero or one. DATETIME. A timestamp of when the domain listed in
Name class is set to expire. the Name class is set to expire.
RelatedDNS RelatedDNS
Zero or more. EXTENSION. Additional DNS records associated with Zero or more. EXTENSION. Additional DNS records associated with
this domain. this domain.
Nameservers Nameservers
Zero or more. The name servers identified for the domain listed Zero or more. The nameservers identified for the domain listed in
in Name class. See Section 3.19.1. the Name class. See Section 3.19.1.
DomainContacts DomainContacts
Zero or one. Contact information for the domain listed in Name Zero or one. Contact information for the domain listed in the
class supplied by the registrar or through a whois query. Name class supplied by the registrar or through a whois query.
The attributes of the DomainData class are: The attributes of the DomainData class are:
system-status system-status
Required. ENUM. Assesses the domain's involvement in the event. Required. ENUM. Assesses the domain's involvement in the event.
These values are maintained in the "DomainData-system-status" IANA These values are maintained in the "DomainData-system-status" IANA
registry per Section 10.2. registry per Section 10.2.
1. spoofed. This domain was spoofed. 1. spoofed. This domain was spoofed.
skipping to change at page 73, line 42 skipping to change at page 76, line 48
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-system-status ext-system-status
Optional. STRING. A means by which to extend the system-status Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
domain-status domain-status
Required. ENUM. Categorizes the registry status of the domain at Required. ENUM. Categorizes the registry status of the domain at
the time the document was generated. These values and their the time the document was generated. These values and their
associated descriptions are derived from Section 3.2.2 of associated descriptions are derived from Section 3.2.2 of
[RFC3982]. These values are maintained in the "DomainData-domain- [RFC3982]. These values are maintained in the
status" IANA registry per Section 10.2. "DomainData-domain-status" IANA registry per Section 10.2.
1. reservedDelegation. The domain is permanently inactive. 1. reservedDelegation. The domain is permanently inactive.
2. assignedAndActive. The domain is in a normal state. 2. assignedAndActive. The domain is in a normal state.
3. assignedAndInactive. The domain has an assigned registration 3. assignedAndInactive. The domain has an assigned
but the delegation is inactive. registration, but the delegation is inactive.
4. assignedAndOnHold. The domain is in dispute. 4. assignedAndOnHold. The domain is in dispute.
5. revoked. The domain is in the process of being purged from 5. revoked. The domain is in the process of being purged from
the database. the database.
6. transferPending. The domain is pending a change in 6. transferPending. The domain is pending a change in
authority. authority.
7. registryLock. The domain is on hold by the registry. 7. registryLock. The domain is on hold by the registry.
8. registrarLock. Same as "registryLock". 8. registrarLock. Same as "registryLock".
9. other. The domain has a known status but it is not one of 9. other. The domain has a known status, but it is not one of
the redefined enumerated values. the redefined enumerated values.
10. unknown. The domain has an unknown status. 10. unknown. The domain has an unknown status.
11. ext-value. A value used to indicate that this attribute is 11. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-domain-status ext-domain-status
Optional. STRING. A means by which to extend the domain-status Optional. STRING. A means by which to extend the domain-status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.19.1. Nameservers Class 3.19.1. Nameservers Class
The Nameservers class describes the name servers associated with a The Nameservers class describes the nameservers associated with a
given domain. given domain.
+--------------------+ +--------------------+
| Nameservers | | Nameservers |
+--------------------+ +--------------------+
| |<>----------[ Server ] | |<>----------[ Server ]
| |<>--{1..*}--[ Address ] | |<>--{1..*}--[ Address ]
+--------------------+ +--------------------+
Figure 39: The Nameservers Class Figure 39: The Nameservers Class
The aggregate classes of the Nameservers class are: The aggregate classes of the Nameservers class are:
Server Server
One. STRING. The domain name of the name server. One. STRING. The domain name of the nameserver.
Address Address
One or more. The address of the name server. The value of the One or more. The address of the nameserver. The value of the
category attribute MUST be either "ipv4-addr" or "ipv6-addr". See category attribute MUST be either "ipv4-addr" or "ipv6-addr". See
Section 3.18.1. Section 3.18.1.
The Nameservers class has no attributes. The Nameservers class has no attributes.
3.19.2. DomainContacts Class 3.19.2. DomainContacts Class
The DomainContacts class describes the contact information for a The DomainContacts class describes the contact information for a
given domain provided either by the registrar or through a whois given domain provided either by the registrar or through a whois
query. query.
This contact information can be explicitly described through a This contact information can be explicitly described through a
Contact class or a reference can be provided to a domain with Contact class, or a reference can be provided to a domain with
identical contact information. Either a single SameDomainContact identical contact information. Either a single SameDomainContact or
MUST be present or one or more Contact classes. one or more Contact classes MUST be present.
+--------------------+ +--------------------+
| DomainContacts | | DomainContacts |
+--------------------+ +--------------------+
| |<>--{0..1}--[ SameDomainContact ] | |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
+--------------------+ +--------------------+
Figure 40: The DomainContacts Class Figure 40: The DomainContacts Class
skipping to change at page 75, line 48 skipping to change at page 79, line 8
Contact Contact
One or more. Contact information for the domain. See One or more. Contact information for the domain. See
Section 3.9. Section 3.9.
The DomainContacts class has no attributes. The DomainContacts class has no attributes.
3.20. Service Class 3.20. Service Class
The Service class describes a network service. The service is The Service class describes a network service. The service is
described by protocol, port, protocol header field and application described by a protocol, port, protocol header field, and application
providing or using the service. providing or using the service.
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
| INTEGER ip-protocol |<>--{0..1}--[ ServiceName ] | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
| ID observable-id |<>--{0..1}--[ Port ] | ID observable-id |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ] | |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
skipping to change at page 76, line 33 skipping to change at page 79, line 39
ServiceName ServiceName
Zero or one. A protocol name. Zero or one. A protocol name.
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers. Zero or one. PORTLIST. A list of port numbers.
ProtoCode ProtoCode
Zero or one. INTEGER. A transport layer (layer 4) protocol- Zero or one. INTEGER. A transport-layer (Layer 4) protocol-
specific code field (e.g., ICMP code field). specific code field (e.g., ICMP code field).
ProtoType ProtoType
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport-layer (Layer 4) protocol-
specific type field (e.g., ICMP type field). specific type field (e.g., ICMP type field).
ProtoField ProtoField
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport-layer (Layer 4) protocol-
specific flag field (e.g., TCP flag field). specific flag field (e.g., TCP flag field).
ApplicationHeader ApplicationHeader
Zero or one. A protocol header. See Section 3.20.2. Zero or one. A protocol header. See Section 3.20.2.
EmailData EmailData
Zero or one. Headers associated with an email message. See Zero or one. Headers associated with an email message. See
Section 3.21. Section 3.21.
Application Application
Zero or one. SOFTWARE. The application acting as either the Zero or one. SOFTWARE. The application acting as either the
client or server for the service. client or the server for the service.
At least one of these classes MUST be present. At least one of these classes MUST be present.
When a given System classes with category="source" and another with When a given System class with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
The attributes of the Service class are: The attributes of the Service class are:
ip-protocol ip-protocol
Optional. INTEGER. The IANA assigned IP protocol number per Optional. INTEGER. The IANA-assigned IP protocol number per
[IANA.Protocols] The attribute MUST be set if a Port, Portlist, [IANA.Protocols]. The attribute MUST be set if a Port, Portlist,
ProtoCode, ProtoType, ProtoField class is present. ProtoCode, ProtoType, or ProtoField class is present.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
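The two normative rules in this section (ip-protocol MUST be set when a port or protocol field is given, and source/target Portlists in one Flow MUST pair up one-to-one) are easy to get wrong when generating reports by hand. The following is an added example, not code from the RFC or from any IODEF implementation; it assumes the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0 and that a PORTLIST is a comma-separated list of port numbers and inclusive "N-M" ranges, with ranges expanded so that "the n-th port" means an individual port.

```python
"""Checks for the Service-class rules in IODEF v2 (RFC 7970, Section 3.20).

Added example; not code from the RFC or from any IODEF implementation.
Assumptions: the IODEF v2 namespace is urn:ietf:params:xml:ns:iodef-2.0, and a
PORTLIST is a comma-separated list of port numbers and inclusive ranges "N-M".
Ranges are expanded, so "the n-th port" below means an individual port.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
NS = {"iodef": IODEF_NS}
PROTO_DEPENDENT = ("Port", "Portlist", "ProtoCode", "ProtoType", "ProtoField")


def expand_portlist(text):
    """Expand a PORTLIST such as "22,80,1024-1026" into [22, 80, 1024, 1025, 1026]."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError("descending range in PORTLIST: %s" % item)
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    return ports


def check_service(service):
    """Rule: ip-protocol MUST be set if Port, Portlist, ProtoCode, ProtoType or
    ProtoField is present. Returns a list of problem strings."""
    present = [c for c in PROTO_DEPENDENT if service.find("iodef:" + c, NS) is not None]
    if present and service.get("ip-protocol") is None:
        return ["Service has %s but no ip-protocol" % ", ".join(present)]
    return []


def check_flow(flow):
    """Rules: when both the source and target Systems of a Flow carry Portlists,
    they list the same number of ports, and a Flow with more than one port pair
    has exactly one source and one target System. Returns problem strings."""
    problems = []
    systems = {"source": [], "target": []}
    for system in flow.findall("iodef:System", NS):
        if system.get("category") in systems:
            systems[system.get("category")].append(system)
        for service in system.findall("iodef:Service", NS):
            problems.extend(check_service(service))

    def portlists(group):
        return [expand_portlist(pl.text or "") for s in group
                for pl in s.findall("iodef:Service/iodef:Portlist", NS)]

    src, dst = portlists(systems["source"]), portlists(systems["target"])
    if src and dst:
        n, m = sum(map(len, src)), sum(map(len, dst))
        if n != m:
            problems.append("source lists %d ports but target lists %d" % (n, m))
        if n > 1 and (len(systems["source"]) != 1 or len(systems["target"]) != 1):
            problems.append("a Flow with %d port pairs must have exactly one "
                            "source and one target System" % n)
    return problems


def check_document(xml_text):
    """Run the Flow checks over every Flow in an IODEF fragment."""
    root = ET.fromstring(xml_text)
    return [p for flow in root.iter("{%s}Flow" % IODEF_NS) for p in check_flow(flow)]


# Constructed sample: one scanning host probing three services, with the source
# and target Portlists aligned as the RFC requires (3 ports each, same order).
GOOD_FLOW = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>40001-40003</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.5</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Constructed sample that breaks two rules: the target lists only two ports and
# its Service carries a Portlist without ip-protocol.
BAD_FLOW = GOOD_FLOW.replace('<Service ip-protocol="6"><Portlist>22,80,443',
                             '<Service><Portlist>22,80')

if __name__ == "__main__":
    print("good:", check_document(GOOD_FLOW))
    print("bad: ", check_document(BAD_FLOW))
```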
3.20.1. ServiceName Class 3.20.1. ServiceName Class
The ServiceName class identifies an application protocol. It can be The ServiceName class identifies an application protocol. It can be
described by referencing an IANA registered protocol, a URL or with described by referencing an IANA-registered protocol, by referencing
free-form text. a URL, or with free-form text.
+--------------------+ +--------------------+
| ServiceName | | ServiceName |
+--------------------+ +--------------------+
| |<>--{0..1}--[ IANAService ] | |<>--{0..1}--[ IANAService ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
+--------------------+ +--------------------+
Figure 42: The ServiceName Class Figure 42: The ServiceName Class
The aggregate classes of the ServiceName class are: The aggregate classes of the ServiceName class are:
IANAService IANAService
Zero or one. STRING. The name of the service per the "Service Zero or one. STRING. The name of the service per the "Service
Name" field of the [IANA.Ports] registry. Name" field of the registry [IANA.Ports].
URL URL
Zero or more. URL. A URL to a resource describing the service. Zero or more. URL. A URL to a resource describing the service.
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
service. service.
At least one of these classes MUST be present. At least one of these classes MUST be present.
skipping to change at page 78, line 33 skipping to change at page 81, line 39
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ ApplicationHeaderField ] | |<>--{1..*}--[ ApplicationHeaderField ]
+--------------------------+ +--------------------------+
Figure 43: The ApplicationHeader Class Figure 43: The ApplicationHeader Class
The aggregate class of the ApplicationHeader class is: The aggregate class of the ApplicationHeader class is:
ApplicationHeaderField ApplicationHeaderField
One or more. EXTENSION. A field name and value in a protocol One or more. EXTENSION. A field name and value in a protocol
header. The 'name' attribute MUST be set to the field name. The header. The name attribute MUST be set to the field name. The
field value MUST be set in the element content. field value MUST be set in the element content.
The ApplicationHeader class has no attributes. The ApplicationHeader class has no attributes.
3.21. EmailData Class 3.21. EmailData Class
The EmailData class describes headers from an email message and The EmailData class describes headers from an email message and
cryptographic hash and signatures applied to it. cryptographic hashes and signatures applied to it.
+-------------------------+ +-------------------------+
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| ID observable-id |<>--{0..*}--[ EmailTo ] | ID observable-id |<>--{0..*}--[ EmailTo ]
| |<>--{0..1}--[ EmailFrom ] | |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..1}--[ EmailHeaders ] | |<>--{0..1}--[ EmailHeaders ]
skipping to change at page 79, line 34 skipping to change at page 82, line 39
EmailTo EmailTo
Zero or more. EMAIL. The value of the "To:" header field Zero or more. EMAIL. The value of the "To:" header field
(Section 3.6.3 of [RFC5322]) in an email. (Section 3.6.3 of [RFC5322]) in an email.
EmailFrom EmailFrom
Zero or one. EMAIL. The value of the "From:" header field Zero or one. EMAIL. The value of the "From:" header field
(Section 3.6.2 of [RFC5322]) in an email. (Section 3.6.2 of [RFC5322]) in an email.
EmailSubject EmailSubject
Zero or one. STRING. The value of the "Subject:" header field in Zero or one. STRING. The value of the "Subject:" header field in
an email. See Section 3.6.4 of [RFC5322]. an email. See Section 3.6.5 of [RFC5322].
EmailX-Mailer EmailX-Mailer
Zero or one. STRING. The value of the "X-Mailer:" header field Zero or one. STRING. The value of the "X-Mailer:" header field
in an email. in an email.
EmailHeaderField EmailHeaderField
Zero or more. EXTENSION. The header name and value of an Zero or more. EXTENSION. The header name and value of an
arbitrary header field of the email message. The 'name' attribute arbitrary header field of the email message. The name attribute
MUST be set to header name. The header value MUST be set in the MUST be set to the header name. The header value MUST be set in
element body. The dtype attribute MUST be set to "string". the element body. The dtype attribute MUST be set to "string".
EmailHeaders EmailHeaders
Zero or one. STRING. The headers of an email message. Zero or one. STRING. The headers of an email message.
EmailBody EmailBody
Zero or one. STRING. The body of an email message. Zero or one. STRING. The body of an email message.
EmailMessage EmailMessage
Zero or one. STRING. The headers and body of an email message. Zero or one. STRING. The headers and body of an email message.
skipping to change at page 80, line 33 skipping to change at page 83, line 38
source of this data will often be the output of monitoring tools. source of this data will often be the output of monitoring tools.
These logs substantiate the activity described in the document. These logs substantiate the activity described in the document.
+------------------------+ +------------------------+
| Record | | Record |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 45: Record Class Figure 45: The Record Class
The aggregate classes of the Record class are: The aggregate classes of the Record class are:
RecordData RecordData
One or more. Log or audit data generated by a particular tool. One or more. Log or audit data generated by a particular tool.
Separate instances of the RecordData class SHOULD be used for each Separate instances of the RecordData class SHOULD be used for each
type of log. See Section 3.22.1. type of log. See Section 3.22.1.
The attributes of the Record class are: The attributes of the Record class are:
skipping to change at page 82, line 22 skipping to change at page 85, line 25
CertificateData CertificateData
Zero or more. The certificates that were involved in the Zero or more. The certificates that were involved in the
incident. See Section 3.24. incident. See Section 3.24.
AdditionalData AdditionalData
Zero or more. EXTENSION. An extension mechanism for data not Zero or more. EXTENSION. An extension mechanism for data not
explicitly represented in the data model. explicitly represented in the data model.
At least one of the following classes MUST be present: RecordItem, At least one of the following classes MUST be present: RecordItem,
URL, FileData, WindowsRegistryKeysModified, CertificateData or URL, FileData, WindowsRegistryKeysModified, CertificateData, or
AdditionalData. AdditionalData.
The attributes of the RecordData class are: The attributes of the RecordData class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.22.2. RecordPattern Class 3.22.2. RecordPattern Class
The RecordPattern class describes where in the log data provided or The RecordPattern class describes where in the log data provided or
referenced in RecordData class relevant information can be found. It referenced in the RecordData class relevant information can be found.
provides a way to reference subsets of information, identified by a It provides a way to reference subsets of information, identified by
pattern, in a large log file, audit trail, or forensic data. a pattern, in a large log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
skipping to change at page 83, line 31 skipping to change at page 86, line 31
pattern. pattern.
The attributes of the RecordPattern class are: The attributes of the RecordPattern class are:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". These values are the element content. The default is "regex". These values are
maintained in the "RecordPattern-type" IANA registry per maintained in the "RecordPattern-type" IANA registry per
Section 10.2. Section 10.2.
1. regex. regular expression as defined by POSIX Extended 1. regex. Regular expression as defined by POSIX Extended
Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX]. Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex-encoded binary pattern, per the HEXBIN data
type. type.
3. xpath. XML Path (XPath) [W3C.XPATH] 3. xpath. XML Path (XPath) [W3C.XPATH].
4. ext-value. A value used to indicate that this attribute is 4. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1. See Section 5.1.1.
offset offset
skipping to change at page 84, line 41 skipping to change at page 87, line 43
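A consumer of a Record has to dispatch on the RecordPattern type attribute before it can locate the referenced information. The following is an added example, not code from the RFC or from any IODEF implementation; it handles the three registered type values (regex, binary, xpath) over constructed sample records, leaves offset and offsetunit uninterpreted, and assumes Python's re as a stand-in for POSIX ERE, so patterns stay within the shared subset (no [[:digit:]]-style bracket classes).

```python
"""Apply an IODEF v2 RecordPattern (RFC 7970, Section 3.22.2) to record data.

Added example; not code from the RFC or from any IODEF implementation. It
handles the three registered type values (regex, binary, xpath) and leaves
the offset and offsetunit attributes uninterpreted. Assumption: Python's re
stands in for POSIX ERE, so patterns stick to the shared subset.
"""
import re
import xml.etree.ElementTree as ET


def apply_record_pattern(ptype, pattern, record):
    """Return what `pattern` selects in `record`.

    regex  -> list of (start, end) character spans in a str record
    binary -> list of (start, end) byte spans of the HEXBIN needle in bytes
    xpath  -> list of matched Element objects in an XML str record
    """
    if ptype == "regex":
        return [m.span() for m in re.finditer(pattern, record)]
    if ptype == "binary":
        needle = bytes.fromhex(pattern)        # HEXBIN element content
        if not needle:
            raise ValueError("empty binary pattern")
        spans, pos = [], record.find(needle)
        while pos != -1:
            spans.append((pos, pos + len(needle)))
            pos = record.find(needle, pos + 1)
        return spans
    if ptype == "xpath":
        return ET.fromstring(record).findall(pattern)   # ElementTree's XPath subset
    raise ValueError("unsupported RecordPattern type: %s" % ptype)


# Constructed sample records (not taken from any real system).
AUTH_LOG = (
    "Nov  5 03:14:07 gw sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2\n"
    "Nov  5 03:14:09 gw sshd[2211]: Accepted publickey for ops from 192.0.2.7 port 50022 ssh2\n"
    "Nov  5 03:14:12 gw sshd[2213]: Failed password for admin from 203.0.113.9 port 51240 ssh2\n"
)
FAILED_LOGIN_ERE = r"Failed password for [^ ]+ from [0-9]+(\.[0-9]+){3}"

PE_BLOB = b"\x00\x00MZ\x90\x00\x03\x00\x00\x00MZ\x90\x00"   # constructed, not a real PE
MZ_HEXBIN = "4d5a9000"                                      # "MZ\x90\x00" as HEXBIN

AUDIT_XML = """<audit>
  <event id="1" result="fail"><user>root</user></event>
  <event id="2" result="ok"><user>ops</user></event>
  <event id="3" result="fail"><user>admin</user></event>
</audit>"""
FAILED_EVENTS_XPATH = ".//event[@result='fail']"


def demo():
    """Run all three pattern types over the constructed records."""
    return {
        "regex": apply_record_pattern("regex", FAILED_LOGIN_ERE, AUTH_LOG),
        "binary": apply_record_pattern("binary", MZ_HEXBIN, PE_BLOB),
        "xpath": [e.get("id") for e in
                  apply_record_pattern("xpath", FAILED_EVENTS_XPATH, AUDIT_XML)],
    }


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(kind, hits)
```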
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| ID observable-id |<>--{1..*}--[ Key ] | ID observable-id |<>--{1..*}--[ Key ]
+-----------------------------+ +-----------------------------+
Figure 48: The WindowsRegistryKeysModified Class Figure 48: The WindowsRegistryKeysModified Class
The aggregate classes of the WindowsRegistryKeysModified class are: The aggregate classes of the WindowsRegistryKeysModified class are:
Key Key
One or more. The Window registry key. See Section 3.23.1. One or more. The Windows registry key. See Section 3.23.1.
The attribute of the WindowsRegistryKeysModified class is: The attribute of the WindowsRegistryKeysModified class is:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.23.1. Key Class 3.23.1. Key Class
The Key class describes a Windows operating system registry key name The Key class describes a Windows operating system registry key name
and value pair, and the operation performed on it. and value pair, as well as the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id | | ID observable-id |
+---------------------------+ +---------------------------+
Figure 49: The Key Class Figure 49: The Key Class
The aggregate classes of the Key class are: The aggregate classes of the Key class are:
KeyName KeyName
One. STRING. The name of a Windows operating system registry key One. STRING. The name of a Windows operating system registry key
(e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
KeyValue KeyValue
Zero or one. STRING. The value of the registry key identified in Zero or one. STRING. The value of the registry key identified in
the KeyName class encoded per the .reg file format [KB310516]. the KeyName class encoded per the .reg file format [KB310516].
The attributes of the Key class are: The attributes of the Key class are:
registryaction registryaction
Optional. ENUM. The type of action taken on the registry key. Optional. ENUM. The type of action taken on the registry key.
These values are maintained in the "Key-registryaction" IANA These values are maintained in the "Key-registryaction" IANA
skipping to change at page 88, line 14 skipping to change at page 91, line 19
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.25.1. File Class 3.25.1. File Class
The File class describes a file; its associated meta data; and The File class describes a file; its associated metadata; and
cryptographic hashes and signatures applied to it. cryptographic hashes and signatures applied to it.
+-----------------------+ +-----------------------+
| File | | File |
+-----------------------+ +-----------------------+
| ID observable-id |<>--{0..1}--[ FileName ] | ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ] | |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ] | |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ] | |<>--{0..1}--[ SignatureData ]
| |<>--{0..1}--[ AssociatedSoftware ] | |<>--{0..1}--[ AssociatedSoftware ]
| |<>--{0..*}--[ FileProperties ] | |<>--{0..*}--[ FileProperties ]
+-----------------------+ +-----------------------+
Figure 53: The File Class Figure 53: The File Class
The aggregate classes of the File class are: The aggregate classes of the File class are:
FileName FileName
Zero or One. STRING. The name of the file. Zero or one. STRING. The name of the file.
FileSize FileSize
Zero or One. INTEGER. The size of the file in bytes. Zero or one. INTEGER. The size of the file in bytes.
FileType FileType
Zero or One. STRING. The type of file per the IANA Media Types Zero or one. STRING. The type of file per the IANA "Media Types"
Registry [IANA.Media]. Valid values correspond to the text in the registry [IANA.Media]. Valid values correspond to the text in the
"Template" column (e.g., "application/pdf"). "Template" column (e.g., "application/pdf").
URL URL
Zero or more. URL. A URL reference to the file. Zero or more. URL. A URL reference to the file.
HashData HashData
Zero or One. Hash(es) associated with this file. See Zero or one. Hash(es) associated with this file. See
Section 3.26. Section 3.26.
SignatureData SignatureData
Zero or One. Signature(s) associated with this file. See Zero or one. Signature(s) associated with this file. See
Section 3.27. Section 3.27.
AssociatedSoftware AssociatedSoftware
Zero or One. SOFTWARE. The software application or operating Zero or one. SOFTWARE. The software application or operating
system to which this file belongs or by which it can be processed. system to which this file belongs or by which it can be processed.
FileProperties FileProperties
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model to describe properties of the file. model to describe properties of the file.
The attributes of the File class are: The attributes of the File class are:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.26. HashData Class 3.26. HashData Class
The HashData class describes different types of hashes on an given The HashData class describes different types of hashes on a given
object (e.g., file, part of a file, email). object (e.g., file, part of a file, email).
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM scope |<>--{0..1}--[ HashTargetID ] | ENUM scope |<>--{0..1}--[ HashTargetID ]
| |<>--{0..*}--[ Hash ] | |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ] | |<>--{0..*}--[ FuzzyHash ]
+--------------------------+ +--------------------------+
Figure 54: The HashData Class Figure 54: The HashData Class
The aggregate classes of the HashData class are: The aggregate classes of the HashData class are:
HashTargetID HashTargetID
Zero or One. STRING. An identifier that references a subset of Zero or one. STRING. An identifier that references a subset of
the object being hashed. The semantics of this identifier are the object being hashed. The semantics of this identifier are
specified by the scope attribute. specified by the scope attribute.
Hash Hash
Zero or more. The hash of an object. See Section 3.26.1. Zero or more. The hash of an object. See Section 3.26.1.
FuzzyHash FuzzyHash
Zero or more. The fuzzy hash of an object. See Section 3.26.2. Zero or more. The fuzzy hash of an object. See Section 3.26.2.
At least one instance of either Hash or FuzzyHash MUST be present. At least one instance of either Hash or FuzzyHash MUST be present.
skipping to change at page 90, line 17 skipping to change at page 93, line 21
should be applied. These values are maintained in the "HashData- should be applied. These values are maintained in the "HashData-
scope" IANA registry per Section 10.2. scope" IANA registry per Section 10.2.
1. file-contents. A hash computed over the entire contents of a 1. file-contents. A hash computed over the entire contents of a
file. file.
2. file-pe-section. A hash computed on a given section of a 2. file-pe-section. A hash computed on a given section of a
Windows Portable Executable (PE) file. If set to this value, Windows Portable Executable (PE) file. If set to this value,
the HashTargetID class MUST identify the section being hashed. the HashTargetID class MUST identify the section being hashed.
A section is identified by an ordinal number (starting at 1) A section is identified by an ordinal number (starting at 1)
corresponding to the the order in which the given section corresponding to the order in which the given section header
header was defined in the Section Table of the PE file header. was defined in the Section Table of the PE file header.
3. file-pe-iat. A hash computed on the Import Address 3. file-pe-iat. A hash computed on the Import Address
Table (IAT) of a PE file. As IAT hashes are often tool Table (IAT) of a PE file. As IAT hashes are often tool
dependent, if this value is set, the Application class of dependent, if this value is set, the Application class of
either the Hash or FuzzyHash classes MUST specify the tool either the Hash or FuzzyHash classes MUST specify the tool
used to generate the hash. used to generate the hash.
4. file-pe-resource. A hash computed on a given resource in a PE 4. file-pe-resource. A hash computed on a given resource in a PE
file. If set to this value, the HashTargetID class MUST file. If set to this value, the HashTargetID class MUST
identify the resource being hashed. A resource is identified identify the resource being hashed. A resource is identified
skipping to change at page 91, line 28 skipping to change at page 94, line 34
| |<>--{0..1}--[ ds:CanonicalizationMethod ] | |<>--{0..1}--[ ds:CanonicalizationMethod ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+----------------+ +----------------+
Figure 55: The Hash Class Figure 55: The Hash Class
The aggregate classes of the Hash class are: The aggregate classes of the Hash class are:
ds:DigestMethod ds:DigestMethod
One. The hash algorithm used to generate the hash. See One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG] Section 4.3.3.5 of [W3C.XMLSIG].
ds:DigestValue ds:DigestValue
One. The computed hash value. See Section 4.3.3.6 of One. The computed hash value. See Section 4.3.3.6 of
[W3C.XMLSIG]. [W3C.XMLSIG].
ds:CanonicalizationMethod ds:CanonicalizationMethod
Zero or one. The canonicalization method used on the object being Zero or one. The canonicalization method used on the object being
hashed. See Section 4.3.1 of [W3C.XMLSIG]. hashed. See Section 4.3.1 of [W3C.XMLSIG].
Application Application
Zero or One. SOFTWARE. The application used to calculate the Zero or one. SOFTWARE. The application used to calculate the
hash. hash.
The HashData class has no attributes. The HashData class has no attributes.
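Because the Hash class reuses XML Signature's ds:DigestMethod and ds:DigestValue, a receiver can recompute the digest named by the Algorithm URI and compare it with the base64 value, and a producer has to honour the HashData scope rules above (HashTargetID is mandatory for file-pe-section and file-pe-resource). The following is an added example, not code from the RFC or from any IODEF library; it assumes the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0 and the XML Signature algorithm URIs listed in the code.

```python
"""Build and verify the IODEF v2 Hash class (RFC 7970, Section 3.26.1).

Added example; not code from the RFC or from any IODEF library. It assumes
the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0 and the XML Signature
conventions the Hash class reuses: ds:DigestMethod names the algorithm by a
URI in its Algorithm attribute and ds:DigestValue holds the base64 digest.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)

# Digest algorithm URIs from XML Signature / XML Encryption, mapped to hashlib names.
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",   # legacy: accepted but flagged
}


def build_hashdata(data, algorithm_uri, scope="file-contents", target_id=None):
    """Return a HashData element with one Hash of `data`.

    For scope file-pe-section or file-pe-resource the RFC makes HashTargetID
    mandatory, because the hash covers only the part that it names."""
    if scope in ("file-pe-section", "file-pe-resource") and target_id is None:
        raise ValueError("scope %s requires a HashTargetID" % scope)
    digest = hashlib.new(DIGEST_ALGORITHMS[algorithm_uri], data).digest()

    hashdata = ET.Element("{%s}HashData" % IODEF_NS, {"scope": scope})
    if target_id is not None:
        ET.SubElement(hashdata, "{%s}HashTargetID" % IODEF_NS).text = str(target_id)
    h = ET.SubElement(hashdata, "{%s}Hash" % IODEF_NS)
    ET.SubElement(h, "{%s}DigestMethod" % DS_NS, {"Algorithm": algorithm_uri})
    ET.SubElement(h, "{%s}DigestValue" % DS_NS).text = base64.b64encode(digest).decode()
    return hashdata


def verify_hash(hash_elem, data):
    """Recompute the digest named by ds:DigestMethod over `data` and compare it
    with ds:DigestValue. Returns (matches, warning)."""
    method = hash_elem.find("{%s}DigestMethod" % DS_NS)
    value = hash_elem.find("{%s}DigestValue" % DS_NS)
    if method is None or value is None or not value.text:
        raise ValueError("Hash needs one ds:DigestMethod and one ds:DigestValue")
    name = DIGEST_ALGORITHMS.get(method.get("Algorithm"))
    if name is None:
        raise ValueError("unsupported DigestMethod: %s" % method.get("Algorithm"))
    expected = base64.b64decode(value.text.strip(), validate=True)
    actual = hashlib.new(name, data).digest()
    matches = hmac.compare_digest(expected, actual)
    warning = "SHA-1 is not collision resistant; treat as weak" if name == "sha1" else None
    return matches, warning


def first_hash(hashdata):
    """Return the first Hash child of a HashData element."""
    return hashdata.find("{%s}Hash" % IODEF_NS)


# Constructed sample object (not a real file) and a round trip over it.
SAMPLE = b"constructed sample file contents\n"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

if __name__ == "__main__":
    hd = build_hashdata(SAMPLE, SHA256)
    print(ET.tostring(hd, encoding="unicode"))
    print(verify_hash(first_hash(hd), SAMPLE))          # (True, None)
    print(verify_hash(first_hash(hd), SAMPLE + b"!"))   # (False, None)
```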
3.26.2. FuzzyHash Class 3.26.2. FuzzyHash Class
The FuzzyHash class describes a fuzzy hash and the application used The FuzzyHash class describes a fuzzy hash and the application used
to generate it. to generate it.
+--------------------------+ +--------------------------+
skipping to change at page 92, line 46 skipping to change at page 96, line 8
| SignatureData | | SignatureData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ ds:Signature ] | |<>--{1..*}--[ ds:Signature ]
+--------------------------+ +--------------------------+
Figure 57: The SignatureData Class Figure 57: The SignatureData Class
The aggregate class of the SignatureData class is: The aggregate class of the SignatureData class is:
Signature Signature
One or more. An given signature. See Section 4.2 of [W3C.XMLSIG] One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
The SignatureData class has no attributes. The SignatureData class has no attributes.
3.28. IndicatorData Class 3.28. IndicatorData Class
The IndicatorData class describes indicators and meta-data associated The IndicatorData class describes indicators and metadata associated
with them. with them.
+--------------------------+ +--------------------------+
| IndicatorData | | IndicatorData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ Indicator ] | |<>--{1..*}--[ Indicator ]
+--------------------------+ +--------------------------+
Figure 58: The IndicatorData Class Figure 58: The IndicatorData Class
skipping to change at page 93, line 29 skipping to change at page 96, line 36
Indicator Indicator
One or more. A description of an indicator. See Section 3.29. One or more. A description of an indicator. See Section 3.29.
The IndicatorData class has no attributes. The IndicatorData class has no attributes.
3.29. Indicator Class 3.29. Indicator Class
The Indicator class describes an indicator. An indicator consists of The Indicator class describes an indicator. An indicator consists of
observable features and phenomenon that aid in the forensic or observable features and phenomenon that aid in the forensic or
proactive detection of malicious activity; and associated meta-data. proactive detection of malicious activity and associated metadata.
An indicator can be described outright; by referencing or composing An indicator can be described outright by referencing or composing
previously defined indicators; or by referencing observables previously defined indicators or by referencing observables described
described in the incident report found in this document. in the incident report found in this document.
+------------------------+ +------------------------+
| Indicator | | Indicator |
+------------------------+ +------------------------+
| ENUM restriction |<>----------[ IndicatorID ] | ENUM restriction |<>----------[ IndicatorID ]
| STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ] | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ]
skipping to change at page 97, line 30
| |<>--{0..*}--[ AttackPhase ]
| |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 59: The Indicator Class
The aggregate classes of the Indicator class are:
IndicatorID
One. An identifier for this indicator. See Section 3.29.1.
AlternativeIndicatorID
Zero or more. An alternative identifier for this indicator. See
Section 3.29.2.
Description
Zero or more. ML_STRING. A free-form text description of the
indicator.
StartTime
Zero or one. DATETIME. A timestamp of the start of the time
period during which this indicator is valid.
EndTime
skipping to change at page 98, line 28
Zero or one. A composition of observables. See Section 3.29.4.
IndicatorReference
Zero or one. A reference to an indicator. See Section 3.29.7.
NodeRole
Zero or more. The role of the system in the attack should this
indicator be matched to it. See Section 3.18.2.
AttackPhase
Zero or more. The phase in an attack life cycle during which this
indicator might be seen. See Section 3.29.8.
Reference
Zero or more. A reference to additional information relevant to
this indicator. See Section 3.11.1.
AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data
model.
skipping to change at page 99, line 17
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.29.1. IndicatorID Class
The IndicatorID class identifies an indicator with a globally unique
identifier. The combination of the name and version attributes and
the element content form this identifier. Indicators generated by a
given CSIRT MUST NOT reuse the same value unless they are referencing
the same indicator.
+------------------+
| IndicatorID |
+------------------+
| ID |
| |
| STRING name |
skipping to change at page 100, line 22
+-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| STRING ext-restriction |
+-------------------------+
Figure 61: The AlternativeIndicatorID Class
The aggregate class of the AlternativeIndicatorID class is:
IndicatorReference
One or more. A reference to an indicator. See Section 3.29.7.
The attributes of the AlternativeIndicatorID class are:
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
skipping to change at page 101, line 40
| |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 62: The Observable Class
The aggregate classes of the Observable class are:
System
Zero or one. A System observable. See Section 3.17.
Address
Zero or one. An Address observable. See Section 3.18.1.
DomainData
Zero or one. A DomainData observable. See Section 3.19.
Service
Zero or one. A Service observable. See Section 3.20.
EmailData
Zero or one. An EmailData observable. See Section 3.21.
WindowsRegistryKeysModified
Zero or one. A WindowsRegistryKeysModified observable. See
Section 3.23.
FileData
Zero or one. A FileData observable. See Section 3.25.
CertificateData
Zero or one. A CertificateData observable. See Section 3.24.
skipping to change at page 102, line 37
Expectation
Zero or one. An Expectation observable. See Section 3.15.
Reference
Zero or one. A Reference observable. See Section 3.11.1.
Assessment
Zero or one. An Assessment observable. See Section 3.12.
DetectionPattern
Zero or one. A DetectionPattern observable. See Section 3.10.1.
HistoryItem
Zero or one. A HistoryItem observable. See Section 3.13.1.
BulkObservable
Zero or one. A bulk list of observables. See Section 3.29.3.1.
AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data
model.
skipping to change at page 103, line 17
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.29.3.1. BulkObservable Class
The BulkObservable class allows the enumeration of a single type of
observable without requiring each one to be encoded individually in
multiple instances of the same class.
The type attribute describes the type of observable listed in the
child BulkObservableList class. The BulkObservableFormat class
optionally provides additional metadata.
+---------------------------+
| BulkObservable |
+---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
Figure 63: The BulkObservable Class
The aggregate classes of the BulkObservable class are:
BulkObservableFormat
Zero or one. Provides additional metadata about the observables
enumerated in the BulkObservableList class. See
Section 3.29.3.1.1.
BulkObservableList
One. STRING. A list of observables, one per line. Each line is
separated with either a LF character or CR and LF characters. The
type attribute specifies which observables will be listed.
AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data
model.
The attributes of the BulkObservable class are:
type
Optional. ENUM. The type of the observable listed in the child
skipping to change at page 104, line 20
"BulkObservable-type" IANA registry per Section 10.2.
1. asn. Autonomous System Number (per the Address@category
attribute).
2. atm. Asynchronous Transfer Mode (ATM) address (per the
Address@category attribute).
3. e-mail. Email address (per the Address@category attribute).
4. ipv4-addr. IPv4 host address in dotted-decimal notation,
e.g., 192.0.2.1 (per the Address@category attribute).
5. ipv4-net. IPv4 network address in dotted-decimal notation,
slash, significant bits, e.g., 192.0.2.0/24 (per the
Address@category attribute).
6. ipv4-net-mask. IPv4 network address in dotted-decimal
notation, slash, network mask in dotted-decimal notation,
i.e., 192.0.2.0/255.255.255.0 (per the Address@category
attribute).
7. ipv6-addr. IPv6 host address, e.g., 2001:DB8::3 (per the
Address@category attribute).
8. ipv6-net. IPv6 network address, slash, significant bits,
e.g., 2001:DB8::/32 (per the Address@category attribute).
9. ipv6-net-mask. IPv6 network address, slash, network mask
(per the Address@category attribute).
10. mac. Media Access Control (MAC) address, i.e., a:b:c:d:e:f
(per the Address@category attribute).
11. site-uri. A URL or URI for a resource (per the
Address@category attribute).
12. domain-name. A fully qualified domain name or part of a name
(e.g., fqdn.example.com, example.com).
13. domain-to-ipv4. A mapping of FQDN to IPv4 address specified
as a comma-separated list (e.g., "fqdn.example.com,
192.0.2.1").
14. domain-to-ipv6. A mapping of FQDN to IPv6 address specified
as a comma-separated list (e.g., "fqdn.example.com,
2001:DB8::3").
15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
timestamp (in the DATETIME format) of the resolution (e.g.,
"fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
timestamp (in the DATETIME format) of the resolution (e.g.,
"fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
17. ipv4-port. An IPv4 address, port, and protocol tuple (e.g.,
192.0.2.1, 80, TCP). The protocol name corresponds to the
"Keyword" column in the "Assigned Internet Protocol Numbers"
registry [IANA.Protocols].
18. ipv6-port. An IPv6 address, port, and protocol tuple (e.g.,
2001:DB8::3, 80, TCP). The protocol name corresponds to the
"Keyword" column in the "Assigned Internet Protocol Numbers"
registry [IANA.Protocols].
19. windows-reg-key. A Microsoft Windows registry key.
20. file-hash. A file hash. The format of this hash is
described in the Hash class that MUST be present in a sibling
BulkObservableFormat class.
21. email-x-mailer. An X-Mailer field from an email.
22. email-subject. An email subject line.
23. http-user-agent. A User Agent field from an HTTP request
header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
Gecko/20100101 Firefox/38.0").
24. http-request-uri. The Request URI from an HTTP request
header.
25. mutex. The name of a system mutex (mutual exclusion lock).
26. file-path. A file path (e.g., "/tmp/local/file",
"c:\windows\system32\file.sys").
27. user-name. A username.
28. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
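A BulkObservableList is a plain newline-separated string whose meaning depends entirely on BulkObservable@type, so a consumer has to validate every line against the declared type before acting on it. The following Python parser is an added example (not code from RFC 7970 or from any IODEF implementation) covering the address, network, domain, mapping and port-tuple types listed above; the file-hash branch (hex-encoded digests), the protocol keyword check and the sample list are this example's own assumptions, and a real consumer would look keywords up in the IANA registries the text names.

```python
"""Validate an IODEF v2 BulkObservableList (RFC 7970, Section 3.29.3.1).  Added example,
not code from the RFC: one observable per line (LF or CRLF), checked against @type."""
import ipaddress
import re
from datetime import datetime

# Letter-digit-hyphen labels; "domain-name" may be a partial name such as example.com.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                        r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
_ipv4_addr = lambda s: str(ipaddress.IPv4Address(s))
_ipv6_addr = lambda s: str(ipaddress.IPv6Address(s))

def _fields(line, count):
    # Comma-separated tuple such as "fqdn.example.com, 192.0.2.1"
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != count:
        raise ValueError(f"expected {count} comma-separated fields, got {len(parts)}")
    return parts

def _domain(s):
    if not _DOMAIN_RE.match(s):
        raise ValueError(f"not a domain name: {s!r}")
    return s.lower()

def _net_bits(cls):
    # Network address, slash, significant bits; strict=True rejects set host bits.
    def parse(s):
        _addr, sep, bits = s.partition("/")
        if not sep or not bits.isdigit():
            raise ValueError(f"expected address/significant-bits: {s!r}")
        return str(cls(s, strict=True))
    return parse

def _ipv4_net_mask(s):
    # Network address, slash, network mask in dotted-decimal notation.
    _addr, sep, mask = s.partition("/")
    if not sep or mask.count(".") != 3:
        raise ValueError(f"expected address/dotted-decimal-mask: {s!r}")
    net = ipaddress.IPv4Network(s, strict=True)
    return f"{net.network_address}/{net.netmask}"

def _domain_to(ip_parser, with_timestamp):
    def parse(line):
        parts = _fields(line, 3 if with_timestamp else 2)
        entry = (_domain(parts[0]), ip_parser(parts[1]))
        if with_timestamp:  # DATETIME of the resolution, e.g. 2015-06-11T00:38:31-06:00
            entry += (datetime.fromisoformat(parts[2]).isoformat(),)
        return entry
    return parse

def _port_tuple(ip_parser):
    def parse(line):
        ip, port, proto = _fields(line, 3)
        if not port.isdigit() or int(port) > 65535:
            raise ValueError(f"bad port: {port!r}")
        # Assumption: only the keyword's shape is checked; a real consumer looks it up in
        # the IANA "Assigned Internet Protocol Numbers" registry (Keyword column).
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", proto):
            raise ValueError(f"bad protocol keyword: {proto!r}")
        return (ip_parser(ip), int(port), proto.upper())
    return parse

VALIDATORS = {
    "ipv4-addr": _ipv4_addr, "ipv6-addr": _ipv6_addr,
    "ipv4-net": _net_bits(ipaddress.IPv4Network), "ipv6-net": _net_bits(ipaddress.IPv6Network),
    "ipv4-net-mask": _ipv4_net_mask, "domain-name": _domain,
    "domain-to-ipv4": _domain_to(_ipv4_addr, False), "domain-to-ipv6": _domain_to(_ipv6_addr, False),
    "domain-to-ipv4-timestamp": _domain_to(_ipv4_addr, True),
    "domain-to-ipv6-timestamp": _domain_to(_ipv6_addr, True),
    "ipv4-port": _port_tuple(_ipv4_addr), "ipv6-port": _port_tuple(_ipv6_addr),
}

def split_lines(text):
    """Lines separated by LF or CR-and-LF; one trailing newline is tolerated."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return lines

def parse_bulk_observable(obs_type, list_text, hash_format=None):
    """Return the normalized entries of a BulkObservableList, or raise ValueError."""
    if obs_type == "file-hash":
        # The hash format MUST be given by a Hash class in a sibling BulkObservableFormat;
        # assumption of this example: the list then holds hex-encoded digests.
        if hash_format is None:
            raise ValueError("file-hash requires a sibling BulkObservableFormat/Hash")
        validator = lambda s: bytes.fromhex(s).hex()
    elif obs_type in VALIDATORS:
        validator = VALIDATORS[obs_type]
    else:
        raise ValueError(f"unsupported BulkObservable@type: {obs_type!r}")
    entries = []
    for number, line in enumerate(split_lines(list_text), start=1):
        try:
            entries.append(validator(line))
        except ValueError as exc:  # ipaddress errors are ValueError subclasses
            raise ValueError(f"line {number}: {exc}") from None
    return entries

# Constructed sample list (mixed CRLF and LF), shaped like the spec's own example value.
SAMPLE_LIST = ("fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00\r\n"
               "www.example.net, 192.0.2.77, 2015-06-11T01:02:03+00:00\n")
```

Calling `parse_bulk_observable("domain-to-ipv4-timestamp", SAMPLE_LIST)` yields two (name, address, timestamp) tuples; a malformed entry fails with its line number, and a list of type file-hash is refused outright when no sibling Hash format is supplied, which is the MUST stated for item 20 above. Every network type is parsed strictly, so "192.0.2.1/24" is rejected as a network address because host bits are set.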
3.29.3.1.1. BulkObservableFormat Class
The ObservableFormat class specifies metadata about the format of an
observable enumerated in a sibling BulkObservableList class.
+---------------------------+
| BulkObservableFormat |
+---------------------------+
| |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
Figure 64: The BulkObservableFormat Class
skipping to change at page 106, line 43
Zero or more. EXTENSION. Mechanism by which to extend the data
model.
The BulkObservableFormat class has no attributes.
Either Hash or AdditionalData MUST be present.
3.29.4. IndicatorExpression Class
The IndicatorExpression describes an expression composed of observed
phenomena, features, or indicators. Elements of the expression can
be described directly, reference relevant data from other parts of a
given IODEF document, or reference previously defined indicators.
All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is
determined by the operator attribute.
+--------------------------+
| IndicatorExpression |
+--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| STRING ext-operator |<>--{0..*}--[ Observable ]
skipping to change at page 108, line 16
4. xor. exclusive disjunction operator.
ext-operator
Optional. STRING. A means by which to extend the operator
attribute. See Section 5.1.1.
3.29.5. Expressions with IndicatorExpression
Boolean algebraic expressions can be used to specify relationships
between observables and indicators. These expressions are
constructed through the use of the operator attribute and
parent-child relationships in IndicatorExpressions. These
expressions should be parsed as follows:
1. The operator specified by the operator attribute is applied
between each of the child elements of the immediate parent
IndicatorExpression element. If no operator attribute is
specified, it should be assumed to be the conjunction operator
(i.e., operator="and").
2. A nested IndicatorExpression element with a parent
IndicatorExpression is the equivalent of parentheses in the
expression.
The following examples in Figures 66 through 70 illustrate these
parsing rules:
1 : <IndicatorExpression>
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: (O1 AND O2)
Figure 66: Nested Elements in an IndicatorExpression without an
Operator Attribute Specified
1 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: (O1 OR O2)
Figure 67: Nested Elements in an IndicatorExpression with an Operator
Attribute Specified
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression operator="or">
3 [O1]: <Observable>..</Observable>
4 [O2]: <Observable>..</Observable>
5 : </IndicatorExpression>
6 [O3]: <Observable>..</Observable>
7 : </IndicatorExpression>
Equivalent expression: ((O1 OR O2) OR O3)
Figure 68: Nested Elements with a Recursive IndicatorExpression with
an Operator Attribute Specified
1 : <IndicatorExpression operator="not">
2 : <IndicatorExpression operator="and">
3 [O1]: <Observable>..</Observable>
4 [O2]: <Observable>..</Observable>
5 : </IndicatorExpression>
6 : </IndicatorExpression>
Equivalent expression: (NOT (O1 AND O2))
Figure 69: A Recursive IndicatorExpression with an Operator Attribute
Specified
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression>
3 [O1 with low confidence] : <Observable>..</Observable>
4 : <Confidence rating="low" />
5 : </IndicatorExpression>
6 : <IndicatorExpression>
7 [O2 with high confidence]: <Observable>..</Observable>
8 : <Confidence rating="high" />
9 : </IndicatorExpression>
10 : </IndicatorExpression>
Equivalent expression: ((O1) OR (O2))
Figure 70: Varying Confidence on Particular Observables
Invalid algebraic expressions, even when they are valid XML, MUST NOT
be specified.
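The two parsing rules above, applied to trees like those in Figures 66 through 70, as an added Python example (not code from the RFC or from any IODEF implementation): it walks an IndicatorExpression, labels operands O1, O2, ... in document order, renders the "Equivalent expression" form used in the figures, evaluates it against a mapping of which observables matched, and rejects trees that are valid XML but not valid algebra (no operands, or "not" applied to more than one operand). Treating ObservableReference and IndicatorReference as operands, ignoring ext-operator values, and the sample document are this example's assumptions.

```python
"""Walk, render and evaluate IODEF v2 IndicatorExpression trees (RFC 7970, Section 3.29.5).
Added example, not code from the RFC."""
import xml.etree.ElementTree as ET

OPERATORS = {"and", "or", "not", "xor"}
# Children that are operands of the boolean expression.  Confidence and AdditionalData
# annotate the enclosing expression and are not operands (compare Figure 70).
# Counting the two reference classes as operands is this example's assumption.
OPERAND_TAGS = {"Observable", "ObservableReference", "IndicatorReference"}

def _local(tag):
    """Strip the namespace: '{urn:ietf:params:xml:ns:iodef-2.0}Observable' -> 'Observable'."""
    return tag.rsplit("}", 1)[-1]

def parse_expression(elem, counter=None):
    """Return (operator, [operands]); leaves are labels 'O1', 'O2', ... in document order.

    Rule 1: the operator attribute applies between all operand children and defaults
    to "and".  Rule 2: a nested IndicatorExpression is a parenthesized sub-expression.
    Trees that are valid XML but not valid algebra raise ValueError.
    """
    if _local(elem.tag) != "IndicatorExpression":
        raise ValueError(f"expected IndicatorExpression, got {elem.tag!r}")
    counter = [0] if counter is None else counter
    op = elem.get("operator", "and")
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r} (ext-operator values are not handled here)")
    operands = []
    for child in elem:
        tag = _local(child.tag)
        if tag == "IndicatorExpression":
            operands.append(parse_expression(child, counter))
        elif tag in OPERAND_TAGS:
            counter[0] += 1
            operands.append(f"O{counter[0]}")
    if not operands:
        raise ValueError("IndicatorExpression with no operands")
    if op == "not" and len(operands) != 1:
        raise ValueError("'not' takes exactly one operand")
    return (op, operands)

def render(tree):
    """Render in the 'Equivalent expression' notation of Figures 66 through 70."""
    if isinstance(tree, str):
        return tree
    op, operands = tree
    if op == "not":
        return f"(NOT {render(operands[0])})"
    return "(" + f" {op.upper()} ".join(render(o) for o in operands) + ")"

def evaluate(tree, env):
    """Evaluate against env = {'O1': True, ...}, i.e. whether each observable matched."""
    if isinstance(tree, str):
        return bool(env[tree])
    op, operands = tree
    values = [evaluate(o, env) for o in operands]
    if op == "and":
        return all(values)
    if op == "or":
        return any(values)
    if op == "not":
        return not values[0]
    result = values[0]  # xor: exclusive disjunction, folded left to right
    for v in values[1:]:
        result = result != v
    return result

def compile_indicator_expression(xml_text):
    """Parse XML text into (tree, rendered string)."""
    tree = parse_expression(ET.fromstring(xml_text))
    return tree, render(tree)

# Constructed sample in the IODEF namespace: a low-confidence observable OR the
# negation of a conjunction, with the observable bodies elided as in the figures.
SAMPLE = """<iodef:IndicatorExpression xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" operator="or">
  <iodef:IndicatorExpression>
    <iodef:Observable/>
    <iodef:Confidence rating="low"/>
  </iodef:IndicatorExpression>
  <iodef:IndicatorExpression operator="not">
    <iodef:IndicatorExpression operator="and">
      <iodef:Observable/>
      <iodef:ObservableReference/>
    </iodef:IndicatorExpression>
  </iodef:IndicatorExpression>
</iodef:IndicatorExpression>"""

if __name__ == "__main__":
    tree, text = compile_indicator_expression(SAMPLE)
    print(text)  # ((O1) OR (NOT (O2 AND O3)))
    print(evaluate(tree, {"O1": False, "O2": True, "O3": True}))
```

The evaluator keeps the figures' convention that a nested expression with a single operand still renders with its own parentheses, so the Figure 70 tree comes out as ((O1) OR (O2)). A detection engine built on this would plug its per-observable match results into `env`; the parser's ValueError cases are the "invalid algebraic expression while valid XML" situation the text forbids, and a consumer should reject such documents rather than guess.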
3.29.6. ObservableReference Class
The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document.
The ObservableReference class has no content.
+-------------------------+
| ObservableReference |
skipping to change at page 111, line 16
Optional. STRING. An identifier that references an IndicatorID
not in this IODEF document.
version
Optional. STRING. A version number of an indicator.
Either the uid-ref or the euid-ref attribute MUST be set.
3.29.8. AttackPhase Class
The AttackPhase class describes a particular phase of an attack life
cycle.
+------------------------+
| AttackPhase |
+------------------------+
| |<>--{0..*}--[ AttackPhaseID ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 73: The AttackPhase Class
The aggregate classes of the AttackPhase class are:
AttackPhaseID
Zero or more. STRING. An identifier for the phase of the attack.
URL
Zero or more. URL. A URL to a resource describing this phase of
the attack.
skipping to change at page 112, line 16
This section provides additional requirements and guidance on
creating and processing IODEF documents.
4.1. Encoding
Every IODEF document MUST begin with an XML declaration and MUST
specify the XML version used. The character encoding MUST also be
explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
[RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
NOT be used. The IODEF conforms to all XML data-encoding conventions
and constraints.
The XML declaration with UTF-8 character encoding will read as
follows:
<?xml version="1.0" encoding="UTF-8" ?>
Certain characters have special meaning in XML and MUST not appear in
literal form. Per Section 2.4 of [W3C.XML], these characters MUST be
escaped with a numeric character or entity reference.
skipping to change at page 112, line 47
version="2.00" lang="en-US"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0" ...>
4.3. Validation
IODEF documents MUST be well-formed XML. It is RECOMMENDED that
recipients validate the document against the schema described in
Section 8. However, mere conformance to this schema is not
sufficient for a semantically valid IODEF document. The text of
Section 3 describes further formatting and constraints, including
some that cannot be conveniently encoded in the schema. These MUST
also be considered by an IODEF implementation. Furthermore, the
enumerated values present in this document are a static list that
will be incomplete over time as select attributes can be extended by
a corresponding IANA registry per Section 10.2. Therefore, IODEF
implementations SHOULD periodically update their schema and MAY need
to update their parsing algorithms to incorporate newly registered
values.
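The encoding and validation requirements of Sections 4.1 and 4.3, as an added Python example (not code from the RFC or from any IODEF implementation): it checks that a document begins with an XML declaration naming both the XML version and the character encoding, flags encodings other than UTF-8 and UTF-16, parses for well-formedness, and shows how element content is escaped so that characters with special XML meaning never appear literally. Schema validation per Section 8 is out of scope here because the schema is not reproduced on this page; the minimal document builder and the root-element and version checks are this example's own assumptions, modelled on the Section 4.2 fragment.

```python
"""Encoding and well-formedness checks from RFC 7970, Sections 4.1 and 4.3.
Added example, not code from the RFC; schema validation (Section 8) is out of scope."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
# XML declaration with a mandatory version and encoding (standalone is optional).
_DECL_RE = re.compile(
    r'^<\?xml\s+version=(["\'])(1\.\d+)\1\s+encoding=(["\'])([A-Za-z][A-Za-z0-9._-]*)\3'
    r'(?:\s+standalone=(["\'])(?:yes|no)\5)?\s*\?>')

def check_encoding(doc: bytes):
    """Return (encoding, findings); findings are the Section 4.1 MUST/SHOULD violations."""
    findings = []
    if doc.startswith((b"\xff\xfe", b"\xfe\xff")):
        head = doc[:200].decode("utf-16", errors="replace")  # BOM selects the byte order
    else:
        head = doc[:200].decode("utf-8", errors="replace").lstrip("\ufeff")
    match = _DECL_RE.match(head)
    if not match:
        findings.append("MUST: document does not begin with an XML declaration "
                        "naming both the XML version and the character encoding")
        return None, findings
    encoding = match.group(4).upper()
    if encoding not in ("UTF-8", "UTF-16"):
        findings.append(f"SHOULD NOT: encoding {encoding} is neither UTF-8 nor UTF-16")
    return encoding, findings

def validate_document(doc: bytes):
    """Section 4.1 checks, then well-formedness (MUST) and two constraints a consumer
    wants settled before schema validation: the root element and its version attribute
    (expected values taken from the Section 4.2 fragment; an assumption of this example)."""
    encoding, findings = check_encoding(doc)
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        findings.append(f"MUST: not well-formed XML: {exc}")
        return findings
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
        findings.append(f"root element is {root.tag!r}, not iodef:IODEF-Document")
    if root.get("version") != "2.00":
        findings.append("IODEF-Document@version is not 2.00")
    return findings

def build_document(description, encoding="UTF-8", escape_content=True):
    """Constructed minimal IODEF-Document (not schema-complete) around one Description.
    escape() replaces <, > and & with entity references; attribute values use quoteattr()."""
    body = escape(description) if escape_content else description
    text = (f'<?xml version="1.0" encoding="{encoding}" ?>\n'
            f'<iodef:IODEF-Document version="2.00" xml:lang="en-US"\n'
            f'    xmlns:iodef="{IODEF_NS}">\n'
            f'  <iodef:Incident><iodef:Description>{body}</iodef:Description></iodef:Incident>\n'
            f'</iodef:IODEF-Document>\n')
    return text.encode(encoding)

if __name__ == "__main__":
    samples = [
        ("escaped", build_document("seen: a < b && <b>")),
        ("unescaped", build_document("seen: a < b && <b>", escape_content=False)),
        ("utf-16", build_document("ok", encoding="UTF-16")),
        ("latin-1", build_document("ok", encoding="ISO-8859-1")),
        ("no declaration", b'<iodef:IODEF-Document version="2.00" '
                           b'xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"/>'),
    ]
    for label, doc in samples:
        print(label, validate_document(doc) or "OK")
```

The unescaped sample shows why the escaping rule matters to a consumer: a Description containing a literal "<" is not well-formed, so a recipient that parses strictly rejects the whole report rather than misreading it, which is the behaviour the MUST in Section 4.3 calls for. The encoding check works on the raw bytes before any parse, because the declaration is what tells the parser how to decode the rest.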
4.4. Incompatibilities with v1 4.4. Incompatibilities with v1
The IODEF data model in this document makes a number of changes to The IODEF data model in this document makes a number of changes to
[RFC5070]. These changes were largely additive -- classes and [RFC5070]. These changes were largely additive -- classes and
enumerated values were added. However, some incompatibilities enumerated values were added. However, some incompatibilities
between [RFC5070] and this new specification were introduced. These between [RFC5070] and this new specification were introduced. These
skipping to change at page 110, line 25 skipping to change at page 113, line 28
o Attributes with enumerated values can now also be extended with o Attributes with enumerated values can now also be extended with
IANA registries. IANA registries.
o All iodef:MLStringType classes use xml:lang. IODEF-Document also o All iodef:MLStringType classes use xml:lang. IODEF-Document also
uses xml:lang. uses xml:lang.
o The Service@ip_protocol attribute was renamed to @ip-protocol. o The Service@ip_protocol attribute was renamed to @ip-protocol.
o The Node/NodeName class was removed in favor of representing o The Node/NodeName class was removed in favor of representing
domain names with Node/DomainData/Name class. The Node/DataTime domain names with Node/DomainData/Name class. The Node/DataTime
class was also removed so that the Node/DomainData/ class was also removed, so that the Node/DomainData/
DateDomainWasChecked class can represent the time at which the DateDomainWasChecked class can represent the time at which the
name to address resolution occurred. name-to-address resolution occurred.
o The Node/NodeRole class was moved to System/NodeRole. o The Node/NodeRole class was moved to System/NodeRole.
o The Reference class is now defined by [RFC7495]. o The Reference class is now defined by [RFC7495].
o The data previously represented in the Impact class is now in the o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has SystemImpact and IncidentCategory classes. The Impact class has
been removed. been removed.
o The semantics of Counter@type are now represented in Counter@unit. o The semantics of Counter@type are now represented in Counter@unit.
o The IODEF-Document@formatid attribute has been renamed to @format- o The IODEF-Document@formatid attribute has been renamed to @format-
id. id.
o Incident/ReportTime is no longer mandatory. However, o The Incident/ReportTime class is no longer required. However, the
GenerationTime is. GenerationTime class is required.
o The Fax class was removed and is now represented by a generic o The Fax class was removed and is now represented by a generic
Telephone class. Telephone class.
o The Telephone, Email and PostalAddress classes were redefined from o The Telephone, Email, and PostalAddress classes were redefined
improved internationalization. from improved internationalization.
o The "ipv6-net-mask" value was remove from category attribute of o The "ipv6-net-mask" value was removed from the category attribute
Address. of Address.
5. Extending the IODEF 5. Extending the IODEF
In order to support the dynamic nature of security operations, the In order to support the dynamic nature of security operations, the
IODEF data model will need to continue to evolve. This section IODEF data model will need to continue to evolve. This section
discusses how new data elements can be incorporated into the IODEF. discusses how new data elements can be incorporated into the IODEF.
There is support to add additional enumerated values and new classes. There is support to add additional enumerated values and new classes.
Adding additional attributes to existing classes is not supported. Adding additional attributes to existing classes is not supported.
These extension mechanisms are designed so that adding new data These extension mechanisms are designed so that adding new data
elements is possible without requiring a modifications to this elements is possible without requiring modifications to this
document. Extensions can be implemented publicly or privately. With document. Extensions can be implemented publicly or privately. With
proven value, well documented extensions can be incorporated into proven value, well-documented extensions can be incorporated into
future versions of the specification. future versions of the specification.
5.1. Extending the Enumerated Values of Attributes 5.1. Extending the Enumerated Values of Attributes
Additional enumerated values can be added to select attributes either Additional enumerated values can be added to select attributes either
through the use of specially marked attributes with the "ext-" prefix through the use of specially marked attributes with the "ext-" prefix
or through a set of corresponding IANA registries. The former or through a set of corresponding IANA registries. The former
approach allows for the extension to remain private. The latter approach allows for the extension to remain private. The latter
approach is public. approach is public.
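Review bot: The change-list bullet on the Telephone, Email, and PostalAddress classes reads "redefined from improved internationalization" in both columns; the intended wording is "redefined for improved internationalization", so this one slipped through the editorial pass. The other bullets in this region check out against the rest of the document: the rename to @format-id and the Counter@type to Counter@unit change use the attribute names that appear elsewhere, the "ipv6-net-mask" bullet now has "removed" and "the category attribute", and the GenerationTime bullet states the requirement in full rather than by ellipsis.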
skipping to change at page 111, line 42 skipping to change at page 114, line 48
element whose name is identical but with a prefix of "ext-". This element whose name is identical but with a prefix of "ext-". This
special attribute is referred to as the extension attribute. The special attribute is referred to as the extension attribute. The
attribute being extended is referred to as an extensible attribute. attribute being extended is referred to as an extensible attribute.
For example, an extensible attribute named "foo" will have a For example, an extensible attribute named "foo" will have a
corresponding extension attribute named "ext-foo". An element may corresponding extension attribute named "ext-foo". An element may
have many extensible attributes. have many extensible attributes.
In addition to a corresponding extension attribute, each extensible In addition to a corresponding extension attribute, each extensible
attribute has "ext-value" as one its possible enumerated values. attribute has "ext-value" as one its possible enumerated values.
Selection of this particular value in an extensible attribute signals Selection of this particular value in an extensible attribute signals
that the extension attribute contains data. Otherwise, this "ext- that the extension attribute contains data. Otherwise, this
value" value has no meaning. "ext-value" value has no meaning.
In order to add a new enumerated value to an extensible attribute, In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute. desired value MUST be set in the corresponding extension attribute.
For example, extending the type attribute of the SystemImpact class For example, extending the type attribute of the SystemImpact class
would look as follows: would look as follows:
<SystemImpact type="ext-value" ext-type="new-attack-type"> <SystemImpact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value". extensible attribute has been set to "ext-value".
5.1.2. Public Extension of Enumerated Values 5.1.2. Public Extension of Enumerated Values
The data model also supports publicly extending select enumerated The data model also supports publicly extending select enumerated
attributes. A new entry can be added by registering a new entry in attributes. A new entry can be added by registering a new entry in
the appropriate IANA registry. Section 10.2 provides a mapping the appropriate IANA registry. Section 10.2 provides a mapping
between the extensible attributes and their corresponding registry. between the extensible attributes and their corresponding registry.
Section 4.3 discusses the XML Validation implications of this type of Section 4.3 discusses the XML validation implications of this type of
extension. All extensible attributes that support private extensions extension. All extensible attributes that support private extensions
also support public extensions. also support public extensions.
5.2. Extending Classes 5.2. Extending Classes
Classes of the EXTENSION (iodef:ExtensionType) type can extend the Classes of the EXTENSION (iodef:ExtensionType) type can extend the
data model. They provide the ability to have new atomic or XML- data model. They provide the ability to have new atomic or XML-
encoded data elements in all of the top-level classes of the Incident encoded data elements in all of the top-level classes of the Incident
class and a few of the complex subordinate classes. As there are class and in a few of the complex subordinate classes. As there are
multiple instances of the extensible classes in the data model, there multiple instances of the extensible classes in the data model, there
is discretion on where to add a new data element. It is RECOMMENDED is discretion on where to add a new data element. It is RECOMMENDED
that the extension be placed in the most closely related class to the that the extension be placed in the most closely related class to the
new information. new information.
Extensions using the atomic data types (i.e., all values of the dtype Extensions using the atomic data types (i.e., all values of the dtype
attributes other than "xml") MUST: attributes other than "xml") MUST:
1. Set the element content to the desired value, and 1. Set the element content to the desired value, and
2. Set the dtype attribute to correspond to the data type of the 2. Set the dtype attribute to correspond to the data type of the
element content. element content.
The following guidelines exist for extensions using XML (i.e., The following guidelines exist for extensions using XML (i.e.,
dtype="xml"): dtype="xml"):
1. The element content of the extensible class MUST be set to the 1. The element content of the extensible class MUST be set to the
desired value and the dtype attribute MUST be set to "xml". desired value, and the dtype attribute MUST be set to "xml".
2. The extension schema MUST declare a separate namespace. It is 2. The extension schema MUST declare a separate namespace. It is
RECOMMENDED that these extensions have the prefix "iodef-". This RECOMMENDED that these extensions have the prefix "iodef-". This
recommendation makes readability of the document easier by recommendation makes readability of the document easier by
allowing the reader to infer which namespaces relate to IODEF by allowing the reader to infer which namespaces relate to IODEF by
inspection. inspection.
3. It is RECOMMENDED that extension schemas follow the naming 3. It is RECOMMENDED that extension schemas follow the naming
convention of the IODEF data model. This too improves the convention of the IODEF data model. This too improves the
readability of extended IODEF documents. The names of all readability of extended IODEF documents. The names of all
elements SHOULD be capitalized. For elements with composed elements SHOULD be capitalized. For elements with composed
names, a capital letter SHOULD be used for each word. Attribute names, a capital letter SHOULD be used for each word. Attribute
names SHOULD be in lower case. Attributes with composed names names SHOULD be in lowercase. Attributes with composed names
SHOULD be separated by a hyphen. SHOULD be separated by a hyphen.
4. Implementations that encounter an unrecognized element, attribute 4. Implementations that encounter an unrecognized element,
or attribute value in a supported namespace SHOULD reject the attribute, or attribute value in a supported namespace SHOULD
document as a syntax error. reject the document as a syntax error.
5. There are security and performance implications in requiring 5. There are security and performance implications in requiring
implementations to dynamically download schemas at run time. implementations to dynamically download schemas at runtime.
Therefore, implementations MUST NOT download schemas at runtime Therefore, implementations MUST NOT download schemas at runtime
unless the appropriate precautions are taken. Implementations unless the appropriate precautions are taken. Implementations
also need to contend with the potential of significant network also need to contend with the potential of significant network
and processing issues. and processing issues.
6. Some adopters of the IODEF may have private schema definitions 6. Some adopters of the IODEF may have private schema definitions
that are not publicly available. Thus implementations may that are not publicly available. Thus, implementations may
encounter IODEF documents with references to private schemas that encounter IODEF documents with references to private schemas that
may not be resolvable. Hence, IODEF document recipients MUST be may not be resolvable. Hence, IODEF document recipients MUST be
prepared for a schema definition in an IODEF document never to prepared for a schema definition in an IODEF document never to
resolve. resolve.
The following schema and XML document excerpt provide a template for The following schema and XML document excerpt provide a template for
an extension schema and its use in the IODEF document. an extension schema and its use in the IODEF document.
This example schema defines a namespace of "iodef-extension1" and a This example schema defines a namespace of "iodef-extension1" and a
single element named "newdata". single element named "newdata".
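Review bot: In Section 5.1.1, "each extensible attribute has "ext-value" as one its possible enumerated values" is missing the word "of" in both columns; suggest "as one of its possible enumerated values". In the Section 5.2 guidelines, item 5 forbids runtime schema download "unless the appropriate precautions are taken" but never says what those precautions are, so the MUST NOT is hard to act on; a cross-reference to the Security Considerations (Section 9) or a sentence naming the risk the item itself alludes to (an implementation fetching and processing remote content on the strength of a reference inside an untrusted document, with the network and processing cost that entails) would make it testable. Item 6 pairs well with this, since it already requires recipients to cope with a schema reference that never resolves.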
skipping to change at page 114, line 20 skipping to change at page 117, line 42
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd"> xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting"> <Incident purpose="reporting">
... ...
<AdditionalData dtype="xml" meaning="xml"> <AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata> <iodef-extension1:newdata>
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</Incident> </Incident>
</IODEF-Document </IODEF-Document>
5.3. Deconflicting Private Extensions 5.3. Deconflicting Private Extensions
To disambiguate which private extension is used in an IODEF document, To disambiguate which private extension is used in an IODEF document,
the data model provides a means to identify the source of an the data model provides a means to identify the source of an
extension. Two attributes in the IODEF-Document class, private-enum- extension. Two attributes in the IODEF-Document class,
name and private-enum-id, are used to specify this attribution. Only private-enum-name and private-enum-id, are used to specify this
a single private extension can be identified in a given IODEF- attribution. Only a single private extension can be identified in a
Document. given IODEF-Document.
If an implementor has a single private extension, then only the If an implementor has a single private extension, then only the
private-enum-name attribute needs to be specified. Multiple distinct private-enum-name attribute needs to be specified. Multiple distinct
private extensions or versioning of a single extension can be private extensions or versioning of a single extension can be
attributed by also setting the corresponding private-num-id attributed by also setting the corresponding private-num-id
attribute. attribute.
The following XML excerpt demonstrates the specification of a private The following XML excerpt demonstrates the specification of a private
extension from "example.com" with an identifier of "13". extension from "example.com" with an identifier of "13".
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
private-enum-name="example.com" private-enum-name="example.com"
private-enum-id="13" private-enum-id="13" ...>
... ...
</IODEF-Document> </IODEF-Document>
If an unrecognized private extension is encountered in processing, If an unrecognized private extension is encountered in processing,
the recipient MAY reject the entire document as a syntax error. the recipient MAY reject the entire document as a syntax error.
6. Internationalization Issues 6. Internationalization Issues
Internationalization and localization is of specific concern to the Internationalization and localization is of specific concern to the
IODEF as it facilitates operational coordination with a diverse set IODEF as it facilitates operational coordination with a diverse set
of partners. The IODEF implements internationalization by relying on of partners. The IODEF implements internationalization by relying on
XML constructs and through explicit design choices in the data model. XML constructs and through explicit design choices in the data model.
Since the IODEF is implemented as an XML Schema, it supports Since the IODEF is implemented as an XML schema, it supports
different character encodings, such as UTF-8 and UTF-16, possible different character encodings, such as UTF-8 and UTF-16, that are
with XML. Additionally, each IODEF document MUST specify the possible with XML. Additionally, each IODEF document MUST specify
language in which its content is encoded. The language can be the language in which its content is encoded. The language can be
specified with the attribute "xml:lang" (per Section 2.12 of specified with the attribute "xml:lang" (per Section 2.12 of
[W3C.XML]) in the top-level element (i.e., IODEF-Document) and [W3C.XML]) in the top-level element (i.e., IODEF-Document) and lets
letting all other elements inherit that definition. All IODEF all other elements inherit that definition. All IODEF classes with a
classes with a free-form text definition (i.e., all those defined free-form text definition (i.e., all those defined with type
with type iodef:MLStringType) can also specify a language different iodef:MLStringType) can also specify a language different from the
from the rest of the document. rest of the document.
The data model supports multiple translations of free-form text. All The data model supports multiple translations of free-form text. All
ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
to their parent. This allows the identical text translated into to their parent. This allows the identical text translated into
different languages to be encoded in different instances of the same different languages to be encoded in different instances of the same
class with a common parent. This design also enables the creation of class with a common parent. This design also enables the creation of
a single document containing all the translations. The IODEF a single document containing all the translations. The IODEF
implementation SHOULD extract the appropriate language relevant to implementation SHOULD extract the appropriate language relevant to
the recipient. the recipient.
Related instances of a given iodef:MLStringType class that are Related instances of a given iodef:MLStringType class that are
translations of each other are identified by a common identifier set translations of each other are identified by a common identifier set
in the translation-id attribute. The example below shows three in the translation-id attribute. The example below shows three
instances of a Description class expressed in three different instances of a Description class expressed in three different
languages. The relationship between these three instances of the languages. The relationship between these three instances of the
Description class is conveyed by the common value of "1" in the Description class is conveyed by the common value of "1" in the
translation-id attribute. translation-id attribute.
<IODEF-Document version="2.00" xml:lang="en" ... <IODEF-Document version="2.00" xml:lang="en" ...>
<Incident purpose="reporting"> <Incident purpose="reporting">
... ...
<Description translation-id="1" <Description translation-id="1"
xml:lang="en">English</Description> xml:lang="en">English</Description>
<Description translation-id="1" <Description translation-id="1"
xml:lang="de">Englisch</Description> xml:lang="de">Englisch</Description>
<Description translation-id="1" <Description translation-id="1"
xml:lang="fr">Anglais</Description> xml:lang="fr">Anglais</Description>
The IODEF balances internationalization support with the need for The IODEF balances internationalization support with the need for
interoperability. While the IODEF supports different languages, the interoperability. While the IODEF supports different languages, the
data model also relies heavily on standardized enumerated attributes data model also relies heavily on standardized enumerated attributes
that can crudely approximate the contents of the document. With this that can crudely approximate the contents of the document. With this
approach, a CSIRT should be able to make some sense of an IODEF approach, a CSIRT should be able to make some sense of an IODEF
document it receives even if the free-form text data elements are document it receives even if the free-form text data elements are
written in a language unfamiliar to the recipient. written in a language unfamiliar to the recipient.
7. Examples 7. Examples
This section provides example of IODEF documents. These examples do This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the the only not represent the full capabilities of the data model or the only way
way to encode particular information. to encode particular information.
7.1. Minimal Example 7.1. Minimal Example
A document containing only the mandatory elements and attributes. A document containing only the mandatory elements and attributes.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- Minimum IODEF document --> <!-- Minimum IODEF document -->
<IODEF-Document version="2.00" xml:lang="en" <IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation= xsi:schemaLocation=
"http://www.iana.org/assignments/xmlregistry/schema/ "http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd"> iodef-2.0.xsd">
<Incident purpose="reporting" restriction="private"> <Incident purpose="reporting" restriction="private">
<IncidentID name="csirt.example.com">492382</IncidentID> <IncidentID name="csirt.example.com">492382</IncidentID>
<GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime> <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
<Contact type="organization" role="creator"> <Contact type="organization" role="creator">
<Email> <Email>
<EmailTo>contact@csirt.example.com</EmailTo> <EmailTo>contact@csirt.example.com</EmailTo>
</Email> </Email>
</Contact> </Contact>
<!-- Add more fields to make the document useful --> <!-- Add more fields to make the document useful -->
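Review bot: In Section 5.3, "by also setting the corresponding private-num-id attribute" is wrong in both columns; the attribute is named private-enum-id in the preceding paragraph and in the XML excerpt, so this should read "private-enum-id". Two points on the XML excerpts: the extension template has xsi:schemaLocation="iodef-extension1.xsd" and the minimal example has xsi:schemaLocation with only the schema URL, but xsi:schemaLocation takes whitespace-separated namespace/location pairs, so a validating parser will not bind these locations to the iodef-extension1 or urn:ietf:params:xml:ns:iodef-2.0 namespace; either lead with the namespace URI, e.g. xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0 http://www.iana.org/assignments/xml-registry/schema/iodef-2.0.xsd", or use xsi:noNamespaceSchemaLocation. The line break inside the minimal example's attribute value also splits the URL into two tokens, which a parser would read as a (wrong) pair. Separately, the MAY in "the recipient MAY reject the entire document" (Section 5.3) sits close to the SHOULD reject for unrecognized elements in Section 5.2 item 4; a sentence stating that item 4 covers supported namespaces while 5.3 covers unknown private extensions would stop readers treating them as contradictory. The corrections made in this region (the missing ">" on </IODEF-Document> and on the two IODEF-Document start tags, and "xmlregistry" to "xml-registry" in the IANA URL) are right.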
skipping to change at page 139, line 11 skipping to change at page 142, line 32
<xs:enumeration value="reflector"/> <xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/> <xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/> <xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/> <xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/> <xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<!-- <!--
=================================================================== ===================================================================
== Service Class == == Service class ==
=================================================================== ===================================================================
--> -->
<xs:element name="Service"> <xs:element name="Service">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ServiceName" minOccurs="0"/> <xs:element ref="iodef:ServiceName" minOccurs="0"/>
<xs:element ref="iodef:Port" minOccurs="0"/> <xs:element ref="iodef:Port" minOccurs="0"/>
<xs:element ref="iodef:Portlist" minOccurs="0"/> <xs:element ref="iodef:Portlist" minOccurs="0"/>
<xs:element ref="iodef:ProtoType" minOccurs="0"/> <xs:element ref="iodef:ProtoType" minOccurs="0"/>
<xs:element ref="iodef:ProtoCode" minOccurs="0"/> <xs:element ref="iodef:ProtoCode" minOccurs="0"/>
skipping to change at page 145, line 25 skipping to change at page 148, line 46
<xs:simpleType name="recordpattern-offsetunit-type"> <xs:simpleType name="recordpattern-offsetunit-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/> <xs:enumeration value="line"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:element name="RecordItem" type="iodef:ExtensionType"/> <xs:element name="RecordItem" type="iodef:ExtensionType"/>
<!-- <!--
=================================================================== ===================================================================
== WindowsRegistryKeysModified Class == == WindowsRegistryKeysModified class ==
=================================================================== ===================================================================
--> -->
<xs:element name="WindowsRegistryKeysModified"> <xs:element name="WindowsRegistryKeysModified">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Key" maxOccurs="unbounded"/> <xs:element ref="iodef:Key" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Key"> <xs:element name="Key">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:KeyName"/> <xs:element ref="iodef:KeyName"/>
<xs:element ref="iodef:Value" minOccurs="0"/> <xs:element ref="iodef:Value" minOccurs="0"/>
</xs:sequence> </xs:sequence>
skipping to change at page 146, line 15 skipping to change at page 149, line 37
<xs:enumeration value="add-value"/> <xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/> <xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/> <xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/> <xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/> <xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<!-- <!--
==================================================================== ====================================================================
== FileData Class == == FileData class ==
==================================================================== ====================================================================
--> -->
<xs:element name="FileData"> <xs:element name="FileData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:File" <xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
skipping to change at page 147, line 7 skipping to change at page 150, line 28
<xs:attribute name="observable-id" type="xs:ID" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FileName" type="xs:string"/> <xs:element name="FileName" type="xs:string"/>
<xs:element name="FileSize" type="xs:integer"/> <xs:element name="FileSize" type="xs:integer"/>
<xs:element name="FileType" type="xs:string"/> <xs:element name="FileType" type="xs:string"/>
<xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/> <xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
<xs:element name="FileProperties" type="iodef:ExtensionType"/> <xs:element name="FileProperties" type="iodef:ExtensionType"/>
<!-- <!--
==================================================================== ====================================================================
== HashData Class == == HashData class ==
==================================================================== ====================================================================
--> -->
<xs:element name="HashData"> <xs:element name="HashData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:HashTargetID" minOccurs="0"/> <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
<xs:element ref="iodef:Hash" <xs:element ref="iodef:Hash"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FuzzyHash" <xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
skipping to change at page 148, line 15 skipping to change at page 151, line 36
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/> <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
<!-- <!--
=================================================================== ===================================================================
== SignatureData Class == == SignatureData class ==
=================================================================== ===================================================================
--> -->
<xs:element name="SignatureData"> <xs:element name="SignatureData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:Signature" maxOccurs="unbounded"/> <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
=================================================================== ===================================================================
== CertificateData == == CertificateData class ==
=================================================================== ===================================================================
--> -->
<xs:element name="CertificateData"> <xs:element name="CertificateData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Certificate" maxOccurs="unbounded"/> <xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
skipping to change at page 149, line 6 skipping to change at page 152, line 27
<xs:sequence> <xs:sequence>
<xs:element ref="ds:X509Data"/> <xs:element ref="ds:X509Data"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
=================================================================== ===================================================================
== IndicatorData Class == == IndicatorData class ==
=================================================================== ===================================================================
--> -->
<xs:element name="IndicatorData"> <xs:element name="IndicatorData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Indicator" <xs:element ref="iodef:Indicator"
                  minOccurs="1" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
[...]
              <xs:element ref="iodef:Description"
                          minOccurs="0" maxOccurs="unbounded"/>
              <xs:element ref="iodef:AdditionalData"
                          minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="AttackPhaseID" type="xs:string"/>
        <!--
        ===================================================================
        == Miscellaneous classes ==
        ===================================================================
        -->
        <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
        <xs:element name="Description" type="iodef:MLStringType"/>
        <xs:element name="URL" type="xs:anyURI"/>
        <!--
        ===================================================================
        == IODEF data types ==
        ===================================================================
        -->
        <xs:simpleType name="PositiveFloatType">
          <xs:restriction base="xs:float">
            <xs:minExclusive value="0"/>
          </xs:restriction>
        </xs:simpleType>
        <xs:complexType name="MLStringType">
          <xs:simpleContent>
            <xs:extension base="xs:string">
[...]
        </xs:simpleType>
      </xs:schema>
9. Security Considerations

   The IODEF data model does not directly introduce security or privacy
   issues.  However, as the data encoded by the IODEF might be
   considered sensitive by the parties exchanging it or by those
   described by it, care needs to be taken to ensure appropriate
   handling during the document construction, exchange, processing,
   archiving, subsequent retrieval, and analysis.

9.1. Security

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   An IODEF implementation may act on the data in the document.  These
   actions might be explicitly requested in the document or the result
   of analytical logic that triggered on data in the document.  For this
   reason, care must be taken by IODEF implementations to properly
   authenticate the sender and receiver of the document.  The sender
   needs confidence that sensitive information and timely requests for
   action are sent to the correct recipient.  The recipient may
   interpret the contents of the document differently based on who sent
   it or vary actions based on the sender.  While the sender of the
   document may explicitly convey confidence in the data in a granular
   way using the Confidence class, the recipient is free to ignore or
   refine this information to make its own assessment.  Ambiguous
   Confidence elements (where it is unclear to which of a set of other
   elements the Confidence element relates) in a document MUST be
   ignored by the recipient.

   Certain classes may require out-of-band coordination to agree upon
   their semantics (e.g., Confidence@rating="low" or DefinedCOA).  This
   coordination MUST occur prior to operational data exchange to prevent
[...]

   Per Section 4.3, IODEF implementations will need to periodically
   consult the IANA registries specified in Section 10.2 to discover
   newly registered enumerated attribute values.  These implementations
   MUST communicate with IANA in a way that ensures the integrity of the
   values and the authenticity of the source.  HTTPS over TLS
   [RFC2818][RFC5246] provides such security.

9.2. Privacy

   The IODEF contains numerous fields that are identifiers that could be
   linked to an individual or organization.  IODEF documents may contain
   sensitive information about these identified parties; repeated
   document exchanges about the same and related parties may enable the
   correlation of data about them.  Likewise, a party may report on
   another to a third party without their knowledge.

   When creating an IODEF document, careful consideration must be given
   to what information is shared.  Personal identifiers and attributable
   sensitive information should only be shared when necessary.

   When exchanging documents, transport security MUST provide document-
   level confidentiality.  XML element-level confidentiality can also be
   provided by using [W3C.XMLENC].

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.

   Although outside of the scope of an IODEF implementation, the
   contents of IODEF documents and any derived analysis should be
   archived with appropriate confidentiality controls.  Likewise, access
   to retrieve and analyze this data should be restricted to authorized
   users.
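   The recipient-side handling that Section 9.2 leaves to the
   implementation (honouring the sender's restriction attribute before a
   report is passed on, and sharing personal identifiers only where
   necessary) can be made concrete.  The following is an added example
   and is not code from RFC 7970 or from any IODEF implementation.  It
   assumes its own ranking of the restriction values (public < partner <
   need-to-know < private), treats a missing attribute or "default" as
   inheriting from the nearest ancestor, treats any value outside that
   ranking (an "ext-" value, for instance) as "private" so that unknown
   policies fail closed, and uses a constructed sample document.

```python
"""Added example, not part of RFC 7970: apply the IODEF ``restriction``
attribute on the recipient side before an incident report is forwarded.

Assumptions made here and not taken from the page:
- the ranking public < partner < need-to-know < private is this example's
  own ordering of the restriction values;
- a missing attribute or "default" inherits from the nearest ancestor, and
  children of the document root inherit "private" when nothing is stated;
- any value outside the ranking is treated as "private" (fail closed);
- the sample document below is constructed for this example.
"""
import copy
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # namespace from Section 10.1

# Rank of each restriction value; a higher rank is more tightly controlled.
RANK = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}
FAIL_CLOSED = RANK["private"]

# Constructed sample: the Incident is shareable with partners, one
# Description is public, and the analyst's e-mail address is private.
SAMPLE = f"""<IODEF-Document version="2.00" xml:lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="partner">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <GenerationTime>2016-11-01T10:00:00Z</GenerationTime>
    <Description restriction="public">Scanning observed from one host.</Description>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
      <Email restriction="private">
        <EmailTo>analyst@csirt.example.com</EmailTo>
      </Email>
    </Contact>
  </Incident>
</IODEF-Document>
"""


def effective_restriction(elem, inherited):
    """Restriction that applies to ``elem``: its own attribute, unless that
    is absent or "default", in which case the ancestor's value carries over."""
    own = elem.get("restriction")
    return inherited if own in (None, "default") else own


def redact(root, audience):
    """Deep copy of ``root`` with every element whose effective restriction
    is stricter than ``audience`` removed together with its subtree.  The
    root is treated as a container (IODEF-Document carries no restriction
    attribute of its own), so its children start from "private"."""
    limit = RANK[audience]
    clone = copy.deepcopy(root)

    def prune(elem, inherited):
        for child in list(elem):
            level = effective_restriction(child, inherited)
            if RANK.get(level, FAIL_CLOSED) > limit:
                elem.remove(child)  # too sensitive for this audience
            else:
                prune(child, level)

    prune(clone, "private")
    return clone


def remaining_tags(xml_text, audience):
    """Local names of the elements that survive redaction, in document
    order; this is what an onward transfer to ``audience`` would carry."""
    pruned = redact(ET.fromstring(xml_text), audience)
    return [e.tag.split("}", 1)[-1] for e in pruned.iter()]


if __name__ == "__main__":
    for who in ("public", "partner", "private"):
        print(who, remaining_tags(SAMPLE, who))
```

   For a "partner" audience the private Email subtree is dropped while
   the public Description and the partner-level Incident survive; for a
   "public" audience the whole Incident is withheld.  Removing entire
   subtrees rather than blanking text is deliberate: a child element
   inherits its parent's policy, so an attribute or child left behind
   would leak what the parent was meant to protect.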
10. IANA Considerations

   This document registers a namespace, an XML schema, and a number of
   registries that map to enumerated values defined in the data model.
   It also defines an Expert Review process for IODEF-related XML
   registry entries.

10.1. Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the author in the "Author's Address"
      section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.
[...]
   o  XML: See Section 8 of this document.

10.2. Enumerated Value Registries

   This document creates 34 identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: <http://www.iana.org/assignments/iodef2>

   o  Namespace format: A registry entry consists of:

      *  Value.  A value for a given IODEF attribute.  It MUST conform
         to the formatting specified by the IODEF ENUM data type, which
         is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of
         [W3C.SCHEMA.DTYPES].  The value SHOULD conform to the
         convention specified in Section 5.2.

      *  Description.  A short description of the enumerated value.
[...]
      prescribed formatting.  The reviewer will also ensure that the
      entry is an appropriate value for the attribute per the
      information model (Section 3).
   The registries to be created are named in the "Registry Name" column
   of Table 1.  Each registry is initially populated with values and
   descriptions that come from an attribute specified in the IODEF
   schema (Section 8) whose description is found in a sub-section of the
   information model (Section 3).  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Description)" columns, respectively.  The "IV (Value)" points
   to a given schema type per Section 8.  Each enumerated value in the
   schema gets a corresponding entry in a given registry.  The "IV
   (Description)" points to a section in the text of this document that
   describes each enumerated value.  The initial value of the Reference
   field of every registry entry described below should be this
   document.
   +------------------------------+-----------------------------------+------------------+
   | Registry Name                | IV (Value)                        | IV (Description) |
   +------------------------------+-----------------------------------+------------------+
   | Restriction                  | iodef-restriction-type            | Section 3.3.1    |
   | Incident-purpose             | incident-purpose-type             | Section 3.2      |
   | Incident-status              | incident-status-type              | Section 3.2      |
   | Contact-role                 | contact-role-type                 | Section 3.9      |
   | Contact-type                 | contact-type-type                 | Section 3.9      |
   | RegistryHandle-registry      | registryhandle-registry-type      | Section 3.9.1    |
   | PostalAddress-type           | postaladdress-type-type           | Section 3.9.2    |
   | Telephone-type               | telephone-type-type               | Section 3.9.4    |
   | Email-type                   | email-type-type                   | Section 3.9.3    |
   | Expectation-action           | action-type                       | Section 3.15     |
   | Discovery-source             | discovery-source-type             | Section 3.10     |
   | SystemImpact-type            | systemimpact-type-type            | Section 3.12.1   |
   | BusinessImpact-severity      | businessimpact-severity-type      | Section 3.12.2   |
   | BusinessImpact-type          | businessimpact-type-type          | Section 3.12.2   |
   | TimeImpact-metric            | timeimpact-metric-type            | Section 3.12.3   |
   | TimeImpact-duration          | duration-type                     | Section 3.12.3   |
   | Confidence-rating            | confidence-rating-type            | Section 3.12.5   |
   | NodeRole-category            | noderole-category-type            | Section 3.18.2   |
   | System-category              | system-category-type              | Section 3.17     |
   | System-ownership             | system-ownership-type             | Section 3.17     |
   | Address-category             | address-category-type             | Section 3.18.1   |
   | Counter-type                 | counter-type-type                 | Section 3.18.3   |
   | Counter-unit                 | counter-unit-type                 | Section 3.18.3   |
   | DomainData-system-status     | domaindata-system-status-type     | Section 3.19     |
   | DomainData-domain-status     | domaindata-domain-status-type     | Section 3.19     |
   | RecordPattern-type           | recordpattern-type-type           | Section 3.22.2   |
   | RecordPattern-offsetunit     | recordpattern-offsetunit-type     | Section 3.22.2   |
   | Key-registryaction           | key-registryaction-type           | Section 3.23.1   |
   | HashData-scope               | hashdata-scope-type               | Section 3.26     |
   | BulkObservable-type          | bulkobservable-type-type          | Section 3.29.3.1 |
   | IndicatorExpression-operator | indicatorexpression-operator-type | Section 3.29.4   |
   | ExtensionType-dtype          | dtype-type                        | Section 2.16     |
   | SoftwareReference-spec-id    | softwarereference-spec-id-type    | Section 2.15.1   |
   | SoftwareReference-dtype      | softwarereference-dtype-type      | Section 2.15.1   |
   +------------------------------+-----------------------------------+------------------+

                 Table 1: IANA Enumerated Value Registries
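   The formatting rule of Section 10.2 (a registry Value MUST be an
   xs:NMTOKEN, and each entry carries a Description and a Reference) is
   mechanical enough to check before an entry reaches the designated
   expert.  The following is an added example, not code from RFC 7970 or
   from IANA; the duplicate-Value check against a registry snapshot is
   this example's own addition, the partial "Restriction" snapshot and
   the candidate entries are constructed, and "[this document]" stands in
   for a real Reference.

```python
"""Added example, not part of RFC 7970: pre-check a candidate entry for one
of the IANA enumerated-value registries described in Section 10.2.

From the page: a Value MUST be an xs:NMTOKEN (Section 3.3.4 of
[W3C.SCHEMA.DTYPES]) and every entry carries a Description and a
Reference.  This example's own addition: a duplicate-Value check against a
registry snapshot.  The snapshot and candidates below are constructed, and
"[this document]" / "[placeholder]" stand in for real Reference values.
"""
import re

# NameChar of XML 1.0 (Fifth Edition), Section 2.3.  An NMTOKEN is one or
# more NameChars; unlike an XML Name it may begin with a digit, '-' or '.'.
_NAME_CHAR = (
    ":A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF"
    "\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF"
    "\uFDF0-\uFFFD\U00010000-\U000EFFFF"
    "\\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
)
NMTOKEN_RE = re.compile("[" + _NAME_CHAR + "]+")


def is_nmtoken(value):
    """True when ``value`` is a non-empty run of NameChars (no whitespace,
    no quotes, no slashes); fullmatch avoids the trailing-newline leniency
    of '$'."""
    return bool(NMTOKEN_RE.fullmatch(value))


def check_entry(registry, candidate):
    """Problems found with ``candidate``; an empty list means the entry
    passes the formatting checks and can go on to the expert's semantic
    review (is it an appropriate value for the attribute?)."""
    problems = []
    value = candidate.get("Value", "")
    if not is_nmtoken(value):
        problems.append("Value %r is not an xs:NMTOKEN" % value)
    if not candidate.get("Description", "").strip():
        problems.append("Description is empty")
    if not candidate.get("Reference", "").strip():
        problems.append("Reference is empty")
    if value in {entry["Value"] for entry in registry["entries"]}:
        problems.append("Value %r is already registered" % value)
    return problems


# Constructed partial snapshot of the "Restriction" registry: two of the
# values that the iodef-restriction-type schema type seeds it with.
RESTRICTION_REGISTRY = {
    "name": "Restriction",
    "entries": [
        {"Value": "public", "Description": "No restriction on sharing",
         "Reference": "[this document]"},
        {"Value": "private", "Description": "Not for onward sharing",
         "Reference": "[this document]"},
    ],
}

# Constructed candidates: one acceptable, three that a reviewer would bounce.
CANDIDATES = [
    {"Value": "ext-partner-only", "Description": "Partners of the sender",
     "Reference": "[placeholder]"},
    {"Value": "need to know", "Description": "Contains a space",
     "Reference": "[placeholder]"},          # ' ' is not a NameChar
    {"Value": "public", "Description": "Already present",
     "Reference": "[placeholder]"},          # duplicates an entry
    {"Value": "", "Description": "", "Reference": ""},
]


def review(registry, candidates):
    """Map each candidate Value to the list of problems found with it."""
    return {c["Value"]: check_entry(registry, c) for c in candidates}


if __name__ == "__main__":
    for value, problems in review(RESTRICTION_REGISTRY, CANDIDATES).items():
        print(repr(value), problems or "ok")
```

   The NameChar class is taken from the XML 1.0 production rather than
   approximated with `\w`, because `\w` admits characters (and rejects
   others) that the schema datatype does not; a value accepted here but
   rejected by a schema-validating parser would make every document that
   uses it invalid.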
10.3. Expert Review of IODEF-Related XML Registry Entries

   IODEF class extensions, per Section 5.2, could register their
   namespaces and schemas with the IANA XML namespace ("ns" on
   <http://www.iana.org/assignments/xml-registry/>) and schema
   registries ("schema" on <http://www.iana.org/assignments/
   xml-registry/>) described in [RFC3688].  In addition to any reviews
   required by IANA, changes to the XML "schema" registry for schema
   names beginning with "urn:ietf:params:xml:schema:iodef" are subject
   to an additional IODEF Expert Review [RFC5226] to ensure
   compatibility with IODEF and other existing IODEF extensions.

   The IODEF expert(s) for these reviews will be designated by the IETF
   Security Area Directors.

   This document obsoletes [RFC6685].
11. Acknowledgments 11. References
Thanks to Paul Stockler for his editorial leadership in the
transition of RFC5070bis to this document.
Thanks to Kathleen Moriarty, Brian Trammel, Alexey Melnikov, Takeshi 11.1. Normative References
Takahashi, David Waltermire and Sean Turner as the MILE working group
chairs, secretary or area directors for providing feedback and
coordination of this document.
Thanks to the following individuals (listed alphabetically) who [E.164] ITU Telecommunication Standardization Sector, "The
provided feedback during the meetings, on the mailing list or through International Public Telecommunication Numbering Plan",
implementation experience: Jerome Athias, David Black, Eric Burger, ITU-T Recommendation E.164, November 2010.
Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
Suzuki and Nik Teague.
12. References [IANA.Media]
IANA, "Media Types",
<http://www.iana.org/assignments/media-types/>.
12.1. Normative References [IANA.Ports]
IANA, "Service Name and Transport Protocol Port Number
Registry", <http://www.iana.org/assignments/
service-names-port-numbers/>.
[W3C.XML] World Wide Web Consortium, "Extensible Markup Language [IANA.Protocols]
(XML) 1.0 (Fifth Edition)", W3C Recommendation , November IANA, "Assigned Internet Protocol Numbers",
2008, <http://www.w3.org/TR/2008/REC-xml-20081126/>. <http://www.iana.org/assignments/protocol-numbers/>.
[W3C.SCHEMA] [IEEE.POSIX]
World Wide Web Consortium, "XML XML Schema Part 1: IEEE, "Information Technology - Portable Operating System
Structures Second Edition", W3C Recommendation , October Interface (POSIX) Base Specifications, Issue 7", IEEE
2004, <http://www.w3.org/TR/xmlschema-1/>. Std 1003.1-2001, DOI 10.1109/IEEESTD.2009.5393893,
September 2009.
[W3C.SCHEMA.DTYPES] [ISO19770] International Organization for Standardization,
World Wide Web Consortium, "XML Schema Part 2: Datatypes "Information technology -- Software asset management --
Second Edition", W3C Recommendation , October 2004, Part 2: Software identification tag", ISO
<http://www.w3.org/TR/xmlschema-2/>. Standard 19770-2:2015, October 2015.
[W3C.XMLNS] [ISO4217] International Organization for Standardization, "Codes for
World Wide Web Consortium, "Namespaces in XML 1.0 (Third the representation of currencies", ISO 4217:2015, 2015.
Edition)", W3C Recommendation , December 2009,
<http://www.w3.org/TR/2009/REC-xml-names-20091208/>.
[W3C.XPATH] [NIST.CPE] Cheikes, B., Waltermire, D., and K. Scarfone, "Common
World Wide Web Consortium, "XML Path Language (XPath) Platform Enumeration: Naming Specification Version 2.3",
3.1", W3C Candidate Recommendation , December 2015, NIST Interagency Report 7695, August 2011,
<https://www.w3.org/TR/xpath-3/>. <http://csrc.nist.gov/publications/nistir/ir7695/
NISTIR-7695-CPE-Naming.pdf>.
[W3C.XMLSIG] [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
World Wide Web Consortium, "XML Signature Syntax and Requirement Levels", BCP 14, RFC 2119,
Processing 2.0", W3C Recommendation , June 2008, DOI 10.17487/RFC2119, March 1997,
<http://www.w3.org/TR/xmldsig-core/>. <http://www.rfc-editor.org/info/rfc2119>.
[IEEE.POSIX] [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
Institute of Electrical and Electronics Engineers, 10646", RFC 2781, DOI 10.17487/RFC2781, February 2000,
"Information Technology - Portable Operating System <http://www.rfc-editor.org/info/rfc2781>.
Interface (POSIX) - Part 1: Base Definitions",
IEEE 1003.1, June 2001.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
Requirement Levels", RFC 2119, March 1997. 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC5646] Philips, A. and M. Davis, "Tags for Identifying of [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
Languages", RFC 5646, September 2009. DOI 10.17487/RFC3688, January 2004,
<http://www.rfc-editor.org/info/rfc3688>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 3986, Resource Identifier (URI): Generic Syntax", STD 66,
January 2005`. RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[RFC4519] Sciberras, A., "Schema for User Applications", RFC 4519, [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
June 2006. Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <http://www.rfc-editor.org/info/rfc4291>.
[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October [RFC4519] Sciberras, A., Ed., "Lightweight Directory Access Protocol
2008. (LDAP): Schema for User Applications", RFC 4519,
DOI 10.17487/RFC4519, June 2006,
<http://www.rfc-editor.org/info/rfc4519>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
Email", RFC 6531, February 2012. DOI 10.17487/RFC5322, October 2008,
<http://www.rfc-editor.org/info/rfc5322>.
[RFC7495] Montville, A. and D. Black, "IODEF Enumeration Reference [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
Format", RFC 7495, January 2015. Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
September 2009, <http://www.rfc-editor.org/info/rfc5646>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952,
DOI 10.17487/RFC5952, August 2010,
<http://www.rfc-editor.org/info/rfc5952>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
Email", RFC 6531, DOI 10.17487/RFC6531, February 2012,
<http://www.rfc-editor.org/info/rfc6531>.
[RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An [RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
Incident Object Description Exchange Format (IODEF) Incident Object Description Exchange Format (IODEF)
Extension for Structured Cybersecurity Information", Extension for Structured Cybersecurity Information",
RFC 7203, April 2014. RFC 7203, DOI 10.17487/RFC7203, April 2014,
<http://www.rfc-editor.org/info/rfc7203>.
[ISO4217] International Organization for Standardization,
"International Standard: Codes for the representation of
currencies and funds, ISO 4217:2001", ISO 4217:2001,
August 2001.
[RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January [RFC7495] Montville, A. and D. Black, "Enumeration Reference Format
2004. for the Incident Object Description Exchange Format
(IODEF)", RFC 7495, DOI 10.17487/RFC7495, March 2015,
<http://www.rfc-editor.org/info/rfc7495>.
[IANA.Ports] [W3C.SCHEMA]
Internet Assigned Numbers Authority, "Service Name and Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
Transport Protocol Port Number Registry", January 2014, "XML Schema Part 1: Structures Second Edition", W3C
<http://www.iana.org/assignments/service-names-port- Recommendation REC-xmlschema-1-20041028, October 2004,
numbers/service-names-port-numbers.txt>. <http://www.w3.org/TR/xmlschema-1/>.
[IANA.Protocols] [W3C.SCHEMA.DTYPES]
Internet Assigned Numbers Authority, "Assigned Internet Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
Protocol Numbers", January 2014, Second Edition", W3C Recommendation REC-xmlschema-
<http://www.iana.org/assignments/protocol-numbers/ 2-20041028, October 2004,
protocol-numbers.txt>. <http://www.w3.org/TR/xmlschema-2/>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [W3C.XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and
10646", RFC 3629, November 2003. F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth
Edition)", W3C Recommendation REC-xml-20081126, November
2008, <http://www.w3.org/TR/2008/REC-xml-20081126/>.
[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO [W3C.XMLNS]
10646", RFC 2781, February 2000. Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
Thompson, "Namespaces in XML 1.0 (Third Edition)", W3C
Recommendation REC-xml-names-20091208, December 2009,
<http://www.w3.org/TR/2009/REC-xml-names-20091208/>.
[IANA.Media] [W3C.XMLSIG]
Internet Assigned Numbers Authority, "Media Types", March Eastlake, D., Reagle, J., Solo, D., Hirsch, F., and T.
2015, <http://www.iana.org/assignments/media-types/ Roessler, "XML Signature Syntax and Processing (Second
media-types.xhtml>. Edition)", W3C Recommendation REC-xmldsig-core-20080610,
June 2008, <http://www.w3.org/TR/xmldsig-core/>.
[NIST.CPE] [W3C.XPATH]
The National Institute of Standards and Technology, Robie, J., Dyck, M., and J. Spiegel, "XML Path Language
"Common Platform Enumeration", 2014, (XPath) 3.1", W3C Candidate Recommendation CR-xpath-
<http://scap.nist.gov/specifications/cpe/>. 31-20151217, December 2015,
<https://www.w3.org/TR/xpath-3/>.
[ISO19770] 11.2. Informative References
International Organization for Standardization,
"Information technology -- Software asset management --
Part 2: Software identification tag, ISO/IEC
19770-2:2015", ISO 19770-2:2015, October 2015.
[E.164] ITU Telecommunication Standardization Sector, "The [KB310516] Microsoft Corporation, "How to add, modify, or delete
International Public Telecommunication Numbering Plan", registry subkeys and values by using a .reg file",
ITU-T Recommendation E.164 (02/05), February 2005. September 2013,
<https://support.microsoft.com/en-us/kb/310516>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 [NIST800.61rev2]
Address Text Representation", RFC 5952, August 2010. National Institute of Standards and Technology, "Computer
Security Incident Handling Guide", NIST Special
Publication 800-61, Revision 2, August 2012,
<http://dx.doi.org/10.6028/NIST.SP.800-61r2>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
Acknowledgments

Thanks to Paul Stoecker for his editorial leadership in the
transition of an early draft to the current document.
Thanks to Kathleen Moriarty, Brian Trammel, Alexey Melnikov, Takeshi
Takahashi, David Waltermire, and Sean Turner (as the MILE working
group chairs, secretary, and area directors) for providing feedback
and coordination of this document.
Thanks to the following individuals (listed alphabetically) who
provided feedback during the meetings, on the mailing list, or
through implementation experience: Jerome Athias, David Black, Eric
Burger, Toma Cejka, Patrick Curry, John Field, Christopher
Harrington, Chris Inacio, Panos Kampanakis, David Misell, Daisuke
Miyamoto, Adam Montville, Robert Moskowitz, Lagadec Philippe, Tony
Rutkowski, Mio Suzuki, and Nik Teague.
Author's Address (draft-ietf-mile-rfc5070-bis-26, left; RFC 7970, right)

Roman Danyliw                          Roman Danyliw
CERT - Carnegie Mellon University      CERT
                                       Software Engineering Institute
                                       Carnegie Mellon University
4500 Fifth Avenue                      4500 Fifth Avenue
Pittsburgh, PA                         Pittsburgh, PA
USA                                    United States of America
EMail: rdd@cert.org                    Email: rdd@cert.org
 End of changes. 317 change blocks. 
739 lines changed or deleted, 766 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/