idnits 2.17.1
draft-ietf-mile-rfc5070-bis-17.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
in the document. If these are example addresses, they should be changed.
-- The draft header indicates that this document obsoletes RFC5070, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
mean).
Found 'MUST not' in this paragraph:
Invalid algebraic expressions while valid XML, MUST not be
specified.
== The document seems to contain a disclaimer for pre-RFC5378 work, but was
first submitted on or after 10 November 2008. The disclaimer is usually
necessary only for documents that revise or obsolete older RFCs, and that
take significant amounts of text from those RFCs. If you can contact all
authors of the source material and they are willing to grant the BCP78
rights to the IETF Trust, you can and should remove the disclaimer.
Otherwise, the disclaimer is needed and you can ignore this comment.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (March 20, 2016) is 2953 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: '0-9' is mentioned on line 7075, but not defined
== Missing Reference: '0-4' is mentioned on line 7075, but not defined
== Missing Reference: '0-5' is mentioned on line 7075, but not defined
== Missing Reference: 'O1' is mentioned on line 4800, but not defined
== Missing Reference: 'O2' is mentioned on line 4801, but not defined
== Missing Reference: 'O3' is mentioned on line 4790, but not defined
-- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'
** Downref: Normative reference to an Informational RFC: RFC 2781
-- Obsolete informational reference (is this intentional?): RFC 5070
(Obsoleted by RFC 7970)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 6 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 MILE Working Group R. Danyliw
3 Internet-Draft CERT
4 Obsoletes: 5070 (if approved) March 20, 2016
5 Intended status: Standards Track
6 Expires: September 21, 2016
8 The Incident Object Description Exchange Format v2
9 draft-ietf-mile-rfc5070-bis-17
11 Abstract
13 The Incident Object Description Exchange Format (IODEF) defines a
14 data representation for security incident reports and cyber
15 indicators commonly exchanged by operational security teams for
16 mitigation and watch and warning. This document describes the
17 information model for the IODEF and provides an associated data model
18 specified with XML Schema.
20 Status of This Memo
22 This Internet-Draft is submitted in full conformance with the
23 provisions of BCP 78 and BCP 79.
25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF). Note that other groups may also distribute
27 working documents as Internet-Drafts. The list of current Internet-
28 Drafts is at http://datatracker.ietf.org/drafts/current/.
30 Internet-Drafts are draft documents valid for a maximum of six months
31 and may be updated, replaced, or obsoleted by other documents at any
32 time. It is inappropriate to use Internet-Drafts as reference
33 material or to cite them other than as "work in progress."
35 This Internet-Draft will expire on September 21, 2016.
37 Copyright Notice
39 Copyright (c) 2016 IETF Trust and the persons identified as the
40 document authors. All rights reserved.
42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info) in effect on the date of
45 publication of this document. Please review these documents
46 carefully, as they describe your rights and restrictions with respect
47 to this document. Code Components extracted from this document must
48 include Simplified BSD License text as described in Section 4.e of
49 the Trust Legal Provisions and are provided without warranty as
50 described in the Simplified BSD License.
52 This document may contain material from IETF Documents or IETF
53 Contributions published or made publicly available before November
54 10, 2008. The person(s) controlling the copyright in some of this
55 material may not have granted the IETF Trust the right to allow
56 modifications of such material outside the IETF Standards Process.
57 Without obtaining an adequate license from the person(s) controlling
58 the copyright in such materials, this document may not be modified
59 outside the IETF Standards Process, and derivative works of it may
60 not be created outside the IETF Standards Process, except to format
61 it for publication as an RFC or to translate it into languages other
62 than English.
64 Table of Contents
66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
67 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
68 1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
69 1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 6
70 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 7
71 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 7
72 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 7
73 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 7
74 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 7
75 2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 8
76 2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 8
77 2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 9
78 2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 9
79 2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 9
80 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 9
81 2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 9
82 2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 10
83 2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 10
84 2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 10
85 2.13. Uniform Resource Locator strings . . . . . . . . . . . . 10
86 2.14. Identifiers and Identifier References . . . . . . . . . . 10
87 2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 11
88 2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 11
89 2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 13
90 3. The IODEF Information Model . . . . . . . . . . . . . . . . . 16
91 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 16
92 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 17
93 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 21
94 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 21
95 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 22
96 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 23
97 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 24
98 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 24
99 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 26
100 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 27
101 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 28
102 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 31
103 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 32
104 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 33
105 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 34
106 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 35
107 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 37
108 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 38
109 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 39
110 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 40
111 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 42
112 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 44
113 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 46
114 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 48
115 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 49
116 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 50
117 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 51
118 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 53
119 3.14.1. Relating the Incident and EventData Classes . . . . 55
120 3.14.2. Recursive Definition of EventData . . . . . . . . . 55
121 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 56
122 3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 59
123 3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 60
124 3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 63
125 3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 64
126 3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 65
127 3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 68
128 3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 71
129 3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 73
130 3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 74
131 3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 74
132 3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 76
133 3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 77
134 3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 77
135 3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 79
136 3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 80
137 3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 81
138 3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 83
139 3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 84
140 3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 85
141 3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 85
142 3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 86
143 3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 87
144 3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 88
145 3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 90
146 3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 90
147 3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 91
148 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 92
149 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 92
150 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 95
151 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 95
152 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 96
153 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 102
154 3.29.5. Expressions with IndicatorExpression . . . . . . . . 103
155 3.29.6. ObservableReference Class . . . . . . . . . . . . . 105
156 3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 105
157 3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 106
158 4. Processing Considerations . . . . . . . . . . . . . . . . . . 107
159 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 107
160 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 107
161 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 108
162 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 108
163 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 109
164 5.1. Extending the Enumerated Values of Attributes . . . . . . 109
165 5.1.1. Private Extension of Enumerated Values . . . . . . . 109
166 5.1.2. Public Extension of Enumerated Values . . . . . . . . 110
167 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 110
168 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 112
169 6. Internationalization Issues . . . . . . . . . . . . . . . . . 113
170 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 114
171 7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 114
172 7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 115
173 8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 116
174 9. Security Considerations . . . . . . . . . . . . . . . . . . . 155
175 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 156
176 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 156
177 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 156
178 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 159
179 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 159
180 12.1. Normative References . . . . . . . . . . . . . . . . . . 159
181 12.2. Informative References . . . . . . . . . . . . . . . . . 161
182 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 162
184 1. Introduction
186 Organizations require help from other parties to mitigate malicious
187 activity targeting their network and to gain insight into potential
188 threats. This coordination might entail working with an ISP to
189 filter attack traffic, contacting a remote site to take down a
190 botnet, or sharing watch-lists of known malicious indicators in a
191 consortium.
193 The Incident Object Description Exchange Format (IODEF) is a format
194 for representing computer security information commonly exchanged
195 between Computer Security Incident Response Teams (CSIRTs). It
196 provides an XML representation for conveying:
198 o cyber intelligence to characterize threats;
200 o cyber incident reports to document particular cyber security
201 events or relationships between events;
203 o cyber event mitigation activity to proactively and reactively
204 mitigate activity; and
206 o meta-data so that these various classes of information can be
207 exchanged among parties.
209 The purpose of the IODEF is to enhance the operational capabilities
210 of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT
211 to resolve security incidents; understand cyber threats; and
212 coordinate response activities and proactive mitigations by
213 simplifying collaboration and data sharing with its partners. This
214 structured format provided by the IODEF allows for:
216 o machine-to-machine exchange of incident and cyber intelligence
217 data;
219 o automated processing of this data, thereby allowing more rapid
220 execution of appropriate courses of action; and
222 o the development of an ecosystem of interoperable tools enabling
223 security operations.
225 Sharing and coordinating with other organizations is not strictly a
226 technical problem. There are numerous procedural, cultural, legal
227 and trust-related barriers to overcome. The IODEF does not attempt
228 to address them directly. However, operational implementations of
229 the IODEF will need to consider these challenges.
231 Section 1 provides the background for the IODEF. Sections 3 and 8
232 specify the IODEF information and data model respectively. The data
233 types used in this document are described in Section 2. Processing
234 considerations, extending the specification, internationalization and
235 security issues are covered in Sections 4, 5, 6 and 9 respectively.
236 Examples are listed in Section 7.
238 1.1. Terminology
240 The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
241 "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
242 document are to be interpreted as described in [RFC2119].
244 1.2. Notations
246 The IODEF is specified as an Extensible Markup Language (XML)
247 [W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is
248 found in the XML schema in Section 8. To aid in the understanding of
249 the data elements, Section 3 also depicts the underlying information
250 model using Unified Modeling Language (UML). This abstract
251 presentation of the IODEF is not normative.
253 For clarity in this document, the term "XML document" will be used
254 when referring generically to any instance of an XML document. The
255 term "IODEF document" will be used to refer to an XML document
256 conforming to the IODEF specification. The term "schema" will be
257 used to refer to Section 8 of this document. The terms "data model"
258 and "schema" will be used interchangeably. The terms "class" and
259 "element" will be used to reference either the corresponding data
260 element in the UML-based information or XML Schema-based data models,
261 respectively.
263 1.3. About the IODEF Data Model
265 A number of considerations were made in the design of the IODEF data
266 model.
268 o The data model found in this document is an evolution of the one
269 previously specified in [RFC5070]. New fields were added to
270 represent additional information. [RFC5070] was developed
271 primarily to represent incident reports. This document builds
272 upon it by adding support for cyber indicators and revising it to
273 reflect the current challenges faced by CSIRTs. An attempt was
274 made to preserve backward compatibility but this was not possible
275 in all cases. See Section 4.4.
277 o The IODEF is a transport format. Therefore, the data model may
278 not be the optimal archival or in-memory processing format.
280 o The IODEF is intended to be a framework to convey only commonly
281 exchanged information. It ensures that there are mechanisms for
282 extensibility to support organization-specific information and
283 techniques to reference information kept outside of the data
284 model.
286 o Not all commonly exchanged information has a well-defined format
287 or taxonomy. The IODEF attempts to strike a balance between
288 enforcing sufficient structure to allow automated processing and
289 supporting free-form content that enables maximum flexibility.
291 o The IODEF fits into a broader ecosystem of standards and
292 conventions. An attempt was made to harmonize the data model with
293 this context.
295 2. IODEF Data Types
297 The IODEF uses a number of simple and complex types. This section
298 describes these data types.
300 2.1. Integers
302 An integer is represented in the information model by the INTEGER
303 data type. Integer data MUST be encoded in Base 10.
305 The INTEGER data type is implemented in the data model as a
306 "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].
308 2.2. Real Numbers
310 A real (floating-point) number is represented in the information
311 model by the REAL data type. Real data MUST be encoded in Base 10.
313 The REAL data type is implemented in the data model as a "xs:float"
314 type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].
316 2.3. Characters and Strings
318 A single character is represented in the information model by the
319 CHARACTER data type. A string is represented by the STRING data
320 type. Special characters MUST be encoded using entity references.
321 See Section 4.1.
323 The CHARACTER and STRING data types are implemented in the data model
324 as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
326 2.4. Multilingual Strings
328 A string that needs to be represented in a human-readable language
329 different from the default encoding of the document is represented in
330 the information model by the ML_STRING data type.
332 The ML_STRING data type is implemented in the data model as the
333 "iodef:MLStringType" type. This type extends the "xs:string" to
334 include two attributes.
336 +------------------------+
337 | iodef:MLStringType |
338 +------------------------+
339 | xs:string |
340 | |
341 | ENUM xml:lang |
342 | STRING translation-id |
343 +------------------------+
345 Figure 1: The iodef:MLStringType Type
347 The content of the class is a character string of type "xs:string"
348 whose language MAY be specified by the xml:lang attribute.
350 The attributes of the iodef:MLStringType type are:
352 xml:lang
353 Optional. ENUM. A language identifier per Section 2.12 of
354 [W3C.XML] whose values and format are described in [RFC5646]. The
355 interpretation of this code is described in Section 6.
357 translation-id
358 Optional. STRING. An identifier to relate other instances of
359 this class with the same parent as translations of this text. The
360 scope of this identifier is limited to all of the direct, peer
361 child classes of a given parent class.
363 Using this class enables representing translations of the same text
364 in multiple languages. Each translation is a distinct instance of
365 this class with a common parent. A group of classes each with a
366 translated instance of text is related by setting a common identifier
367 in the translation-id attribute. The language of a given class is
368 set by the xml:lang attribute. See Section 6 for more details on
369 representing translations of free-form text.
371 2.5. Binary Strings
373 Binary octets can be represented with two encodings.
375 2.5.1. Base64 Bytes
377 A binary octet encoded with Base64 is represented in the information
378 model by the BYTE data type. A sequence of these octets is of the
379 BYTE[] data type.
381 The BYTE and BYTE[] data types are implemented in the data model as a
382 "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].
384 2.5.2. Hexadecimal Bytes
386 A binary octet encoded as a character tuple consisting of two
387 hexadecimal digits is represented in the information model by the
388 HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
389 type.
391 The HEXBIN and HEXBIN[] data types are implemented in the data model
392 as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].
394 2.6. Enumerated Types
396 An enumerated type is represented in the information model by the
397 ENUM data type. It is an ordered list of acceptable string values.
398 Each value has a representative keyword. Within the data model, the
399 enumerated type keywords are used as attribute values.
401 The ENUM data type is implemented in the data model as values of a
402 "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].
404 2.7. Date-Time String
406 A date-time string that describes a particular instant in time is
407 represented in the information model by the DATETIME data type.
408 Ranges are not supported.
410 The DATETIME data type is implemented in the data model as a
411 "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].
413 2.8. Timezone String
415 A timezone offset from UTC is represented in the information model by
416 the TIMEZONE data type. It is formatted according to the following
417 regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
419 The TIMEZONE data type is implemented in the data model as an
420 "iodef:TimezoneType" type.
422 2.9. Port Lists
424 A list of network ports is represented in the information model by
425 the PORTLIST data type. A PORTLIST consists of a comma-separated
426 list of numbers and ranges (N-M means ports N through M, inclusive).
427 It is formatted according to the following regular expression:
429 "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
430 "2,5-15,30,32,40-50,55-60".
432 The PORTLIST data type is implemented in the data model as an
433 "iodef:PortlistType" type.
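As an added illustration of the TIMEZONE (Section 2.8) and PORTLIST (Section 2.9) patterns above, not code from the draft itself, the following Python applies the two regular expressions with whole-string matching and then adds the semantic checks a regular expression alone cannot express. The function names, the 65535 upper bound and the rejection of reversed ranges are my additions, not requirements stated in the draft.

```python
import re

# Patterns exactly as given for the TIMEZONE and PORTLIST data types.
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]")
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*")


def is_valid_timezone(value):
    """True only when the whole value matches the TIMEZONE pattern.

    fullmatch matters: the pattern carries no anchors of its own, so
    re.match would accept "+05:30garbage".
    """
    return TIMEZONE_RE.fullmatch(value) is not None


def timezone_offset_minutes(value):
    """Offset from UTC in minutes for a valid TIMEZONE value ("Z" is 0)."""
    if not is_valid_timezone(value):
        raise ValueError("not a TIMEZONE value: %r" % value)
    if value == "Z":
        return 0
    sign = -1 if value[0] == "-" else 1
    hours, minutes = value[1:].split(":")
    return sign * (int(hours) * 60 + int(minutes))


def parse_portlist(value):
    """Parse a PORTLIST into a list of (low, high) inclusive ranges.

    The regular expression fixes only the syntax.  The two checks below
    are additions (not from the draft): a port above 65535 and a reversed
    range (N-M with N > M) are both rejected.
    """
    if PORTLIST_RE.fullmatch(value) is None:
        raise ValueError("not a PORTLIST value: %r" % value)
    ranges = []
    for item in value.split(","):
        if "-" in item:
            low, high = (int(part) for part in item.split("-"))
        else:
            low = high = int(item)
        if high > 65535:
            raise ValueError("port %d out of range in %r" % (high, value))
        if low > high:
            raise ValueError("reversed range %s in %r" % (item, value))
        ranges.append((low, high))
    return ranges


def expand_portlist(value):
    """The set of individual ports a PORTLIST covers."""
    ports = set()
    for low, high in parse_portlist(value):
        ports.update(range(low, high + 1))
    return ports
```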
435 2.10. Postal Address
437 A postal address is represented in the information model by the
438 POSTAL data type. The format of the POSTAL data type is documented
439 in Section 2.23 of [RFC4519] as a free-form multi-line string
440 separated by the "$" character.
442 The POSTAL data type is implemented in the data model as an
443 "iodef:MLStringType" type.
445 2.11. Telephone Number
447 A telephone number is represented in the information model by the
448 PHONE data type. The format of the PHONE data type is documented in
449 Section 2.35 of [RFC4519].
451 The PHONE data type is implemented in the data model as a "xs:string"
452 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
454 2.12. Email String
456 An email address is represented in the information model by the EMAIL
457 data type. The format of the EMAIL data type is documented in
458 Section 3.4.1 of [RFC5322].
460 The EMAIL data type is implemented in the data model as a "xs:string"
461 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
463 2.13. Uniform Resource Locator strings
465 A uniform resource locator (URL) is represented in the information
466 model by the URL data type. The format of the URL data type is
467 documented in [RFC3986].
469 The URL data type is implemented as a "xs:anyURI" type per
470 Section 3.2.17 of [W3C.SCHEMA.DTYPES].
472 2.14. Identifiers and Identifier References
474 An identifier unique to the IODEF document is represented in the
475 information model by the ID data type. A reference to this
476 identifier is represented by the IDREF data type. The acceptable
477 format of ID and IDREF is documented in Section 3.3.8 and 3.3.9 of
478 [W3C.SCHEMA.DTYPES].
480 The ID and IDREF data types are implemented in the model as "xs:ID"
481 and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
482 [W3C.SCHEMA.DTYPES].
484 2.15. Software
486 A particular version of software is represented in the information
487 model by the SOFTWARE data type. This software can be described by
488 using a reference, a URL or with free-form text.
490 The SOFTWARE data type is implemented in the data model as the
491 "iodef:SoftwareType" type.
493 +--------------------+
494 | iodef:SoftwareType |
495 +--------------------+
496 | |<>--{0..1}--[ SoftwareReference ]
497 | |<>--{0..*}--[ URL ]
498 | |<>--{0..*}--[ Description ]
499 +--------------------+
501 Figure 2: The SoftwareType Type
503 The aggregate classes of the SoftwareType type are:
505 SoftwareReference
506 Zero or one. Reference to a software application. See
507 Section 2.15.1.
509 URL
510 Zero or more. URL. A URL to a resource describing the software.
512 Description
513 Zero or more. ML_STRING. A free-form text description of the
514 software.
516 At least one of these classes MUST be present.
518 The iodef:SoftwareType type has no attributes.
520 2.15.1. SoftwareReference Class
522 The SoftwareReference class is a reference to a particular version of
523 software.
525 +----------------------+
526 | SoftwareReference |
527 +----------------------+
528 | xs:any |
529 | |
530 | ENUM spec-name |
531 | STRING ext-spec-name |
532 | ENUM dtype |
533 | STRING enum-dtype |
534 +----------------------+
536 Figure 3: The SoftwareReference Class
538 The element content varies according to the value of the spec-name
539 attribute. It is defined in the data model as "xs:any" per
540 [W3C.SCHEMA].
542 The attributes of the SoftwareReference class are:
544 spec-name
545 Required. ENUM. Identifies the format and semantics of the
546 element body of this class. Formal standards and specifications
547 can be referenced as well as a free-form text description with a
548 user-provided data type. These values are maintained in the
549 "SoftwareReference-spec-id" IANA registry per Section 10.2.
551 1. custom. The element content is free-form and of the data type
552 specified by the dtype attribute. If this value is selected,
553 then the dtype attribute MUST be set.
555 2. cpe. The element content describes a Common Platform
556 Enumeration (CPE) entry.
558 3. swid. The element content describes a software identification
559 (SWID) tag per ISO/IEC 19770-2:2009.
561 4. ext-value. A value used to indicate that this attribute is
562 extended and the actual value is provided using the
563 corresponding ext-* attribute. See Section 5.1.1.
565 ext-spec-name
566 Optional. STRING. A means by which to extend the spec-name
567 attribute. See Section 5.1.1.
569 dtype
570 Optional. ENUM. The data type of the element content. The
571 permitted values for this attribute are shown below. The default
572 value is "string". These values are maintained in the
573 "SoftwareReference-dtype" IANA registry per Section 10.2.
575 1. bytes. The element content is of type HEXBIN.
577 2. integer. The element content is of type INTEGER.
579 3. real. The element content is of type REAL.
581 4. string. The element content is of type STRING.
583 5. xml. The element content is XML. See Section 5.2.
585 6. ext-value. A value used to indicate that this attribute is
586 extended and the actual value is provided using the
587 corresponding ext-* attribute. See Section 5.1.1.
589 ext-dtype
590 Optional. STRING. A means by which to extend the dtype
591 attribute. See Section 5.1.1.
593 2.16. Extension
595 Information not otherwise represented in the IODEF can be added using
596 the EXTENSION data type. This data type is a generic extension
597 mechanism.
599 The EXTENSION data type is implemented in the data model as the
600 "iodef:ExtensionType" type.
602 The data type of an EXTENSION is described by the dtype attribute.
603 For simple information, atomic data types (e.g., integers, strings)
604 are supported. Their semantics are further described by the meaning
605 and formatid attributes. Encapsulating XML documents conforming to
606 another schema is also supported. A detailed discussion of extending
607 the schema can be found in Section 5. Additional coordination may be
608 required to ensure that a recipient of a document using this type can
609 parse and process it.
611 +------------------------+
612 | iodef:ExtensionType |
613 +------------------------+
614 | xs:any |
615 | |
616 | STRING name |
617 | ENUM dtype |
618 | STRING ext-dtype |
619 | STRING meaning |
620 | STRING formatid |
621 | ENUM restriction |
622 | STRING ext-restriction |
623 | ID observable-id |
624 +------------------------+
626 Figure 4: The iodef:ExtensionType Type
628 The element content of this type is the extension being added to the
629 data model. This content is defined in the data model as "xs:any"
630 per [W3C.SCHEMA].
632 The attributes of the iodef:ExtensionType type are:
634 name
635 Optional. STRING. A free-form name of the field or data element.
637 dtype
638 Required. ENUM. The data type of the element content. The
639 default value is "string". These values are maintained in the
640 "ExtensionType-dtype" IANA registry per Section 10.2.
642 1. boolean. The element content is of type BOOLEAN.
644 2. byte. The element content is of type BYTE.
646 3. bytes. The element content is of type HEXBIN.
648 4. character. The element content is of type CHARACTER.
650 5. date-time. The element content is of type DATETIME.
652 6. ntpstamp. Same as date-time.
654 7. integer. The element content is of type INTEGER.
656 8. portlist. The element content is of type PORTLIST.
658 9. real. The element content is of type REAL.
660 10. string. The element content is of type STRING.
662 11. file. The element content is a base64 encoded binary file
663 encoded as a BYTE[] type.
665 12. path. The element content is a file-system path encoded as a
666 STRING type.
668 13. frame. The element content is a layer-2 frame encoded as a
669 HEXBIN type.
671 14. packet. The element content is a layer-3 packet encoded as a
672 HEXBIN type.
674 15. ipv4-packet. The element content is an IPv4 packet encoded
675 as a HEXBIN type.
677 16. ipv6-packet. The element content is an IPv6 packet encoded
678 as a HEXBIN type.
680 17. url. The element content is of type URL.
682 18. csv. The element content is a comma separated value (CSV)
683 list per Section 2 of [RFC4180] encoded as a STRING type.
685 19. winreg. The element content is a Windows registry key
686 encoded as a STRING type.
688 20. xml. The element content is XML. See Section 5.
690 21. ext-value. A value used to indicate that this attribute is
691 extended and the actual value is provided using the
692 corresponding ext-* attribute. See Section 5.1.1.
694 ext-dtype
695 Optional. STRING. A means by which to extend the dtype
696 attribute. See Section 5.1.1.
698 meaning
699 Optional. STRING. A free-form text description of the element
700 content.
702 formatid
703 Optional. STRING. An identifier referencing the format or
704 semantics of the element content.
706 restriction
707 Optional. ENUM. See Section 3.3.1.
709 ext-restriction
710 Optional. STRING. A means by which to extend the restriction
711 attribute. See Section 5.1.1.
713 observable-id
714 Optional. ID. See Section 3.3.2.
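The dtype rules above decide how a recipient must interpret the element content of an AdditionalData element. The following Python is an added example, not text or code from the draft: it decodes each AdditionalData by its dtype, applying the default of "string", decoding the HEXBIN-based types from hex and "file" from base64, parsing "csv" per RFC 4180, treating "xml" content as foreign child elements, and accepting "ext-value" only when ext-dtype is present. The sample document is constructed, omits the IODEF XML namespace for brevity, and the ext-dtype value "x-hypothetical" is a placeholder.

```python
"""Decode iodef:ExtensionType (AdditionalData) content by its dtype attribute.

Added example, not part of the draft. The sample below is constructed and
omits the IODEF XML namespace for brevity.
"""
import base64
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: one AdditionalData per interesting dtype.
SAMPLE = """<Incident>
  <AdditionalData dtype="integer" meaning="failed-logins">42</AdditionalData>
  <AdditionalData dtype="boolean" meaning="persistence">true</AdditionalData>
  <AdditionalData dtype="portlist" meaning="scanned-ports">22,80,443-445</AdditionalData>
  <AdditionalData dtype="bytes" meaning="magic">4D5A9000</AdditionalData>
  <AdditionalData dtype="file" meaning="dropper">aGVsbG8=</AdditionalData>
  <AdditionalData dtype="date-time" meaning="first-seen">2016-03-01T12:00:00Z</AdditionalData>
  <AdditionalData dtype="csv" meaning="hosts">host1,host2,"host,3"</AdditionalData>
  <AdditionalData meaning="note">dtype omitted, so STRING</AdditionalData>
  <AdditionalData dtype="ext-value" ext-dtype="x-hypothetical" meaning="custom">opaque</AdditionalData>
  <AdditionalData dtype="xml" meaning="vendor"><v:Report xmlns:v="urn:example:vendor"><v:Score>7</v:Score></v:Report></AdditionalData>
</Incident>
"""

# dtype groups that share one decoding rule.
HEXBIN_DTYPES = {"bytes", "frame", "packet", "ipv4-packet", "ipv6-packet"}
STRING_DTYPES = {"string", "path", "winreg", "url"}
BOOLEANS = {"true": True, "1": True, "false": False, "0": False}


def parse_portlist(text):
    """PORTLIST: comma-separated ports and inclusive ranges -> set of ints."""
    ports = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port or range %r" % part)
        ports.update(range(lo, hi + 1))
    return ports


def decode_extension(elem):
    """Return (dtype, decoded value) for one AdditionalData element."""
    dtype = elem.get("dtype", "string")          # "string" is the default
    text = (elem.text or "").strip()
    if dtype == "ext-value":
        ext = elem.get("ext-dtype")
        if not ext:
            raise ValueError("dtype=ext-value requires ext-dtype")
        return ("ext:" + ext, text)               # opaque without out-of-band agreement
    if dtype == "boolean":
        return (dtype, BOOLEANS[text])            # KeyError on anything else
    if dtype == "byte":
        value = int(text)
        if not -128 <= value <= 127:              # xs:byte is a signed octet
            raise ValueError("byte out of range")
        return (dtype, value)
    if dtype in HEXBIN_DTYPES:
        return (dtype, bytes.fromhex(text))       # HEXBIN = xs:hexBinary
    if dtype == "character":
        if len(text) != 1:
            raise ValueError("character must be exactly one character")
        return (dtype, text)
    if dtype in ("date-time", "ntpstamp"):
        return (dtype, datetime.fromisoformat(text.replace("Z", "+00:00")))
    if dtype == "integer":
        return (dtype, int(text))
    if dtype == "portlist":
        return (dtype, parse_portlist(text))
    if dtype == "real":
        return (dtype, float(text))
    if dtype in STRING_DTYPES:
        return (dtype, text)
    if dtype == "file":
        return (dtype, base64.b64decode(text, validate=True))
    if dtype == "csv":
        return (dtype, next(csv.reader(io.StringIO(text))))
    if dtype == "xml":
        return (dtype, list(elem))                # child elements of the other schema
    raise ValueError("unknown dtype %r" % dtype)


def decode_fragment(fragment):
    """Decode one AdditionalData fragment, reporting failures as ("error", msg)."""
    try:
        return decode_extension(ET.fromstring(fragment))
    except (ValueError, KeyError) as exc:
        return ("error", str(exc))


def decode_additional_data(xml_text):
    """Map each AdditionalData (keyed by meaning, then name) to its decoded value."""
    out = {}
    for ad in ET.fromstring(xml_text).iter("AdditionalData"):
        key = ad.get("meaning") or ad.get("name") or "unnamed-%d" % len(out)
        out[key] = decode_extension(ad)
    return out
```

A recipient that cannot interpret an ext-dtype, or that receives content not valid for the declared dtype, should treat the element as undecodable rather than guess, which is what the strict decoders above do.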
716 3. The IODEF Information Model
718 The specifics of the IODEF information model are discussed in this
719 section. Each class and its relationships with the other classes are
720 described. When necessary, clarifications are made about translating
721 this information model to the schema in Section 8.
723 3.1. IODEF-Document Class
725 The IODEF-Document class is the top level class in the IODEF data
726 model. All IODEF documents are an instance of this class.
728 +--------------------------+
729 | IODEF-Document |
730 +--------------------------+
731 | STRING version |<>--{1..*}--[ Incident ]
732 | ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
733 | STRING format-id |
734 | STRING private-enum-name |
735 | STRING private-enum-id |
736 +--------------------------+
738 Figure 5: IODEF-Document Class
740 The aggregate classes of the IODEF-Document class are:
742 Incident
743 One or more. The information related to a single incident. See
744 Section 3.2.
746 AdditionalData
747 Zero or more. EXTENSION. Mechanism by which to extend the data
748 model.
750 The attributes of the IODEF-Document class are:
752 version
753 Required. STRING. The IODEF specification version number to
754 which this IODEF document conforms. The value of this attribute
755 MUST be "2.00".
757 xml:lang
758 Optional. ENUM. A language identifier per Section 2.12 of
759 [W3C.XML] whose values and form are described in [RFC5646]. The
760 interpretation of this code is described in Section 6.
762 format-id
763 Optional. STRING. A free-form string to convey processing
764 instructions to the recipient of the document. Its semantics must
765 be negotiated out-of-band.
767 private-enum-name
768 Optional. STRING. A globally unique identifier for the CSIRT
769 generating the document to deconflict private extensions used in
770 the document. The fully qualified domain name associated with the
771 CSIRT MUST be used as the identifier. See Section 5.3.
773 private-enum-id
774 Optional. STRING. An organizationally unique identifier for an
775 extension used in the document. If this attribute is set, the
776 private-enum-name MUST also be set. See Section 5.3.
778 3.2. Incident Class
780 The Incident class describes commonly exchanged information when
781 reporting or sharing derived analysis from security incidents.
783 +-------------------------+
784 | Incident |
785 +-------------------------+
786 | ENUM purpose |<>----------[ IncidentID ]
787 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
788 | ENUM status |<>--{0..*}--[ RelatedActivity ]
789 | STRING ext-status |<>--{0..1}--[ DetectTime ]
790 | ENUM xml:lang |<>--{0..1}--[ StartTime ]
791 | ENUM restriction |<>--{0..1}--[ EndTime ]
792 | STRING ext-restriction |<>--{0..1}--[ RecoveryTime ]
793 | ID observable-id |<>--{0..1}--[ ReportTime ]
794 | |<>----------[ GenerationTime ]
795 | |<>--{0..*}--[ Description ]
796 | |<>--{0..*}--[ Discovery ]
797 | |<>--{0..*}--[ Assessment ]
798 | |<>--{0..*}--[ Method ]
799 | |<>--{1..*}--[ Contact ]
800 | |<>--{0..*}--[ EventData ]
801 | |<>--{0..1}--[ IndicatorData ]
802 | |<>--{0..1}--[ History ]
803 | |<>--{0..*}--[ AdditionalData ]
804 +-------------------------+
806 Figure 6: The Incident Class
808 The aggregate classes of the Incident class are:
810 IncidentID
811 One. An incident tracking number assigned to this incident by the
812 CSIRT that generated the IODEF document. See Section 3.4.
814 AlternativeID
815 Zero or one. The incident tracking numbers used by other CSIRTs
816 to refer to the incident described in the document. See
817 Section 3.5.
819 RelatedActivity
820 Zero or more. Related activity and attribution of this activity.
821 See Section 3.6.
823 DetectTime
824 Zero or one. DATETIME. The time the incident was first detected.
826 StartTime
827 Zero or one. DATETIME. The time the incident started.
829 EndTime
830 Zero or one. DATETIME. The time the incident ended.
832 RecoveryTime
833 Zero or one. DATETIME. The time the site recovered from the
834 incident.
836 ReportTime
837 Zero or one. DATETIME. The time the incident was reported.
839 GenerationTime
840 One. DATETIME. The time the content in this Incident class was
841 generated.
843 Description
844 Zero or more. ML_STRING. A free-form text description of the
845 incident.
847 Discovery
848 Zero or more. The means by which this incident was detected. See
849 Section 3.10.
851 Assessment
852 Zero or more. A characterization of the impact of the incident.
853 See Section 3.12.
855 Method
856 Zero or more. The techniques used by the threat actor in the
857 incident. See Section 3.11.
859 Contact
860 One or more. Contact information for the parties involved in the
861 incident. See Section 3.9.
863 EventData
864 Zero or more. Description of the events comprising the incident.
865 See Section 3.14.
867 IndicatorData
868 Zero or one. Indicators from the analysis of an incident. See
869 Section 3.28.
871 History
872 Zero or one. A log of significant events or actions that occurred
873 during the course of handling the incident. See Section 3.13.
875 AdditionalData
876 Zero or more. EXTENSION. Mechanism by which to extend the data
877 model.
879 The attributes of the Incident class are:
881 purpose
882 Required. ENUM. The purpose attribute describes the rationale for
883 documenting the information in this class. It is
884 closely related to the Expectation class (Section 3.15). These
885 values are maintained in the "Incident-purpose" IANA registry per
886 Section 10.2. This attribute is defined as an enumerated list:
888 1. traceback. The Incident was sent for trace-back purposes.
890 2. mitigation. The Incident was sent to request aid in
891 mitigating the described activity.
893 3. reporting. The Incident was sent to comply with reporting
894 requirements.
896 4. watch. The Incident was sent to convey indicators that should
897 be monitored.
899 5. other. The Incident was sent for purposes specified in the
900 Expectation class.
902 6. ext-value. A value used to indicate that this attribute is
903 extended and the actual value is provided using the
904 corresponding ext-* attribute. See Section 5.1.1.
906 ext-purpose
907 Optional. STRING. A means by which to extend the purpose
908 attribute. See Section 5.1.1.
910 status
911 Optional. ENUM. The status attribute conveys the state in a
912 workflow where the incident is currently found. These values are
913 maintained in the "Incident-status" IANA registry per
914 Section 10.2. This attribute is defined as an enumerated list:
916 1. new. The Incident is newly reported and has not been
917 actioned.
919 2. in-progress. The contents of this Incident are under
920 investigation.
922 3. forwarded. The Incident has been forwarded to another party
923 for handling.
925 4. resolved. The investigation into the activity in this
926 Incident has concluded.
928 5. future. The described activity has not yet been detected.
930 6. ext-value. A value used to indicate that this attribute is
931 extended and the actual value is provided using the
932 corresponding ext-* attribute. See Section 5.1.1.
934 ext-status
935 Optional. STRING. A means by which to extend the status
936 attribute. See Section 5.1.1.
938 xml:lang
939 Optional. ENUM. A language identifier per Section 2.12 of
940 [W3C.XML] whose values and form are described in [RFC5646]. The
941 interpretation of this code is described in Section 6.
943 restriction
944 Optional. ENUM. See Section 3.3.1. The default value is
945 "private".
947 ext-restriction
948 Optional. STRING. A means by which to extend the restriction
949 attribute. See Section 5.1.1.
951 observable-id
952 Optional. ID. See Section 3.3.2.
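Sections 3.1 and 3.2 together fix the cardinalities and attribute rules a conformant document must satisfy: version MUST be "2.00", private-enum-id implies private-enum-name, each Incident carries exactly one IncidentID and GenerationTime and at least one Contact, and the purpose and status enumerations admit ext-value only alongside the matching ext-* attribute. The following Python is an added example (not the draft's or any implementation's code) that turns those rules into a structural checker. Both sample documents are constructed and omit the IODEF XML namespace.

```python
"""Structural conformance checks for IODEF-Document and Incident.

Added example, not part of the draft; it encodes the cardinalities and
attribute rules given in Sections 3.1 and 3.2. Samples are constructed and
omit the IODEF XML namespace.
"""
import xml.etree.ElementTree as ET

PURPOSE_VALUES = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
STATUS_VALUES = {"new", "in-progress", "forwarded", "resolved", "future", "ext-value"}
EXACTLY_ONE = ("IncidentID", "GenerationTime")
AT_MOST_ONE = ("AlternativeID", "DetectTime", "StartTime", "EndTime",
               "RecoveryTime", "ReportTime", "IndicatorData", "History")

GOOD_DOC = """<IODEF-Document version="2.00" xml:lang="en">
  <Incident purpose="reporting" status="new">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <GenerationTime>2016-03-01T12:00:00Z</GenerationTime>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""

# Constructed to violate several rules at once.
BAD_DOC = """<IODEF-Document version="1.00" private-enum-id="ext-1">
  <Incident status="ext-value">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <Description>no purpose, no GenerationTime, no Contact</Description>
  </Incident>
</IODEF-Document>"""


def check_enum(elem, attr, allowed, where):
    """An enumerated attribute must be a listed value; ext-value needs ext-<attr>."""
    value = elem.get(attr)
    if value is None:
        return []
    if value not in allowed:
        return [f"{where}: {attr}={value!r} is not an enumerated value"]
    if value == "ext-value" and not elem.get("ext-" + attr):
        return [f"{where}: {attr}=ext-value requires ext-{attr}"]
    return []


def check_incident(inc, where):
    """Cardinality and attribute rules of the Incident class."""
    problems = []
    if inc.get("purpose") is None:
        problems.append(f"{where}: purpose attribute is required")
    problems += check_enum(inc, "purpose", PURPOSE_VALUES, where)
    problems += check_enum(inc, "status", STATUS_VALUES, where)
    for tag in EXACTLY_ONE:
        n = len(inc.findall(tag))
        if n != 1:
            problems.append(f"{where}: expected exactly one {tag}, found {n}")
    if not inc.findall("Contact"):
        problems.append(f"{where}: at least one Contact is required")
    for tag in AT_MOST_ONE:
        n = len(inc.findall(tag))
        if n > 1:
            problems.append(f"{where}: at most one {tag} allowed, found {n}")
    return problems


def check_document(xml_text):
    """Return a list of conformance problems; an empty list means none found."""
    root = ET.fromstring(xml_text)
    if root.tag != "IODEF-Document":
        return [f"root element is {root.tag!r}, not IODEF-Document"]
    problems = []
    version = root.get("version")
    if version != "2.00":
        problems.append(f"IODEF-Document: version MUST be \"2.00\", got {version!r}")
    if root.get("private-enum-id") and not root.get("private-enum-name"):
        problems.append("IODEF-Document: private-enum-id requires private-enum-name")
    incidents = root.findall("Incident")
    if not incidents:
        problems.append("IODEF-Document: at least one Incident is required")
    for i, inc in enumerate(incidents):
        problems += check_incident(inc, f"Incident[{i}]")
    return problems


if __name__ == "__main__":
    for name, doc in (("GOOD_DOC", GOOD_DOC), ("BAD_DOC", BAD_DOC)):
        print(name, check_document(doc) or "OK")
```

These checks complement, rather than replace, validation against the XML schema of Section 8: the schema enforces element order and types, while rules such as "private-enum-id requires private-enum-name" or "ext-value requires ext-purpose" are co-occurrence constraints that the schema language cannot express.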
954 3.3. Common Attributes
956 There are a number of recurring attributes used in the information
957 model. They are documented in this section.
959 3.3.1. restriction Attribute
961 The restriction attribute indicates the disclosure guidelines to
962 which the sender expects the recipient to adhere for the information
963 represented in this class and its children. This guideline provides
964 no security since there are no technical means to ensure that the
965 recipient of the document handles the information as the sender
966 requested.
968 The value of this attribute is logically inherited by the children of
969 this class. That is to say, the disclosure rules applied to this
970 class, also apply to its children.
972 It is possible to set a granular disclosure policy, since all of the
973 high-level classes (i.e., children of the Incident class) have a
974 restriction attribute. Therefore, a child can override the
975 guidelines of a parent class, be it to restrict or relax the
976 disclosure rules (e.g., a child has a weaker policy than an ancestor;
977 or an ancestor has a weak policy, and the children selectively apply
978 more rigid controls). The implicit value of the restriction
979 attribute for a class that did not specify one can be found in the
980 closest ancestor that did specify a value.
982 This attribute is defined as an enumerated value with a default value
983 of "private". Note that the default value of the restriction
984 attribute is only defined in the context of the Incident class. In
985 other classes where this attribute is used, no default is specified.
987 These values are maintained in the "Restriction" IANA registry per
988 Section 10.2.
990 1. public. The information can be freely distributed without
991 restriction.
993 2. partner. The information may be shared within a closed
994 community of peers, partners, or affected parties, but cannot be
995 openly published.
997 3. need-to-know. The information may be shared only within the
998 organization with individuals that have a need to know.
1000 4. private. The information may not be shared.
1002 5. default. The information can be shared according to an
1003 information disclosure policy pre-arranged by the communicating
1004 parties.
1006 6. white. Same as 'public'.
1008 7. green. Same as 'partner'.
1010 8. amber. Same as 'need-to-know'.
1012 9. red. Same as 'private'.
1014 10. ext-value. A value used to indicate that this attribute is
1015 extended and the actual value is provided using the
1016 corresponding ext-* attribute. See Section 5.1.1.
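The inheritance rule above (a class without its own restriction takes the value of the closest ancestor that has one, the default "private" exists only on Incident, and the TLP-style colours are aliases for the four base values) is easy to get wrong in a processor. The following Python is an added example, not code from the draft: it resolves the effective restriction of every element in an Incident and reports the tightest level present. The sample is constructed and omits the IODEF XML namespace.

```python
"""Resolve the effective restriction of every element in an Incident.

Added example, not part of the draft. Implements the inheritance rule of
Section 3.3.1: a class without its own restriction takes the value of the
closest ancestor that has one, the default "private" exists only on
Incident, and the TLP-style colours are aliases. Sample is constructed and
omits the IODEF namespace.
"""
import xml.etree.ElementTree as ET

ALIASES = {"white": "public", "green": "partner", "amber": "need-to-know", "red": "private"}
RESTRICTION_VALUES = {"public", "partner", "need-to-know", "private",
                      "default", "ext-value"} | set(ALIASES)

# Constructed: an organisational Contact shared with partners, one analyst
# contact kept private, one inheriting, and a public Discovery.
SAMPLE = """<Incident purpose="reporting">
  <IncidentID name="csirt.example.com">189493</IncidentID>
  <Description>Scanning from a single source</Description>
  <Contact role="creator" type="organization" restriction="green">
    <ContactName>Example CSIRT</ContactName>
    <Contact role="tech" type="person" restriction="red">
      <ContactName>Analyst</ContactName>
    </Contact>
    <Contact role="admin" type="person">
      <ContactName>Manager</ContactName>
    </Contact>
  </Contact>
  <Discovery restriction="white">
    <Description>Honeypot</Description>
  </Discovery>
</Incident>"""


def own_restriction(elem):
    """The element's explicit restriction, normalised; None if it has none."""
    value = elem.get("restriction")
    if value is None:
        return None
    if value not in RESTRICTION_VALUES:
        raise ValueError(f"<{elem.tag}>: unknown restriction {value!r}")
    if value == "ext-value":
        ext = elem.get("ext-restriction")
        if not ext:
            raise ValueError(f"<{elem.tag}>: restriction=ext-value requires ext-restriction")
        return "ext:" + ext
    return ALIASES.get(value, value)


def effective_restrictions(xml_text):
    """Map an XPath-like path of every element to its effective restriction.

    The value is None when nothing applies (no explicit value on the element
    or any ancestor, and the root is not an Incident).
    """
    result = {}

    def walk(elem, inherited, path):
        current = own_restriction(elem)
        if current is None:
            current = inherited                      # closest ancestor that set one
        if current is None and elem.tag == "Incident":
            current = "private"                      # default defined only for Incident
        result[path] = current
        seen = {}
        for child in elem:
            i = seen.get(child.tag, 0)
            seen[child.tag] = i + 1
            walk(child, current, f"{path}/{child.tag}[{i}]")

    root = ET.fromstring(xml_text)
    walk(root, None, root.tag)
    return result


def most_restrictive(xml_text):
    """Tightest base level in the document, a bound to apply before onward sharing.

    "default" and ext:* values are skipped: their ordering is agreed out-of-band.
    """
    order = ["public", "partner", "need-to-know", "private"]
    levels = [v for v in effective_restrictions(xml_text).values() if v in order]
    return max(levels, key=order.index) if levels else None
```

Because the guideline carries no technical enforcement, the practical use of this resolution is on the receiving side: a sharing platform can strip or redact subtrees whose effective level exceeds what the next recipient is cleared for, instead of forwarding the document whole.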
1018 3.3.2. observable-id Attribute
1020 The observable-id attribute tags information in the document as an
1021 observable so that it can be referenced later in the description of
1022 an indicator. The value of this attribute is a unique identifier in
1023 the scope of the document. It is used by the ObservableReference
1024 class to enumerate observables when defining an indicator with the
1025 IndicatorData class.
1027 3.4. IncidentID Class
1029 The IncidentID class represents a tracking number that is unique in
1030 the context of the CSIRT. It serves as an identifier for an incident
1031 or a document identifier when sharing indicators. This identifier
1032 would serve as an index into a CSIRT's incident handling or knowledge
1033 management system.
1035 The combination of the name attribute and the string in the element
1036 content MUST be a globally unique identifier describing the activity.
1037 Documents generated by a given CSIRT MUST NOT reuse the same value
1038 unless they are referencing the same incident.
1040 +------------------------+
1041 | IncidentID |
1042 +------------------------+
1043 | STRING |
1044 | |
1045 | STRING name |
1046 | STRING instance |
1047 | ENUM restriction |
1048 | STRING ext-restriction |
1049 +------------------------+
1051 Figure 7: The IncidentID Class
1053 The content of the class is an incident identifier of type STRING.
1055 The attributes of the IncidentID class are:
1057 name
1058 Required. STRING. An identifier describing the CSIRT that
1059 created the document. In order to have a globally unique CSIRT
1060 name, the fully qualified domain name associated with the CSIRT
1061 MUST be used.
1063 instance
1064 Optional. STRING. An identifier referencing a subset of the
1065 named incident.
1067 restriction
1068 Optional. ENUM. See Section 3.3.1.
1070 ext-restriction
1071 Optional. STRING. A means by which to extend the restriction
1072 attribute. See Section 5.1.1.
1074 3.5. AlternativeID Class
1076 The AlternativeID class lists the tracking numbers used by CSIRTs,
1077 other than the one generating the document, to refer to the identical
1078 activity described in the IODEF document. A tracking number listed
1079 as an AlternativeID references the same incident detected by another
1080 CSIRT. The tracking numbers of the CSIRT that generated the IODEF
1081 document must never be considered an AlternativeID.
1083 +------------------------+
1084 | AlternativeID |
1085 +------------------------+
1086 | ENUM restriction |<>--{1..*}--[ IncidentID ]
1087 | STRING ext-restriction |
1088 +------------------------+
1090 Figure 8: The AlternativeID Class
1092 The aggregate class of the AlternativeID class is:
1094 IncidentID
1095 One or more. The tracking number of another CSIRT. See
1096 Section 3.4.
1098 The attributes of the AlternativeID class are:
1100 restriction
1101 Optional. ENUM. See Section 3.3.1.
1103 ext-restriction
1104 Optional. STRING. A means by which to extend the restriction
1105 attribute. See Section 5.1.1.
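Sections 3.4 and 3.5 give three rules a receiving CSIRT can check mechanically: the name attribute MUST be the originating CSIRT's fully qualified domain name, the pair of name and element content MUST be globally unique, and the originator's own tracking numbers must never appear as an AlternativeID. The following Python is an added example (not code from the draft): it derives a canonical correlation key from each IncidentID, enforces those rules, and looks the keys up in a locally kept index of incidents already known. The sample document, the index contents, and the tracking numbers are constructed, and the IODEF XML namespace is omitted.

```python
"""Build correlation keys from IncidentID and AlternativeID elements.

Added example, not part of the draft. Sections 3.4 and 3.5 require the
CSIRT name to be its FQDN, the (name, content) pair to be globally unique,
and the originating CSIRT's own tracking numbers never to appear as an
AlternativeID; this code derives keys and enforces those rules against a
locally kept index of incidents already known. Sample data are constructed
and omit the IODEF namespace.
"""
import re
import xml.etree.ElementTree as ET

# Practical FQDN check: dotted labels of 1-63 ASCII letters, digits or hyphens.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$", re.I)

SAMPLE = """<Incident purpose="reporting">
  <IncidentID name="csirt.example.com" instance="5">189493</IncidentID>
  <AlternativeID>
    <IncidentID name="cert.example.net">CERT-2016-0042</IncidentID>
    <IncidentID name="csirt.example.com">189000</IncidentID>
  </AlternativeID>
  <RelatedActivity>
    <IncidentID name="csirt.example.com">188120</IncidentID>
  </RelatedActivity>
</Incident>"""

# Constructed local index: keys of incidents this CSIRT already tracks.
KNOWN_INCIDENTS = {"csirt.example.com:188120", "cert.example.net:CERT-2016-0042"}


def incident_key(id_elem, with_instance=False):
    """Canonical "name:content" key; "#instance" is appended when requested."""
    name = (id_elem.get("name") or "").strip().lower()
    content = (id_elem.text or "").strip()
    if not FQDN_RE.match(name):
        raise ValueError(f"IncidentID name {name!r} is not a fully qualified domain name")
    if not content:
        raise ValueError("IncidentID content must not be empty")
    key = f"{name}:{content}"
    instance = id_elem.get("instance")
    if with_instance and instance:
        key += "#" + instance
    return key


def correlate(xml_text, known):
    """Own key, alternative and related keys, matches in the index, and rule violations."""
    inc = ET.fromstring(xml_text)
    problems = []

    def key_of(elem):
        try:
            return incident_key(elem)
        except ValueError as exc:
            problems.append(str(exc))
            return None

    own_elem = inc.find("IncidentID")
    if own_elem is None:
        problems.append("Incident has no IncidentID")
    own = key_of(own_elem) if own_elem is not None else None
    own_name = own.split(":", 1)[0] if own else None

    alternatives, related = [], []
    for alt in inc.findall("AlternativeID/IncidentID"):
        key = key_of(alt)
        if key is None:
            continue
        if key.split(":", 1)[0] == own_name:
            problems.append(f"AlternativeID {key} belongs to the originating CSIRT")
        else:
            alternatives.append(key)
    for rel in inc.findall("RelatedActivity/IncidentID"):
        key = key_of(rel)
        if key is not None:
            related.append(key)

    return {
        "own": own,
        "own_with_instance": incident_key(own_elem, with_instance=True) if own else None,
        "alternatives": alternatives,
        "related": related,
        "known": sorted(k for k in alternatives + related if k in known),
        # Reuse of our own key is legitimate only for the same incident, so flag for review.
        "review": [own] if own and own in known else [],
        "problems": problems,
    }
```

The instance attribute is deliberately kept out of the correlation key: it narrows a reference to a subset of the named incident, so two documents that differ only in instance still refer to the same incident record.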
1107 3.6. RelatedActivity Class
1109 The RelatedActivity class relates the information described in the
1110 rest of the document to previously observed incidents or activity
1111 and allows attribution to a specific actor or campaign.
1113 +------------------------+
1114 | RelatedActivity |
1115 +------------------------+
1116 | ENUM restriction |<>--{0..*}--[ IncidentID ]
1117 | STRING ext-restriction |<>--{0..*}--[ URL ]
1118 | |<>--{0..*}--[ ThreatActor ]
1119 | |<>--{0..*}--[ Campaign ]
1120 | |<>--{0..*}--[ IndicatorID ]
1121 | |<>--{0..1}--[ Confidence ]
1122 | |<>--{0..*}--[ Description ]
1123 | |<>--{0..*}--[ AdditionalData ]
1124 +------------------------+
1126 Figure 9: RelatedActivity Class
1128 The aggregate classes of the RelatedActivity class are:
1130 IncidentID
1131 Zero or more. The tracking number of a related incident. See
1132 Section 3.4.
1134 URL
1135 Zero or more. URL. A URL to activity related to this incident.
1137 ThreatActor
1138 Zero or more. The threat actor to whom the incident activity is
1139 attributed. See Section 3.7.
1141 Campaign
1142 Zero or more. The campaign of a given threat actor to whom the
1143 described activity is attributed. See Section 3.8.
1145 IndicatorID
1146 Zero or more. A reference to a related indicator. See
1147 Section 3.4.
1149 Confidence
1150 Zero or one. An estimate of the confidence in attributing this
1151 RelatedActivity to the events described in the document. See
1152 Section 3.12.5.
1154 Description
1155 Zero or more. ML_STRING. A description of how these
1156 relationships were derived.
1158 AdditionalData
1159 Zero or more. EXTENSION. A mechanism by which to extend the data
1160 model.
1162 The RelatedActivity class MUST have at least one instance of any of
1163 the following child classes: IncidentID, URL, ThreatActor, Campaign,
1164 Description or AdditionalData.
1166 The attributes of the RelatedActivity class are:
1168 restriction
1169 Optional. ENUM. See Section 3.3.1.
1171 ext-restriction
1172 Optional. STRING. A means by which to extend the restriction
1173 attribute. See Section 5.1.1.
1175 3.7. ThreatActor Class
1177 The ThreatActor class describes a threat actor.
1179 +------------------------+
1180 | ThreatActor |
1181 +------------------------+
1182 | ENUM restriction |<>--{0..*}--[ ThreatActorID ]
1183 | STRING ext-restriction |<>--{0..*}--[ URL ]
1184 | |<>--{0..*}--[ Description ]
1185 | |<>--{0..*}--[ AdditionalData ]
1186 +------------------------+
1188 Figure 10: ThreatActor Class
1190 The aggregate classes of the ThreatActor class are:
1192 ThreatActorID
1193 Zero or more. STRING. An identifier for the threat actor.
1195 URL
1196 Zero or more. URL. A URL to a reference describing the threat
1197 actor.
1199 Description
1200 Zero or more. ML_STRING. A description of the threat actor.
1202 AdditionalData
1203 Zero or more. EXTENSION. A mechanism by which to extend the data
1204 model.
1206 The ThreatActor class MUST have at least one instance of a child
1207 class.
1209 The attributes of the ThreatActor class are:
1211 restriction
1212 Optional. ENUM. See Section 3.3.1.
1214 ext-restriction
1215 Optional. STRING. A means by which to extend the restriction
1216 attribute. See Section 5.1.1.
1218 3.8. Campaign Class
1220 The Campaign class describes a campaign of attacks by a threat actor.
1222 +------------------------+
1223 | Campaign |
1224 +------------------------+
1225 | ENUM restriction |<>--{0..*}--[ CampaignID ]
1226 | STRING ext-restriction |<>--{0..*}--[ URL ]
1227 | |<>--{0..*}--[ Description ]
1228 | |<>--{0..*}--[ AdditionalData ]
1229 +------------------------+
1231 Figure 11: Campaign Class
1233 The aggregate classes of the Campaign class are:
1235 CampaignID
1236 Zero or more. STRING. An identifier for the campaign.
1238 URL
1239 Zero or more. URL. A URL to a reference describing the campaign.
1241 Description
1242 Zero or more. ML_STRING. A description of the campaign.
1244 AdditionalData
1245 Zero or more. EXTENSION. A mechanism by which to extend the data
1246 model.
1248 The Campaign class MUST have at least one instance of a child class.
1250 The attributes of the Campaign class are:
1252 restriction
1253 Optional. ENUM. See Section 3.3.1.
1255 ext-restriction
1256 Optional. STRING. A means by which to extend the restriction
1257 attribute. See Section 5.1.1.
1259 3.9. Contact Class
1261 The Contact class describes contact information for organizations and
1262 personnel involved in the incident. This class allows for the naming
1263 of the involved party, specifying contact information for them, and
1264 identifying their role in the incident.
1266 People and organizations are treated interchangeably as contacts; one
1267 can be associated with the other using the recursive definition of
1268 the class (the Contact class is aggregated into the Contact class).
1269 The 'type' attribute disambiguates the type of contact information
1270 being provided.
1272 The recursive definition of Contact provides a way to relate
1273 information without requiring the explicit use of identifiers or
1274 duplication of data. A complete point of contact is derived by a
1275 particular traversal from the root Contact class to the leaf Contact
1276 class. Each child Contact class logically inherits contact
1277 information from its ancestors.
1279 +------------------------+
1280 | Contact |
1281 +------------------------+
1282 | ENUM role |<>--{0..*}--[ ContactName ]
1283 | STRING ext-role |<>--{0..*}--[ ContactTitle ]
1284 | ENUM type |<>--{0..*}--[ Description ]
1285 | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
1286 | ENUM restriction |<>--{0..1}--[ PostalAddress ]
1287 | STRING ext-restriction |<>--{0..*}--[ Email ]
1288 | |<>--{0..*}--[ Telephone ]
1289 | |<>--{0..1}--[ Timezone ]
1290 | |<>--{0..*}--[ Contact ]
1291 | |<>--{0..*}--[ AdditionalData ]
1292 +------------------------+
1294 Figure 12: The Contact Class
1296 The aggregate classes of the Contact class are:
1298 ContactName
1299 Zero or more. ML_STRING. The name of the contact. The contact
1300 may either be an organization or a person. The type attribute
1301 disambiguates the semantics.
1303 ContactTitle
1304 Zero or more. ML_STRING. The title for the individual named in
1305 the ContactName.
1307 Description
1308 Zero or more. ML_STRING. A free-form text description of the
1309 contact.
1311 RegistryHandle
1312 Zero or more. A handle name into the registry of the contact.
1313 See Section 3.9.1.
1315 PostalAddress
1316 Zero or more. The postal address of the contact. See
1317 Section 3.9.2.
1319 Email
1320 Zero or more. The email address of the contact. See
1321 Section 3.9.3.
1323 Telephone
1324 Zero or more. The telephone number of the contact. See
1325 Section 3.9.4.
1327 Timezone
1328 Zero or one. TIMEZONE. The timezone in which the contact
1329 resides.
1331 Contact
1332 Zero or more. A recursive definition of the Contact class. This
1333 definition can be used to group common data pertaining to multiple
1334 points of contact and is especially useful when listing multiple
1335 contacts at the same organization.
1337 AdditionalData
1338 Zero or more. EXTENSION. A mechanism by which to extend the data
1339 model.
1341 At least one of the aggregate classes MUST be present in an instance
1342 of the Contact class.
1344 The attributes of the Contact class are:
1346 role
1347 Required. ENUM. Indicates the role the contact fulfills. These
1348 values are maintained in the "Contact-role" IANA registry per
1349 Section 10.2.
1351 1. creator. The entity that generated the document.
1353 2. reporter. The entity that reported the information.
1355 3. admin. An administrative contact or business owner for an
1356 asset or organization.
1358 4. tech. An entity responsible for the day-to-day management of
1359 technical issues for an asset or organization.
1361 5. provider. An external hosting provider for an asset.
1363 6. zone. An entity with authority over a DNS zone.
1365 7. user. An end-user of an asset or part of an organization.
1367 8. billing. An entity responsible for billing issues for an
1368 asset or organization.
1370 9. legal. An entity responsible for legal issues related to an
1371 asset or organization.
1373 10. irt. An entity responsible for handling security issues for
1374 an asset or organization.
1376 11. abuse. An entity responsible for handling abuse originating
1377 from an asset or organization.
1379 12. cc. An entity that is to be kept informed about the events
1380 related to an asset or organization.
1382 13. cc-irt. A CSIRT or information sharing organization
1383 coordinating activity related to an asset or organization.
1385 14. leo. A law enforcement organization supporting the
1386 investigation of activity affecting an asset or organization.
1388 15. vendor. The vendor that produces an asset.
1390 16. vendor-support. A vendor that provides services.
1392 17. victim. A victim in the incident.
1394 18. victim-notified. A victim in the incident who has been
1395 notified.
1397 19. ext-value. A value used to indicate that this attribute is
1398 extended and the actual value is provided using the
1399 corresponding ext-* attribute. See Section 5.1.1.
1401 ext-role
1402 Optional. STRING. A means by which to extend the role attribute.
1403 See Section 5.1.1.
1405 type
1406 Required. ENUM. Indicates the type of contact being described.
1407 This attribute is defined as an enumerated list. These values are
1408 maintained in the "Contact-type" IANA registry per Section 10.2.
1410 1. person. The information for this contact references an
1411 individual.
1413 2. organization. The information for this contact references an
1414 organization.
1416 3. ext-value. A value used to indicate that this attribute is
1417 extended and the actual value is provided using the
1418 corresponding ext-* attribute. See Section 5.1.1.
1420 ext-type
1421 Optional. STRING. A means by which to extend the type attribute.
1422 See Section 5.1.1.
1424 restriction
1425 Optional. ENUM. See Section 3.3.1.
1427 ext-restriction
1428 Optional. STRING. A means by which to extend the restriction
1429 attribute. See Section 5.1.1.
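The recursive Contact definition described at the start of this section means a document does not list complete points of contact; a reader derives each one by walking from the root Contact to a leaf Contact and letting every child inherit its ancestors' information. The following Python is an added example (not code from the draft) that performs that traversal and also applies the rules stated above: role and type are required, and every Contact must carry at least one aggregate class. The sample Contact tree is constructed (names, numbers and addresses are placeholders) and omits the IODEF XML namespace.

```python
"""Derive complete points of contact from the recursive Contact class.

Added example, not part of the draft. Section 3.9 says a complete point of
contact is the traversal from the root Contact to a leaf Contact, each child
inheriting its ancestors' information, and that every Contact must carry at
least one aggregate class. Sample is constructed and omits the namespace.
"""
import xml.etree.ElementTree as ET

SAMPLE = """<Contact role="creator" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress type="street"><PAddress>1 Example Way, Example City</PAddress></PostalAddress>
  <Telephone type="hotline"><TelephoneNumber>+1 555 0100</TelephoneNumber></Telephone>
  <Timezone>+00:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice Analyst</ContactName>
    <Email type="direct"><EmailTo>alice@csirt.example.com</EmailTo></Email>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>Bob Manager</ContactName>
    <Email type="direct"><EmailTo>bob@csirt.example.com</EmailTo></Email>
    <Telephone type="mobile"><TelephoneNumber>+1 555 0199</TelephoneNumber></Telephone>
  </Contact>
</Contact>"""

# Aggregate classes whose value sits in a nested element rather than in text.
VALUE_CHILD = {"PostalAddress": "PAddress", "Email": "EmailTo", "Telephone": "TelephoneNumber"}
AGGREGATES = {"ContactName", "ContactTitle", "Description", "RegistryHandle", "PostalAddress",
              "Email", "Telephone", "Timezone", "Contact", "AdditionalData"}


def own_fields(contact):
    """This Contact's own (type, value) pairs per aggregate class, nested Contacts excluded."""
    fields = {}
    for child in contact:
        if child.tag in ("Contact", "AdditionalData"):
            continue
        value = child.findtext(VALUE_CHILD[child.tag]) if child.tag in VALUE_CHILD else child.text
        fields.setdefault(child.tag, []).append((child.get("type"), (value or "").strip()))
    return fields


def flatten_contacts(xml_text):
    """One dict per leaf Contact: the role/type chain plus inherited and own fields."""
    points = []

    def walk(contact, inherited, chain):
        merged = {k: list(v) for k, v in inherited.items()}
        for tag, values in own_fields(contact).items():
            merged.setdefault(tag, []).extend(values)        # ancestors first, own last
        chain = chain + [(contact.get("role"), contact.get("type"))]
        children = contact.findall("Contact")
        if not children:
            points.append({"chain": chain, **merged})         # a leaf: one complete point of contact
        for child in children:
            walk(child, merged, chain)

    walk(ET.fromstring(xml_text), {}, [])
    return points


def contact_problems(xml_text):
    """Rule checks for every Contact in the tree: required attributes and at-least-one aggregate."""
    problems = []
    root = ET.fromstring(xml_text)
    for i, contact in enumerate(root.iter("Contact")):
        where = f"Contact#{i} (role={contact.get('role')!r})"
        for attr in ("role", "type"):
            if contact.get(attr) is None:
                problems.append(f"{where}: {attr} attribute is required")
        if not any(child.tag in AGGREGATES for child in contact):
            problems.append(f"{where}: at least one aggregate class is required")
    return problems
```

Inherited values are kept in order with the ancestors' entries first, so a consumer can tell an organisation-wide hotline from a person's own number without the document having to repeat either.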
1431 3.9.1. RegistryHandle Class
1433 The RegistryHandle class represents a handle into an Internet
1434 registry or community-specific database.
1436 +---------------------+
1437 | RegistryHandle |
1438 +---------------------+
1439 | STRING |
1440 | |
1441 | ENUM registry |
1442 | STRING ext-registry |
1443 +---------------------+
1445 Figure 13: The RegistryHandle Class
1447 The content of the class is a handle into a registry of type STRING.
1449 The attributes of the RegistryHandle class are:
1451 registry
1452 Required. ENUM. The database to which the handle belongs. These
1453 values are maintained in the "RegistryHandle-registry" IANA
1454 registry per Section 10.2. The possible values are:
1456 1. internic. Internet Network Information Center
1458 2. apnic. Asia Pacific Network Information Center
1460 3. arin. American Registry for Internet Numbers
1462 4. lacnic. Latin-American and Caribbean IP Address Registry
1464 5. ripe. Reseaux IP Europeens
1466 6. afrinic. African Internet Numbers Registry
1468 7. local. A database local to the CSIRT
1470 8. ext-value. A value used to indicate that this attribute is
1471 extended and the actual value is provided using the
1472 corresponding ext-* attribute. See Section 5.1.1.
1474 ext-registry
1475 Optional. STRING. A means by which to extend the registry
1476 attribute. See Section 5.1.1.
1478 3.9.2. PostalAddress Class
1480 The PostalAddress class specifies a postal address and associated
1481 annotation.
1483 +--------------------+
1484 | PostalAddress |
1485 +--------------------+
1486 | ENUM type |<>----------[ PAddress ]
1487 | STRING ext-type |<>--{0..*}--[ Description ]
1488 +--------------------+
1490 Figure 14: The PostalAddress Class
1492 The aggregate classes of the PostalAddress class are:
1494 PAddress
1495 One. POSTAL. A postal address.
1497 Description
1498 Zero or more. ML_STRING. A free-form text description of the
1499 address.
1501 The attributes of the PostalAddress class are:
1503 type
1504 Optional. ENUM. Categorizes the type of address described in the
1505 PAddress class. These values are maintained in the
1506 "PostalAddress-type" IANA registry per Section 10.2.
1508 1. street. An address describing a physical location.
1510 2. mailing. An address to which correspondence should be sent.
1512 3. ext-value. A value used to indicate that this attribute is
1513 extended and the actual value is provided using the
1514 corresponding ext-* attribute. See Section 5.1.1.
1516 ext-type
1517 Optional. STRING. A means by which to extend the type attribute.
1518 See Section 5.1.1.
1520 3.9.3. Email Class
1522 The Email class specifies an email address and associated annotation.
1524 +--------------------+
1525 | Email |
1526 +--------------------+
1527 | ENUM type |<>----------[ EmailTo ]
1528 | STRING ext-type |<>--{0..*}--[ Description ]
1529 +--------------------+
1531 Figure 15: The Email Class
1533 The aggregate classes of the Email class are:
1535 EmailTo
1536 One. EMAIL. An email address.
1538 Description
1539 Zero or more. ML_STRING. A free-form text description of the
1540 email address.
1542 The attributes of the Email class are:
1544 type
1545 Optional. ENUM. Categorizes the type of email address described
1546 in the EmailTo class. These values are maintained in the "Email-
1547 type" IANA registry per Section 10.2.
1549 1. direct. An email address of an individual.
1551 2. hotline. An email address regularly monitored for operational
1552 purposes.
1554 3. ext-value. A value used to indicate that this attribute is
1555 extended and the actual value is provided using the
1556 corresponding ext-* attribute. See Section 5.1.1.
1558 ext-type
1559 Optional. STRING. A means by which to extend the type attribute.
1560 See Section 5.1.1.
1562 3.9.4. Telephone Class
1564 The Telephone class describes a telephone number and associated
1565 annotation.
1567 +--------------------+
1568 | Telephone |
1569 +--------------------+
1570 | ENUM type |<>----------[ TelephoneNumber ]
1571 | STRING ext-type |<>--{0..*}--[ Description ]
1572 +--------------------+
1574 Figure 16: The Telephone Class
1576 The aggregate classes of the Telephone class are:
1578 TelephoneNumber
1579 One. PHONE. A telephone number.
1581 Description
1582 Zero or more. ML_STRING. A free-form text description of the
1583 phone number.
1585 The attributes of the Telephone class are:
1587 type
1588 Optional. ENUM. Categorizes the type of telephone number
1589 described in the TelephoneNumber class. These values are
1590 maintained in the "Telephone-type" IANA registry per Section 10.2.
1592 1. wired. A number of a wire-line (land-line) phone.
1594 2. mobile. A number of a mobile phone.
1596 3. fax. A number to a fax machine.
1598 4. hotline. A number to a regularly monitored operational
1599 hotline.
1601 5. ext-value. A value used to indicate that this attribute is
1602 extended and the actual value is provided using the
1603 corresponding ext-* attribute. See Section 5.1.1.
1605 ext-type
1606 Optional. STRING. A means by which to extend the type attribute.
1607 See Section 5.1.1.
1609 3.10. Discovery Class
1611 The Discovery class describes how an incident was detected.
1613 +------------------------+
1614 | Discovery |
1615 +------------------------+
1616 | ENUM source |<>--{0..*}--[ Description ]
1617 | STRING ext-source |<>--{0..*}--[ Contact ]
1618 | ENUM restriction |<>--{0..*}--[ DetectionPattern ]
1619 | STRING ext-restriction |
1620 +------------------------+
1622 Figure 17: The Discovery Class
1624 The aggregate classes of the Discovery class are:
1626 Description
1627 Zero or more. ML_STRING. A free-form text description of how
1628 this incident was detected.
1630 Contact
1631 Zero or more. Contact information for the party that discovered
1632 the incident. See Section 3.9.
1634 DetectionPattern
1635 Zero or more. Describes an application-specific configuration
1636 that detected the incident. See Section 3.10.1.
1638 The attributes of the Discovery class are:
1640 source
1641 Optional. ENUM. Categorizes the techniques used to discover the
1642 incident. These values are partially derived from Table 3-1 of
1643 [NIST800.61rev2]. These values are maintained in the "Discovery-
1644 source" IANA registry per Section 10.2.
1646 1. nidps. Network Intrusion Detection or Prevention system.
1648 2. hips. Host-based Intrusion Prevention system.
1650 3. siem. Security Information and Event Management System.
1652 4. av. Antivirus or antispam software.
1654 5. third-party-monitoring. Contracted third-party monitoring
1655 service.
1657 6. incident. The activity was discovered while investigating an
1658 unrelated incident.
1660 7. os-log. Operating system logs.
1662 8. application-log. Application logs.
1664 9. device-log. Network device logs.
1666 10. network-flow. Network flow analysis.
1668 11. passive-dns. Passive DNS analysis.
1670 12. investigation. Manual investigation initiated based on
1671 notification of a new vulnerability or exploit.
1673 13. audit. Security audit.
1675 14. internal-notification. A party within the organization
1676 reported the activity.
1678 15. external-notification. A party outside of the organization
1679 reported the activity.
1681 16. leo. A law enforcement organization notified the victim
1682 organization.
1684 17. partner. A customer or business partner reported the
1685 activity to the victim organization.
1687 18. actor. The threat actor directly or indirectly reported this
1688 activity to the victim organization.
1690 19. unknown. Unknown detection approach.
1692 20. ext-value. A value used to indicate that this attribute is
1693 extended and the actual value is provided using the
1694 corresponding ext-* attribute. See Section 5.1.1.
1696 ext-source
1697 Optional. STRING. A means by which to extend the source
1698 attribute. See Section 5.1.1.
1700 restriction
1701 Optional. ENUM. See Section 3.3.1.
1703 ext-restriction
1704 Optional. STRING. A means by which to extend the restriction
1705 attribute. See Section 5.1.1.
1707 3.10.1. DetectionPattern Class
1709 The DetectionPattern class describes a configuration or signature
1710 that can be used by an IDS/IPS, SIEM, anti-virus, end-point
1711 protection, network analysis, malware analysis, or host forensics
1712 tool to identify a particular phenomenon. This class requires the
1713 identification of the target application and allows the configuration
1714 to be described in either free-form or machine-readable form.
1716 +------------------------+
1717 | DetectionPattern |
1718 +------------------------+
1719 | ENUM restriction |<>----------[ Application ]
1720 | STRING ext-restriction |<>--{0..*}--[ Description ]
1721 | |<>--{0..*}--[ DetectionConfiguration ]
1722 +------------------------+
1724 Figure 18: The DetectionPattern Class
1726 The aggregate classes of the DetectionPattern class are:
1728 Application
1729 One. SOFTWARE. The application for which the
1730 DetectionConfiguration or Description is being provided.
1732 Description
1733 Zero or more. ML_STRING. A free-form text description of how to
1734 use the Application or provided DetectionConfiguration.
1736 DetectionConfiguration
1737 Zero or more. STRING. A machine consumable configuration to find
1738 a pattern of activity.
1740 At least one instance of either the Description or the
1741 DetectionConfiguration class MUST be present.
1743 The attributes of the DetectionPattern class are:
1745 restriction
1746 Optional. ENUM. See Section 3.3.1.
1748 ext-restriction
1749 Optional. STRING. A means by which to extend the restriction
1750 attribute. See Section 5.1.1.
1752 3.11. Method Class
1754 The Method class describes the tactics, techniques, procedures, or
1755 weaknesses used by the threat actor in an incident. This class
1756 consists of both a list of references describing the attack methods
1757 and weaknesses and a free-form text description.
1759 +------------------------+
1760 | Method |
1761 +------------------------+
1762 | ENUM restriction |<>--{0..*}--[ Reference ]
1763 | STRING ext-restriction |<>--{0..*}--[ Description ]
1764 | |<>--{0..*}--[ sci:AttackPattern ]
1765 | |<>--{0..*}--[ sci:Vulnerability ]
1766 | |<>--{0..*}--[ sci:Weakness ]
1767 | |<>--{0..*}--[ AdditionalData ]
1768 +------------------------+
1770 Figure 19: The Method Class
1772 The aggregate classes of the Method class are:
1774 Reference
1775 Zero or more. A reference to a vulnerability, malware sample,
1776 advisory, or analysis of an attack technique. See Section 3.11.1.
1778 Description
1779 Zero or more. ML_STRING. A free-form text description of
1780 techniques, tactics, or procedures used by the threat actor.
1782 sci:AttackPattern
1783 Zero or more. A reference to a pattern of attack or exploitation
1784 per [RFC-SCI].
1786 sci:Vulnerability
1787 Zero or more. A reference to a vulnerability per [RFC-SCI].
1789 sci:Weakness
1790 Zero or more. A reference to the exploited weakness per [RFC-SCI].
1792 AdditionalData
1793 Zero or more. EXTENSION. A mechanism by which to extend the data
1794 model.
1796 At least one instance of one of these child classes MUST be present.
1798 The attributes of the Method class are:
1800 restriction
1801 Optional. ENUM. See Section 3.3.1.
1803 ext-restriction
1804 Optional. STRING. A means by which to extend the restriction
1805 attribute. See Section 5.1.1.
1807 3.11.1. Reference Class
1809 The Reference class is an external reference to relevant information
1810 such as a vulnerability, IDS alert, malware sample, advisory, or
1811 attack technique.
1813 +-------------------------+
1814 | Reference |
1815 +-------------------------+
1816 | ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
1817 | |<>--{0..*}--[ URL ]
1818 | |<>--{0..*}--[ Description ]
1819 +-------------------------+
1821 Figure 20: The Reference Class
1823 The aggregate classes of the Reference class are:
1825 enum:ReferenceName
1826 Zero or one. Reference identifier per [RFC-ENUM].
1828 URL
1829 Zero or more. URL. A URL to a reference.
1831 Description
1832 Zero or more. ML_STRING. A free-form text description of this
1833 reference.
1835 At least one of these classes MUST be present.
1837 The attribute of the Reference class is:
1839 observable-id
1840 Optional. ID. See Section 3.3.2.
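The DetectionPattern (Section 3.10.1), Method (Section 3.11) and Reference (Section 3.11.1) classes each carry a co-occurrence rule stated with MUST ("at least one of these children") that a grammar alone does not enforce, so an ingest path needs its own check. The following is an added example written for this page, not code from the draft or from any IODEF implementation: it builds the fragments with ElementTree and validates those rules. The namespace URI, the inner shape of the SOFTWARE-typed Application element and the IDS rule text are assumptions for illustration and are not taken from this page.

```python
"""Build Discovery/DetectionPattern and Method/Reference fragments and check
the co-occurrence rules of Sections 3.10.1, 3.11 and 3.11.1.  Added example
for this page; not code from the draft or any IODEF implementation.
ASSUMPTIONS: the namespace URI, the inner shape of the SOFTWARE-typed
Application element and the IDS rule text are illustrative only."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"      # assumed IODEF v2 namespace URI
ET.register_namespace("iodef", NS)


def q(name):
    """Clark-notation tag for an element in the IODEF namespace."""
    return "{%s}%s" % (NS, name)


def local(tag):
    """Local part of a possibly namespace-qualified tag."""
    return tag.rsplit("}", 1)[-1]


def new(name, **attrs):
    return ET.Element(q(name), attrs)


def sub(parent, name, text=None, **attrs):
    el = ET.SubElement(parent, q(name), attrs)
    el.text = text
    return el


def build_discovery():
    """Discovery (source="nidps") with a DetectionPattern carrying both a
    free-form Description and a machine-consumable DetectionConfiguration."""
    disc = new("Discovery", source="nidps", restriction="private")
    sub(disc, "Description", "Alert raised by the perimeter NIDS sensor")  # constructed
    dp = sub(disc, "DetectionPattern", restriction="need-to-know")
    app = sub(dp, "Application")                  # SOFTWARE type; exactly one
    sub(app, "Description", "Snort 2.9 sensor")   # assumed inner shape of SOFTWARE
    sub(dp, "Description", "Load the rule below on the border sensor")
    # Constructed Snort-style rule; 192.0.2.0/24 is the RFC 5737 documentation range.
    sub(dp, "DetectionConfiguration",
        'alert tcp any any -> 192.0.2.10 445 (msg:"example SMB probe"; sid:1000001;)')
    return disc


def build_method():
    """Method with a Description and one Reference pointing at an advisory."""
    method = new("Method")
    sub(method, "Description", "Credential reuse over SMB after phishing")  # constructed
    ref = sub(method, "Reference", **{"observable-id": "ref-1"})
    sub(ref, "URL", "https://example.com/advisories/constructed-example")  # constructed
    sub(ref, "Description", "Vendor advisory describing the technique")
    return method


def check_detection_pattern(dp):
    """Section 3.10.1: exactly one Application, and at least one Description
    or DetectionConfiguration.  Returns the list of violations (empty == OK)."""
    kids = [local(c.tag) for c in dp]
    problems = []
    if kids.count("Application") != 1:
        problems.append("DetectionPattern: exactly one Application is required")
    if "Description" not in kids and "DetectionConfiguration" not in kids:
        problems.append("DetectionPattern: Description or DetectionConfiguration is required")
    return problems


def check_method(method):
    """Section 3.11: at least one child; Section 3.11.1: every Reference has
    a ReferenceName (enum: namespace), a URL or a Description."""
    problems = []
    if len(method) == 0:
        problems.append("Method: at least one child class is required")
    for ref in (c for c in method if local(c.tag) == "Reference"):
        names = {local(c.tag) for c in ref}
        if not names & {"ReferenceName", "URL", "Description"}:
            problems.append("Reference: ReferenceName, URL or Description is required")
    return problems


def check_tree(root):
    """Apply both checks to every DetectionPattern and Method below root."""
    problems = []
    for el in root.iter():
        if local(el.tag) == "DetectionPattern":
            problems += check_detection_pattern(el)
        elif local(el.tag) == "Method":
            problems += check_method(el)
    return problems


if __name__ == "__main__":
    for fragment in (build_discovery(), build_method()):
        print(ET.tostring(fragment, encoding="unicode"))
        print("violations:", check_tree(fragment))
```

A received DetectionConfiguration is opaque text from another party; validate it against the named Application and review it before loading it into a sensor, since the document only guarantees that the field is present, not that its content is safe to deploy.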
1842 3.12. Assessment Class
1844 The Assessment class describes the repercussions of the incident to
1845 the victim.
1847 +-------------------------+
1848 | Assessment |
1849 +-------------------------+
1850 | ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
1851 | ENUM restriction |<>--{0..*}--[ SystemImpact ]
1852 | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
1853 | ID observable-id |<>--{0..*}--[ TimeImpact ]
1854 | |<>--{0..*}--[ MonetaryImpact ]
1855 | |<>--{0..*}--[ IntendedImpact ]
1856 | |<>--{0..*}--[ Counter ]
1857 | |<>--{0..*}--[ MitigatingFactor ]
1858 | |<>--{0..*}--[ Cause ]
1859 | |<>--{0..1}--[ Confidence ]
1860 | |<>--{0..*}--[ AdditionalData ]
1861 +-------------------------+
1863 Figure 21: Assessment Class
1865 The aggregate classes of the Assessment class are:
1867 IncidentCategory
1868 Zero or more. ML_STRING. A free-form text description
1869 categorizing the type of Incident.
1871 SystemImpact
1872 Zero or more. A technical characterization of the impact of the
1873 incident activity on the victim's enterprise. See Section 3.12.1.
1875 BusinessImpact
1876 Zero or more. Impact of the incident activity on the business
1877 functions of the victim organization. See Section 3.12.2.
1879 TimeImpact
1880 Zero or more. A characterization of the impact of the incident
1881 activity on the victim organization as a function of time. See
1882 Section 3.12.3.
1884 MonetaryImpact
1885 Zero or more. The financial loss due to the incident activity.
1886 See Section 3.12.4.
1888 IntendedImpact
1889 Zero or more. The intended outcome to the victim sought by the
1890 threat actor. Defined identically to the BusinessImpact defined
1891 in Section 3.12.2, but describes intent rather than the realized
1892 impact.
1894 Counter
1895 Zero or more. A counter with which to summarize the magnitude of
1896 the activity. See Section 3.18.3.
1898 MitigatingFactor
1899 Zero or more. ML_STRING. A description of a mitigating factor
1900 relative to the impact on the victim organization.
1902 Cause
1903 Zero or more. ML_STRING. A description of an underlying cause of
1904 the impact.
1906 Confidence
1907 Zero or one. An estimate of confidence in the impact assessment.
1908 See Section 3.12.5.
1910 AdditionalData
1911 Zero or more. EXTENSION. A mechanism by which to extend the data
1912 model.
1914 At least one instance of the five possible impact classes (i.e.,
1915 SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or
1916 IntendedImpact) MUST be present.
1918 The attributes of the Assessment class are:
1920 occurrence
1921 Optional. ENUM. Specifies whether the assessment is describing
1922 actual or potential outcomes.
1924 1. actual. This assessment describes activity that has occurred.
1926 2. potential. This assessment describes potential activity that
1927 might occur.
1929 restriction
1930 Optional. ENUM. See Section 3.3.1.
1932 ext-restriction
1933 Optional. STRING. A means by which to extend the restriction
1934 attribute. See Section 5.1.1.
1936 observable-id
1937 Optional. ID. See Section 3.3.2.
1939 3.12.1. SystemImpact Class
1941 The SystemImpact class describes the technical impact of the incident
1942 to the systems on the network.
1944 +-----------------------+
1945 | SystemImpact |
1946 +-----------------------+
1947 | ENUM severity |<>--{0..*}--[ Description ]
1948 | ENUM completion |
1949 | ENUM type |
1950 | STRING ext-type |
1951 +-----------------------+
1953 Figure 22: SystemImpact Class
1955 The aggregate class of the SystemImpact class is:
1957 Description
1958 Zero or more. ML_STRING. A free-form text description of the
1959 impact to the system.
1961 The attributes of the SystemImpact class are:
1963 severity
1964 Optional. ENUM. An estimate of the relative severity of the
1965 activity. The permitted values are shown below. There is no
1966 default value.
1968 1. low. Low severity
1970 2. medium. Medium severity
1972 3. high. High severity
1974 completion
1975 Optional. ENUM. An indication whether the described activity was
1976 successful. The permitted values are shown below. There is no
1977 default value.
1979 1. failed. The attempted activity was not successful.
1981 2. succeeded. The attempted activity succeeded.
1983 type
1984 Required. ENUM. Classifies the impact. The permitted values are
1985 shown below. The default value is "unknown". These values are
1986 maintained in the "SystemImpact-type" IANA registry per
1987 Section 10.2.
1989 1. takeover-account. Control was taken of a given account.
1991 2. takeover-service. Control was taken of a given service.
1993 3. takeover-system. Control was taken of a given system.
1995 4. cps-manipulation. A cyber physical system was manipulated.
1997 5. cps-damage. A cyber physical system was damaged.
1999 6. availability-data. Access to particular data was degraded or
2000 denied.
2002 7. availability-account. Access to an account was degraded or
2003 denied.
2005 8. availability-service. Access to a service was degraded or
2006 denied.
2008 9. availability-system. Access to a system was degraded or
2009 denied.
2011 10. damaged-system. Hardware on a system was irreparably
2012 damaged.
2014 11. damaged-data. Data on a system was deleted.
2016 12. breach-proprietary. Sensitive or proprietary information was
2017 accessed or exfiltrated.
2019 13. breach-privacy. Personally identifiable information was
2020 accessed or exfiltrated.
2022 14. breach-credential. Credential information was accessed or
2023 exfiltrated.
2025 15. breach-configuration. System configuration or data inventory
2026 was accessed or exfiltrated.
2028 16. integrity-data. Data on the system was modified.
2030 17. integrity-configuration. Application or system configuration
2031 was modified.
2033 18. integrity-hardware. Firmware of a hardware component was
2034 modified.
2036 19. traffic-redirection. Network traffic on the system was
2037 redirected.
2039 20. monitoring-traffic. Network traffic emerging from a host or
2040 enclave was monitored.
2042 21. monitoring-host. System activity (e.g., running processes,
2043 keystrokes) was monitored.
2045 22. policy. Activity violated the system owner's acceptable use
2046 policy.
2048 23. unknown. The impact is unknown.
2050 24. ext-value. A value used to indicate that this attribute is
2051 extended and the actual value is provided using the
2052 corresponding ext-* attribute. See Section 5.1.1.
2054 ext-type
2055 Optional. STRING. A means by which to extend the type attribute.
2056 See Section 5.1.1.
2058 3.12.2. BusinessImpact Class
2060 The BusinessImpact class describes and characterizes the degree to
2061 which the function of the organization was impacted by the Incident.
2063 +-------------------------+
2064 | BusinessImpact |
2065 +-------------------------+
2066 | ENUM severity |<>--{0..*}--[ Description ]
2067 | STRING ext-severity |
2068 | ENUM type |
2069 | STRING ext-type |
2070 +-------------------------+
2072 Figure 23: BusinessImpact Class
2074 The aggregate class of the BusinessImpact class is:
2076 Description
2077 Zero or more. ML_STRING. A free-form text description of the
2078 impact to the organization.
2080 The attributes of the BusinessImpact class are:
2082 severity
2083 Optional. ENUM. Characterizes the severity of the incident on
2084 business functions. The permitted values are shown below. They
2085 were derived from Table 3-2 of [NIST800.61rev2]. The default
2086 value is "unknown". These values are maintained in the
2087 "BusinessImpact-severity" IANA registry per Section 10.2.
2089 1. none. No effect to the organization's ability to provide all
2090 services to all users.
2092 2. low. Minimal effect as the organization can still provide all
2093 critical services to all users but has lost efficiency.
2095 3. medium. The organization has lost the ability to provide a
2096 critical service to a subset of system users.
2098 4. high. The organization is no longer able to provide some
2099 critical services to any users.
2101 5. unknown. The impact is not known.
2103 6. ext-value. A value used to indicate that this attribute is
2104 extended and the actual value is provided using the
2105 corresponding ext-* attribute. See Section 5.1.1.
2107 ext-severity
2108 Optional. STRING. A means by which to extend the severity
2109 attribute. See Section 5.1.1.
2111 type
2112 Required. ENUM. Characterizes the effect this incident had on
2113 the business. The permitted values are shown below. The default
2114 value is "unknown". These values are maintained in the
2115 "BusinessImpact-type" IANA registry per Section 10.2.
2117 1. breach-proprietary. Sensitive or proprietary information was
2118 accessed or exfiltrated.
2120 2. breach-privacy. Personally identifiable information was
2121 accessed or exfiltrated.
2123 3. breach-credential. Credential information was accessed or
2124 exfiltrated.
2126 4. loss-of-integrity. Sensitive or proprietary information was
2127 changed or deleted.
2129 5. loss-of-service. Service delivery was disrupted.
2131 6. theft-financial. Money was stolen.
2133 7. theft-service. Services were misappropriated.
2135 8. degraded-reputation. The reputation of the organization's
2136 brand was diminished.
2138 9. asset-damage. A cyber-physical system was damaged.
2140 10. asset-manipulation. A cyber-physical system was manipulated.
2142 11. legal. The incident resulted in legal or regulatory action.
2144 12. extortion. The incident resulted in actors extorting the
2145 victim organization.
2147 13. unknown. The impact is unknown.
2149 14. ext-value. A value used to indicate that this attribute is
2150 extended and the actual value is provided using the
2151 corresponding ext-* attribute. See Section 5.1.1.
2153 ext-type
2154 Optional. STRING. A means by which to extend the type attribute.
2155 See Section 5.1.1.
2157 3.12.3. TimeImpact Class
2159 The TimeImpact class describes the impact of the incident on an
2160 organization as a function of time. It provides a way to convey down
2161 time and recovery time.
2163 +---------------------+
2164 | TimeImpact |
2165 +---------------------+
2166 | REAL |
2167 | |
2168 | ENUM severity |
2169 | ENUM metric |
2170 | STRING ext-metric |
2171 | ENUM duration |
2172 | STRING ext-duration |
2173 +---------------------+
2175 Figure 24: TimeImpact Class
2177 The content of the class is of type REAL and specifies an amount of
2178 time. The duration attribute provides units for this content; and
2179 the metric attribute explains what this content is measuring.
2181 The attributes of the TimeImpact class are:
2183 severity
2184 Optional. ENUM. An estimate of the relative severity of the
2185 activity. The permitted values are shown below. There is no
2186 default value.
2188 1. low. Low severity
2190 2. medium. Medium severity
2192 3. high. High severity
2194 metric
2195 Required. ENUM. Defines the meaning of the value in the element
2196 content. These values are maintained in the "TimeImpact-metric"
2197 IANA registry per Section 10.2.
2199 1. labor. Total staff time to recover from the activity (e.g.,
2200 2 employees working 4 hours each would be 8 hours).
2202 2. elapsed. Elapsed time from the beginning of the recovery to
2203 its completion (i.e., wall-clock time).
2205 3. downtime. Duration of time for which some provided service(s)
2206 was not available.
2208 4. ext-value. A value used to indicate that this attribute is
2209 extended and the actual value is provided using the
2210 corresponding ext-* attribute. See Section 5.1.1.
2212 ext-metric
2213 Optional. STRING. A means by which to extend the metric
2214 attribute. See Section 5.1.1.
2216 duration
2217 Optional. ENUM. Defines the unit of time for the value in the
2218 element content. The default value is "hour". These values are
2219 maintained in the "TimeImpact-duration" IANA registry per
2220 Section 10.2.
2222 1. second. The unit of the element content is seconds.
2224 2. minute. The unit of the element content is minutes.
2226 3. hour. The unit of the element content is hours.
2228 4. day. The unit of the element content is days.
2230 5. month. The unit of the element content is months.
2232 6. quarter. The unit of the element content is quarters.
2234 7. year. The unit of the element content is years.
2236 8. ext-value. A value used to indicate that this attribute is
2237 extended and the actual value is provided using the
2238 corresponding ext-* attribute. See Section 5.1.1.
2240 ext-duration
2241 Optional. STRING. A means by which to extend the duration
2242 attribute. See Section 5.1.1.
2244 3.12.4. MonetaryImpact Class
2246 The MonetaryImpact class describes the financial impact of the
2247 activity on an organization. For example, this impact may consider
2248 losses due to the cost of the investigation or recovery, diminished
2249 productivity of the staff, or a tarnished reputation that will affect
2250 future opportunities.
2252 +------------------+
2253 | MonetaryImpact |
2254 +------------------+
2255 | REAL |
2256 | |
2257 | ENUM severity |
2258 | STRING currency |
2259 +------------------+
2261 Figure 25: MonetaryImpact Class
2263 The content of the class is of type REAL and specifies a quantity of
2264 money. The currency attribute defines the currency of this value.
2266 The attributes of the MonetaryImpact class are:
2268 severity
2269 Optional. ENUM. An estimate of the relative severity of the
2270 activity. The permitted values are shown below. There is no
2271 default value.
2273 1. low. Low severity
2275 2. medium. Medium severity
2277 3. high. High severity
2279 currency
2280 Optional. STRING. Defines the currency in which the value in the
2281 element content is expressed. The permitted values are defined in
2282 "Codes for the representation of currencies and funds" of
2283 [ISO4217]. There is no default value.
2285 3.12.5. Confidence Class
2287 The Confidence class represents an estimate of the validity and
2288 accuracy of data expressed in the document. This estimate can be
2289 expressed as a category or a numeric calculation.
2291 +-------------------+
2292 | Confidence |
2293 +-------------------+
2294 | REAL |
2295 | |
2296 | ENUM rating |
2297 | STRING ext-rating |
2298 +-------------------+
2300 Figure 26: Confidence Class
2302 The content of the class is of type REAL and specifies a numerical
2303 assessment in the confidence of the data when the value of the rating
2304 attribute is "numeric". Otherwise, this element MUST be empty.
2306 The attributes of the Confidence class are:
2308 rating
2309 Required. ENUM. A qualitative assessment of confidence.
2311 1. low. Low confidence.
2313 2. medium. Medium confidence.
2315 3. high. High confidence.
2317 4. numeric. The element content contains a number that conveys
2318 the confidence of the data. The semantics of this number are
2319 outside the scope of this specification.
2321 5. unknown. The confidence rating value is not known.
2323 6. ext-value. A value used to indicate that this attribute is
2324 extended and the actual value is provided using the
2325 corresponding ext-* attribute. See Section 5.1.1.
2327 ext-rating
2328 Optional. STRING. A means by which to extend the rating
2329 attribute. See Section 5.1.1.
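The Assessment class (Section 3.12) and its TimeImpact, MonetaryImpact and Confidence children (Sections 3.12.3 to 3.12.5) carry several rules a receiver has to check itself: at least one of the five impact classes, a required type or metric attribute, Confidence content that is empty unless rating is "numeric", and a duration attribute that defaults to "hour". The following is an added example written for this page, not code from the draft or from an IODEF implementation: it parses a constructed Assessment fragment (left unqualified, with no namespace, for brevity), reports the MUST violations, and totals TimeImpact values in hours per metric. It converts only second, minute, hour and day, which have fixed lengths, and reports month, quarter and year entries separately rather than guessing a length for them.

```python
"""Check an Assessment (Section 3.12) and normalise its TimeImpact values
(Section 3.12.3) to hours.  Added example for this page, not code from the
draft or an IODEF implementation.  The XML is constructed and unqualified."""
import xml.etree.ElementTree as ET

IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact")

# Fixed-length units only; month/quarter/year are calendar units and are
# reported unconverted instead of being assigned an assumed length.
SECONDS_PER_UNIT = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

SAMPLE = """\
<Assessment occurrence="actual">
  <BusinessImpact severity="medium" type="loss-of-service">
    <Description>Customer portal unavailable for part of the user base</Description>
  </BusinessImpact>
  <TimeImpact metric="downtime" duration="minute">90</TimeImpact>
  <TimeImpact metric="labor">8</TimeImpact>
  <TimeImpact metric="elapsed" duration="day">0.5</TimeImpact>
  <TimeImpact metric="elapsed" duration="quarter">1</TimeImpact>
  <MonetaryImpact severity="low" currency="USD">12500</MonetaryImpact>
  <Confidence rating="numeric">0.8</Confidence>
</Assessment>
"""


def local(tag):
    return tag.rsplit("}", 1)[-1]


def parse(xml_text):
    return ET.fromstring(xml_text)


def check_assessment(a):
    """Return the list of MUST violations found in one Assessment element."""
    kids = [local(c.tag) for c in a]
    problems = []
    if not any(k in IMPACT_CLASSES for k in kids):
        problems.append("Assessment: at least one of %s is required" % ", ".join(IMPACT_CLASSES))
    if kids.count("Confidence") > 1:
        problems.append("Assessment: at most one Confidence is allowed")
    for c in a:
        name = local(c.tag)
        text = (c.text or "").strip()
        if name in ("SystemImpact", "BusinessImpact", "IntendedImpact"):
            if "type" not in c.attrib:
                problems.append("%s: the type attribute is required" % name)
        elif name == "TimeImpact" and "metric" not in c.attrib:
            problems.append("TimeImpact: the metric attribute is required")
        elif name == "Confidence":
            rating = c.get("rating")
            if rating is None:
                problems.append("Confidence: the rating attribute is required")
            elif rating == "numeric":
                try:
                    float(text)
                except ValueError:
                    problems.append("Confidence: rating=numeric needs REAL content")
            elif text:
                problems.append("Confidence: content MUST be empty unless rating=numeric")
    return problems


def time_impact_hours(ti):
    """Hours represented by one TimeImpact, or None for a calendar unit.
    The duration attribute defaults to "hour" (Section 3.12.3)."""
    seconds = SECONDS_PER_UNIT.get(ti.get("duration", "hour"))
    if seconds is None:
        return None
    return float((ti.text or "").strip()) * seconds / 3600


def summarize_time(a):
    """(total hours per metric, entries that could not be converted)."""
    totals, skipped = {}, []
    for ti in (c for c in a if local(c.tag) == "TimeImpact"):
        hours = time_impact_hours(ti)
        metric = ti.get("metric")
        if hours is None:
            skipped.append((metric, (ti.text or "").strip(), ti.get("duration")))
        else:
            totals[metric] = totals.get(metric, 0.0) + hours
    return totals, skipped


if __name__ == "__main__":
    assessment = parse(SAMPLE)
    print("violations:", check_assessment(assessment))
    print("hours per metric, skipped:", summarize_time(assessment))
```

MonetaryImpact values are left in the currency given by the currency attribute; summing them across Assessment instances only makes sense after checking that the ISO 4217 codes agree.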
2331 3.13. History Class
2333 The History class is a log of the significant events or actions
2334 performed by the involved parties during the course of handling the
2335 incident.
2337 The level of detail maintained in this log is left up to the
2338 discretion of those handling the incident.
2340 +------------------------+
2341 | History |
2342 +------------------------+
2343 | ENUM restriction |<>--{1..*}--[ HistoryItem ]
2344 | STRING ext-restriction |
2345 +------------------------+
2347 Figure 27: The History Class
2349 The aggregate classes of the History class are:
2351 HistoryItem
2352 One or more. An entry in the history log of significant events or
2353 actions performed by the involved parties. See Section 3.13.1.
2355 The attributes of the History class are:
2357 restriction
2358 Optional. ENUM. See Section 3.3.1.
2360 ext-restriction
2361 Optional. STRING. A means by which to extend the restriction
2362 attribute. See Section 5.1.1.
2364 3.13.1. HistoryItem Class
2366 The HistoryItem class is an entry in the History (Section 3.13) log
2367 that documents a particular action or event that occurred in the
2368 course of handling the incident. The details of the entry are a
2369 free-form text description, but each can be categorized with the type
2370 attribute.
2372 +-------------------------+
2373 | HistoryItem |
2374 +-------------------------+
2375 | ENUM action |<>----------[ DateTime ]
2376 | STRING ext-action |<>--{0..1}--[ IncidentID ]
2377 | ENUM restriction |<>--{0..1}--[ Contact ]
2378 | STRING ext-restriction |<>--{0..*}--[ Description ]
2379 | ID observable-id |<>--{0..*}--[ DefinedCOA ]
2380 | |<>--{0..*}--[ AdditionalData ]
2381 +-------------------------+
2383 Figure 28: HistoryItem Class
2385 The aggregate classes of the HistoryItem class are:
2387 DateTime
2388 One. DATETIME. A timestamp of this entry in the history log.
2390 IncidentID
2391 Zero or one. In a history log created by multiple parties, the
2392 IncidentID provides a mechanism to specify which CSIRT created a
2393 particular entry and references this organization's tracking
2394 number. When a single organization is maintaining the log, this
2395 class can be ignored. See Section 3.4.
2397 Contact
2398 Zero or one. Provides contact information for the entity that
2399 performed the action documented in this class. See Section 3.9.
2401 Description
2402 Zero or more. ML_STRING. A free-form text description of the
2403 action or event.
2405 DefinedCOA
2406 Zero or more. STRING. An identifier meaningful to the sender and
2407 recipient of this document that references a course of action.
2408 This class MUST be present if the action attribute is set to
2409 "defined-coa".
2411 AdditionalData
2412 Zero or more. EXTENSION. A mechanism by which to extend the data
2413 model.
2415 The attributes of the HistoryItem class are:
2417 action
2418 Required. ENUM. Classifies a performed action or occurrence
2419 documented in this history log entry. Because the activity will
2420 likely have been instigated either through a previously conveyed
2421 Expectation or through an internal investigation, this attribute is
2422 identical to the action attribute of the Expectation class. The
2423 difference is only one of tense: when an action appears in this
2424 class, it has been completed. See Section 3.15.
2426 ext-action
2427 Optional. STRING. A means by which to extend the action
2428 attribute. See Section 5.1.1.
2430 restriction
2431 Optional. ENUM. See Section 3.3.1.
2433 ext-restriction
2434 Optional. STRING. A means by which to extend the restriction
2435 attribute. See Section 5.1.1.
2437 observable-id
2438 Optional. ID. See Section 3.3.2.
2440 3.14. EventData Class
2442 The EventData class is a container class to organize data about
2443 events that occurred during an incident.
2445 +-------------------------+
2446 | EventData |
2447 +-------------------------+
2448 | ENUM restriction |<>--{0..*}--[ Description ]
2449 | STRING ext-restriction |<>--{0..1}--[ DetectTime ]
2450 | ID observable-id |<>--{0..1}--[ StartTime ]
2451 | |<>--{0..1}--[ EndTime ]
2452 | |<>--{0..1}--[ RecoveryTime ]
2453 | |<>--{0..1}--[ ReportTime ]
2454 | |<>--{0..*}--[ Contact ]
2455 | |<>--{0..*}--[ Discovery ]
2456 | |<>--{0..1}--[ Assessment ]
2457 | |<>--{0..*}--[ Method ]
2458 | |<>--{0..*}--[ Flow ]
2459 | |<>--{0..*}--[ Expectation ]
2460 | |<>--{0..1}--[ Record ]
2461 | |<>--{0..*}--[ EventData ]
2462 | |<>--{0..*}--[ AdditionalData ]
2463 +-------------------------+
2465 Figure 29: The EventData Class
2467 The aggregate classes of the EventData class are:
2469 Description
2470 Zero or more. ML_STRING. A free-form text description of the
2471 event.
2473 DetectTime
2474 Zero or one. DATETIME. The time the event was detected.
2476 StartTime
2477 Zero or one. DATETIME. The time the event started.
2479 EndTime
2480 Zero or one. DATETIME. The time the event ended.
2482 RecoveryTime
2483 Zero or one. DATETIME. The time the site recovered from the
2484 event.
2486 ReportTime
2487 Zero or one. DATETIME. The time the event was reported.
2489 Contact
2490 Zero or more. Contact information for the parties involved in the
2491 event. See Section 3.9.
2493 Discovery
2494 Zero or more. The means by which the event was detected. See
2495 Section 3.10.
2497 Assessment
2498 Zero or one. The impact of the event on the victim and the
2499 actions taken. See Section 3.12.
2501 Method
2502 Zero or more. The technique used by the threat actor in the
2503 event. See Section 3.11.
2505 Flow
2506 Zero or more. A description of the systems or networks involved.
2507 See Section 3.16.
2509 Expectation
2510 Zero or more. The expected action to be performed by the
2511 recipient for the described event. See Section 3.15.
2513 Record
2514 Zero or one. Supportive data (e.g., log files) that provides
2515 additional information about the event. See Section 3.22.
2517 EventData
2518 Zero or more. A recursive definition of the EventData class. See
2519 Section 3.14.2 for an explanation on using this class.
2521 AdditionalData
2522 Zero or more. EXTENSION. An extension mechanism for data not
2523 explicitly represented in the data model.
2525 At least one of the aggregate classes MUST be present in an instance
2526 of the EventData class.
2528 The attributes of the EventData class are:
2530 restriction
2531 Optional. ENUM. See Section 3.3.1. The default value is
2532 "default".
2534 ext-restriction
2535 Optional. STRING. A means by which to extend the restriction
2536 attribute. See Section 5.1.1.
2538 observable-id
2539 Optional. ID. See Section 3.3.2.
2541 3.14.1. Relating the Incident and EventData Classes
2543 There is substantial overlap in the child classes aggregated in the
2544 Incident and EventData classes. Nevertheless, the semantics of these
2545 classes are quite different. The Incident class provides summary
2546 information about the entire incident, while the EventData class
2547 provides information about the individual events comprising the
2548 incident. In the common case, the EventData class will provide more
2549 specific information for the general description provided in the
2550 Incident class. However, where the summarized information in the
2551 Incident class conflicts with the detailed information in an
2552 EventData class, the more specific EventData class MUST supersede
2553 the more generic information provided in the Incident class.
2555 3.14.2. Recursive Definition of EventData
2557 The EventData class is a container for the properties of an event in
2558 an incident. These properties include the hosts involved, the impact
2559 of the incident activity on the hosts, forensic logs, etc. The
2560 recursive definition of EventData allows related information with
2561 common properties to be grouped. This approach eliminates the need
2562 for explicit identifiers to relate information or to duplicate it.
2563 Instead, the relative depth (nesting) of a class is used to group
2564 (relate) information.
2566 For example, consider a case where two hosts experience different
2567 impacts during an incident. However, these two hosts have common
2568 contact information. A depiction of how this situation would be
2569 represented can be found in Figure 30. EventData (2) and (3) group
2570 each of the two hosts with their unique impact. EventData (1)
2571 describes the common Contact class these two hosts share.
2573 +------------------+
2574 | EventData (1) |
2575 +------------------+
2576 | |<>----[ Contact ]
2577 | |
2578 | |<>----[ EventData (2) ]<>----[ Flow ]
2579 | | [ ]<>----[ Assessment ]
2580 | |
2581 | |<>----[ EventData (3) ]<>----[ Flow ]
2582 | | [ ]<>----[ Assessment ]
2583 +------------------+
2585 Figure 30: Recursion in the EventData Class
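Because nesting, not identifiers, is what relates information in EventData, a consumer has to walk the tree and carry each ancestor's properties down to the EventData instances nested in it. The following is an added example written for this page, not code from the draft: it encodes Figure 30 as a constructed fragment (unqualified, no namespace, for brevity) and resolves it into one record per innermost EventData, each carrying the Contact given once at the outer level. The inner shapes of Contact and Flow (ContactName, System/Node/Address) follow classes defined elsewhere in the draft and are assumed here; the addresses are from the RFC 5737 documentation range.

```python
"""Resolve the recursive EventData structure of Section 3.14.2: properties of
an outer EventData apply to every EventData nested in it.  Added example for
this page, not code from the draft.  The fragment is constructed from
Figure 30; the Contact and Flow inner shapes are assumed."""
import xml.etree.ElementTree as ET

SAMPLE = """\
<EventData>
  <Contact role="creator" type="organization">
    <ContactName>Victim SOC</ContactName>
  </Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address>
    </Node></System></Flow>
    <Assessment><SystemImpact type="takeover-system"/></Assessment>
  </EventData>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.20</Address>
    </Node></System></Flow>
    <Assessment><SystemImpact type="availability-service"/></Assessment>
  </EventData>
</EventData>
"""


def local(tag):
    return tag.rsplit("}", 1)[-1]


def parse(xml_text):
    return ET.fromstring(xml_text)


def _descend(elements, name):
    """All elements named `name` at or below any element in `elements`."""
    for el in elements:
        for node in el.iter():
            if local(node.tag) == name:
                yield node


def resolve(event_data, inherited=()):
    """Yield one record per innermost EventData.  `inherited` carries the
    non-EventData children of every ancestor, so a Contact stated once at the
    outer level is attached to both leaves without identifiers or copies."""
    own = [c for c in event_data if local(c.tag) != "EventData"]
    nested = [c for c in event_data if local(c.tag) == "EventData"]
    context = list(inherited) + own
    if not nested:
        yield {
            "contacts": [n.text for n in _descend(context, "ContactName")],
            "targets": [n.text for n in _descend(context, "Address")],
            "impacts": [n.get("type") for n in _descend(context, "SystemImpact")],
        }
    for child in nested:
        yield from resolve(child, context)


def flatten(xml_text):
    """Parse a top-level EventData and return the resolved leaf records."""
    return list(resolve(parse(xml_text)))


if __name__ == "__main__":
    for record in flatten(SAMPLE):
        print(record)
```

The walk unions ancestor properties with each leaf's own; it does not adjudicate conflicts between levels. Where the summary in the Incident class and a nested EventData disagree, Section 3.14.1 says the more specific EventData wins, which is the same "inner is more specific" reading this walk applies within the EventData tree.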
2587 3.15. Expectation Class
2589 The Expectation class conveys to the recipient of the IODEF document
2590 the actions the sender is requesting.
2592 +-------------------------+
2593 | Expectation |
2594 +-------------------------+
2595 | ENUM action |<>--{0..*}--[ Description ]
2596 | STRING ext-action |<>--{0..*}--[ DefinedCOA ]
2597 | ENUM severity |<>--{0..1}--[ StartTime ]
2598 | ENUM restriction |<>--{0..1}--[ EndTime ]
2599 | STRING ext-restriction |<>--{0..1}--[ Contact ]
2600 | ID observable-id |
2601 +-------------------------+
2603 Figure 31: The Expectation Class
2605 The aggregate classes of the Expectation class are:
2607 Description
2608 Zero or more. ML_STRING. A free-form text description of the
2609 desired action(s).
2611 DefinedCOA
2612 Zero or more. STRING. A unique identifier meaningful to the
2613 sender and recipient of this document that references a course of
2614 action. This class MUST be present if the action attribute is set
2615 to "defined-coa".
2617 StartTime
2618 Zero or one. DATETIME. The time at which the sender would like
2619 the action performed. A timestamp that is earlier than the
2620 ReportTime specified in the Incident class denotes that the sender
2621 would like the action performed as soon as possible. The absence
2622 of this element indicates that the sender has no expectation of
2623 when the action should be performed.
2625 EndTime
2626 Zero or one. DATETIME. The time by which the sender expects the
2627 recipient to complete the action. If the recipient cannot
2628 complete the action before EndTime, the recipient MUST NOT carry
2629 out the action. Because of transit delays and clock drift, the
2630 sender MUST be prepared for the recipient to have carried out the
2631 action, even if it completes past EndTime.
2633 Contact
2634 Zero or one. The entity expected to perform the action. See
2635 Section 3.9.
2637 The attributes of the Expectation class are:
2639 action
2640 Optional. ENUM. Classifies the type of action requested. The
2641 default value is "other". These values are maintained in the
2642 "Expectation-action" IANA registry per Section 10.2.
2644 1. nothing. No action is requested. Do nothing with the
2645 information.
2647 2. contact-source-site. Contact the site(s) identified as the
2648 source of the activity.
2650 3. contact-target-site. Contact the site(s) identified as the
2651 target of the activity.
2653 4. contact-sender. Contact the originator of the document.
2655 5. investigate. Investigate the systems(s) listed in the event.
2657 6. block-host. Block traffic from the machine(s) listed as
2658 sources in the event.
2660 7. block-network. Block traffic from the network(s) listed as
2661 sources in the event.
2663 8. block-port. Block the port(s) listed as sources in the event.
2665 9. rate-limit-host. Rate-limit the traffic from the machine(s)
2666 listed as sources in the event.
2668 10. rate-limit-network. Rate-limit the traffic from the
2669 network(s) listed as sources in the event.
2671 11. rate-limit-port. Rate-limit the port(s) listed as sources in
2672 the event.
2674 12. redirect-traffic. Redirect traffic from the intended
2675 recipient for further analysis.
2677 13. honeypot. Redirect traffic from systems listed in the event
2678 to a honeypot for further analysis.
2680 14. upgrade-software. Upgrade or patch the software or firmware
2681 on an asset listed in the event.
2683 15. rebuild-asset. Reinstall the operating system or
2684 applications on an asset listed in the event.
2686 16. harden-asset. Change the configuration of an asset listed in
2687 the event to reduce its attack surface.
2689 17. remediate-other. Remediate the activity in a way other than
2690 by rate limiting or blocking.
2692 18. status-triage. Confirm receipt and begin triaging the
2693 incident.
2695 19. status-new-info. Notify the sender when new information is
2696 received for this incident.
2698 20. watch-and-report. Watch for the described activity or
2699 indicators, and notify the sender when seen.
2701 21. training. Train users to identify or mitigate the described
2702 threat.
2704 22. defined-coa. Perform a predefined course of action (COA).
2705 The COA is named in the DefinedCOA class.
2707 23. other. Perform a custom action described in the Description
2708 class.
2710 24. ext-value. A value used to indicate that this attribute is
2711 extended and the actual value is provided using the
2712 corresponding ext-* attribute. See Section 5.1.1.
2714 ext-action
2715 Optional. STRING. A means by which to extend the action
2716 attribute. See Section 5.1.1.
2718 severity
2719 Optional. ENUM. Indicates the desired priority of the action.
2720 This attribute is an enumerated list with no default value, and
2721 the semantics of these relative measures are context dependent.
2723 1. low. Low priority
2725 2. medium. Medium priority
2727 3. high. High priority
2729 restriction
2730 Optional. ENUM. See Section 3.3.1. The default value is
2731 "default".
2733 ext-restriction
2734 Optional. STRING. A means by which to extend the restriction
2735 attribute. See Section 5.1.1.
2737 observable-id
2738 Optional. ID. See Section 3.3.2.
2740 3.16. Flow Class
2742 The Flow class describes the systems and networks involved in the
2743 incident and the relationships between them.
2745 +------------------+
2746 | Flow |
2747 +------------------+
2748 | |<>--{1..*}--[ System ]
2749 +------------------+
2751 Figure 32: The Flow Class
2753 The aggregate class of the Flow class is:
2755 System
2756 One or more. A host or network involved in an event. See
2757 Section 3.17.
2759 The Flow class has no attributes.
2761 3.17. System Class
2763 The System class describes a system or network involved in an event.
2765 +------------------------+
2766 | System |
2767 +------------------------+
2768 | ENUM category |<>----------[ Node ]
2769 | STRING ext-category |<>--{0..*}--[ NodeRole ]
2770 | STRING interface |<>--{0..*}--[ Service ]
2771 | ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
2772 | ENUM virtual |<>--{0..*}--[ Counter ]
2773 | ENUM ownership |<>--{0..*}--[ AssetID ]
2774 | STRING ext-ownership |<>--{0..*}--[ Description ]
2775 | ENUM restriction |<>--{0..*}--[ AdditionalData ]
2776 | STRING ext-restriction |
2777 +------------------------+
2779 Figure 33: The System Class
2781 The aggregate classes of the System class are:
2783 Node
2784 One. A host or network involved in the incident. See
2785 Section 3.18.
2787 NodeRole
2788 Zero or more. The intended purpose of the system. See
2789 Section 3.18.2.
2791 Service
2792 Zero or more. A network service running on the system. See
2793 Section 3.20.
2795 OperatingSystem
2796 Zero or more. SOFTWARE. The operating system running on the
2797 system.
2799 Counter
2800 Zero or more. A counter with which to summarize properties of
2801 this host or network. See Section 3.18.3.
2803 AssetID
2804 Zero or more. STRING. An asset identifier for the System.
2806 Description
2807 Zero or more. ML_STRING. A free-form text description of the
2808 System.
2810 AdditionalData
2811 Zero or more. EXTENSION. A mechanism by which to extend the data
2812 model.
2814 The attributes of the System class are:
2816 category
2817 Optional. ENUM. Classifies the role the host or network played
2818 in the incident. These values are maintained in the "System-
2819 category" IANA registry per Section 10.2.
2821 1. source. The System was the source of the event.
2823 2. target. The System was the target of the event.
2825 3. intermediate. The System was an intermediary in the event.
2827 4. sensor. The System was a sensor monitoring the event.
2829 5. infrastructure. The System was an infrastructure node of
2830 IODEF document exchange.
2832 6. ext-value. A value used to indicate that this attribute is
2833 extended and the actual value is provided using the
2834 corresponding ext-* attribute. See Section 5.1.1.
2836 ext-category
2837 Optional. STRING. A means by which to extend the category
2838 attribute. See Section 5.1.1.
2840 interface
2841 Optional. STRING. Specifies the interface on which the event(s)
2842 on this System originated. If the Node class specifies a network
2843 rather than a host, this attribute has no meaning.
2845 spoofed
2846 Optional. ENUM. An indication of confidence in whether this
2847 System was the true target or attacking host. The permitted
2848 values for this attribute are shown below. The default value is
2849 "unknown".
2851 1. unknown. The accuracy of the category attribute value is
2852 unknown.
2854 2. yes. The category attribute value is likely incorrect. In
2855 the case of a source, the System is likely a decoy; with a
2856 target, the System was likely not the intended victim.
2858 3. no. The category attribute value is believed to be correct.
2860 virtual
2861 Optional. ENUM. Indicates whether this System is a virtual or
2862 physical device. The default value is "unknown".
2864 1. yes. The System is a virtual device.
2866 2. no. The System is a physical device.
2868 3. unknown. It is not known if the System is virtual.
2870 ownership
2871 Optional. ENUM. Describes the ownership of this System relative
2872 to the victim in the incident. These values are maintained in the
2873 "System-ownership" IANA registry per Section 10.2.
2875 1. organization. Corporate or enterprise-owned.
2877 2. personal. Personally-owned by an employee or affiliate of the
2878 corporation or enterprise.
2880 3. partner. Owned by a partner of the corporation or enterprise.
2882 4. customer. Owned by a customer of the corporation or
2883 enterprise.
2885 5. no-relationship. Owned by an entity that has no known
2886 relationship with the victim organization.
2888 6. unknown. Ownership is unknown.
2890 7. ext-value. A value used to indicate that this attribute is
2891 extended and the actual value is provided using the
2892 corresponding ext-* attribute. See Section 5.1.1.
2894 ext-ownership
2895 Optional. STRING. A means by which to extend the ownership
2896 attribute. See Section 5.1.1.
2898 restriction
2899 Optional. ENUM. See Section 3.3.1.
2901 ext-restriction
2902 Optional. STRING. A means by which to extend the restriction
2903 attribute. See Section 5.1.1.
2905 3.18. Node Class
2907 The Node class identifies a system, asset or network; and its
2908 location.
2910 +---------------+
2911 | Node |
2912 +---------------+
2913 | |<>--{0..*}--[ DomainData ]
2914 | |<>--{0..*}--[ Address ]
2915 | |<>--{0..1}--[ PostalAddress ]
2916 | |<>--{0..*}--[ Location ]
2917 | |<>--{0..*}--[ Counter ]
2918 +---------------+
2920 Figure 34: The Node Class
2922 The aggregate classes of the Node class are:
2924 DomainData
2925 Zero or more. The domain (DNS) information associated with this
2926 Node. If an Address is not provided, at least one DomainData MUST
2927 be specified. See Section 3.19.
2929 Address
2930 Zero or more. The hardware, network, or application address of
2931 the Node. If a DomainData is not provided, at least one Address
2932 MUST be specified. See Section 3.18.1.
2934 PostalAddress
2935 Zero or one. POSTAL. The postal address of the node.
2937 Location
2938 Zero or more. ML_STRING. A free-form text description of the
2939 physical location of the Node. This description may provide a
2940 more detailed description of where in the PostalAddress this Node
2941 is found (e.g., room number, rack number, slot number in a
2942 chassis).
2944 Counter
2945 Zero or more. A counter with which to summarize properties of
2946 this host or network. See Section 3.18.3.
2948 The Node class has no attributes.
2950 3.18.1. Address Class
2952 The Address class represents a hardware (layer-2), network (layer-3),
2953 or application (layer-7) address.
2955 +-------------------------+
2956 | Address |
2957 +-------------------------+
2958 | STRING |
2959 | |
2960 | ENUM category |
2961 | STRING ext-category |
2962 | STRING vlan-name |
2963 | INTEGER vlan-num |
2964 | ID observable-id |
2965 +-------------------------+
2967 Figure 35: The Address Class
2969 The content of the class is an address of type STRING whose semantics
2970 are determined by the category attribute.
2972 The attributes of the Address class are:
2974 category
2975 Required. ENUM. The type of address represented. The default
2976 value is "ipv6-addr". These values are maintained in the
2977 "Address-category" IANA registry per Section 10.2.
2979 1. asn. Autonomous System Number.
2981 2. atm. Asynchronous Transfer Mode (ATM) address.
2983 3. e-mail. Email address (RFC 822).
2985 4. ipv4-addr. IPv4 host address in dotted-decimal notation
2986 (a.b.c.d).
2988 5. ipv4-net. IPv4 network address in dotted-decimal notation,
2989 slash, significant bits (i.e., a.b.c.d/nn).
2991 6. ipv4-net-mask. IPv4 network address in dotted-decimal
2992 notation, slash, network mask in dotted-decimal notation
2993 (i.e., a.b.c.d/w.x.y.z).
2995 7. ipv6-addr. IPv6 host address.
2997 8. ipv6-net. IPv6 network address, slash, significant bits.
2999 9. ipv6-net-mask. IPv6 network address, slash, network mask.
3001 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f).
3003 11. site-uri. A URL or URI for a resource.
3005 12. ext-value. A value used to indicate that this attribute is
3006 extended and the actual value is provided using the
3007 corresponding ext-* attribute. See Section 5.1.1.
3009 ext-category
3010 Optional. STRING. A means by which to extend the category
3011 attribute. See Section 5.1.1.
3013 vlan-name
3014 Optional. STRING. The name of the Virtual LAN to which the
3015 address belongs.
3017 vlan-num
3018 Optional. INTEGER. The number of the Virtual LAN to which the
3019 address belongs.
3021 observable-id
3022 Optional. ID. See Section 3.3.2.
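Because the category attribute alone decides how the element content is to be read, a consumer that stores or matches on Address values should validate the content against the category before trusting it (an "ipv4-addr" carrying an IPv6 literal, or an "ipv4-net-mask" with a non-contiguous mask, is a data-quality problem at best and a filter-evasion vector at worst). The following is an added example, not code from the draft; the function name and the normalization choices (collapsing a dotted or colon-form mask to a prefix length, clearing host bits in network entries, lowercasing MAC addresses) are this example's own. The ATM category is accepted as an opaque string, since no standard-library parser exists for it.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Added example (not from the draft): validate and normalize the content of
# an Address element against its category attribute. Names and the
# normalization rules are this example's own.

_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only


def _prefixlen_from_mask(mask, bits):
    """Turn an integer network mask into a prefix length, rejecting
    non-contiguous masks such as 255.0.255.0."""
    inverted = ~mask & ((1 << bits) - 1)
    if inverted & (inverted + 1):          # must look like 0...01...1
        raise ValueError("non-contiguous network mask")
    return bits - inverted.bit_length()


def _network_from_mask(addr_text, mask_text, family):
    """Build a network from 'address/mask' where mask is in address notation."""
    addr = family(addr_text)
    mask = family(mask_text)
    plen = _prefixlen_from_mask(int(mask), addr.max_prefixlen)
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def validate_address(category, content):
    """Return (True, normalized) when content is well-formed for category,
    else (False, reason). Content for ext-value is opaque to this checker."""
    text = content.strip()
    try:
        if category == "asn":
            asn = int(text)
            if not 0 <= asn < 2 ** 32:
                return False, "ASN outside the 32-bit range"
            return True, str(asn)
        if category == "ipv4-addr":
            return True, str(ipaddress.IPv4Address(text))
        if category == "ipv6-addr":
            return True, str(ipaddress.IPv6Address(text))
        if category in ("ipv4-net", "ipv6-net"):
            addr, slash, plen = text.partition("/")
            if not slash or not plen.isdigit():
                return False, f"{category} requires address/prefix-length"
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if net.version != (4 if category == "ipv4-net" else 6):
                return False, f"address family does not match {category}"
            return True, net.with_prefixlen
        if category in ("ipv4-net-mask", "ipv6-net-mask"):
            addr, slash, mask = text.partition("/")
            if not slash:
                return False, f"{category} requires address/mask"
            family = (ipaddress.IPv4Address if category == "ipv4-net-mask"
                      else ipaddress.IPv6Address)
            return True, _network_from_mask(addr, mask, family).with_prefixlen
        if category == "mac":
            if not _MAC_RE.match(text):
                return False, "MAC address must be a:b:c:d:e:f"
            return True, text.lower()
        if category == "e-mail":
            if not _EMAIL_RE.match(text):
                return False, "not an email address"
            return True, text
        if category == "site-uri":
            if not urlparse(text).scheme:
                return False, "URI needs a scheme"
            return True, text
        if category in ("atm", "ext-value"):
            return True, text            # no parser here; accept as given
    except ValueError as exc:            # raised by the ipaddress parsers
        return False, str(exc)
    return False, f"unknown category {category!r}"
```

The family check on "ipv4-net"/"ipv6-net" matters because `ipaddress.ip_network` happily parses either family; without it, an IPv6 prefix labelled "ipv4-net" would slip through.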
3024 3.18.2. NodeRole Class
3026 The NodeRole class describes the function performed by or role of a
3027 particular system, asset or network.
3029 +-----------------------+
3030 | NodeRole |
3031 +-----------------------+
3032 | ENUM category |<>--{0..*}--[ Description ]
3033 | STRING ext-category |
3034 +-----------------------+
3036 Figure 36: The NodeRole Class
3038 The aggregate class of the NodeRole class is:
3040 Description
3041 Zero or more. ML_STRING. A free-form text description of the
3042 role of the system.
3044 The attributes of the NodeRole class are:
3046 category
3047 Required. ENUM. Function or role of a node. These values are
3048 maintained in the "NodeRole-category" IANA registry per
3049 Section 10.2.
3051 1. client. Client computer.
3053 2. client-enterprise. Client computer on the enterprise
3054 network.
3056 3. client-partner. Client computer on network of a partner.
3058 4. client-remote. Client computer remotely connected to the
3059 enterprise network.
3061 5. client-kiosk. Client computer serving as a kiosk.
3063 6. client-mobile. Mobile device.
3065 7. server-internal. Server with internal services.
3067 8. server-public. Server with public services.
3069 9. www. WWW server.
3071 10. mail. Mail server.
3073 11. webmail. Web mail server.
3075 12. messaging. Messaging server (e.g., NNTP, IRC, IM).
3077 13. streaming. Streaming-media server.
3079 14. voice. Voice server (e.g., SIP, H.323).
3081 15. file. File server.
3083 16. ftp. FTP server.
3085 17. p2p. Peer-to-peer node.
3087 18. name. Name server (e.g., DNS, WINS).
3089 19. directory. Directory server (e.g., LDAP, finger, whois).
3091 20. credential. Credential server (e.g., domain controller,
3092 Kerberos).
3094 21. print. Print server.
3096 22. application. Application server.
3098 23. database. Database server.
3100 24. backup. Backup server.
3102 25. dhcp. DHCP server.
3104 26. assessment. Assessment server (e.g., vulnerability scanner,
3105 end-point assessment).
3107 27. source-control. Source code control server.
3109 28. config-management. Configuration management server.
3111 29. monitoring. Security monitoring server (e.g., IDS).
3113 30. infra. Infrastructure server (e.g., router, firewall, DHCP).
3115 31. infra-firewall. Firewall.
3117 32. infra-router. Router.
3119 33. infra-switch. Switch.
3121 34. camera. Camera and video system.
3123 35. proxy. Proxy server.
3125 36. remote-access. Remote access server.
3127 37. log. Log server (e.g., syslog).
3129 38. virtualization. Server running virtual machines.
3131 39. pos. Point-of-sale device.
3133 40. scada. Supervisory control and data acquisition (SCADA)
3134 system.
3136 41. scada-supervisory. Supervisory system for a SCADA.
3138 42. sinkhole. Traffic sinkhole destination.
3140 43. honeypot. Honeypot server.
3142 44. anonymization. Anonymization server (e.g., Tor node).
3144 45. c2-server. Malicious command and control server.
3146 46. malware-distribution. Server that distributes malware.
3148 47. drop-server. Server to which exfiltrated content is
3149 uploaded.
3151 48. hop-point. Intermediary server used to get to a victim.
3153 49. reflector. A system used in a reflector attack.
3155 50. phishing-site. Site hosting phishing content.
3157 51. spear-phishing-site. Site hosting spear-phishing content.
3159 52. recruiting-site. Site to recruit.
3161 53. fraudulent-site. Fraudulent site.
3163 54. ext-value. A value used to indicate that this attribute is
3164 extended and the actual value is provided using the
3165 corresponding ext-* attribute. See Section 5.1.1.
3167 ext-category
3168 Optional. STRING. A means by which to extend the category
3169 attribute. See Section 5.1.1.
3171 3.18.3. Counter Class
3173 The Counter class summarizes multiple occurrences of an event or
3174 conveys counts or rates of various features.
3176 The complete semantics of this class are context dependent based on
3177 the class in which it is aggregated.
3179 +---------------------+
3180 | Counter |
3181 +---------------------+
3182 | REAL |
3183 | |
3184 | ENUM type |
3185 | STRING ext-type |
3186 | ENUM unit |
3187 | STRING ext-unit |
3188 | STRING meaning |
3189 | ENUM duration |
3190 | STRING ext-duration |
3191 +---------------------+
3193 Figure 37: The Counter Class
3195 The content of the class is a value of type REAL whose meaning is
3196 determined by the type attribute and whose units by the unit and
3197 duration attributes. If the duration attribute is present, the
3198 element content is a rate. Otherwise, it is a simple counter.
3200 The attributes of the Counter class are:
3202 type
3203 Required. ENUM. Specifies the type of counter conveyed in the
3204 element content. These values are maintained in the "Counter-
3205 type" IANA registry per Section 10.2.
3207 1. count. The Counter class value is a counter.
3209 2. peak. The Counter class value is a peak value.
3211 3. average. The Counter class value is an average.
3213 4. ext-value. A value used to indicate that this attribute is
3214 extended and the actual value is provided using the
3215 corresponding ext-* attribute. See Section 5.1.1.
3217 ext-type
3218 Optional. STRING. A means by which to extend the type attribute.
3219 See Section 5.1.1.
3221 unit
3222 Required. ENUM. Specifies the units of the element content.
3223 These values are maintained in the "Counter-unit" IANA registry
3224 per Section 10.2.
3226 1. byte. Bytes transferred.
3228 2. mbit. Megabits (Mbits) transferred.
3230 3. packet. Packets.
3232 4. flow. Network flow records.
3234 5. session. Sessions.
3236 6. alert. Notifications generated by another system (e.g., IDS
3237 or SIM).
3239 7. message. Messages (e.g., mail messages).
3241 8. event. Events.
3243 9. host. Hosts.
3245 10. site. Site.
3247 11. organization. Organizations.
3249 12. ext-value. A value used to indicate that this attribute is
3250 extended and the actual value is provided using the
3251 corresponding ext-* attribute. See Section 5.1.1.
3253 ext-unit
3254 Optional. STRING. A means by which to extend the unit attribute.
3255 See Section 5.1.1.
3257 meaning
3258 Optional. STRING. A free-form text description of the metric
3259 represented by the Counter.
3261 duration
3262 Optional. ENUM. If present, the Counter class represents a rate.
3263 This attribute specifies the unit of time over which the rate, whose
3264 units are specified in the unit attribute, is being conveyed. This
3265 attribute is the denominator of the rate (where the unit attribute
3266 specifies the numerator). The possible values of this attribute are
3267 defined in the duration attribute of Section 3.12.3.
3269 ext-duration
3270 Optional. STRING. A means by which to extend the duration
3271 attribute. See Section 5.1.1.
3273 3.19. DomainData Class
3275 The DomainData class describes a domain name and meta-data associated
3276 with this domain.
3278 +--------------------------+
3279 | DomainData |
3280 +--------------------------+
3281 | ENUM system-status |<>----------[ Name ]
3282 | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
3283 | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
3284 | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
3285 | ID observable-id |<>--{0..*}--[ RelatedDNS ]
3286 | |<>--{0..*}--[ Nameservers ]
3287 | |<>--{0..1}--[ DomainContacts ]
3288 +--------------------------+
3290 Figure 38: The DomainData Class
3292 The aggregate classes of the DomainData class are:
3294 Name
3295 One. STRING. The domain name of a system.
3297 DateDomainWasChecked
3298 Zero or one. DATETIME. A timestamp of when the domain listed in
3299 the Name class was resolved.
3301 RegistrationDate
3302 Zero or one. DATETIME. A timestamp of when the domain listed in
3303 the Name class was registered.
3305 ExpirationDate
3306 Zero or one. DATETIME. A timestamp of when the domain listed in
3307 the Name class is set to expire.
3309 RelatedDNS
3310 Zero or more. EXTENSION. Additional DNS records associated with
3311 this domain.
3313 Nameservers
3314 Zero or more. The name servers identified for the domain listed
3315 in the Name class. See Section 3.19.1.
3317 DomainContacts
3318 Zero or one. Contact information for the domain listed in the
3319 Name class, supplied by the registrar or through a whois query.
3321 The attributes of the DomainData class are:
3323 system-status
3324 Required. ENUM. Assesses the domain's involvement in the event.
3325 These values are maintained in the "DomainData-system-status" IANA
3326 registry per Section 10.2.
3328 1. spoofed. This domain was spoofed.
3330 2. fraudulent. This domain was operated with fraudulent
3331 intentions.
3333 3. innocent-hacked. This domain was compromised by a third
3334 party.
3336 4. innocent-hijacked. This domain was deliberately hijacked.
3338 5. unknown. No categorization for this domain known.
3340 6. ext-value. A value used to indicate that this attribute is
3341 extended and the actual value is provided using the
3342 corresponding ext-* attribute. See Section 5.1.1.
3344 ext-system-status
3345 Optional. STRING. A means by which to extend the system-status
3346 attribute. See Section 5.1.1.
3348 domain-status
3349 Required. ENUM. Categorizes the registry status of the domain at
3350 the time the document was generated. These values and their
3351 associated descriptions are derived from Section 3.2.2 of
3352 [RFC3982]. These values are maintained in the "DomainData-domain-
3353 status" IANA registry per Section 10.2.
3355 1. reservedDelegation. The domain is permanently inactive.
3357 2. assignedAndActive. The domain is in a normal state.
3359 3. assignedAndInactive. The domain has an assigned registration
3360 but the delegation is inactive.
3362 4. assignedAndOnHold. The domain is in dispute.
3364 5. revoked. The domain is in the process of being purged from
3365 the database.
3367 6. transferPending. The domain is pending a change in
3368 authority.
3370 7. registryLock. The domain is on hold by the registry.
3372 8. registrarLock. Same as "registryLock".
3374 9. other. The domain has a known status but it is not one of
3375 the predefined enumerated values.
3377 10. unknown. The domain has an unknown status.
3379 11. ext-value. A value used to indicate that this attribute is
3380 extended and the actual value is provided using the
3381 corresponding ext-* attribute. See Section 5.1.1.
3383 ext-domain-status
3384 Optional. STRING. A means by which to extend the domain-status
3385 attribute. See Section 5.1.1.
3387 observable-id
3388 Optional. ID. See Section 3.3.2.
3390 3.19.1. Nameservers Class
3392 The Nameservers class describes the name servers associated with a
3393 given domain.
3395 +--------------------+
3396 | Nameservers |
3397 +--------------------+
3398 | |<>----------[ Server ]
3399 | |<>--{1..*}--[ Address ]
3400 +--------------------+
3402 Figure 39: The Nameservers Class
3404 The aggregate classes of the Nameservers class are:
3406 Server
3407 One. STRING. The domain name of the name server.
3409 Address
3410 One or more. The address of the name server. The value of the
3411 category attribute MUST be either "ipv4-addr" or "ipv6-addr". See
3412 Section 3.18.1.
3414 The Nameservers class has no attributes.
3416 3.19.2. DomainContacts Class
3418 The DomainContacts class describes the contact information for a
3419 given domain provided either by the registrar or through a whois
3420 query.
3422 This contact information can be explicitly described through a
3423 Contact class, or a reference can be provided to a domain with
3424 identical contact information. Either a single SameDomainContact
3425 or one or more Contact classes MUST be present.
3427 +--------------------+
3428 | DomainContacts |
3429 +--------------------+
3430 | |<>--{0..1}--[ SameDomainContact ]
3431 | |<>--{1..*}--[ Contact ]
3432 +--------------------+
3434 Figure 40: The DomainContacts Class
3436 The aggregate classes of the DomainContacts class are:
3438 SameDomainContact
3439 Zero or one. STRING. A domain name already cited in this
3440 document or through previous exchange that contains the identical
3441 contact information as the domain name in question. The domain
3442 contact information associated with this domain should be used
3443 instead of an explicit definition with the Contact class.
3445 Contact
3446 One or more. Contact information for the domain. See
3447 Section 3.9.
3449 The DomainContacts class has no attributes.
3451 3.20. Service Class
3453 The Service class describes a network service. The service is
3454 described by protocol, port, protocol header field and application
3455 providing or using the service.
3457 +-------------------------+
3458 | Service |
3459 +-------------------------+
3460 | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
3461 | ID observable-id |<>--{0..1}--[ Port ]
3462 | |<>--{0..1}--[ Portlist ]
3463 | |<>--{0..1}--[ ProtoCode ]
3464 | |<>--{0..1}--[ ProtoType ]
3465 | |<>--{0..1}--[ ProtoField ]
3466 | |<>--{0..1}--[ ApplicationHeader ]
3467 | |<>--{0..1}--[ EmailData ]
3468 | |<>--{0..1}--[ Application ]
3469 +-------------------------+
3471 Figure 41: The Service Class
3473 The aggregate classes of the Service class are:
3475 ServiceName
3476 Zero or one. A protocol name.
3478 Port
3479 Zero or one. INTEGER. A port number.
3481 Portlist
3482 Zero or one. PORTLIST. A list of port numbers.
3484 ProtoCode
3485 Zero or one. INTEGER. A transport layer (layer 4) protocol-
3486 specific code field (e.g., ICMP code field).
3488 ProtoType
3489 Zero or one. INTEGER. A transport layer (layer 4) protocol
3490 specific type field (e.g., ICMP type field).
3492 ProtoField
3493 Zero or one. INTEGER. A transport layer (layer 4) protocol
3494 specific flag field (e.g., TCP flag field).
3496 ApplicationHeader
3497 Zero or one. A protocol header. See Section 3.20.2.
3499 EmailData
3500 Zero or one. Headers associated with an email message. See
3501 Section 3.21.
3503 Application
3504 Zero or one. SOFTWARE. The application acting as either the
3505 client or server for the service.
3507 Either a Port or Portlist class MUST be specified for a given
3508 instance of a Service class.
3510 When a System class with category="source" and another with
3511 category="target" are aggregated into a single Flow class, and each
3512 of these System classes has a Service and Portlist class, an implicit
3513 relationship between these Portlists exists. If N ports are listed
3514 for the System@category="source", and M ports are listed for the
3515 System@category="target", then N must be equal to M. Likewise, the
3516 ports MUST be listed in an identical sequence such that the n-th
3517 port in the source corresponds to the n-th port of the target. If N
3518 is greater than 1, a given instance of a Flow class MUST only have a
3519 single instance of a System@category="source" and a single instance
3520 of a System@category="target".
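The pairing rule is easy to violate once Portlist ranges are involved, because "80-443" contributes 364 positions, not one, and a consumer that zips source and target lists without expanding ranges first will silently mis-pair ports. The following is an added example, not code from the draft: it expands PORTLIST values, enforces the Port-or-Portlist requirement on each Service, and applies the N = M and single-source/single-target conditions to a Flow. It assumes the iodef-2.0 XML namespace and the PORTLIST syntax of comma-separated ports and N-M ranges; the two Flow documents embedded below are constructed for this example and use documentation addresses.

```python
import xml.etree.ElementTree as ET

# Added example (not from the draft): check the implicit source/target
# Portlist pairing of a Flow. Assumes the iodef-2.0 namespace and the
# PORTLIST syntax of comma-separated ports and N-M ranges; the sample XML
# is constructed for this example.

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}


def expand_portlist(text):
    """Expand a PORTLIST such as '22,53,80-82' into an ordered list of ports."""
    ports = []
    for item in text.split(","):
        low, dash, high = item.strip().partition("-")
        lo = int(low)
        hi = int(high) if dash else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item.strip()!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def service_ports(service):
    """Ports named by one Service; the draft requires a Port or a Portlist."""
    portlist = service.find("iodef:Portlist", NS)
    if portlist is not None:
        return expand_portlist(portlist.text or "")
    port = service.find("iodef:Port", NS)
    if port is not None:
        return [int((port.text or "").strip())]
    raise ValueError("Service carries neither Port nor Portlist")


def check_flow(flow):
    """Return (True, [(source_port, target_port), ...]) when the Flow obeys
    the pairing rule, otherwise (False, reason)."""
    per_role = {"source": [], "target": []}   # one port list per Service
    systems = {"source": 0, "target": 0}      # System count per role
    try:
        for system in flow.findall("iodef:System", NS):
            role = system.get("category")
            if role not in per_role:
                continue        # intermediate, sensor, ... carry no pairing
            systems[role] += 1
            for service in system.findall("iodef:Service", NS):
                per_role[role].append(service_ports(service))
    except ValueError as exc:
        return False, str(exc)
    if not per_role["source"] or not per_role["target"]:
        return True, []         # nothing to pair
    # N > 1 is only allowed with exactly one source and one target System.
    if any(len(p) > 1 for lists in per_role.values() for p in lists):
        if systems["source"] != 1 or systems["target"] != 1:
            return False, ("multi-port Portlists need exactly one source "
                           "and one target System")
    pairs = []
    for src in per_role["source"]:
        for dst in per_role["target"]:
            if len(src) != len(dst):
                return False, (f"source lists {len(src)} ports but target "
                               f"lists {len(dst)}")
            pairs.extend(zip(src, dst))   # n-th source port <-> n-th target port
    return True, pairs


def check_flow_xml(xml_text):
    return check_flow(ET.fromstring(xml_text))


# Constructed sample: three ephemeral source ports paired with three services.
GOOD_FLOW = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>1024,1025,1026</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.5</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Same Flow, but the target range expands to 365 ports against 3 sources.
BAD_FLOW = GOOD_FLOW.replace("22,80,443", "22,80-443")
```

A producer that wants to express "three sources each talking to the same three ports" cannot do it in one Flow under this rule; it needs one Flow per source System, which is also what keeps the positional correspondence unambiguous.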
3522 The attributes of the Service class are:
3524 ip-protocol
3525 Required. INTEGER. The IANA assigned IP protocol number per
3526 [IANA.Protocols].
3528 observable-id
3529 Optional. ID. See Section 3.3.2.
3531 3.20.1. ServiceName Class
3533 The ServiceName class identifies an application protocol. It can be
3534 described by referencing an IANA-registered service name, a URL, or
3535 free-form text.
3537 +--------------------+
3538 | ServiceName |
3539 +--------------------+
3540 | |<>--{0..1}--[ IANAService ]
3541 | |<>--{0..*}--[ URL ]
3542 | |<>--{0..*}--[ Description ]
3543 +--------------------+
3545 Figure 42: The ServiceName Class
3547 The aggregate classes of the ServiceName class are:
3549 IANAService
3550 Zero or one. STRING. The name of the service per the "Service
3551 Name" field of the [IANA.Ports] registry.
3553 URL
3554 Zero or more. URL. A URL to a resource describing the service.
3556 Description
3557 Zero or more. ML_STRING. A free-form text description of the
3558 service.
3560 At least one of these classes MUST be present.
3562 The ServiceName class has no attributes.
3564 3.20.2. ApplicationHeader Class
3566 The ApplicationHeader class describes arbitrary fields from a
3567 protocol header and their corresponding values.
3569 +--------------------------+
3570 | ApplicationHeader |
3571 +--------------------------+
3572 | |<>--{1..*}--[ ApplicationHeaderField ]
3573 +--------------------------+
3575 Figure 43: The ApplicationHeader Class
3577 The aggregate class of the ApplicationHeader class is:
3579 ApplicationHeaderField
3580 One or more. EXTENSION. A field name and value in a protocol
3581 header. The 'name' attribute MUST be set to the field name. The
3582 field value MUST be set in the element content.
3584 The ApplicationHeader class has no attributes.
3586 3.21. EmailData Class
3588 The EmailData class describes headers from an email message and the
3589 cryptographic hashes and signatures applied to it.
3591 +-------------------------+
3592 | EmailData |
3593 +-------------------------+
3594 | ID observable-id |<>--{0..*}--[ EmailTo ]
3595 | |<>--{0..1}--[ EmailFrom ]
3596 | |<>--{0..1}--[ EmailSubject ]
3597 | |<>--{0..1}--[ EmailX-Mailer ]
3598 | |<>--{0..*}--[ EmailHeaderField ]
3599 | |<>--{0..1}--[ EmailHeaders ]
3600 | |<>--{0..1}--[ EmailBody ]
3601 | |<>--{0..1}--[ EmailMessage ]
3602 | |<>--{0..*}--[ HashData ]
3603 | |<>--{0..*}--[ SignatureData ]
3604 +-------------------------+
3606 Figure 44: EmailData Class
3608 The aggregate classes of the EmailData class are:
3610 EmailTo
3611 Zero or more. EMAIL. The value of the "To:" header field
3612 (Section 3.6.3 of [RFC5322]) in an email.
3614 EmailFrom
3615 Zero or one. EMAIL. The value of the "From:" header field
3616 (Section 3.6.2 of [RFC5322]) in an email.
3618 EmailSubject
3619 Zero or one. STRING. The value of the "Subject:" header field in
3620 an email. See Section 3.6.4 of [RFC5322].
3622 EmailX-Mailer
3623 Zero or one. STRING. The value of the "X-Mailer:" header field
3624 in an email.
3626 EmailHeaderField
3627 Zero or more. EXTENSION. The header name and value of an
3628 arbitrary header field of the email message. The 'name' attribute
3629 MUST be set to the header name. The header value MUST be set in
3630 the element body. The dtype attribute MUST be set to "string".
3632 EmailHeaders
3633 Zero or one. STRING. The headers of an email message.
3635 EmailBody
3636 Zero or one. STRING. The body of an email message.
3638 EmailMessage
3639 Zero or one. STRING. The headers and body of an email message.
3641 HashData
3642 Zero or more. Hash(es) associated with this email message. See
3643 Section 3.26.
3645 SignatureData
3646 Zero or more. Signature(s) associated with this email message.
3647 See Section 3.27.
3649 The attribute of the EmailData class is:
3651 observable-id
3652 Optional. ID. See Section 3.3.2.
3654 3.22. Record Class
3656 The Record class is a container class for log and audit data that
3657 provides supportive information about the events in an incident. The
3658 source of this data will often be the output of monitoring tools.
3659 These logs substantiate the activity described in the document.
3661 +------------------------+
3662 | Record |
3663 +------------------------+
3664 | ENUM restriction |<>--{1..*}--[ RecordData ]
3665 | STRING ext-restriction |
3666 +------------------------+
3668 Figure 45: Record Class
3670 The aggregate classes of the Record class are:
3672 RecordData
3673 One or more. Log or audit data generated by a particular tool.
3674 Separate instances of the RecordData class SHOULD be used for each
3675 type of log. See Section 3.22.1.
3677 The attributes of the Record class are:
3679 restriction
3680 Optional. ENUM. See Section 3.3.1.
3682 ext-restriction
3683 Optional. STRING. A means by which to extend the restriction
3684 attribute. See Section 5.1.1.
3686 3.22.1. RecordData Class
3688 The RecordData class describes or references log or audit data from a
3689 given type of tool and provides a means to annotate the output.
3691 +------------------------+
3692 | RecordData |
3693 +------------------------+
3694 | ENUM restriction |<>--{0..1}--[ DateTime ]
3695 | STRING ext-restriction |<>--{0..*}--[ Description ]
3696 | ID observable-id |<>--{0..1}--[ Application ]
3697 | |<>--{0..*}--[ RecordPattern ]
3698 | |<>--{0..*}--[ RecordItem ]
3699 | |<>--{0..*}--[ URL ]
3700 | |<>--{0..*}--[ FileData ]
3701 | |<>--{0..*}--
3702 | | [ WindowsRegistryKeysModified ]
3703 | |<>--{0..*}--[ CertificateData ]
3704 | |<>--{0..*}--[ AdditionalData ]
3705 +------------------------+
3707 Figure 46: The RecordData Class
3709 The aggregate classes of the RecordData class are:
3711 DateTime
3712 Zero or one. DATETIME. A timestamp of the data found in the
3713 RecordItem or URL classes.
3715 Description
3716 Zero or more. ML_STRING. A free-form text description of the
3717 data provided in the RecordItem or URL classes.
3719 Application
3720 Zero or one. SOFTWARE. Identifies the tool used to generate the
3721 data in the RecordItem or URL classes.
3723 RecordPattern
3724 Zero or more. A search string to precisely find the relevant data
3725 in the RecordItem or URL classes. See Section 3.22.2.
3727 RecordItem
3728 Zero or more. EXTENSION. Log, audit, or forensic data to support
3729 the conclusions made during the course of analyzing the incident.
3731 URL
3732 Zero or more. URL. A URL reference to log or audit data.
3734 FileData
3735 Zero or more. The files involved in the incident. See
3736 Section 3.25.
3738 WindowsRegistryKeysModified
3739 Zero or more. The registry keys that were involved in the
3740 incident. See Section 3.23.
3742 CertificateData
3743 Zero or more. The certificates that were involved in the
3744 incident. See Section 3.24.
3746 AdditionalData
3747 Zero or more. EXTENSION. An extension mechanism for data not
3748 explicitly represented in the data model.
3750 The attributes of the RecordData class are:
3752 restriction
3753 Optional. ENUM. See Section 3.3.1.
3755 ext-restriction
3756 Optional. STRING. A means by which to extend the restriction
3757 attribute. See Section 5.1.1.
3759 observable-id
3760 Optional. ID. See Section 3.3.2.
3762 3.22.2. RecordPattern Class
3764 The RecordPattern class describes where in the log data provided or
3765 referenced in RecordData class relevant information can be found. It
3766 provides a way to reference subsets of information, identified by a
3767 pattern, in a large log file, audit trail, or forensic data.
3769 +-----------------------+
3770 | RecordPattern |
3771 +-----------------------+
3772 | STRING |
3773 | |
3774 | ENUM type |
3775 | STRING ext-type |
3776 | INTEGER offset |
3777 | ENUM offsetunit |
3778 | STRING ext-offsetunit |
3779 | INTEGER instance |
3780 +-----------------------+
3782 Figure 47: The RecordPattern Class
3784 The content of the class is of type STRING and specifies a search
3785 pattern.
3787 The attributes of the RecordPattern class are:
3789 type
3790 Required. ENUM. Describes the type of pattern being specified in
3791 the element content. The default is "regex". These values are
3792 maintained in the "RecordPattern-type" IANA registry per
3793 Section 10.2.
3795 1. regex. Regular expression as defined by POSIX Extended
3796 Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
3798 2. binary. Hex-encoded binary pattern, per the HEXBIN data
3799 type.
3801 3. xpath. XML Path (XPath) [W3C.XPATH]
3803 4. ext-value. A value used to indicate that this attribute is
3804 extended and the actual value is provided using the
3805 corresponding ext-* attribute. See Section 5.1.1.
3807 ext-type
3808 Optional. STRING. A means by which to extend the type attribute.
3809 See Section 5.1.1.
3811 offset
3812 Optional. INTEGER. Amount of units (determined by the offsetunit
3813 attribute) to seek into the RecordItem data before matching the
3814 pattern.
3816 offsetunit
3817 Optional. ENUM. Describes the units of the offset attribute.
3818 The default is "line". These values are maintained in the
3819 "RecordPattern-offsetunit" IANA registry per Section 10.2.
3821 1. line. Offset is a count of lines.
3823 2. byte. Offset is a count of bytes.
3825 3. ext-value. A value used to indicate that this attribute is
3826 extended and the actual value is provided using the
3827 corresponding ext-* attribute. See Section 5.1.1.
3829 ext-offsetunit
3830 Optional. STRING. A means by which to extend the offsetunit
3831 attribute. See Section 5.1.1.
3833 instance
3834 Optional. INTEGER. Number of times to apply the specified
3835 pattern.
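To make the RecordPattern semantics concrete, here is an added example (not part of this draft) that applies a RecordPattern to RecordItem content: it seeks offset units of the given offsetunit into the data, decodes the element content according to type, and stops after instance matches. The log lines, the RecordPattern dataclass and the helper names are constructed for the example, and Python's regex dialect is assumed to accept the POSIX ERE constructs used in the sample patterns.

```python
"""Apply an IODEF RecordPattern (Section 3.22.2) to RecordItem content.

Added example, not part of the draft. The element content is the pattern;
the attributes say how to decode it (type), how far to seek into the data
before matching (offset, offsetunit) and how many matches to take
(instance). The log lines, the dataclass and the helper names below are
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed RecordItem content: three syslog-style lines.
SAMPLE_RECORD = (
    "2015-06-11T00:38:29-06:00 gw sshd[4242]: Accepted publickey for alice from 192.0.2.10\n"
    "2015-06-11T00:38:31-06:00 gw sshd[4243]: Failed password for root from 192.0.2.55\n"
    "2015-06-11T00:38:40-06:00 gw sshd[4243]: Failed password for root from 192.0.2.55\n"
)


@dataclass
class RecordPattern:
    """Element content plus the attributes defined for the class."""
    pattern: str
    type: str = "regex"             # "regex" (POSIX ERE) or "binary" (HEXBIN)
    offset: int = 0                 # units to seek before matching
    offsetunit: str = "line"        # "line" or "byte"
    instance: Optional[int] = None  # None: take every match


def _seek(data: bytes, p: RecordPattern) -> bytes:
    """Drop the first `offset` units of data; anchors then apply to what remains."""
    if p.offsetunit == "byte":
        return data[p.offset:]
    if p.offsetunit == "line":
        # keepends so byte positions of later matches still line up with the log
        return b"".join(data.splitlines(keepends=True)[p.offset:])
    raise ValueError(f"unsupported offsetunit {p.offsetunit!r}")  # ext-value not handled


def _compile(p: RecordPattern) -> "re.Pattern[bytes]":
    """Decode the element content according to @type into a bytes regex."""
    if p.type == "regex":
        # Assumption: Python's dialect accepts the ERE constructs used in log
        # patterns ([a-z]+, [0-9.]+, ^, $). Perl-only escapes such as \w are
        # not ERE and are not used in the samples.
        return re.compile(p.pattern.encode())
    if p.type == "binary":
        # HEXBIN content: decode the hex, then match those bytes literally.
        return re.compile(re.escape(bytes.fromhex(p.pattern)))
    raise ValueError(f"unsupported RecordPattern type {p.type!r}")


def apply_record_pattern(record: bytes, p: RecordPattern) -> List[bytes]:
    """Return the matched byte strings, honouring offset, offsetunit and instance."""
    haystack = _seek(record, p)
    regex = _compile(p)
    hits: List[bytes] = []
    for m in regex.finditer(haystack):
        hits.append(m.group(0))
        if p.instance is not None and len(hits) >= p.instance:
            break
    return hits


if __name__ == "__main__":
    data = SAMPLE_RECORD.encode()
    # Skip the first line, then take at most one authentication failure.
    p = RecordPattern("Failed password for [a-z]+ from [0-9.]+", offset=1, instance=1)
    for hit in apply_record_pattern(data, p):
        print(hit.decode())
```

Note that the offset is applied before the pattern, so a "^" anchor in a byte-offset pattern matches at the seek position rather than at the start of the log; that is the behaviour a consumer needs when a pattern was written against a known byte position in a forensic image.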
3837 3.23. WindowsRegistryKeysModified Class
3839 The WindowsRegistryKeysModified class describes Windows operating
3840 system registry keys and the operations that were performed on them.
3841 This class was derived from [RFC5901].
3843 +-----------------------------+
3844 | WindowsRegistryKeysModified |
3845 +-----------------------------+
3846 | ID observable-id |<>--{1..*}--[ Key ]
3847 +-----------------------------+
3849 Figure 48: The WindowsRegistryKeysModified Class
3851 The aggregate classes of the WindowsRegistryKeysModified class are:
3853 Key
3854 One or more. The Windows registry key. See Section 3.23.1.
3856 The attribute of the WindowsRegistryKeysModified class is:
3858 observable-id
3859 Optional. ID. See Section 3.3.2.
3861 3.23.1. Key Class
3863 The Key class describes a Windows operating system registry key name
3864 and value pair, and the operation performed on it.
3866 +---------------------------+
3867 | Key |
3868 +---------------------------+
3869 | ENUM registryaction |<>----------[ KeyName ]
3870 | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
3871 | ID observable-id |
3872 +---------------------------+
3874 Figure 49: The Key Class
3876 The aggregate classes of the Key class are:
3878 KeyName
3879 One. STRING. The name of a Windows operating system registry key
3880 (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
3882 KeyValue
3883 Zero or one. STRING. The value of the registry key identified in
3884 the KeyName class encoded per the .reg file format [KB310516].
3886 The attributes of the Key class are:
3888 registryaction
3889 Optional. ENUM. The type of action taken on the registry key.
3890 These values are maintained in the "Key-registryaction" IANA
3891 registry per Section 10.2.
3893 1. add-key. Registry key added.
3895 2. add-value. Value added to a registry key.
3897 3. delete-key. Registry key deleted.
3899 4. delete-value. Value deleted from a registry key.
3901 5. modify-key. Registry key modified.
3903 6. modify-value. Value modified in a registry key.
3905 7. ext-value. A value used to indicate that this attribute is
3906 extended and the actual value is provided using the
3907 corresponding ext-* attribute. See Section 5.1.1.
3909 ext-registryaction
3910 Optional. STRING. A means by which to extend the registryaction
3911 attribute. See Section 5.1.1.
3913 observable-id
3914 Optional. ID. See Section 3.3.2.
3916 3.24. CertificateData Class
3918 The CertificateData class describes X.509 certificates.
3920 +------------------------+
3921 | CertificateData |
3922 +------------------------+
3923 | ENUM restriction |<>--{1..*}--[ Certificate ]
3924 | STRING ext-restriction |
3925 | ID observable-id |
3926 +------------------------+
3928 Figure 50: The CertificateData Class
3930 The aggregate classes of the CertificateData class are:
3932 Certificate
3933 One or more. A description of an X.509 certificate or certificate
3934 chain. See Section 3.24.1.
3936 The attributes of the CertificateData class are:
3938 restriction
3939 Optional. ENUM. See Section 3.3.1.
3941 ext-restriction
3942 Optional. STRING. A means by which to extend the restriction
3943 attribute. See Section 5.1.1.
3945 observable-id
3946 Optional. ID. See Section 3.3.2.
3948 3.24.1. Certificate Class
3950 The Certificate class describes a given X.509 certificate or
3951 certificate chain.
3953 +--------------------------+
3954 | Certificate |
3955 +--------------------------+
3956 | ID observable-id |<>----------[ ds:X509Data ]
3957 | |<>--{0..*}--[ Description ]
3958 +--------------------------+
3960 Figure 51: The Certificate Class
3962 The aggregate classes of the Certificate class are:
3964 ds:X509Data
3965 One. A given X.509 certificate or chain. See Section 4.4.4 of
3966 [W3C.XMLSIG].
3968 Description
3969 Zero or more. ML_STRING. A free-form text description explaining
3970 the context of this certificate.
3972 The attributes of the Certificate class are:
3974 observable-id
3975 Optional. ID. See Section 3.3.2.
3977 3.25. FileData Class
3979 The FileData class describes a file or set of files.
3981 +------------------------+
3982 | FileData |
3983 +------------------------+
3984 | ENUM restriction |<>--{1..*}--[ File ]
3985 | STRING ext-restriction |
3986 | ID observable-id |
3987 +------------------------+
3989 Figure 52: The FileData Class
3991 The aggregate classes of the FileData class are:
3993 File
3994 One or more. A description of a file. See Section 3.25.1.
3996 The attributes of the FileData class are:
3998 restriction
3999 Optional. ENUM. See Section 3.3.1.
4001 ext-restriction
4002 Optional. STRING. A means by which to extend the restriction
4003 attribute. See Section 5.1.1.
4005 observable-id
4006 Optional. ID. See Section 3.3.2.
4008 3.25.1. File Class
4010 The File class describes a file, its associated meta data, and the
4011 cryptographic hashes and signatures applied to it.
4013 +-----------------------+
4014 | File |
4015 +-----------------------+
4016 | ID observable-id |<>--{0..1}--[ FileName ]
4017 | |<>--{0..1}--[ FileSize ]
4018 | |<>--{0..1}--[ FileType ]
4019 | |<>--{0..*}--[ URL ]
4020 | |<>--{0..1}--[ HashData ]
4021 | |<>--{0..1}--[ SignatureData ]
4022 | |<>--{0..1}--[ AssociatedSoftware ]
4023 | |<>--{0..*}--[ FileProperties ]
4024 +-----------------------+
4026 Figure 53: The File Class
4028 The aggregate classes of the File class are:
4030 FileName
4031 Zero or One. STRING. The name of the file.
4033 FileSize
4034 Zero or One. INTEGER. The size of the file in bytes.
4036 FileType
4037 Zero or One. STRING. The type of file per the IANA Media Types
4038 Registry [IANA.Media]. Valid values correspond to the text in the
4039 "Template" column (e.g., "application/pdf").
4041 URL
4042 Zero or more. URL. A URL reference to the file.
4044 HashData
4045 Zero or One. Hash(es) associated with this file. See
4046 Section 3.26.
4048 SignatureData
4049 Zero or One. Signature(s) associated with this file. See
4050 Section 3.27.
4052 AssociatedSoftware
4053 Zero or One. SOFTWARE. The software application or operating
4054 system to which this file belongs or by which it can be processed.
4056 FileProperties
4057 Zero or more. EXTENSION. Mechanism by which to extend the data
4058 model to describe properties of the file.
4060 The attributes of the File class are:
4062 observable-id
4063 Optional. ID. See Section 3.3.2.
4065 3.26. HashData Class
4067 The HashData class describes different types of hashes on a given
4068 object (e.g., file, part of a file, email).
4070 +--------------------------+
4071 | HashData |
4072 +--------------------------+
4073 | ENUM scope |<>--{0..1}--[ HashTargetID ]
4074 | STRING ext-scope |<>--{0..*}--[ Hash ]
4075 | |<>--{0..*}--[ FuzzyHash ]
4076 +--------------------------+
4078 Figure 54: The HashData Class
4080 The aggregate classes of the HashData class are:
4082 HashTargetID
4083 Zero or One. STRING. An identifier that references a subset of
4084 the object being hashed. The semantics of this identifier are
4085 specified by the scope attribute.
4087 Hash
4088 Zero or more. The hash of an object. See Section 3.26.1.
4090 FuzzyHash
4091 Zero or more. The fuzzy hash of an object. See Section 3.26.2.
4093 At least one instance of either Hash or FuzzyHash MUST be present.
4095 The attributes of the HashData class are:
4097 scope
4098 Required. ENUM. Describes which part of the object the hash was
4099 computed over. These values are maintained in the "HashData-
4100 scope" IANA registry per Section 10.2.
4102 1. file-contents. A hash computed over the entire contents of a
4103 file.
4105 2. file-pe-section. A hash computed on a given section of a
4106 Windows Portable Executable (PE) file. If set to this value,
4107 the HashTargetID class MUST identify the section being hashed.
4108 A section is identified by an ordinal number (starting at 1)
4109 corresponding to the order in which the given section
4110 header was defined in the Section Table of the PE file header.
4112 3. file-pe-iat. A hash computed on the Import Address
4113 Table (IAT) of a PE file. As IAT hashes are often tool
4114 dependent, if this value is set, the Application class of
4115 either the Hash or FuzzyHash classes MUST specify the tool
4116 used to generate the hash.
4118 4. file-pe-resource. A hash computed on a given resource in a PE
4119 file. If set to this value, the HashTargetID class MUST
4120 identify the resource being hashed. A resource is identified
4121 by an ordinal number (starting at 1) corresponding to the
4122 order in which the given resource is declared in the Resource
4123 Directory referenced from the Data Directory of the PE file header.
4125 5. file-pdf-object. A hash computed on a given object in a
4126 Portable Document Format (PDF) file. If set to this value,
4127 the HashTargetID class MUST identify the object being hashed.
4128 This object is identified by its offset in the PDF file.
4130 6. email-hash. A hash computed over the headers and body of an
4131 email message.
4133 7. email-headers-hash. A hash computed over all of the headers
4134 of an email message.
4136 8. email-body-hash. A hash computed over the body of an email
4137 message.
4139 9. ext-value. A value used to indicate that this attribute is
4140 extended and the actual value is provided using the
4141 corresponding ext-* attribute. See Section 5.1.1.
4143 ext-scope
4144 Optional. STRING. A means by which to extend the scope
4145 attribute. See Section 5.1.1.
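As an added example (not from the draft) of the file-pe-section scope, the following code derives the HashTargetID ordinal and the digest from a PE image by walking the Section Table described above: the section's raw data is located from its header and hashed, and the 1-based ordinal becomes the HashTargetID. The minimal PE image, the helper names and the choice of SHA-256 as the ds:DigestMethod algorithm are the example's own assumptions.

```python
"""Compute an IODEF HashData with scope="file-pe-section".

Added example, not part of the draft. Section 3.26 identifies a PE section
by its 1-based ordinal in the Section Table, so the HashTargetID is that
ordinal and the digest covers the section's raw data. The PE image built
below is constructed for the example: valid headers, fake section bytes.
"""
import hashlib
import struct
from typing import Dict, Iterator, Tuple

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # ds:DigestMethod Algorithm


def pe_section_table(data: bytes) -> Iterator[Tuple[str, int, int]]:
    """Yield (name, PointerToRawData, SizeOfRawData) in Section Table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional_header
    for i in range(number_of_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20.
        size_of_raw_data, pointer_to_raw_data = struct.unpack_from("<II", data, off + 16)
        yield name, pointer_to_raw_data, size_of_raw_data


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def hash_pe_section(data: bytes, ordinal: int) -> Dict[str, str]:
    """Return the HashData fields for one section, keyed by IODEF class/attribute name."""
    sections = list(pe_section_table(data))
    if not 1 <= ordinal <= len(sections):
        raise ValueError(f"section ordinal {ordinal} outside 1..{len(sections)}")
    _, ptr, size = sections[ordinal - 1]
    if ptr + size > len(data):
        raise ValueError("section raw data truncated")  # never hash a partial section
    return {
        "scope": "file-pe-section",
        "HashTargetID": str(ordinal),   # 1-based, Section Table order
        "DigestMethod": SHA256_URI,
        "DigestValue": sha256_hex(data[ptr:ptr + size]),
    }


TEXT_BYTES = b"\x55\x89\xe5\x90\x90\xc3" * 4   # constructed .text content
RDATA_BYTES = b"IODEF sample string\0"         # constructed .rdata content


def build_sample_pe() -> bytes:
    """Constructed minimal image: MZ stub, PE signature, COFF header, two sections."""
    e_lfanew, text_ptr, rdata_ptr = 0x40, 0x100, 0x120
    image = bytearray(0x140)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, 2 sections, no symbols, SizeOfOptionalHeader=0, Characteristics.
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def section(name: bytes, ptr: int, blob: bytes) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000, len(blob), ptr,
                           0, 0, 0, 0, 0x60000020)

    table = e_lfanew + 4 + COFF_HEADER_SIZE
    image[table:table + 2 * SECTION_HEADER_SIZE] = (
        section(b".text", text_ptr, TEXT_BYTES) + section(b".rdata", rdata_ptr, RDATA_BYTES))
    image[text_ptr:text_ptr + len(TEXT_BYTES)] = TEXT_BYTES
    image[rdata_ptr:rdata_ptr + len(RDATA_BYTES)] = RDATA_BYTES
    return bytes(image)


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    for ordinal, (name, _, _) in enumerate(pe_section_table(SAMPLE_PE), start=1):
        print(name, hash_pe_section(SAMPLE_PE, ordinal))
```

The ordinal is deliberately taken from Section Table order rather than from the section name, because names such as ".text" are neither unique nor mandatory in a PE file and a producer and consumer that keyed on them could silently hash different sections.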
4147 3.26.1. Hash Class
4149 The Hash class describes a cryptographic hash value; the algorithm
4150 and application used to generate it; and the canonicalization method
4151 applied to the object being hashed.
4153 +----------------+
4154 | Hash |
4155 +----------------+
4156 | |<>----------[ ds:DigestMethod ]
4157 | |<>----------[ ds:DigestValue ]
4158 | |<>--{0..1}--[ ds:CanonicalizationMethod ]
4159 | |<>--{0..1}--[ Application ]
4160 +----------------+
4162 Figure 55: The Hash Class
4164 The aggregate classes of the Hash class are:
4166 ds:DigestMethod
4167 One. The hash algorithm used to generate the hash. See
4168 Section 4.3.3.5 of [W3C.XMLSIG]
4170 ds:DigestValue
4171 One. The computed hash value. See Section 4.3.3.6 of
4172 [W3C.XMLSIG].
4174 ds:CanonicalizationMethod
4175 Zero or one. The canonicalization method used on the object being
4176 hashed. See Section 4.3.1 of [W3C.XMLSIG].
4178 Application
4179 Zero or One. SOFTWARE. The application used to calculate the
4180 hash.
4182 The Hash class has no attributes.
4184 3.26.2. FuzzyHash Class
4186 The FuzzyHash class describes a fuzzy hash and the application used
4187 to generate it.
4189 +--------------------------+
4190 | FuzzyHash |
4191 +--------------------------+
4192 | |<>--{1..*}--[ FuzzyHashValue ]
4193 | |<>--{0..1}--[ Application ]
4194 | |<>--{0..*}--[ AdditionalData ]
4195 +--------------------------+
4197 Figure 56: The FuzzyHash Class
4199 The aggregate classes of the FuzzyHash class are:
4201 FuzzyHashValue
4202 One or more. EXTENSION. The computed fuzzy hash value.
4204 Application
4205 Zero or One. SOFTWARE. The application used to calculate the
4206 hash.
4208 AdditionalData
4209 Zero or more. EXTENSION. Mechanism by which to extend the data
4210 model.
4212 The FuzzyHash class has no attributes.
4214 3.27. SignatureData Class
4216 The SignatureData class describes different types of digital
4217 signatures on an object.
4219 +--------------------------+
4220 | SignatureData |
4221 +--------------------------+
4222 | |<>--{1..*}--[ ds:Signature ]
4223 +--------------------------+
4225 Figure 57: The SignatureData Class
4227 The aggregate class of the SignatureData class is:
4229 ds:Signature
4230 One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
4232 The SignatureData class has no attributes.
4234 3.28. IndicatorData Class
4236 The IndicatorData class describes cyber indicators and meta-data
4237 associated with them.
4239 +--------------------------+
4240 | IndicatorData |
4241 +--------------------------+
4242 | |<>--{1..*}--[ Indicator ]
4243 +--------------------------+
4245 Figure 58: The IndicatorData Class
4247 The aggregate class of the IndicatorData class is:
4249 Indicator
4250 One or more. A description of an indicator. See Section 3.29.
4252 The IndicatorData class has no attributes.
4254 3.29. Indicator Class
4256 The Indicator class describes a cyber indicator. An indicator
4257 consists of observable features and phenomena that aid in the
4258 forensic or proactive detection of malicious activity, and associated
4259 meta-data. An indicator can be described outright; by referencing or
4260 composing previously defined indicators; or by referencing
4261 observables described in the incident report found in this document.
4263 +------------------------+
4264 | Indicator |
4265 +------------------------+
4266 | ENUM restriction |<>----------[ IndicatorID ]
4267 | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
4268 | |<>--{0..*}--[ Description ]
4269 | |<>--{0..1}--[ StartTime ]
4270 | |<>--{0..1}--[ EndTime ]
4271 | |<>--{0..1}--[ Confidence ]
4272 | |<>--{0..*}--[ Contact ]
4273 | |<>--{0..1}--[ Observable ]
4274 | |<>--{0..1}--[ ObservableReference ]
4275 | |<>--{0..1}--[ IndicatorExpression ]
4276 | |<>--{0..1}--[ IndicatorReference ]
4277 | |<>--{0..*}--[ NodeRole ]
4278 | |<>--{0..*}--[ AttackPhase ]
4279 | |<>--{0..*}--[ AdditionalData ]
4280 +------------------------+
4282 Figure 59: The Indicator Class
4284 The aggregate classes of the Indicator class are:
4286 IndicatorID
4287 One. An identifier for this indicator. See Section 3.29.1.
4289 AlternativeIndicatorID
4290 Zero or one. An alternative identifier for this indicator. See
4291 Section 3.29.2.
4293 Description
4294 Zero or more. ML_STRING. A free-form text description of the
4295 indicator.
4297 StartTime
4298 Zero or one. DATETIME. A timestamp of the start of the time
4299 period during which this indicator is valid.
4301 EndTime
4302 Zero or one. DATETIME. A timestamp of the end of the time period
4303 during which this indicator is valid.
4305 Confidence
4306 Zero or one. An estimate of the confidence in the quality of the
4307 indicator. See Section 3.12.5.
4309 Contact
4310 Zero or more. Contact information for this indicator. See
4311 Section 3.9.
4313 Observable
4314 Zero or one. An observable feature or phenomenon of this
4315 indicator. See Section 3.29.3.
4317 ObservableReference
4318 Zero or one. A reference to an observable feature or phenomenon
4319 defined elsewhere in the document. See Section 3.29.6.
4321 IndicatorExpression
4322 Zero or one. A composition of observables. See Section 3.29.4.
4324 IndicatorReference
4325 Zero or one. A reference to an indicator. See Section 3.29.7.
4327 NodeRole
4328 Zero or more. The role of the system in the attack should this
4329 indicator be matched to it. See Section 3.18.2.
4331 AttackPhase
4332 Zero or more. The phase in an attack lifecycle during which this
4333 indicator might be seen. See Section 3.29.8.
4335 AdditionalData
4336 Zero or more. EXTENSION. Mechanism by which to extend the data
4337 model.
4339 The Indicator class MUST have exactly one instance of an Observable,
4340 IndicatorExpression, ObservableReference, or IndicatorReference
4341 class.
4343 The StartTime and EndTime classes can be used to define an interval
4344 during which the indicator is valid. If both classes are present,
4345 the indicator is considered valid only during the described interval.
4346 If neither class is provided, the indicator is considered valid
4347 during any time interval. If only a StartTime is provided, the
4348 indicator is valid anytime after this timestamp. If only an EndTime
4349 is provided, the indicator is valid anytime prior to this timestamp.
4351 The attributes of the Indicator class are:
4353 restriction
4354 Optional. ENUM. See Section 3.3.1.
4356 ext-restriction
4357 Optional. STRING. A means by which to extend the restriction
4358 attribute. See Section 5.1.1.
4360 3.29.1. IndicatorID Class
4362 The IndicatorID class identifies an indicator with a globally unique
4363 identifier. The combination of the name and version attributes, and
4364 the element content form this identifier. Indicators generated by a
4365 given CSIRT MUST NOT reuse the same value unless they are referencing
4366 the same indicator.
4368 +------------------+
4369 | IndicatorID |
4370 +------------------+
4371 | ID |
4372 | |
4373 | STRING name |
4374 | STRING version |
4375 +------------------+
4377 Figure 60: The IndicatorID Class
4379 The content of the class is of type ID and specifies an identifier
4380 for an indicator.
4382 The attributes of the IndicatorID class are:
4384 name
4385 Required. STRING. An identifier describing the CSIRT that
4386 created the indicator. In order to have a globally unique CSIRT
4387 name, the fully qualified domain name associated with the CSIRT
4388 MUST be used. This format is identical to the IncidentID@name
4389 attribute in Section 3.4.
4391 version
4392 Required. STRING. A version number of an indicator.
4394 3.29.2. AlternativeIndicatorID Class
4396 The AlternativeIndicatorID class lists alternative identifiers for an
4397 indicator.
4399 +-------------------------+
4400 | AlternativeIndicatorID |
4401 +-------------------------+
4402 | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
4403 | STRING ext-restriction |
4404 +-------------------------+
4406 Figure 61: The AlternativeIndicatorID Class
4408 The aggregate class of the AlternativeIndicatorID class is:
4410 IndicatorReference
4411 One or more. A reference to an indicator. See Section 3.29.7.
4413 The attributes of the AlternativeIndicatorID class are:
4415 restriction
4416 Optional. ENUM. See Section 3.3.1.
4418 ext-restriction
4419 Optional. STRING. A means by which to extend the restriction
4420 attribute. See Section 5.1.1.
4422 3.29.3. Observable Class
4424 The Observable class describes a feature or phenomenon that can be
4425 observed or measured for the purpose of detecting malicious
4426 behavior.
4428 +-------------------+
4429 | Observable |
4430 +-------------------+
4431 | |<>--{0..1}--[ Address ]
4432 | |<>--{0..1}--[ DomainData ]
4433 | |<>--{0..1}--[ Service ]
4434 | |<>--{0..1}--[ EmailData ]
4436 | |<>--{0..1}--[ WindowsRegistryKeysModified ]
4437 | |<>--{0..1}--[ FileData ]
4438 | |<>--{0..1}--[ CertificateData ]
4439 | |<>--{0..1}--[ RegistryHandle ]
4440 | |<>--{0..1}--[ RecordData ]
4441 | |<>--{0..1}--[ EventData ]
4442 | |<>--{0..1}--[ Incident ]
4443 | |<>--{0..1}--[ Expectation ]
4444 | |<>--{0..1}--[ Reference ]
4445 | |<>--{0..1}--[ Assessment ]
4446 | |<>--{0..1}--[ HistoryItem ]
4447 | |<>--{0..1}--[ BulkObservable ]
4448 | |<>--{0..*}--[ AdditionalData ]
4449 +-------------------+
4451 Figure 62: The Observable Class
4453 The aggregate classes of the Observable class are:
4455 Address
4456 Zero or One. An Address observable. See Section 3.18.1.
4458 DomainData
4459 Zero or One. A DomainData observable. See Section 3.19.
4461 Service
4462 Zero or One. A Service observable. See Section 3.20.
4464 EmailData
4465 Zero or One. A EmailData observable. See Section 3.21.
4467 WindowsRegistryKeysModified
4468 Zero or One. A WindowsRegistryKeysModified observable. See
4469 Section 3.23.
4471 FileData
4472 Zero or One. A FileData observable. See Section 3.25.
4474 CertificateData
4475 Zero or One. A CertificateData observable. See Section 3.24.
4477 RegistryHandle
4478 Zero or One. A RegistryHandle observable. See Section 3.9.1.
4480 RecordData
4481 Zero or One. A RecordData observable. See Section 3.22.1.
4483 EventData
4484 Zero or One. An EventData observable. See Section 3.14.
4486 Incident
4487 Zero or One. An Incident observable. See Section 3.2.
4492 Expectation
4493 Zero or One. An Expectation observable. See Section 3.15.
4495 Reference
4496 Zero or One. A Reference observable. See Section 3.11.1.
4498 Assessment
4499 Zero or One. An Assessment observable. See Section 3.12.
4501 HistoryItem
4502 Zero or One. A HistoryItem observable. See Section 3.13.1.
4504 BulkObservable
4505 Zero or One. A bulk list of observables. See Section 3.29.3.1.
4507 AdditionalData
4508 Zero or more. EXTENSION. Mechanism by which to extend the data
4509 model.
4511 The Observable class MUST have exactly one of the possible child
4512 classes.
4514 The Observable class has no attributes.
4516 3.29.3.1. BulkObservable Class
4518 The BulkObservable class allows the enumeration of a single type of
4519 observables without requiring each one to be encoded individually in
4520 multiple instances of the same class.
4522 The type attribute describes the type of observable listed in the
4523 child BulkObservableList class. The BulkObservableFormat class
4524 optionally provides additional meta-data.
4526 +---------------------------+
4527 | BulkObservable |
4528 +---------------------------+
4529 | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
4530 | STRING ext-type |<>----------[ BulkObservableList ]
4531 | |<>--{0..*}--[ AdditionalData ]
4532 +---------------------------+
4534 Figure 63: The BulkObservable Class
4536 The aggregate classes of the BulkObservable class are:
4538 BulkObservableFormat
4539 Zero or one. Provides additional meta-data about the observables
4540 enumerated in the BulkObservableList class. See
4541 Section 3.29.3.1.1.
4543 BulkObservableList
4544 One. STRING. A list of observables, one per line. Each line is
4545 separated with either a LF character or CR-and-LF characters. The
4546 type attribute specifies which observables will be listed.
4548 AdditionalData
4549 Zero or more. EXTENSION. Mechanism by which to extend the data
4550 model.
4552 The attributes of the BulkObservable class are:
4554 type
4555 Optional. ENUM. The type of the observable listed in the child
4556 BulkObservableList class. These values are maintained in the
4557 "BulkObservable-type" IANA registry per Section 10.2.
4559 1. asn. Autonomous System Number (per the Address@category
4560 attribute).
4562 2. atm. Asynchronous Transfer Mode (ATM) address (per the
4563 Address@category attribute).
4565 3. e-mail. Electronic mail address (RFC 822) (per the
4566 Address@category attribute).
4568 4. ipv4-addr. IPv4 host address in dotted-decimal notation
4569 (e.g., 192.0.2.1) (per the Address@category attribute).
4571 5. ipv4-net. IPv4 network address in dotted-decimal notation,
4572 slash, significant bits (e.g., 192.0.2.0/24) (per the
4573 Address@category attribute).
4575 6. ipv4-net-mask. IPv4 network address in dotted-decimal
4576 notation, slash, network mask in dotted-decimal notation
4577 (i.e., 192.0.2.0/255.255.255.0) (per the Address@category
4578 attribute).
4580 7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
4581 Address@category attribute).
4583 8. ipv6-net. IPv6 network address, slash, significant bits
4584 (e.g., 2001:DB8::/32) (per the Address@category attribute).
4586 9. ipv6-net-mask. IPv6 network address, slash, network mask
4587 (per the Address@category attribute).
4589 10. mac. Media Access Control (MAC) address (e.g., a:b:c:d:e:f)
4590 (per the Address@category attribute).
4592 11. site-uri. A URL or URI for a resource (per the
4593 Address@category attribute).
4595 12. domain-name. A fully qualified domain name or part of a
4596 name. (e.g., fqdn.example.com, example.com).
4598 13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
4599 a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").
4601 14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
4602 a comma separated list (e.g., "fqdn.example.com,
4603 2001:DB8::3").
4605 15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
4606 timestamp (in the DATETIME format) of the resolution (e.g.,
4607 "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
4609 16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
4610 timestamp (in the DATETIME format) of the resolution (e.g.,
4611 "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
4613 17. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
4614 192.0.2.1, 80, tcp). The protocol name corresponds to the
4615 "Keyword" column in the [IANA.Protocols] registry.
4617 18. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
4618 2001:DB8::3, 80, tcp). The protocol name corresponds to the
4619 "Keyword" column in the [IANA.Protocols] registry.
4621 19. windows-reg-key. A Microsoft Windows Registry key.
4623 20. file-hash. A file hash. The format of this hash is
4624 described in the Hash class that MUST be present in a sibling
4625 BulkObservableFormat class.
4627 21. email-x-mailer. An X-Mailer field from an email.
4629 22. email-subject. An email subject line.
4631 23. http-user-agent. A User Agent field from an HTTP request
4632 header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
4633 Gecko/20100101 Firefox/38.0").
4635 24. http-request-uri. The Request URI from an HTTP request
4636 header.
4638 25. mutex. The name of a system mutex.
4640 26. file-path. A file path (e.g., "/tmp/local/file",
4641 "c:\windows\system32\file.sys")
4643 27. user-name. A username.
4645 28. ext-value. A value used to indicate that this attribute is
4646 extended and the actual value is provided using the
4647 corresponding ext-* attribute. See Section 5.1.1.
4649 ext-type
4650 Optional. STRING. A means by which to extend the type attribute.
4651 See Section 5.1.1.
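The list format above is simple, but a consumer still has to split on either line ending, parse the comma-separated tuple types, and check that every line is actually of the declared type before turning the list into detection content. Here is an added example (not from the draft) that does this for the address, network, port and domain-mapping types and reports bad lines instead of silently dropping them. The sample lists and all function names are constructed for the example.

```python
"""Parse and validate an IODEF BulkObservableList for a given BulkObservable@type.

Added example, not part of the draft. Per Section 3.29.3.1 the list holds
one observable per line, separated by LF or CR-LF; tuple-valued types use
the comma-separated layout shown in the draft's examples. Every list below
is constructed for the example. Types not handled specially are kept as
opaque strings.
"""
import ipaddress
from datetime import datetime
from typing import Any, List, Tuple

# Constructed sample lists, mixing LF and CR-LF line endings deliberately.
SAMPLE_IPV4_PORT = "192.0.2.1, 80, tcp\r\n192.0.2.55, 443, TCP\n"
SAMPLE_DOMAIN_TS = "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00\n"
SAMPLE_MIXED_ADDR = "192.0.2.1\n2001:DB8::3\n"   # second line is the wrong family


def _fields(line: str, n: int) -> List[str]:
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != n:
        raise ValueError(f"expected {n} comma-separated fields, got {len(parts)}")
    return parts


def _ip(text: str, type_: str) -> Any:
    """Parse an address or network and enforce the family named by the type."""
    if "-net" in type_:
        obj = ipaddress.ip_network(text, strict=False)   # accepts /24 and /255.255.255.0
    else:
        obj = ipaddress.ip_address(text)
    want = 4 if "ipv4" in type_ else 6
    if obj.version != want:
        raise ValueError(f"{text} is IPv{obj.version} but type is {type_}")
    return obj


def parse_line(type_: str, line: str) -> Any:
    """Convert one BulkObservableList line into a typed Python value."""
    if type_ in ("ipv4-addr", "ipv6-addr", "ipv4-net", "ipv4-net-mask",
                 "ipv6-net", "ipv6-net-mask"):
        return _ip(line, type_)
    if type_ in ("ipv4-port", "ipv6-port"):
        ip, port, proto = _fields(line, 3)
        port_n = int(port)
        if not 0 <= port_n <= 65535:
            raise ValueError(f"port {port_n} out of range")
        return _ip(ip, type_), port_n, proto.lower()   # IANA protocol keyword
    if type_ in ("domain-to-ipv4", "domain-to-ipv6"):
        fqdn, ip = _fields(line, 2)
        return fqdn.lower().rstrip("."), _ip(ip, type_)
    if type_ in ("domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp"):
        fqdn, ip, ts = _fields(line, 3)
        return fqdn.lower().rstrip("."), _ip(ip, type_), datetime.fromisoformat(ts)
    return line   # domain-name, mutex, user-name, file-path, email-subject, ...


def parse_bulk_observable_list(type_: str, text: str) -> Tuple[List[Any], List[Tuple[int, str]]]:
    """Return (parsed values, errors as (1-based line number, message)).

    Bad lines are reported rather than dropped, so a feed that mixes
    families or formats is visible to the analyst instead of quietly
    shrinking the indicator set.
    """
    values, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):   # LF and CR-LF both split
        line = raw.strip()
        if not line:
            continue
        try:
            values.append(parse_line(type_, line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return values, errors


if __name__ == "__main__":
    for t, text in (("ipv4-port", SAMPLE_IPV4_PORT), ("ipv4-addr", SAMPLE_MIXED_ADDR)):
        values, errors = parse_bulk_observable_list(t, text)
        print(t, values, errors)
```

The family check matters in practice: an IPv6 literal that slips into an ipv4-addr list will either be rejected by a downstream firewall API or, worse, be matched as a string against the wrong field, so the parser refuses it and names the line.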
4653 3.29.3.1.1. BulkObservableFormat Class
4655 The BulkObservableFormat class specifies meta-data about the format
4656 of the observables enumerated in a sibling BulkObservableList class.
4658 +---------------------------+
4659 | BulkObservableFormat |
4660 +---------------------------+
4661 | |<>--{0..1}--[ Hash ]
4662 | |<>--{0..*}--[ AdditionalData ]
4663 +---------------------------+
4665 Figure 64: The BulkObservableFormat Class
4667 The aggregate classes of the BulkObservableFormat class are:
4669 Hash
4670 Zero or one. Describes the format of a hash. See Section 3.26.1.
4672 AdditionalData
4673 Zero or more. EXTENSION. Mechanism by which to extend the data
4674 model.
4676 The BulkObservableFormat class has no attributes.
4678 Either Hash or AdditionalData MUST be present.
4680 3.29.4. IndicatorExpression Class
4682 The IndicatorExpression class describes an expression composed of
4683 observed phenomena or features, or of indicators. Elements of the
4684 expression can be described directly, reference relevant data from
4685 other parts of a given IODEF document, or reference previously
4686 defined indicators.
4688 All child classes of a given instance of IndicatorExpression form a
4689 boolean algebraic expression where the operator between them is
4690 determined by the operator attribute.
4692 +--------------------------+
4693 | IndicatorExpression |
4694 +--------------------------+
4695 | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
4696 | STRING ext-operator |<>--{0..*}--[ Observable ]
4697 | |<>--{0..*}--[ ObservableReference ]
4698 | |<>--{0..*}--[ IndicatorReference ]
4699 | |<>--{0..*}--[ AdditionalData ]
4700 +--------------------------+
4702 Figure 65: The IndicatorExpression Class
4704 The aggregate classes of the IndicatorExpression class are:
4706 IndicatorExpression
4707 Zero or more. An expression composed of other observables or
4708 indicators. See Section 3.29.4.
4710 Observable
4711 Zero or more. A description of an observable. See
4712 Section 3.29.3.
4714 ObservableReference
4715 Zero or more. A reference to an observable. See Section 3.29.6.
4717 IndicatorReference
4718 Zero or more. A reference to an indicator. See Section 3.29.7.
4720 AdditionalData
4721 Zero or more. EXTENSION. Mechanism by which to extend the data
4722 model.
4724 The attributes of the IndicatorExpression class are:
4726 operator
4727 Optional. ENUM. The operator to be applied between the child
4728 elements. See Section 3.29.5 for parsing guidance. The default
4729 value is "and". These values are maintained in the
4730 "IndicatorExpression-operator" IANA registry per Section 10.2.
4732 1. not. Negation operator.
4734 2. and. Conjunction operator.
4736 3. or. Disjunction operator.
4738 4. xor. Exclusive disjunction operator.
4740 ext-operator
4741 Optional. STRING. A means by which to extend the operator
4742 attribute. See Section 5.1.1.
4744 3.29.5. Expressions with IndicatorExpression
4746 Boolean algebraic expressions can be used to specify relationships
4747 between observables and indicators. These expressions are constructed
4748 through the use of the operator attribute and parent-child
4749 relationships in IndicatorExpressions. These expressions should be
4750 parsed as follows:
4752 1. The operator specified by the operator attribute is applied
4753 between each of the child elements of the immediate parent
4754 IndicatorExpression element. If no operator attribute is
4755 specified, it should be assumed to be the conjunction operator
4756 (i.e., operator="and").
4758 2. A nested IndicatorExpression element with a parent
4759 IndicatorExpression is the equivalent of parentheses in the
4760 expression.
4762 The following four examples in Figure 66 through Figure 69 illustrate
4763 these parsing rules:
<IndicatorExpression>
  <Observable>[O1]: ..</Observable>
  <Observable>[O2]: ..</Observable>
</IndicatorExpression>
4770 Equivalent expression: (O1 AND O2)
4772 Figure 66: Nested elements in an IndicatorExpression without an
4773 operator attribute specified
<IndicatorExpression operator="or">
  <Observable>[O1]: ..</Observable>
  <Observable>[O2]: ..</Observable>
</IndicatorExpression>
4780 Equivalent expression: (O1 OR O2)
4782 Figure 67: Nested elements in an IndicatorExpression with an operator
4783 attribute specified
<IndicatorExpression operator="or">
  <IndicatorExpression operator="or">
    <Observable>[O1]: ..</Observable>
    <Observable>[O2]: ..</Observable>
  </IndicatorExpression>
  <Observable>[O3]: ..</Observable>
</IndicatorExpression>
4793 Equivalent expression: ((O1 OR O2) OR O3)
4795 Figure 68: Nested elements with a recursive IndicatorExpression with
4796 an operator attribute specified
<IndicatorExpression operator="not">
  <IndicatorExpression>
    <Observable>[O1]: ..</Observable>
    <Observable>[O2]: ..</Observable>
  </IndicatorExpression>
</IndicatorExpression>
4805 Equivalent expression: (NOT (O1 AND O2))
4807 Figure 69: A recursive IndicatorExpression with an operator attribute
4808 specified
4810 An expression that is valid XML but not a valid boolean expression MUST NOT be specified.
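The evaluator below is added here as an illustration and is not part of the draft. It applies the two parsing rules above to IndicatorExpression fragments: a missing operator means "and", a nested IndicatorExpression is a parenthesised sub-expression, "not" is accepted only over a single operand, and anything that is well-formed XML but not a valid boolean expression (no operands, "not" over several children, an unknown or ext-value operator) is rejected rather than guessed. The fragments FIG66 to FIG69 are constructed to mirror Figures 66 through 69 using placeholder Observable elements whose text is the observable name; the matching function, the observables_by_id index for ObservableReference and the indicators table for IndicatorReference are assumed to be supplied by the recipient, since the draft leaves matching itself to the implementation.

```python
"""Evaluator for the IndicatorExpression parsing rules of Section 3.29.5.

Added example, not code from the draft.  Leaf truth comes from a caller
supplied match() function; O1..O3 are the placeholder observables of
Figures 66 to 69, written here as Observable elements with that text.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


class InvalidExpression(ValueError):
    """Well-formed XML that is not a valid boolean expression."""


def _local(tag):
    # ElementTree spells namespaced tags "{ns}Name"; keep only "Name".
    return tag.rsplit("}", 1)[-1]


def evaluate(expr, match, indicators=None, observables_by_id=None):
    """Evaluate one IndicatorExpression element to True or False.

    match(observable_element) -> bool      the recipient's matching engine
    indicators: {IndicatorID: bool}        truth of referenced indicators
    observables_by_id: {observable-id: element}  ObservableReference targets
    """
    indicators = indicators or {}
    observables_by_id = observables_by_id or {}
    op = expr.get("operator", "and")                 # rule 1: absent means "and"
    operands = []
    for child in expr:
        kind = _local(child.tag)
        if kind == "IndicatorExpression":             # rule 2: nesting == parentheses
            operands.append(evaluate(child, match, indicators, observables_by_id))
        elif kind == "Observable":
            operands.append(bool(match(child)))
        elif kind == "ObservableReference":
            ref = child.get("uid-ref")
            if ref not in observables_by_id:
                raise InvalidExpression(f"ObservableReference to unknown observable-id {ref!r}")
            operands.append(bool(match(observables_by_id[ref])))
        elif kind == "IndicatorReference":
            ref = child.get("uid-ref") or child.get("euid-ref")
            if ref is None:                           # Section 3.29.7: one MUST be set
                raise InvalidExpression("IndicatorReference without uid-ref or euid-ref")
            if ref not in indicators:
                raise InvalidExpression(f"IndicatorReference to unknown indicator {ref!r}")
            operands.append(bool(indicators[ref]))
        elif kind != "AdditionalData":                # extension data has no truth value
            raise InvalidExpression(f"unexpected child element {kind}")
    if not operands:
        raise InvalidExpression("IndicatorExpression with no operands")
    if op == "not":
        if len(operands) != 1:                        # NOT over several children is ambiguous
            raise InvalidExpression("'not' takes one operand; nest an IndicatorExpression")
        return not operands[0]
    if op == "and":
        return all(operands)
    if op == "or":
        return any(operands)
    if op == "xor":
        return sum(operands) % 2 == 1                 # associative n-ary XOR (odd parity)
    # "ext-value" with ext-operator, or a value from a newer registry: unknown
    # semantics, so refuse rather than guess.
    raise InvalidExpression(f"unsupported operator {op!r} (ext-operator={expr.get('ext-operator')!r})")


def evaluate_xml(xml_text, matched):
    """Parse an IndicatorExpression fragment and evaluate it, treating the
    placeholder observables whose names are in `matched` as true."""
    root = ET.fromstring(xml_text)
    return evaluate(root, lambda obs: (obs.text or "").strip() in matched)


# Constructed fragments mirroring Figures 66 to 69 (not copied from the draft).
FIG66 = f'''<IndicatorExpression xmlns="{IODEF_NS}">
  <Observable>O1</Observable><Observable>O2</Observable>
</IndicatorExpression>'''
FIG67 = f'''<IndicatorExpression xmlns="{IODEF_NS}" operator="or">
  <Observable>O1</Observable><Observable>O2</Observable>
</IndicatorExpression>'''
FIG68 = f'''<IndicatorExpression xmlns="{IODEF_NS}" operator="or">
  <IndicatorExpression operator="or">
    <Observable>O1</Observable><Observable>O2</Observable>
  </IndicatorExpression>
  <Observable>O3</Observable>
</IndicatorExpression>'''
FIG69 = f'''<IndicatorExpression xmlns="{IODEF_NS}" operator="not">
  <IndicatorExpression>
    <Observable>O1</Observable><Observable>O2</Observable>
  </IndicatorExpression>
</IndicatorExpression>'''
# Valid XML, invalid algebra: "not" applied directly to two children.
BAD = f'''<IndicatorExpression xmlns="{IODEF_NS}" operator="not">
  <Observable>O1</Observable><Observable>O2</Observable>
</IndicatorExpression>'''

if __name__ == "__main__":
    for name, frag in (("66", FIG66), ("67", FIG67), ("68", FIG68), ("69", FIG69)):
        print(name, evaluate_xml(frag, {"O1"}), evaluate_xml(frag, {"O1", "O2"}))
```

The n-ary reading of "xor" used here is the associative one (true when an odd number of operands is true); the draft does not say which reading it intends, so a sender that needs "exactly one of" semantics should nest binary expressions rather than rely on the recipient's choice.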
4812 3.29.6. ObservableReference Class
4814 The ObservableReference describes a reference to an observable
4815 feature or phenomenon described elsewhere in the document.
4819 +-------------------------+
4820 | ObservableReference |
4821 +-------------------------+
4822 | EMPTY |
4823 | |
4824 | IDREF uid-ref |
4825 +-------------------------+
4827 Figure 70: The ObservableReference Class
4829 The ObservableReference class has no content.
4831 The attribute of the ObservableReference class is:
4833 uid-ref
4834 Required. IDREF. An identifier that serves as a reference to a
4835 class in the IODEF document. The referenced class will have this
4836 identifier set in its observable-id attribute.
4838 3.29.7. IndicatorReference Class
4840 The IndicatorReference describes a reference to an indicator. This
4841 reference may be to an indicator described in this IODEF document or
4842 in a previously exchanged IODEF document.
4844 +--------------------------+
4845 | IndicatorReference |
4846 +--------------------------+
4847 | EMPTY |
4848 | |
4849 | IDREF uid-ref |
4850 | STRING euid-ref |
4851 | STRING version |
4852 +--------------------------+
4854 Figure 71: The IndicatorReference Class
4856 The IndicatorReference class has no content.
4858 The attributes of the IndicatorReference class are:
4860 uid-ref
4861 Optional. IDREF. An identifier that references an Indicator
4862 class in the IODEF document. The referenced Indicator class will
4863 have this identifier set in its IndicatorID class.
4865 euid-ref
4866 Optional. STRING. An identifier that references an IndicatorID
4867 not in this IODEF document.
4869 version
4870 Optional. STRING. A version number of an indicator.
4872 Either the uid-ref or the euid-ref attribute MUST be set.
4874 3.29.8. AttackPhase Class
4876 The AttackPhase class describes a particular phase of an attack
4877 lifecycle.
4879 +------------------------+
4880 | AttackPhase |
4881 +------------------------+
4882 | |<>--{0..*}--[ AttackPhaseID ]
4883 | |<>--{0..*}--[ URL ]
4884 | |<>--{0..*}--[ Description ]
4885 | |<>--{0..*}--[ AdditionalData ]
4886 +------------------------+
4888 Figure 72: AttackPhase Class
4890 The aggregate classes of the AttackPhase class are:
4892 AttackPhaseID
4893 Zero or more. STRING. An identifier for the phase of the attack.
4895 URL
4896 Zero or more. URL. A URL to a resource describing this phase of
4897 the attack.
4899 Description
4900 Zero or more. ML_STRING. A free-form text description of this
4901 phase of the attack.
4903 AdditionalData
4904 Zero or more. EXTENSION. A mechanism by which to extend the data
4905 model.
4907 AttackPhase MUST have at least one instance of a child class.
4909 The AttackPhase class has no attributes.
4911 4. Processing Considerations
4913 This section provides additional requirements and guidance on
4914 creating and processing IODEF documents.
4916 4.1. Encoding
4918 Every IODEF document MUST begin with an XML declaration and MUST
4919 specify the XML version used. The character encoding MUST also be
4920 explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
4921 [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
4922 NOT be used. The IODEF conforms to all XML data encoding conventions
4923 and constraints.
An XML declaration that omits the character encoding, which the
requirement above does not permit, reads as follows:

<?xml version="1.0"?>

When a character encoding is specified, the XML declaration will read
as follows:

<?xml version="1.0" encoding="charset"?>
4934 Where "charset" is the name of the character encoding as registered
4935 with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
4937 The following characters have special meaning in XML and MUST be
4938 escaped with their entity reference equivalent: "&", "<", ">", "\""
4939 (double quotation mark), and "'" (apostrophe). These entity
4940 references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
4941 respectively.
4943 4.2. IODEF Namespace
4945 The IODEF schema declares a namespace of
4946 "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
4947 Each IODEF document MUST include a valid reference to the IODEF
4948 schema using the "xsi:schemaLocation" attribute. An example of such
4949 a declaration would look as follows:
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
                      urn:ietf:params:xml:schema:iodef-2.0">
4956 4.3. Validation
4958 IODEF documents MUST be well-formed XML. It is RECOMMENDED that
4959 recipients validate the document against the schema described in
4960 Section 8. However, mere conformance to this schema is not
4961 sufficient for a semantically valid IODEF document. The text of
4962 Section 3 describes further formatting and constraints, some of which
4963 cannot be conveniently encoded in the schema. These MUST also be
4964 considered by an IODEF implementation. Furthermore, the
4965 enumerated values present in this document are a static list that
4966 will be incomplete over time as select attributes can be extended by
4967 a corresponding IANA registry per Section 10.2. Therefore, the
4968 schema to validate a given document MUST be dynamically generated
4969 from these registry values.
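The checker below, added here as an example and not code from the draft, enforces what a recipient can verify from Sections 4.1 to 4.3 before any schema validation: an XML declaration carrying the version and an explicit UTF-8 or UTF-16 encoding that matches the bytes actually received, no DOCTYPE (IODEF defines no DTD, and a DTD is where entity-expansion and external-fetch tricks live), well-formedness, the IODEF namespace on the root, version "2.0", xml:lang, and an xsi:schemaLocation that names the registered schema URN. It parses with the standard library's expat, which never fetches schemas or DTDs over the network. Validation against the registry-generated XSD is out of scope. The sample documents are constructed; their values echo the minimal example in Section 7.1.

```python
"""Recipient-side checks for Sections 4.1 to 4.3 of the IODEF v2 draft.
Added example, not code from the draft."""
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
IODEF_SCHEMA = "urn:ietf:params:xml:schema:iodef-2.0"
XSI_LOC = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Section 4.1: the declaration MUST carry the version and an explicit encoding
# (double-quoted attribute values only, which is what the draft's text shows).
_DECL = re.compile(r'^<\?xml\s+version="1\.[01]"\s+encoding="([A-Za-z0-9._-]+)"')


def check_document(data):
    """Return a list of problems found in the serialised document; [] is a pass."""
    problems = []
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):           # UTF-16 byte order mark
        text, actual = data.decode("utf-16", errors="replace"), "UTF-16"
    else:
        actual = "UTF-8"
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            problems.append("bytes are neither valid UTF-8 nor BOM-marked UTF-16")
            text = data.decode("latin-1")                       # only to read the declaration
    m = _DECL.match(text.lstrip("\ufeff"))
    if not m:
        problems.append("missing XML declaration with version and encoding")
    else:
        declared = m.group(1).upper()
        if declared not in ("UTF-8", "UTF-16"):
            problems.append(f"encoding {declared} SHOULD NOT be used")
        elif declared != actual:
            problems.append(f"declared {declared} but the bytes are {actual}")
    if "<!DOCTYPE" in text:                                     # IODEF has no DTD
        return problems + ["DOCTYPE present; refusing to parse"]
    try:
        root = ET.fromstring(data)        # bytes: expat honours BOM and declaration
    except ET.ParseError as e:
        return problems + [f"not well-formed: {e}"]
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
        problems.append(f"root is {root.tag}, not IODEF-Document in {IODEF_NS}")
    if root.get("version") != "2.0":
        problems.append(f"version={root.get('version')!r}, expected '2.0'")
    if root.get(XML_LANG) is None:                              # Section 6
        problems.append("xml:lang missing on IODEF-Document")
    if IODEF_SCHEMA not in root.get(XSI_LOC, "").split():       # Section 4.2
        problems.append("xsi:schemaLocation does not reference the IODEF schema")
    return problems


# Constructed sample documents (values echo the draft's minimal example).
GOOD = b'''<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
                        urn:ietf:params:xml:schema:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
  </Incident>
</IODEF-Document>
'''
NO_ENCODING = GOOD.replace(b' encoding="UTF-8"', b'', 1)
WITH_DOCTYPE = GOOD.replace(b'?>\n', b'?>\n<!DOCTYPE IODEF-Document [<!ENTITY x "y">]>\n', 1)
WRONG_NS = GOOD.replace(b'xmlns="urn:ietf:params:xml:ns:iodef-2.0"',
                        b'xmlns="urn:example:not-iodef"', 1)
GOOD_UTF16 = GOOD.decode("utf-8").replace('"UTF-8"', '"UTF-16"', 1).encode("utf-16")
LATIN1 = GOOD.replace(b'"UTF-8"', b'"ISO-8859-1"', 1).replace(b"csirt", b"c\xe9sirt", 1)

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("utf16", GOOD_UTF16), ("no-encoding", NO_ENCODING),
                       ("doctype", WITH_DOCTYPE), ("wrong-ns", WRONG_NS), ("latin1", LATIN1)):
        print(label, check_document(doc) or "OK")
```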
4971 4.4. Incompatibilities with v1
4973 The IODEF data model in this document makes a number of changes to
4974 [RFC5070]. These changes were largely additive -- classes and
4975 enumerated values were added. However, some incompatibilities
4976 between [RFC5070] and this new specification were introduced. These
4977 incompatibilities are as follows:
4979 o The IODEF-Document@version attribute is set to "2.0".
4981 o Attributes with enumerated values can now also be extended with
4982 IANA registries.
4984 o All iodef:MLStringType classes use xml:lang. IODEF-Document also
4985 uses xml:lang.
4987 o The Service@ip_protocol attribute was renamed to @ip-protocol.
4989 o The Node/NodeName class was removed in favor of representing
4990 domain names with Node/DomainData/Name class. The Node/DataTime
4991 class was also removed so that the Node/DomainData/
4992 DateDomainWasChecked class can represent the time at which the
4993 name to address resolution occurred.
4995 o The Node/NodeRole class was moved to System/NodeRole.
4997 o The Reference class is now defined by [RFC-ENUM].
4999 o The data previously represented in the Impact class is now in the
5000 SystemImpact and IncidentCategory classes. The Impact class has
5001 been removed.
5003 o The semantics of Counter@type are now represented in Counter@unit.
5005 o The IODEF-Document@formatid attribute has been renamed to @format-
5006 id.
5008 o Incident/ReportTime is no longer mandatory. However,
5009 GenerationTime is.
5011 o The Fax class was removed and is now represented by a generic
5012 Telephone class.
5014 o The Telephone, Email and PostalAddress classes were redefined for
5015 improved internationalization.
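The function below, added here as an example and not code from the draft, performs the mechanical part of moving an RFC 5070 document to the v2 model described by the list above: it rewrites the namespace and version, renames formatid and ip_protocol, turns the v1 lang attribute into xml:lang, lifts NodeRole from Node to System, and inserts the now-mandatory GenerationTime. Changes whose v2 representation needs judgement (Impact, Fax, Counter@type, NodeName, DateTime, Reference) are reported for review rather than guessed. The v1 namespace "urn:ietf:params:xml:ns:iodef-1.0" and the plain lang attribute are assumptions taken from RFC 5070, not from this page; the v1 input document is constructed.

```python
"""Mechanical v1 -> v2 migration for the incompatibilities in Section 4.4.
Added example, not code from the draft."""
import xml.etree.ElementTree as ET

V1_NS = "urn:ietf:params:xml:ns:iodef-1.0"      # assumed: RFC 5070 namespace
V2_NS = "urn:ietf:params:xml:ns:iodef-2.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

NEEDS_REVIEW = {                                  # v1 class -> Section 4.4 replacement
    "Impact": "data now lives in SystemImpact / IncidentCategory",
    "Fax": "use the generic Telephone class",
    "NodeName": "use Node/DomainData/Name",
    "DateTime": "use Node/DomainData/DateDomainWasChecked",
    "Reference": "now defined by [RFC-ENUM]",
}


def _v2(name):
    return f"{{{V2_NS}}}{name}"


def migrate_v1_to_v2(root, generated_at):
    """Rewrite the v1 tree in place; return the list of items needing review.
    generated_at becomes the GenerationTime (mandatory in v2) of the result."""
    if root.tag != f"{{{V1_NS}}}IODEF-Document":
        raise ValueError("not an IODEF v1 document")
    parents = {child: parent for parent in root.iter() for child in parent}
    review = []
    for el in list(root.iter()):
        ns, _, name = el.tag.rpartition("}")
        if ns != "{" + V1_NS:
            continue                                   # foreign (extension) element
        el.tag = _v2(name)                             # new namespace for every class
        if "lang" in el.attrib:                        # v1 lang -> xml:lang (assumed)
            el.set(XML_LANG, el.attrib.pop("lang"))
        if name == "IODEF-Document":
            el.set("version", "2.0")
            if "formatid" in el.attrib:
                el.set("format-id", el.attrib.pop("formatid"))
        elif name == "Service" and "ip_protocol" in el.attrib:
            el.set("ip-protocol", el.attrib.pop("ip_protocol"))
        elif name == "Counter" and "type" in el.attrib:
            review.append("Counter@type: its semantics are now Counter@unit")
        elif name in NEEDS_REVIEW:
            review.append(f"{name}: {NEEDS_REVIEW[name]}")
    # Node/NodeRole became System/NodeRole: move each NodeRole up, right after its Node.
    for node in root.iter(_v2("Node")):
        roles = node.findall(_v2("NodeRole"))
        system = parents[node]
        for i, role in enumerate(roles):
            node.remove(role)
            system.insert(list(system).index(node) + 1 + i, role)
    # GenerationTime is mandatory in v2 (ReportTime no longer is); put it just
    # after ReportTime, which v1 always carries, to keep the element order.
    for inc in root.iter(_v2("Incident")):
        if inc.find(_v2("GenerationTime")) is None:
            gt = ET.Element(_v2("GenerationTime"))
            gt.text = generated_at
            report = inc.find(_v2("ReportTime"))
            pos = list(inc).index(report) + 1 if report is not None else 1
            inc.insert(pos, gt)
    return review


# Constructed v1 input; 192.0.2.0/24 is the documentation address range.
V1_SAMPLE = f'''<IODEF-Document version="1.00" lang="en" formatid="simulation"
    xmlns="{V1_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2015-07-18T09:00:00-05:00</ReportTime>
    <Description lang="en">Constructed v1 sample, not a real report</Description>
    <Assessment>
      <Impact type="dos" completion="succeeded"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <Email>contact@csirt.example.com</Email>
    </Contact>
    <EventData>
      <Flow>
        <System category="target">
          <Node>
            <NodeName>www.example.com</NodeName>
            <Address category="ipv4-addr">192.0.2.10</Address>
            <NodeRole category="www"/>
          </Node>
          <Service ip_protocol="6">
            <Port>80</Port>
          </Service>
          <Counter type="packet">1200</Counter>
        </System>
      </Flow>
    </EventData>
  </Incident>
</IODEF-Document>'''

if __name__ == "__main__":
    ET.register_namespace("", V2_NS)
    tree = ET.fromstring(V1_SAMPLE)
    for item in migrate_v1_to_v2(tree, "2016-01-01T00:00:00Z"):
        print("REVIEW:", item)
    print(ET.tostring(tree, encoding="unicode"))
```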
5017 5. Extending the IODEF
5019 In order to support the dynamic nature of security operations, the
5020 IODEF data model will need to continue to evolve. This section
5021 discusses how new data elements can be incorporated into the IODEF.
5022 Adding enumerated values and new classes is supported; adding
5023 attributes to existing classes is not.
5025 These extension mechanisms are designed so that adding new data
5026 elements is possible without requiring modifications to this
5027 document. Extensions can be implemented publicly or privately. With
5028 proven value, well documented extensions can be incorporated into
5029 future versions of the specification.
5031 5.1. Extending the Enumerated Values of Attributes
5033 Additional enumerated values can be added to select attributes either
5034 through the use of specially marked attributes with the "ext-" prefix
5035 or through a set of corresponding IANA registries. The former
5036 approach allows for the extension to remain private. The latter
5037 approach is public.
5039 5.1.1. Private Extension of Enumerated Values
5041 The data model supports adding new enumerated values to an attribute
5042 without public registration. For each attribute that supports this
5043 extension technique, there is a corresponding attribute in the same
5044 element whose name is identical but with a prefix of "ext-". This
5045 special attribute is referred to as the extension attribute. The
5046 attribute being extended is referred to as an extensible attribute.
5047 For example, an extensible attribute named "foo" will have a
5048 corresponding extension attribute named "ext-foo". An element may
5049 have many extensible attributes.
5051 In addition to a corresponding extension attribute, each extensible
5052 attribute has "ext-value" as one of its possible enumerated values.
5054 Selection of this particular value in an extensible attribute signals
5055 that the extension attribute contains data. Otherwise, this "ext-
5056 value" value has no meaning.
5058 In order to add a new enumerated value to an extensible attribute,
5059 the value of this attribute MUST be set to "ext-value", and the new
5060 desired value MUST be set in the corresponding extension attribute.
5061 For example, extending the type attribute of the SystemImpact class
5062 would look as follows:
<SystemImpact type="ext-value" ext-type="new-attack-type"/>
5066 A given extension attribute MUST NOT be set unless the corresponding
5067 extensible attribute has been set to "ext-value".
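The pairing rule above is easy to get wrong in both directions, and a document that sets ext-type without type="ext-value" (or the reverse) will be read differently by different parsers. The checker below, added here as an example and not code from the draft, walks every element and treats any attribute named ext-X as the extension attribute of X, reporting each breach of "ext-X is set if and only if X is ext-value". The Assessment fragment is constructed; "takeover" is a SystemImpact type and "new-attack-type" stands in for a private value.

```python
"""Check the ext-value pairing rule of Section 5.1.1 over a whole document.
Added example, not code from the draft."""
import xml.etree.ElementTree as ET


def ext_value_violations(root):
    """Return [(element, attribute, message)] for each breach of the rule that
    ext-X is set if and only if X == "ext-value"."""
    violations = []
    for el in root.iter():
        attrs = el.attrib
        local = el.tag.rsplit("}", 1)[-1]             # "{ns}Name" -> "Name"
        for name, value in attrs.items():
            if name.startswith("ext-"):
                base = name[4:]
                if attrs.get(base) != "ext-value":
                    violations.append((local, name,
                        f"{name} is set but {base}={attrs.get(base)!r} (must be 'ext-value')"))
            elif value == "ext-value" and not attrs.get("ext-" + name):
                violations.append((local, name,
                    f"{name}='ext-value' but ext-{name} is not set"))
    return violations


def check(xml_text):
    """Convenience wrapper: parse a fragment and return its violations."""
    return ext_value_violations(ET.fromstring(xml_text))


# Constructed fragment: one correct private extension, two broken ones, one plain value.
SAMPLE = '''<Assessment xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <SystemImpact type="ext-value" ext-type="new-attack-type"/>
  <SystemImpact type="ext-value"/>
  <SystemImpact type="takeover" ext-type="new-attack-type"/>
  <SystemImpact type="takeover"/>
</Assessment>'''

if __name__ == "__main__":
    for element, attribute, message in check(SAMPLE):
        print(f"{element}@{attribute}: {message}")
```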
5069 5.1.2. Public Extension of Enumerated Values
5071 The data model also supports publicly extending select enumerated
5072 attributes. A new entry can be added by registering a new entry in
5073 the appropriate IANA registry. Section 10.2 provides a mapping
5074 between the extensible attributes and their corresponding registry.
5075 Section 4.3 discusses the XML Validation implications of this type of
5076 extension. All extensible attributes that support private extensions
5077 also support public extensions.
5079 5.2. Extending Classes
5081 Classes of the EXTENSION (iodef:ExtensionType) type can extend the
5082 data model. They provide the ability to have new atomic or XML-
5083 encoded data elements in all of the top-level classes of the Incident
5084 class and a few of the complex subordinate classes. As there are
5085 multiple instances of the extensible classes in the data model, there
5086 is discretion on where to add a new data element. It is RECOMMENDED
5087 that the extension be placed in the most closely related class to the
5088 new information.
5090 Extensions using the atomic data types (i.e., all values of the dtype
5091 attributes other than "xml") MUST:
5093 1. Set the element content to the desired value, and
5095 2. Set the dtype attribute to correspond to the data type of the
5096 element content.
5098 The following guidelines exist for extensions using XML (i.e.,
5099 dtype="xml"):
5101 1. The element content of the extensible class MUST be set to the
5102 desired value and the dtype attribute MUST be set to "xml".
5104 2. The extension schema MUST declare a separate namespace. It is
5105 RECOMMENDED that these extensions have the prefix "iodef-". This
5106 recommendation makes readability of the document easier by
5107 allowing the reader to infer which namespaces relate to IODEF by
5108 inspection.
5110 3. It is RECOMMENDED that extension schemas follow the naming
5111 convention of the IODEF data model. This too improves the
5112 readability of extended IODEF documents. The names of all
5113 elements SHOULD be capitalized. For elements with composed
5114 names, a capital letter SHOULD be used for each word. Attribute
5115 names SHOULD be in lower case. Attributes with composed names
5116 SHOULD be separated by a hyphen.
5118 4. Implementations that encounter an unrecognized element in a
5119 supported namespace MUST reject the document as a syntax error.
5121 5. There are security and performance implications in requiring
5122 implementations to dynamically download schemas at run time.
5123 Therefore, implementations SHOULD NOT download schemas at runtime
5124 unless the appropriate precautions are taken. Implementations
5125 also need to contend with the potential of significant network
5126 and processing issues.
5128 6. Some adopters of the IODEF may have private schema definitions
5129 that are not publicly available. Thus implementations may
5130 encounter IODEF documents with references to private schemas that
5131 may not be resolvable. Hence, IODEF document recipients MUST be
5132 prepared for a schema definition in an IODEF document never to
5133 resolve.
5135 The following schema and XML document excerpt provide a template for
5136 an extension schema and its use in the IODEF document.
5138 This example schema defines a namespace of "iodef-extension1" and a
5139 single element named "newdata".
<xs:schema targetNamespace="iodef-extension1"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:iodef-extension1="iodef-extension1"
  attributeFormDefault="unqualified"
  elementFormDefault="qualified">
  <xs:element name="newdata" type="xs:string"/>
</xs:schema>
5154 The following XML excerpt demonstrates the use of the above schema as
5155 an extension to the IODEF.
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:iodef-extension1="iodef-extension1"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
                      urn:ietf:params:xml:schema:iodef-2.0">
  <Incident purpose="reporting">
    ...
    <AdditionalData dtype="xml">
      <iodef-extension1:newdata>
        Field that could not be represented elsewhere
      </iodef-extension1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>
5199 If an unrecognized private extension is encountered in processing,
5200 the recipient MAY reject the entire document as a syntax error.
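Guidelines 4 to 6 and the sentence above together describe a recipient that resolves extension schemas from a local copy, never fetches them at run time, treats an unknown element in a namespace it does support as a syntax error, and decides by policy what to do with an extension it cannot resolve at all. The code below, added here as an example and not code from the draft, implements exactly that dispatch over AdditionalData. KNOWN_EXTENSIONS stands in for the extension schemas installed with the implementation; the "iodef-extension1"/"newdata" entry comes from the template above, while "urn:example:private-extension" is a constructed unknown namespace and the sample document is constructed.

```python
"""Handle AdditionalData extensions per Section 5.2 with schemas resolved
locally and never downloaded.  Added example, not code from the draft."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# namespace -> element local names this implementation understands (a local
# copy of the extension schemas; guideline 5: do not fetch schemas at run time).
KNOWN_EXTENSIONS = {"iodef-extension1": {"newdata"}}


class UnsupportedExtension(ValueError):
    """Raised when the document must be rejected as a syntax error."""


def _split(tag):
    ns, _, name = tag.rpartition("}")
    return ns[1:], name                               # "{ns}Name" -> ("ns", "Name")


def extract_additional_data(root, reject_unknown=True):
    """Return one (kind, name, text) triple per accepted AdditionalData payload.

    kind is "atomic" (name = dtype) for atomic data, or the extension namespace
    (name = element local name) for dtype="xml".  An element in the IODEF
    namespace or in a supported extension namespace that the schema does not
    define is a syntax error (guideline 4).  A payload in a namespace we cannot
    resolve is rejected when reject_unknown is set and skipped otherwise (the
    draft says the recipient MAY reject the entire document).
    """
    out = []
    for ad in root.iter(f"{{{IODEF_NS}}}AdditionalData"):
        dtype = ad.get("dtype")
        if dtype is None:
            raise UnsupportedExtension("AdditionalData without dtype")
        if dtype != "xml":                            # atomic data: element content
            out.append(("atomic", dtype, (ad.text or "").strip()))
            continue
        for child in ad:
            ns, name = _split(child.tag)
            if ns == IODEF_NS or ns in KNOWN_EXTENSIONS:
                if name not in KNOWN_EXTENSIONS.get(ns, ()):
                    raise UnsupportedExtension(f"unknown element {name} in supported namespace {ns}")
                out.append((ns, name, (child.text or "").strip()))
            elif reject_unknown:
                raise UnsupportedExtension(f"unrecognised private extension {{{ns}}}{name}")
            # else: a private schema we cannot resolve (guideline 6); skip it
    return out


def extract(xml_text, reject_unknown=True):
    return extract_additional_data(ET.fromstring(xml_text), reject_unknown)


# Constructed document: one atomic payload, one known extension, one unknown.
SAMPLE = '''<IODEF-Document version="2.0" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    xmlns:iodef-extension1="iodef-extension1"
    xmlns:priv="urn:example:private-extension">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">1</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <AdditionalData dtype="integer">42</AdditionalData>
    <AdditionalData dtype="xml">
      <iodef-extension1:newdata>Field that could not be represented elsewhere</iodef-extension1:newdata>
    </AdditionalData>
    <AdditionalData dtype="xml">
      <priv:unknown>opaque</priv:unknown>
    </AdditionalData>
  </Incident>
</IODEF-Document>'''
# Same document with an element the IODEF namespace does not define (guideline 4).
IODEF_BOGUS = SAMPLE.replace("<priv:unknown>opaque</priv:unknown>", "<Bogus>x</Bogus>")

if __name__ == "__main__":
    print(extract(SAMPLE, reject_unknown=False))
    try:
        extract(SAMPLE)
    except UnsupportedExtension as e:
        print("rejected:", e)
```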
5202 6. Internationalization Issues
5204 Internationalization and localization are of specific concern to the
5205 IODEF as it facilitates operational coordination with a diverse set
5206 of partners. The IODEF implements internationalization by relying on
5207 XML constructs and through explicit design choices in the data model.
5209 Since the IODEF is implemented as an XML Schema, it supports
5210 different character encodings, such as UTF-8 and UTF-16, possible
5211 with XML. Additionally, each IODEF document MUST specify the
5212 language in which its content is encoded. The language can be
5213 specified with the attribute "xml:lang" (per Section 2.12 of
5214 [W3C.XML]) in the top-level element (i.e., IODEF-Document) and
5215 letting all other elements inherit that definition. All IODEF
5216 classes with a free-form text definition (i.e., all those defined
5217 with type iodef:MLStringType) can also specify a language different
5218 from the rest of the document.
5220 The data model supports multiple translations of free-form text. All
5221 ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
5222 to their parent. This allows the identical text translated into
5223 different languages to be encoded in different instances of the same
5224 class with a common parent. This design also enables the creation of
5225 a single document containing all the translations. The IODEF
5226 implementation SHOULD extract the appropriate language relevant to
5227 the recipient.
5229 Related instances of a given iodef:MLStringType class that are
5230 translations of each other are identified by a common identifier set
5231 in the translation-id attribute. The example below shows three
5232 instances of a Description class expressed in three different
5233 languages. The relationship between these three instances of the
5234 Description class is conveyed by the common value of "1" in the
5235 translation-id attribute.
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  ...
  <Description xml:lang="en" translation-id="1">English</Description>
  <Description xml:lang="de" translation-id="1">Englisch</Description>
  <Description xml:lang="fr" translation-id="1">Anglais</Description>
  ...
</IODEF-Document>
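Selecting "the appropriate language relevant to the recipient" means walking xml:lang inheritance from IODEF-Document downwards, grouping sibling ML_STRING instances by translation-id, and picking one per group. The code below, added here as an example and not code from the draft, does that for Description elements against an ordered list of preferred languages, matching on the primary subtag so that "en-US" satisfies "en" and falling back to the first instance in document order when nothing matches. The three-language document is constructed to mirror the example above; the first Description deliberately inherits its language from the root.

```python
"""Choose which translation of an ML_STRING element to show (Section 6).
Added example, not code from the draft."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
DESCRIPTION = f"{{{IODEF_NS}}}Description"


def _rank(lang, preferred):
    """Position of `lang` in the recipient's preference list, comparing primary
    subtags case-insensitively; len(preferred) means no match."""
    primary = (lang or "").split("-")[0].lower()
    for i, want in enumerate(preferred):
        if primary == want.split("-")[0].lower():
            return i
    return len(preferred)


def choose_texts(root, tag, preferred):
    """Return [(lang, text)] for the `tag` elements a recipient should see.

    Per parent: every instance without translation-id, in document order,
    then one per translation-id group (best-ranked language; on a tie the
    first in document order).  xml:lang is inherited from ancestors."""
    chosen = []

    def walk(el, inherited):
        lang = el.get(XML_LANG) or inherited
        groups = {}
        for child in el:
            if child.tag != tag:
                walk(child, lang)
                continue
            clang = child.get(XML_LANG) or lang
            text = (child.text or "").strip()
            tid = child.get("translation-id")
            if tid is None:
                chosen.append((clang, text))
            else:
                groups.setdefault(tid, []).append((clang, text))
        for candidates in groups.values():
            chosen.append(min(candidates, key=lambda c: _rank(c[0], preferred)))

    walk(root, None)
    return chosen


def describe(xml_text, preferred):
    """Texts of the Description elements to display for `preferred` languages."""
    return [t for _, t in choose_texts(ET.fromstring(xml_text), DESCRIPTION, preferred)]


# Constructed document mirroring the three-language example of Section 6.
SAMPLE = f'''<IODEF-Document xmlns="{IODEF_NS}" version="2.0" xml:lang="en">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">1</IncidentID>
    <Description translation-id="1">English</Description>
    <Description xml:lang="de" translation-id="1">Englisch</Description>
    <Description xml:lang="fr" translation-id="1">Anglais</Description>
    <Description>Not translated</Description>
  </Incident>
</IODEF-Document>'''

if __name__ == "__main__":
    for prefs in (["de"], ["fr-CA"], ["ja", "en"], ["ja"]):
        print(prefs, describe(SAMPLE, prefs))
```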
5247 The IODEF balances internationalization support with the need for
5248 interoperability. While the IODEF supports different languages, the
5249 data model also relies heavily on standardized enumerated attributes
5250 that can crudely approximate the contents of the document. With this
5251 approach, a CSIRT should be able to make some sense of an IODEF
5252 document it receives even if the free-form text data elements are
5253 written in a language unfamiliar to the recipient.
5255 7. Examples
5257 This section provides examples of IODEF documents. These examples do
5258 not represent the full capabilities of the data model or the only
5259 way to encode particular information.
5261 7.1. Minimal Example
5263 A document containing only the mandatory elements and attributes.
<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
                      urn:ietf:params:xml:schema:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <Contact type="organization" role="creator">
      <Email>
        <EmailTo>contact@csirt.example.com</EmailTo>
      </Email>
    </Contact>
  </Incident>
</IODEF-Document>
5285 7.2. Indicators from a Campaign
5287 An example of C2 domains from a given campaign.
<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
                      urn:ietf:params:xml:schema:iodef-2.0">
  <Incident purpose="watch" restriction="green">
    <IncidentID name="csirt.example.com">897923</IncidentID>
    <RelatedActivity>
      <ThreatActor>
        <ThreatActorID>TA-12-AGGRESSIVE-BUTTERFLY</ThreatActorID>
        <Description>Aggressive Butterfly</Description>
      </ThreatActor>
      <Campaign>
        <CampaignID>C-2015-59405</CampaignID>
        <Description>Orange Giraffe</Description>
      </Campaign>
    </RelatedActivity>
    <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
    <Description>Summarizes the Indicators of Compromise
      for the Orange Giraffe campaign of the Aggressive
      Butterfly crime gang.</Description>
    <Assessment>
      <BusinessImpact type="breach-proprietary"/>
    </Assessment>
    <Contact type="organization" role="creator">
      <ContactName>CSIRT for example.com</ContactName>
      <Email>
        <EmailTo>contact@csirt.example.com</EmailTo>
      </Email>
    </Contact>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">G90823490</IndicatorID>
        <Description>C2 domains</Description>
        <StartTime>2014-12-02T11:18:00-05:00</StartTime>
        <Observable>
          <BulkObservable type="fqdn">
            <BulkObservableList>
              kj290023j09r34.example.com
              09ijk23jfj0k8.example.net
              klknjwfjiowjefr923.example.org
              oimireik79msd.example.org
            </BulkObservableList>
          </BulkObservable>
        </Observable>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>
5347 8. The IODEF Data Model (XML Schema)
5372 Incident Object Description Exchange Format v2.0, RFC5070bis
7239 9. Security Considerations
7241 The IODEF data model does not directly introduce security issues.
7242 However, as the data encoded by the IODEF might be considered
7243 sensitive by the parties exchanging it or by those described by it,
7244 care needs to be taken to ensure appropriate handling during the
7245 document exchange, subsequent processing or archiving.
7247 The contents of an IODEF document may include a request for action.
7248 An IODEF implementation may also initiate courses of action based on
7249 the document contents. For these reasons, care must be taken by
7250 IODEF implementations to properly authenticate the sender and
7251 receiver of the document. The recipient must also ascribe
7252 appropriate confidence to the data prior to action.
7254 The underlying messaging format and protocol used to exchange
7255 instances of the IODEF MUST provide appropriate guarantees of
7256 confidentiality, integrity, and authenticity. The use of a
7257 standardized security protocol is encouraged. The Real-time Inter-
7258 network Defense (RID) protocol [RFC6545] and its associated transport
7259 binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.
7261 Executable content could be embedded into the IODEF document directly
7262 or through an extension. The IODEF implementation MUST handle this
7263 content with care to prevent unintentional automated execution.
7265 In order to suggest data processing and handling guidelines of the
7266 encoded information, the IODEF allows a document sender to convey a
7267 privacy policy using the restriction attribute. The various
7268 instances of this attribute allow different data elements of the
7269 document to be covered by dissimilar policies. While flexible, it
7270 must be stressed that this approach only serves as a guideline from
7271 the sender, as the recipient is free to ignore it.
7273 10. IANA Considerations
7275 This document registers a namespace, an XML schema, and a number of
7276 registries that map to enumerated values defined in the data model.
7278 10.1. Namespace and Schema
7280 This document uses URNs to describe an XML namespace and schema
7281 conforming to the registry mechanism described in [RFC3688].
7283 Registration for the IODEF namespace:
7285 o URI: urn:ietf:params:xml:ns:iodef-2.0
7287 o Registrant Contact: See the first author of the "Author's Address"
7288 section of this document.
7290 o XML: None. Namespace URIs do not represent an XML specification.
7292 Registration for the IODEF XML schema:
7294 o URI: urn:ietf:params:xml:schema:iodef-2.0
7296 o Registrant Contact: See the first author of the "Author's Address"
7297 section of this document.
7299 o XML: See Section 8 of this document.
7301 10.2. Enumerated Value Registries
7303 This document creates 33 identically structured registries to be
7304 managed by IANA:
7306 o Name of the parent registry: "Incident Object Description Exchange
7307 Format v2 (IODEF)"
7309 o URL of the registry: http://www.iana.org/assignments/iodef2
7311 o Namespace format: A registry entry consists of:
7313 * Value. An enumerated value for a given IODEF attribute.
7315 * Description. A short description of the enumerated value.
7317 * Reference. An optional list of URIs to further describe the
7318 value.
7320 o Allocation policy: Expert Review per [RFC5226]
7322 The registries to be created are named in the "Registry Name" column
7323 of Table 1. The initial values for the Value and Description fields
7324 of a given registry are listed in the "IV (Value)" and "IV
7325 (Description)" columns respectively. The "IV (Value)" points to a
7326 given schema type per Section 8. Each enumerated value in the schema
7327 gets a corresponding entry in a given registry. The "IV
7328 (Description)" points to a section in the text of this document that
7329 describes each enumerated value. The initial value of the Reference
field of every registry entry described below should be this
document.

+------------------------------+-----------------------------------+------------------+
| Registry Name                | IV (Value)                        | IV               |
|                              |                                   | (Description)    |
+------------------------------+-----------------------------------+------------------+
| Restriction                  | iodef-restriction-type            | Section 3.3.1    |
|                              |                                   |                  |
| Incident-purpose             | incident-purpose-type             | Section 3.2      |
|                              |                                   |                  |
| Incident-status              | incident-status-type              | Section 3.2      |
|                              |                                   |                  |
| Contact-role                 | contact-role-type                 | Section 3.9      |
|                              |                                   |                  |
| Contact-type                 | contact-type-type                 | Section 3.9      |
|                              |                                   |                  |
| RegistryHandle-registry      | registryhandle-registry-type      | Section 3.9.1    |
|                              |                                   |                  |
| Telephone-type               | telephone-type-type               | Section 3.9.4    |
|                              |                                   |                  |
| Email-type                   | email-type-type                   | Section 3.9.3    |
|                              |                                   |                  |
| Expectation-action           | action-type                       | Section 3.15     |
|                              |                                   |                  |
| Discovery-source             | discovery-source-type             | Section 3.10     |
|                              |                                   |                  |
| SystemImpact-type            | systemimpact-type-type            | Section 3.12.1   |
|                              |                                   |                  |
| BusinessImpact-severity      | businessimpact-severity-type      | Section 3.12.2   |
|                              |                                   |                  |
| BusinessImpact-type          | businessimpact-type-type          | Section 3.12.2   |
|                              |                                   |                  |
| TimeImpact-metrics           | timeimpact-metric-type            | Section 3.12.3   |
|                              |                                   |                  |
| TimeImpact-duration          | duration-type                     | Section 3.12.3   |
|                              |                                   |                  |
| Confidence-rating            | confidence-rating-type            | Section 3.12.5   |
|                              |                                   |                  |
| NodeRole-category            | noderole-category-type            | Section 3.18.2   |
|                              |                                   |                  |
| System-category              | system-category-type              | Section 3.17     |
|                              |                                   |                  |
| System-ownership             | system-ownership-type             | Section 3.17     |
|                              |                                   |                  |
| Address-category             | address-category-type             | Section 3.18.1   |
|                              |                                   |                  |
| Counter-type                 | counter-type-type                 | Section 3.18.3   |
|                              |                                   |                  |
| Counter-unit                 | counter-unit-type                 | Section 3.18.3   |
|                              |                                   |                  |
| DomainData-system-status     | domaindata-system-status-type     | Section 3.19     |
|                              |                                   |                  |
| DomainData-domain-status     | domaindata-domain-status-type     | Section 3.19     |
|                              |                                   |                  |
| RecordPattern-type           | recordpattern-type-type           | Section 3.22.2   |
|                              |                                   |                  |
| RecordPattern-offsetunit     | recordpattern-offsetunit-type     | Section 3.22.2   |
|                              |                                   |                  |
| Key-registryaction           | key-registryaction-type           | Section 3.23.1   |
|                              |                                   |                  |
| HashData-scope               | hashdata-scope-type               | Section 3.26     |
|                              |                                   |                  |
| BulkObservable-type          | bulkobservable-type-type          | Section 3.29.3.1 |
|                              |                                   |                  |
| IndicatorExpression-operator | indicatorexpression-operator-type | Section 3.29.4   |
|                              |                                   |                  |
| ExtensionType-dtype          | dtype-type                        | Section 2.16     |
|                              |                                   |                  |
| SoftwareReference-spec-id    | softwarereference-spec-id-type    | Section 2.15.1   |
|                              |                                   |                  |
| SoftwareReference-dtype      | softwarereference-dtype-type      | Section 2.15.1   |
+------------------------------+-----------------------------------+------------------+

Table 1: IANA Enumerated Value Registries
11. Acknowledgments

Thanks to Paul Stockler for his editorial leadership in the
transition of RFC5070bis to this document.

Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi
Takahashi, David Waltermire and Sean Turner who, as the MILE working
group chairs, secretary or area directors, provided feedback on and
coordination of this document.

Thanks to the following individuals (listed alphabetically) who
provided feedback during the meetings, on the mailing list or through
implementation experience: Jerome Athias, David Black, Eric Burger,
Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
Suzuki and Nik Teague.
12. References

12.1. Normative References

[W3C.XML] World Wide Web Consortium, "Extensible Markup Language
(XML) 1.0 (Second Edition)", W3C Recommendation, October
2000.

[W3C.SCHEMA]
World Wide Web Consortium, "XML Schema Part 1:
Structures Second Edition", W3C Recommendation, October
2004.

[W3C.SCHEMA.DTYPES]
World Wide Web Consortium, "XML Schema Part 2: Datatypes
Second Edition", W3C Recommendation, October 2004.

[W3C.XMLNS]
World Wide Web Consortium, "Namespaces in XML", W3C
Recommendation, January 1999.

[W3C.XPATH]
World Wide Web Consortium, "XML Path Language (XPath)
2.0", W3C Candidate Recommendation, June 2006.

[W3C.XMLSIG]
World Wide Web Consortium, "XML Signature Syntax and
Processing 2.0", W3C Candidate Recommendation, June 2008.

[IEEE.POSIX]
Institute of Electrical and Electronics Engineers,
"Information Technology - Portable Operating System
Interface (POSIX) - Part 1: Base Definitions",
IEEE 1003.1, June 2001.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
Languages", BCP 47, RFC 5646, September 2009.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
January 2005.

[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
Procedures", BCP 19, RFC 2978, October 2000.

[RFC4519] Sciberras, A., "Lightweight Directory Access Protocol
(LDAP): Schema for User Applications", RFC 4519, June 2006.

[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October
2008.

[RFC-ENUM]
Montville, A. and D. Black, "IODEF Enumeration Reference
Format", RFC 7495, January 2015.

[RFC-SCI] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
Incident Object Description Exchange Format (IODEF)
Extension for Structured Cybersecurity Information",
RFC 7203, April 2014.

[ISO4217] International Organization for Standardization,
"International Standard: Codes for the representation of
currencies and funds, ISO 4217:2001", ISO 4217:2001,
August 2001.

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004.

[IANA.Ports]
Internet Assigned Numbers Authority, "Service Name and
Transport Protocol Port Number Registry", January 2014.

[IANA.Protocols]
Internet Assigned Numbers Authority, "Assigned Internet
Protocol Numbers", January 2014.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.

[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
10646", RFC 2781, February 2000.

[IANA.Media]
Internet Assigned Numbers Authority, "Media Types", March
2015.

12.2. Informative References

[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", RFC 5070, December
2007.

[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
RFC 6545, April 2012.

[RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, April
2012.

[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
Class for Reporting Phishing", RFC 5901, July 2010.

[NIST800.61rev2]
Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
"NIST Special Publication 800-61 Revision 2: Computer
Security Incident Handling Guide", January 2012.

[RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
Type for the Internet Registry Information Service
(IRIS)", RFC 3982, January 2005.

[KB310516]
Microsoft Corporation, "How to add, modify, or delete
registry subkeys and values by using a registration
entries (.reg) file", December 2007.

[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
Separated Values (CSV) Files", RFC 4180, October 2005.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
Author's Address

Roman Danyliw
CERT - Carnegie Mellon University
Pittsburgh, PA
USA

EMail: rdd@cert.org