idnits 2.17.1
draft-ietf-mile-rfc5070-bis-21.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
in the document. If these are example addresses, they should be changed.
-- The draft header indicates that this document obsoletes RFC5070, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
== The document seems to contain a disclaimer for pre-RFC5378 work, but was
first submitted on or after 10 November 2008. The disclaimer is usually
necessary only for documents that revise or obsolete older RFCs, and that
take significant amounts of text from those RFCs. If you can contact all
authors of the source material and they are willing to grant the BCP78
rights to the IETF Trust, you can and should remove the disclaimer.
Otherwise, the disclaimer is needed and you can ignore this comment.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (May 10, 2016) is 2879 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: '0-9' is mentioned on line 7155, but not defined
== Missing Reference: '0-4' is mentioned on line 7155, but not defined
== Missing Reference: '0-5' is mentioned on line 7155, but not defined
== Missing Reference: 'O1' is mentioned on line 4882, but not defined
== Missing Reference: 'O2' is mentioned on line 4883, but not defined
== Missing Reference: 'O3' is mentioned on line 4872, but not defined
-- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'
** Downref: Normative reference to an Informational RFC: RFC 2781
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO19770'
-- Obsolete informational reference (is this intentional?): RFC 5070
(Obsoleted by RFC 7970)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
Summary: 1 error (**), 0 flaws (~~), 10 warnings (==), 7 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 MILE Working Group R. Danyliw
3 Internet-Draft CERT
4 Obsoletes: 5070 (if approved) May 10, 2016
5 Intended status: Standards Track
6 Expires: November 11, 2016
8 The Incident Object Description Exchange Format v2
9 draft-ietf-mile-rfc5070-bis-21
11 Abstract
13 The Incident Object Description Exchange Format (IODEF) defines a
14 data representation for security incident reports and cyber
15 indicators commonly exchanged by operational security teams for
16 mitigation and watch and warning. This document describes an updated
17 information model for the IODEF and provides an associated data model
18 specified with XML Schema. This new information and data model
19 obsoletes Request for Comment (RFC) 5070, "The Incident Object
20 Description Exchange Format".
22 Status of This Memo
24 This Internet-Draft is submitted in full conformance with the
25 provisions of BCP 78 and BCP 79.
27 Internet-Drafts are working documents of the Internet Engineering
28 Task Force (IETF). Note that other groups may also distribute
29 working documents as Internet-Drafts. The list of current Internet-
30 Drafts is at http://datatracker.ietf.org/drafts/current/.
32 Internet-Drafts are draft documents valid for a maximum of six months
33 and may be updated, replaced, or obsoleted by other documents at any
34 time. It is inappropriate to use Internet-Drafts as reference
35 material or to cite them other than as "work in progress."
37 This Internet-Draft will expire on November 11, 2016.
39 Copyright Notice
41 Copyright (c) 2016 IETF Trust and the persons identified as the
42 document authors. All rights reserved.
44 This document is subject to BCP 78 and the IETF Trust's Legal
45 Provisions Relating to IETF Documents
46 (http://trustee.ietf.org/license-info) in effect on the date of
47 publication of this document. Please review these documents
48 carefully, as they describe your rights and restrictions with respect
49 to this document. Code Components extracted from this document must
50 include Simplified BSD License text as described in Section 4.e of
51 the Trust Legal Provisions and are provided without warranty as
52 described in the Simplified BSD License.
54 This document may contain material from IETF Documents or IETF
55 Contributions published or made publicly available before November
56 10, 2008. The person(s) controlling the copyright in some of this
57 material may not have granted the IETF Trust the right to allow
58 modifications of such material outside the IETF Standards Process.
59 Without obtaining an adequate license from the person(s) controlling
60 the copyright in such materials, this document may not be modified
61 outside the IETF Standards Process, and derivative works of it may
62 not be created outside the IETF Standards Process, except to format
63 it for publication as an RFC or to translate it into languages other
64 than English.
66 Table of Contents
68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
69 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
70 1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
71 1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 6
72 1.4. Changelog . . . . . . . . . . . . . . . . . . . . . . . . 7
73 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
74 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8
75 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
76 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
77 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
78 2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10
79 2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10
80 2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 10
81 2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10
82 2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11
83 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
84 2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11
85 2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11
86 2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11
87 2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12
88 2.13. Uniform Resource Locator strings . . . . . . . . . . . . 12
89 2.14. Identifiers and Identifier References . . . . . . . . . . 12
90 2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12
91 2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13
92 2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 14
93 3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17
94 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17
95 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 18
96 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22
97 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22
98 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 23
99 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 24
100 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 25
101 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 25
102 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 27
103 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 28
104 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 29
105 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 32
106 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33
107 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34
108 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35
109 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36
110 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 38
111 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 39
112 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 40
113 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41
114 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 43
115 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 45
116 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 47
117 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 49
118 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 50
119 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 51
120 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52
121 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54
122 3.14.1. Relating the Incident and EventData Classes . . . . 56
123 3.14.2. Recursive Definition of EventData . . . . . . . . . 56
124 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 57
125 3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 60
126 3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61
127 3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 64
128 3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 65
129 3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 66
130 3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 69
131 3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 72
132 3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 74
133 3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 75
134 3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 75
135 3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 77
136 3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 78
137 3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 78
138 3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 80
139 3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 81
140 3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 82
141 3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 84
142 3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 85
143 3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 86
144 3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 86
146 3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 87
147 3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 88
148 3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 89
149 3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 91
150 3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91
151 3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 92
152 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 93
153 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93
154 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 96
155 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 96
156 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 97
157 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 103
158 3.29.5. Expressions with IndicatorExpression . . . . . . . . 104
159 3.29.6. ObservableReference Class . . . . . . . . . . . . . 106
160 3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 106
161 3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 107
162 4. Processing Considerations . . . . . . . . . . . . . . . . . . 108
163 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 108
164 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 109
165 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 109
166 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 109
167 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 110
168 5.1. Extending the Enumerated Values of Attributes . . . . . . 110
169 5.1.1. Private Extension of Enumerated Values . . . . . . . 111
170 5.1.2. Public Extension of Enumerated Values . . . . . . . . 111
171 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 111
172 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 113
173 6. Internationalization Issues . . . . . . . . . . . . . . . . . 114
174 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 115
175 7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 115
176 7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 116
177 8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 117
178 9. Security Considerations . . . . . . . . . . . . . . . . . . . 157
179 9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157
180 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 157
181 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 158
182 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 158
183 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 158
184 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 161
185 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 161
186 12.1. Normative References . . . . . . . . . . . . . . . . . . 161
187 12.2. Informative References . . . . . . . . . . . . . . . . . 164
188 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 165
190 1. Introduction
192 Organizations require help from other parties to mitigate malicious
193 activity targeting their network and to gain insight into potential
194 threats. This coordination might entail working with an ISP to
195 filter attack traffic, contacting a remote site to take down a
196 botnet, or sharing watch-lists of known malicious indicators in a
197 consortium.
199 The Incident Object Description Exchange Format (IODEF) is a format
200 for representing computer security information commonly exchanged
201 between Computer Security Incident Response Teams (CSIRTs). It
202 provides an XML representation for conveying:
204 o cyber intelligence to characterize threats;
206 o cyber incident reports to document particular cyber security
207 events or relationships between events;
209 o cyber event mitigation activity to proactively and reactively
210 mitigate activity; and
212 o meta-data so that these various classes of information can be
213 exchanged among parties.
215 The purpose of the IODEF is to enhance the operational capabilities
216 of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT
217 to resolve security incidents; understand cyber threats; and
218 coordinate response activities and proactive mitigations by
219 simplifying collaboration and data sharing with its partners. This
220 structured format provided by the IODEF allows for:
222 o machine-to-machine exchange of incident and cyber intelligence
223 data;
225 o automated processing of this data, thereby allowing more rapid
226 execution of appropriate courses of action; and
228 o the development of an ecosystem of interoperable tools enabling
229 security operations.
231 Sharing and coordinating with other organizations is not strictly a
232 technical problem. There are numerous procedural, cultural, legal
233 and trust-related barriers to overcome. The IODEF does not attempt
234 to address them directly. However, operational implementations of
235 the IODEF will need to consider these challenges.
237 Section 1 provides the background for the IODEF. Sections 3 and 8
238 specify the IODEF information and data model respectively. The data
239 types used in this document are described in Section 2. Processing
240 considerations, extending the specification, internationalization and
241 security issues are covered in Sections 4, 5, 6 and 9 respectively.
242 Examples are listed in Section 7.
244 1.1. Terminology
246 The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
247 "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
248 document are to be interpreted as described in [RFC2119].
250 1.2. Notations
252 The IODEF is specified as an Extensible Markup Language (XML)
253 [W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is
254 found in the XML schema in Section 8. To aid in the understanding of
255 the data elements, Section 3 also depicts the underlying information
256 model using Unified Modeling Language (UML). This abstract
257 presentation of the IODEF is not normative.
259 For clarity in this document, the term "XML document" will be used
260 when referring generically to any instance of an XML document. The
261 term "IODEF document" will be used to refer to an XML document
262 conforming to the IODEF specification. The term "schema" will be
263 used to refer to Section 8 of this document. The terms "data model"
264 and "schema" will be used interchangeably. The terms "class" and
265 "element" will be used to reference either the corresponding data
266 element in the UML-based information or XML Schema-based data models,
267 respectively.
269 1.3. About the IODEF Data Model
271 A number of considerations were made in the design of the IODEF data
272 model.
274 o The data model found in this document is an evolution of the one
275 previously specified in [RFC5070]. New fields were added to
276 represent additional information. [RFC5070] was developed
277 primarily to represent incident reports. This document builds
278 upon it by adding support for cyber indicators and revising it to
279 reflect the current challenges faced by CSIRTs. An attempt was
280 made to preserve backward compatibility but this was not possible
281 in all cases. See Section 4.4. This document obsoletes
282 [RFC5070].
284 o The IODEF is a transport format. Therefore, the data model may
285 not be the optimal archival or in-memory processing format.
287 o The IODEF is intended to be a framework to convey only commonly
288 exchanged information. It ensures that there are mechanisms for
289 extensibility to support organization-specific information and
290 techniques to reference information kept outside of the data
291 model.
293 o Not all commonly exchanged information has a well-defined format
294 or taxonomy. The IODEF attempts to strike a balance between
295 enforcing sufficient structure to allow automated processing and
296 supporting free-form content that enables maximum flexibility.
298 o The IODEF fits into a broader ecosystem of standards and
299 conventions. An attempt was made to harmonize the data model with
300 this context.
302 1.4. Changelog
304 A detailed list of additions made to the [RFC5070] data model is
305 enumerated in this section. See Section 4.4 for a list of
306 incompatible changes.
308 o Updated the data types (Section 2) to improve
309 internationalization, clarify ambiguity, and ensure consistency in
310 extensions.
312 o Added the observable-id attribute (Section 3.3.2) and
313 IndicatorData class (Section 3.28) to represent
314 indicators.
316 o Added the private-enum-name and -id attributes to the IODEF-
317 Document class (Section 3.1) to disambiguate private extensions.
319 o Updated the Incident class (Section 3.2) to represent additional
320 timing and workflow information.
322 o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8)
323 classes to represent attack attribution information.
325 o Updated the Contact class (Section 3.9) and its children to
326 improve internationalization and represent additional information
327 about an entity.
329 o Updated the Method class (Section 3.11) to improve extensibility
330 through externally referenced resources.
332 o Added the Discovery class (Section 3.10) to describe how an
333 incident was discovered.
335 o Updated the Assessment class (Section 3.12) to enable more
336 descriptive characterizations of the impact of an incident.
338 o Updated the HistoryItem (Section 3.13.1) and Expectation
339 (Section 3.15) classes to support a reference to a course of
340 action.
342 o Updated the EventData class (Section 3.14) with additional meta-
343 data added to the Incident class.
345 o Updated the System (Section 3.17) class with additional meta-data.
347 o Updated the Counter class (Section 3.18.3) to support additional
348 rate metrics.
350 o Added the DomainData (Section 3.19), EmailData (Section 3.21),
351 WindowsRegistryKeysModified (Section 3.23), CertificateData
352 (Section 3.24) and FileData (Section 3.25) to improve the
353 description of an incident and support this data as indicators.
355 o Added the SignatureData (Section 3.27) and HashData classes
356 (Section 3.26) to represent digital signatures and hashes.
358 o Added support for public enumerated attribute extensions using
359 IANA registries (Section 5.1.2).
361 o Updated numerous enumerated attributes for completeness.
363 2. IODEF Data Types
365 The IODEF uses a number of simple and complex types. This section
366 describes these data types.
368 2.1. Integers
370 An integer is represented in the information model by the INTEGER
371 data type. Integer data MUST be encoded in Base 10.
373 The INTEGER data type is implemented in the data model as a
374 "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].
376 2.2. Real Numbers
378 A real (floating-point) number is represented in the information
379 model by the REAL data type. Real data MUST be encoded in Base 10.
381 The REAL data type is implemented in the data model as a "xs:float"
382 type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].
384 2.3. Characters and Strings
386 A single character is represented in the information model by the
387 CHARACTER data type. A string is represented by the STRING data
388 type. Special characters MUST be encoded using entity references.
389 See Section 4.1.
391 The CHARACTER and STRING data types are implemented in the data model
392 as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
394 2.4. Multilingual Strings
396 A string that needs to be represented in a human-readable language
397 different than the default encoding of the document is represented in
398 the information model by the ML_STRING data type.
400 The ML_STRING data type is implemented in the data model as the
401 "iodef:MLStringType" type. This type extends the "xs:string" to
402 include two attributes.
404 +------------------------+
405 | iodef:MLStringType |
406 +------------------------+
407 | xs:string |
408 | |
409 | ENUM xml:lang |
410 | STRING translation-id |
411 +------------------------+
413 Figure 1: The iodef:MLStringType Type
415 The content of the class is a character string of type "xs:string"
416 whose language MAY be specified by the xml:lang attribute.
418 The attributes of the iodef:MLStringType type are:
420 xml:lang
421 Optional. ENUM. A language identifier per Section 2.12 of
422 [W3C.XML] whose values and format are described in [RFC5646]. The
423 interpretation of this code is described in Section 6.
425 translation-id
426 Optional. STRING. An identifier to relate other instances of
427 this class with the same parent as translations of this text. The
428 scope of this identifier is limited to all of the direct, peer
429 child classes of a given parent class.
431 Using this class enables representing translations of the same text
432 in multiple languages. Each translation is a distinct instance of
433 this class with a common parent. A group of classes each with a
434 translated instance of text is related by setting a common identifier
435 in the translation-id attribute. The language of a given class is
436 set by the xml:lang attribute. See Section 6 for more details on
437 representing translations of free-form text.
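The grouping rule above (peer instances of one class, related by a shared translation-id, each tagged with xml:lang) is easy to get wrong by searching the whole document instead of one parent's direct children. The following Python is an added example, not code from the draft: it parses a constructed Incident fragment (the IODEF namespace declaration is omitted for brevity) and groups Description elements by translation-id within a single parent, so that a Description under Contact carrying the same identifier is not mixed into the group.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# ElementTree exposes the predefined xml: prefix under its namespace URI.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed fragment for this example (not from the draft); the IODEF
# namespace declaration is omitted for brevity.
SAMPLE_INCIDENT = """<Incident>
  <Description xml:lang="en" translation-id="d1">Phishing campaign against staff</Description>
  <Description xml:lang="fr" translation-id="d1">Campagne d'hameconnage visant le personnel</Description>
  <Description xml:lang="en">Untranslated operator note</Description>
  <Contact>
    <Description xml:lang="en" translation-id="d1">Same id under another parent</Description>
  </Contact>
</Incident>"""


def group_translations(parent, tag):
    """Group the direct children of `parent` named `tag` by translation-id.

    Returns (groups, untranslated): groups maps translation-id -> {lang: text};
    untranslated lists (lang, text) for children carrying no translation-id.
    Only direct children are inspected, because Section 2.4 limits the scope
    of translation-id to the peer children of one parent, so the Description
    under Contact in the sample above is not pulled into group "d1".
    """
    groups = defaultdict(dict)
    untranslated = []
    for child in parent:
        if child.tag != tag:
            continue
        lang = child.get(XML_LANG)
        tid = child.get("translation-id")
        text = (child.text or "").strip()
        if tid is None:
            untranslated.append((lang, text))
        elif lang in groups[tid]:
            # Two peers claim the same language for one translation-id; this
            # checker treats that as a document error (the draft does not say
            # how to resolve it).
            raise ValueError(f"duplicate {lang!r} translation for translation-id {tid!r}")
        else:
            groups[tid][lang] = text
    return dict(groups), untranslated


def pick_translation(xml_text, tag, translation_id, preferred_lang, fallback_lang="en"):
    """Return the text of one translation group in the preferred language,
    falling back to `fallback_lang`, or None if neither is present."""
    root = ET.fromstring(xml_text)
    groups, _ = group_translations(root, tag)
    langs = groups.get(translation_id, {})
    return langs.get(preferred_lang, langs.get(fallback_lang))


def describe_incident(xml_text, tag="Description"):
    """Convenience wrapper: parse and group the top-level `tag` children."""
    return group_translations(ET.fromstring(xml_text), tag)
```

Iterating `for child in parent` rather than `parent.iter(tag)` is the whole point: `iter` would descend into Contact and silently merge an unrelated Description into the group.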
439 2.5. Binary Strings
441 Binary octets can be represented with two encodings.
443 2.5.1. Base64 Bytes
445 A binary octet encoded with Base64 is represented in the information
446 model by the BYTE data type. A sequence of these octets is of the
447 BYTE[] data type.
449 The BYTE and BYTE[] data types are implemented in the data model as a
450 "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].
452 2.5.2. Hexadecimal Bytes
454 A binary octet encoded as a character tuple consisting of two
455 hexadecimal digits is represented in the information model by the
456 HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
457 type.
459 The HEXBIN and HEXBIN[] data types are implemented in the data model
460 as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].
462 2.6. Enumerated Types
464 An enumerated type is represented in the information model by the
465 ENUM data type. It is an ordered list of acceptable string values.
466 Each value has a representative keyword. Within the data model, the
467 enumerated type keywords are used as attribute values.
469 The ENUM data type is implemented in the data model as values of a
470 "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].
472 2.7. Date-Time String
474 A date-time string that describes a particular instant in time is
475 represented in the information model by the DATETIME data type.
476 Ranges are not supported.
478 The DATETIME data type is implemented in the data model as a
479 "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].
481 2.8. Timezone String
483 A timezone offset from UTC is represented in the information model by
484 the TIMEZONE data type. It is formatted according to the following
485 regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
487 The TIMEZONE data type is implemented in the data model as an
488 "iodef:TimezoneType" type.
490 2.9. Port Lists
492 A list of network ports is represented in the information model by
493 the PORTLIST data type. A PORTLIST consists of a comma-separated
494 list of numbers and ranges (N-M means ports N through M, inclusive).
495 It is formatted according to the following regular expression:
496 "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
497 "2,5-15,30,32,40-50,55-60".
499 The PORTLIST data type is implemented in the data model as an
500 "iodef:PortlistType" type.
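Both the TIMEZONE and PORTLIST types are defined only by a regular expression, and the PORTLIST expression constrains syntax, not semantics: it accepts a reversed range such as "15-5" or a port above 65535. The following Python is an added example, not code from the draft: it applies the two expressions from Sections 2.8 and 2.9 verbatim, converts a TIMEZONE value to an offset in minutes, and parses a PORTLIST into inclusive ranges while rejecting the two cases the regular expression admits. The 65535 upper bound is an assumption of this example, taken from the TCP/UDP port space rather than from the draft.

```python
import re

# Regular expressions copied from Sections 2.8 and 2.9 of the draft, anchored.
TIMEZONE_RE = re.compile(r"^(?:Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9])$")
PORTLIST_RE = re.compile(r"^\d+(\-\d+)?(,\d+(\-\d+)?)*$")

# Upper bound of the TCP/UDP port space; an assumption of this example, the
# draft's regular expression does not enforce it.
MAX_PORT = 65535


def is_valid_timezone(value):
    """True if value matches the TIMEZONE data type from Section 2.8."""
    return TIMEZONE_RE.match(value) is not None


def timezone_offset_minutes(value):
    """Convert a valid TIMEZONE string into a signed offset from UTC in minutes."""
    if not is_valid_timezone(value):
        raise ValueError(f"not a TIMEZONE value: {value!r}")
    if value == "Z":
        return 0
    sign = -1 if value[0] == "-" else 1
    hours, minutes = value[1:].split(":")
    return sign * (int(hours) * 60 + int(minutes))


def parse_portlist(value):
    """Parse a PORTLIST (Section 2.9) into a list of inclusive (low, high) ranges.

    The draft's regular expression fixes the syntax only; this parser also
    rejects reversed ranges (N > M) and ports above MAX_PORT, which a consumer
    has to check itself because the expression admits both.
    """
    if not PORTLIST_RE.match(value):
        raise ValueError(f"not a PORTLIST value: {value!r}")
    ranges = []
    for item in value.split(","):
        if "-" in item:
            low, high = (int(part) for part in item.split("-"))
        else:
            low = high = int(item)
        if low > high:
            raise ValueError(f"reversed range in PORTLIST: {item}")
        if high > MAX_PORT:
            raise ValueError(f"port out of range in PORTLIST: {item}")
        ranges.append((low, high))
    return ranges


def portlist_contains(value, port):
    """True if `port` falls inside any range of the PORTLIST `value`."""
    return any(low <= port <= high for low, high in parse_portlist(value))
```

The expressions are anchored with `^` and `$` because `re.match` only anchors at the start; without `$`, "80,abc" would pass the PORTLIST check.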
502 2.10. Postal Address
504 A postal address is represented in the information model by the
505 POSTAL data type. The format of the POSTAL data type is documented
506 in Section 2.23 of [RFC4519] as a free-form multi-line string
507 separated by the "$" character.
509 The POSTAL data type is implemented in the data model as an
510 "iodef:MLStringType" type.
512 2.11. Telephone Number
514 A telephone number is represented in the information model by the
515 PHONE data type. The format of the PHONE data type is documented in
516 Section 2.35 of [RFC4519].
518 The PHONE data type is implemented in the data model as a "xs:string"
519 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
521 2.12. Email String
523 An email address is represented in the information model by the EMAIL
524 data type. The format of the EMAIL data type is documented in
525 Section 3.4.1 of [RFC5322].
527 The EMAIL data type is implemented in the data model as a "xs:string"
528 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
530 2.13. Uniform Resource Locator strings
532 A uniform resource locator (URL) is represented in the information
533 model by the URL data type. The format of the URL data type is
534 documented in [RFC3986].
536 The URL data type is implemented as a "xs:anyURI" type per
537 Section 3.2.17 of [W3C.SCHEMA.DTYPES].
539 2.14. Identifiers and Identifier References
541 An identifier unique to the IODEF document is represented in the
542 information model by the ID data type. A reference to this
543 identifier is represented by the IDREF data type.
545 The ID and IDREF data types are implemented in the model as "xs:ID"
546 and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
547 [W3C.SCHEMA.DTYPES].
549 2.15. Software
551 A particular version of software is represented in the information
552 model by the SOFTWARE data type. This software can be described by
553 using a reference, a URL or with free-form text.
555 The SOFTWARE data type is implemented in the data model as the
556 "iodef:SoftwareType" type.
558 +--------------------+
559 | iodef:SoftwareType |
560 +--------------------+
561 | |<>--{0..1}--[ SoftwareReference ]
562 | |<>--{0..*}--[ URL ]
563 | |<>--{0..*}--[ Description ]
564 +--------------------+
566 Figure 2: The SoftwareType Type
568 The aggregate classes of the SoftwareType type are:
570 SoftwareReference
571 Zero or one. Reference to a software application. See
572 Section 2.15.1.
574 URL
575 Zero or more. URL. A URL to a resource describing the software.
577 Description
578 Zero or more. ML_STRING. A free-form text description of the
579 software.
581 At least one of these classes MUST be present.
583 The iodef:SoftwareType type has no attributes.
585 2.15.1. SoftwareReference Class
587 The SoftwareReference class is a reference to a particular version of
588 software.
590 +----------------------+
591 | SoftwareReference |
592 +----------------------+
593 | xs:any |
594 | |
595 | ENUM spec-name |
596 | STRING ext-spec-name |
597 | ENUM dtype |
598 | STRING ext-dtype |
599 +----------------------+
601 Figure 3: The SoftwareReference Class
603 The element content varies according to the value of the spec-name
604 attribute. It is defined in the data model as "xs:any" per
605 [W3C.SCHEMA].
607 The attributes of the SoftwareReference class are:
609 spec-name
610 Required. ENUM. Identifies the format and semantics of the
611 element body of this class. Formal standards and specifications
612 can be referenced as well as a free-form text description with a
613 user-provided data type. These values are maintained in the
614 "SoftwareReference-spec-id" IANA registry per Section 10.2.
615 1. custom. The element content is free-form and of the data type
616 specified by the dtype attribute. If this value is selected,
617 then the dtype attribute MUST be set.
619 2. cpe. The element content describes a Common Platform
620 Enumeration (CPE) entry per [NIST.CPE].
622 3. swid. The element content describes a software identification
623 (SWID) tag per [ISO19770].
625 4. ext-value. A value used to indicate that this attribute is
626 extended and the actual value is provided using the
627 corresponding ext-* attribute. See Section 5.1.1.
629 ext-spec-name
630 Optional. STRING. A means by which to extend the spec-name
631 attribute. See Section 5.1.1.
633 dtype
634 Optional. ENUM. The data type of the element content. The
635 permitted values for this attribute are shown below. The default
636 value is "string". These values are maintained in the
637 "SoftwareReference-dtype" IANA registry per Section 10.2.
639 1. bytes. The element content is of type HEXBIN.
641 2. integer. The element content is of type INTEGER.
643 3. real. The element content is of type REAL.
645 4. string. The element content is of type STRING.
647 5. xml. The element content is XML. See Section 5.2.
649 6. ext-value. A value used to indicate that this attribute is
650 extended and the actual value is provided using the
651 corresponding ext-* attribute. See Section 5.1.1.
653 ext-dtype
654 Optional. STRING. A means by which to extend the dtype
655 attribute. See Section 5.1.1.
657 2.16. Extension
659 Information not otherwise represented in the IODEF can be added using
660 the EXTENSION data type. This data type is a generic extension
661 mechanism.
663 The EXTENSION data type is implemented in the data model as the
664 "iodef:ExtensionType" type.
666 The data type of an EXTENSION is described by the dtype attribute.
667 For simple information, atomic data types (e.g., integers, strings)
668 are supported. Their semantics are further described by the meaning
669 and formatid attributes. Encapsulating XML documents conforming to
670 another schema is also supported. A detailed discussion of extending
671 the schema can be found in Section 5. Additional coordination may be
672 required to ensure that a recipient of a document using this type can
673 parse and process it.
675 +------------------------+
676 | iodef:ExtensionType |
677 +------------------------+
678 | xs:any |
679 | |
680 | STRING name |
681 | ENUM dtype |
682 | STRING ext-dtype |
683 | STRING meaning |
684 | STRING formatid |
685 | ENUM restriction |
686 | STRING ext-restriction |
687 | ID observable-id |
688 +------------------------+
690 Figure 4: The iodef:ExtensionType Type
692 The element content of this type is the extension being added to the
693 data model. This content is defined in the data model as "xs:any"
694 per [W3C.SCHEMA].
696 The attributes of the iodef:ExtensionType type are:
698 name
699 Optional. STRING. A free-form name of the field or data element.
701 dtype
702 Required. ENUM. The data type of the element content. The
703 default value is "string". These values are maintained in the
704 "ExtensionType-dtype" IANA registry per Section 10.2.
706 1. boolean. The element content is of type BOOLEAN.
708 2. byte. The element content is of type BYTE.
710 3. bytes. The element content is of type HEXBIN.
712 4. character. The element content is of type CHARACTER.
714 5. date-time. The element content is of type DATETIME.
716 6. ntpstamp. Same as date-time.
718 7. integer. The element content is of type INTEGER.
720 8. portlist. The element content is of type PORTLIST.
722 9. real. The element content is of type REAL.
724 10. string. The element content is of type STRING.
726 11. file. The element content is a base64 encoded binary file
727 encoded as a BYTE[] type.
729 12. path. The element content is a file-system path encoded as a
730 STRING type.
732 13. frame. The element content is a layer-2 frame encoded as a
733 HEXBIN type.
735 14. packet. The element content is a layer-3 packet encoded as a
736 HEXBIN type.
738 15. ipv4-packet. The element content is an IPv4 packet encoded
739 as a HEXBIN type.
741 16. ipv6-packet. The element content is an IPv6 packet encoded
742 as a HEXBIN type.
744 17. url. The element content is of type URL.
746 18. csv. The element content is a comma-separated value (CSV)
747 list per Section 2 of [RFC4180] encoded as a STRING type.
749 19. winreg. The element content is a Windows registry key
750 encoded as a STRING type.
752 20. xml. The element content is XML. See Section 5.
754 21. ext-value. A value used to indicate that this attribute is
755 extended and the actual value is provided using the
756 corresponding ext-* attribute. See Section 5.1.1.
758 ext-dtype
759 Optional. STRING. A means by which to extend the dtype
760 attribute. See Section 5.1.1.
762 meaning
763 Optional. STRING. A free-form text description of the element
764 content.
766 formatid
767 Optional. STRING. An identifier referencing the format or
768 semantics of the element content.
770 restriction
771 Optional. ENUM. See Section 3.3.1.
773 ext-restriction
774 Optional. STRING. A means by which to extend the restriction
775 attribute. See Section 5.1.1.
777 observable-id
778 Optional. ID. See Section 3.3.2.
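As an added example (not code from the draft), the following Python decodes the element content of an AdditionalData element according to its dtype, covering the atomic types listed above as well as the xml and ext-value cases; the same converters apply to the subset of dtype values used by SoftwareReference. The IODEF v2 namespace URN is an assumption (this section does not state it), as is the PORTLIST syntax of comma-separated ports with dash ranges.

```python
"""Decode the element content of an iodef:ExtensionType (AdditionalData)
according to its dtype attribute, as described in Section 2.16."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace assumed for this example; the draft registers the IODEF v2 URN.
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def parse_portlist(text):
    """PORTLIST, assumed here as comma-separated ports with dash ranges ('22,80-82')."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    if any(p < 0 or p > 65535 for p in ports):
        raise ValueError("port out of range in PORTLIST: %r" % text)
    return ports


def parse_boolean(text):
    # XML Schema boolean lexical forms; anything else is a malformed document
    return {"true": True, "1": True, "false": False, "0": False}[text]


def parse_character(text):
    if len(text) != 1:
        raise ValueError("dtype='character' requires exactly one character")
    return text


def parse_datetime(text):
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


# dtype -> converter for the atomic data types of Section 2.16
CONVERTERS = {
    "string": str, "path": str, "winreg": str, "url": str, "csv": str,
    "integer": int, "byte": int, "real": float,
    "boolean": parse_boolean, "character": parse_character,
    "date-time": parse_datetime, "ntpstamp": parse_datetime,
    "bytes": bytes.fromhex, "frame": bytes.fromhex, "packet": bytes.fromhex,
    "ipv4-packet": bytes.fromhex, "ipv6-packet": bytes.fromhex,
    "file": base64.b64decode,
    "portlist": parse_portlist,
}


def decode_extension(elem):
    """Return (kind, value): kind is the dtype, 'xml', or 'ext-value:<ext-dtype>'."""
    dtype = elem.get("dtype", "string")       # the draft's default value
    text = (elem.text or "").strip()
    if dtype == "ext-value":
        ext = elem.get("ext-dtype")
        if not ext:
            raise ValueError("dtype='ext-value' requires the ext-dtype attribute")
        # the recipient must know the extension; hand the raw text back untouched
        return ("ext-value:" + ext, text)
    if dtype == "xml":
        children = list(elem)
        if not children:
            raise ValueError("dtype='xml' but the element has no child element")
        return ("xml", children)
    if dtype not in CONVERTERS:
        raise ValueError("unknown dtype %r" % dtype)
    return (dtype, CONVERTERS[dtype](text))


def decode_all(xml_text):
    """Map each AdditionalData name in an IODEF fragment to its decoded value."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): decode_extension(e)
            for e in root.iter("{%s}AdditionalData" % NS)}


# Constructed sample: one Incident carrying several AdditionalData extensions.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0" purpose="reporting">
  <AdditionalData name="sample-id" dtype="bytes" meaning="hash prefix">0a0b0c</AdditionalData>
  <AdditionalData name="hits" dtype="integer">42</AdditionalData>
  <AdditionalData name="seen" dtype="date-time">2016-05-10T12:00:00Z</AdditionalData>
  <AdditionalData name="ports" dtype="portlist">22,80-82</AdditionalData>
  <AdditionalData name="note">free text, dtype defaults to string</AdditionalData>
  <AdditionalData name="extra" dtype="xml">
    <x:thing xmlns:x="urn:example:ext">v</x:thing>
  </AdditionalData>
  <AdditionalData name="blob" dtype="ext-value" ext-dtype="json">{"a": 1}</AdditionalData>
</Incident>"""

# Constructed malformed sample: ext-value without the required ext-dtype.
BAD_SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0" purpose="reporting">
  <AdditionalData name="blob" dtype="ext-value">{"a": 1}</AdditionalData>
</Incident>"""
```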
780 3. The IODEF Information Model
782 The specifics of the IODEF information model are discussed in this
783 section. Each class and its relationships with the other classes is
784 described. When necessary, clarifications are made about translating
785 this information model to the schema in Section 8.
787 3.1. IODEF-Document Class
789 The IODEF-Document class is the top level class in the IODEF data
790 model. All IODEF documents are an instance of this class.
792 +--------------------------+
793 | IODEF-Document |
794 +--------------------------+
795 | STRING version |<>--{1..*}--[ Incident ]
796 | ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
797 | STRING format-id |
798 | STRING private-enum-name |
799 | STRING private-enum-id |
800 +--------------------------+
802 Figure 5: IODEF-Document Class
804 The aggregate classes of the IODEF-Document class are:
806 Incident
807 One or more. The information related to a single incident. See
808 Section 3.2.
810 AdditionalData
811 Zero or more. EXTENSION. Mechanism by which to extend the data
812 model.
814 The attributes of the IODEF-Document class are:
816 version
817 Required. STRING. The IODEF specification version number to
818 which this IODEF document conforms. The value of this attribute
819 MUST be "2.00".
821 xml:lang
822 Optional. ENUM. A language identifier per Section 2.12 of
823 [W3C.XML] whose values and form are described in [RFC5646]. The
824 interpretation of this code is described in Section 6.
826 format-id
827 Optional. STRING. A free-form string to convey processing
828 instructions to the recipient of the document. Its semantics must
829 be negotiated out-of-band.
831 private-enum-name
832 Optional. STRING. A globally unique identifier for the CSIRT
833 generating the document to deconflict private extensions used in
834 the document. The fully qualified domain name associated with the
835 CSIRT MUST be used as the identifier. See Section 5.3.
837 private-enum-id
838 Optional. STRING. An organizationally unique identifier for an
839 extension used in the document. If this attribute is set, the
840 private-enum-name MUST also be set. See Section 5.3.
842 3.2. Incident Class
844 The Incident class describes commonly exchanged information when
845 reporting or sharing derived analysis from security incidents.
847 +-------------------------+
848 | Incident |
849 +-------------------------+
850 | ENUM purpose |<>----------[ IncidentID ]
851 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
852 | ENUM status |<>--{0..*}--[ RelatedActivity ]
853 | STRING ext-status |<>--{0..1}--[ DetectTime ]
854 | ENUM xml:lang |<>--{0..1}--[ StartTime ]
855 | ENUM restriction |<>--{0..1}--[ EndTime ]
856 | STRING ext-restriction |<>--{0..1}--[ RecoveryTime ]
857 | ID observable-id |<>--{0..1}--[ ReportTime ]
858 | |<>----------[ GenerationTime ]
859 | |<>--{0..*}--[ Description ]
860 | |<>--{0..*}--[ Discovery ]
861 | |<>--{0..*}--[ Assessment ]
862 | |<>--{0..*}--[ Method ]
863 | |<>--{1..*}--[ Contact ]
864 | |<>--{0..*}--[ EventData ]
865 | |<>--{0..1}--[ IndicatorData ]
866 | |<>--{0..1}--[ History ]
867 | |<>--{0..*}--[ AdditionalData ]
868 +-------------------------+
870 Figure 6: The Incident Class
872 The aggregate classes of the Incident class are:
874 IncidentID
875 One. An incident tracking number assigned to this incident by the
876 CSIRT that generated the IODEF document. See Section 3.4.
878 AlternativeID
879 Zero or one. The incident tracking numbers used by other CSIRTs
880 to refer to the incident described in the document. See
881 Section 3.5.
883 RelatedActivity
884 Zero or more. Related activity and attribution of this activity.
885 See Section 3.6.
887 DetectTime
888 Zero or one. DATETIME. The time the incident was first detected.
890 StartTime
891 Zero or one. DATETIME. The time the incident started.
893 EndTime
894 Zero or one. DATETIME. The time the incident ended.
896 RecoveryTime
897 Zero or one. DATETIME. The time the site recovered from the
898 incident.
900 ReportTime
901 Zero or one. DATETIME. The time the incident was reported.
903 GenerationTime
904 One. DATETIME. The time the content in this Incident class was
905 generated.
907 Description
908 Zero or more. ML_STRING. A free-form text description of the
909 incident.
911 Discovery
912 Zero or more. The means by which this incident was detected. See
913 Section 3.10.
915 Assessment
916 Zero or more. A characterization of the impact of the incident.
917 See Section 3.12.
919 Method
920 Zero or more. The techniques used by the threat actor in the
921 incident. See Section 3.11.
923 Contact
924 One or more. Contact information for the parties involved in the
925 incident. See Section 3.9.
927 EventData
928 Zero or more. Description of the events comprising the incident.
929 See Section 3.14.
931 IndicatorData
932 Zero or one. Indicators from the analysis of an incident. See
933 Section 3.28.
935 History
936 Zero or one. A log of significant events or actions that occurred
937 during the course of handling the incident. See Section 3.13.
939 AdditionalData
940 Zero or more. EXTENSION. Mechanism by which to extend the data
941 model.
943 The attributes of the Incident class are:
945 purpose
946 Required. ENUM. The purpose attribute describes the rationale
947 for documenting the information in this class. It is closely
948 related to the Expectation class (Section 3.15). These
949 values are maintained in the "Incident-purpose" IANA registry per
950 Section 10.2. This attribute is defined as an enumerated list:
952 1. traceback. The Incident was sent for trace-back purposes.
954 2. mitigation. The Incident was sent to request aid in
955 mitigating the described activity.
957 3. reporting. The Incident was sent to comply with reporting
958 requirements.
960 4. watch. The Incident was sent to convey indicators that should
961 be monitored.
963 5. other. The Incident was sent for purposes specified in the
964 Expectation class.
966 6. ext-value. A value used to indicate that this attribute is
967 extended and the actual value is provided using the
968 corresponding ext-* attribute. See Section 5.1.1.
970 ext-purpose
971 Optional. STRING. A means by which to extend the purpose
972 attribute. See Section 5.1.1.
974 status
975 Optional. ENUM. The status attribute conveys the state in a
976 workflow where the incident is currently found. These values are
977 maintained in the "Incident-status" IANA registry per
978 Section 10.2. This attribute is defined as an enumerated list:
980 1. new. The Incident is newly reported and has not been
981 actioned.
983 2. in-progress. The contents of this Incident are under
984 investigation.
986 3. forwarded. The Incident has been forwarded to another party
987 for handling.
989 4. resolved. The investigation into the activity in this
990 Incident has concluded.
992 5. future. The described activity has not yet been detected.
994 6. ext-value. A value used to indicate that this attribute is
995 extended and the actual value is provided using the
996 corresponding ext-* attribute. See Section 5.1.1.
998 ext-status
999 Optional. STRING. A means by which to extend the status
1000 attribute. See Section 5.1.1.
1002 xml:lang
1003 Optional. ENUM. A language identifier per Section 2.12 of
1004 [W3C.XML] whose values and form are described in [RFC5646]. The
1005 interpretation of this code is described in Section 6.
1007 restriction
1008 Optional. ENUM. See Section 3.3.1. The default value is
1009 "private".
1011 ext-restriction
1012 Optional. STRING. A means by which to extend the restriction
1013 attribute. See Section 5.1.1.
1015 observable-id
1016 Optional. ID. See Section 3.3.2.
1018 3.3. Common Attributes
1020 There are a number of recurring attributes used in the information
1021 model. They are documented in this section.
1023 3.3.1. restriction Attribute
1025 The restriction attribute indicates the disclosure guidelines to
1026 which the sender expects the recipient to adhere for the information
1027 represented in this class and its children. This guideline provides
1028 no security since there are no technical means to ensure that the
1029 recipient of the document handles the information as the sender
1030 requested.
1032 The value of this attribute is logically inherited by the children of
1033 this class. That is to say, the disclosure rules applied to this
1034 class, also apply to its children.
1036 It is possible to set a granular disclosure policy, since all of the
1037 high-level classes (i.e., children of the Incident class) have a
1038 restriction attribute. Therefore, a child can override the
1039 guidelines of a parent class, be it to restrict or relax the
1040 disclosure rules (e.g., a child has a weaker policy than an ancestor;
1041 or an ancestor has a weak policy, and the children selectively apply
1042 more rigid controls). The implicit value of the restriction
1043 attribute for a class that did not specify one can be found in the
1044 closest ancestor that did specify a value.
1046 This attribute is defined as an enumerated value with a default value
1047 of "private". Note that the default value of the restriction
1048 attribute is only defined in the context of the Incident class. In
1049 other classes where this attribute is used, no default is specified.
1051 These values are maintained in the "Restriction" IANA registry per
1052 Section 10.2.
1054 1. public. The information can be freely distributed without
1055 restriction.
1057 2. partner. The information may be shared within a closed
1058 community of peers, partners, or affected parties, but cannot be
1059 openly published.
1061 3. need-to-know. The information may be shared only within the
1062 organization with individuals that have a need to know.
1064 4. private. The information may not be shared.
1066 5. default. The information can be shared according to an
1067 information disclosure policy pre-arranged by the communicating
1068 parties.
1070 6. white. Same as 'public'.
1072 7. green. Same as 'partner'.
1074 8. amber. Same as 'need-to-know'.
1076 9. red. Same as 'private'.
1078 10. ext-value. A value used to indicate that this attribute is
1079 extended and the actual value is provided using the
1080 corresponding ext-* attribute. See Section 5.1.1.
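The inheritance rule described above, as an added Python example rather than text from the draft: it computes the effective restriction of every element in an Incident (closest ancestor with an explicit value wins, "private" only as the Incident-level default), maps the TLP colour aliases to their base values, and treats "default" and ext-value as policies that have to be consulted out of band. The IODEF v2 namespace URN is an assumption.

```python
"""Resolve the effective restriction of every element in an Incident,
following the inheritance rules of Section 3.3.1."""
import xml.etree.ElementTree as ET

# Namespace assumed for this example (the IODEF v2 URN).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# The TLP colours in the Restriction registry are aliases of the base values.
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}
BASE_VALUES = {"public", "partner", "need-to-know", "private", "default"}

# Which effective restrictions permit release to which audience.  'default'
# means a pre-arranged policy this code cannot know, so the answer is None.
AUDIENCE_ALLOWS = {
    "public":   {"public"},
    "partner":  {"public", "partner"},
    "internal": {"public", "partner", "need-to-know"},
}


def local_name(elem):
    return elem.tag.rsplit("}", 1)[-1]


def explicit_restriction(elem):
    """The restriction an element states itself, normalised; None if unset."""
    value = elem.get("restriction")
    if value is None:
        return None
    if value == "ext-value":
        ext = elem.get("ext-restriction")
        if not ext:
            raise ValueError("restriction='ext-value' needs ext-restriction on <%s>"
                             % local_name(elem))
        return "ext-value:" + ext
    value = ALIASES.get(value, value)
    if value not in BASE_VALUES:
        raise ValueError("unknown restriction %r on <%s>" % (value, local_name(elem)))
    return value


def effective_restriction(path):
    """path is the list of elements from the Incident down to the element.

    The closest ancestor (or the element itself) that sets a value wins; the
    'private' default applies only when the root of the path is Incident."""
    for elem in reversed(path):
        value = explicit_restriction(elem)
        if value is not None:
            return value
    if path and local_name(path[0]) == "Incident":
        return "private"
    return None


def resolve_tree(xml_text):
    """Return [(path, effective_restriction)] for every element of an Incident."""
    root = ET.fromstring(xml_text)
    results = []

    def walk(elem, path):
        path = path + [elem]
        results.append(("/".join(local_name(e) for e in path),
                        effective_restriction(path)))
        for child in elem:
            walk(child, path)

    walk(root, [])
    return results


def may_disclose(effective, audience):
    """True/False for the base values; None when a pre-arranged or extended
    policy must be consulted out of band."""
    if effective is None or effective == "default" or effective.startswith("ext-value:"):
        return None
    return effective in AUDIENCE_ALLOWS[audience]


# Constructed sample: Incident without a restriction (so 'private' applies),
# a Contact relaxed to 'green', and a Telephone tightened again.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0" purpose="reporting">
  <IncidentID name="csirt.example.com">INC-0001</IncidentID>
  <Contact role="creator" type="organization" restriction="green">
    <ContactName>Example CSIRT</ContactName>
    <Email><EmailTo>irt@example.com</EmailTo></Email>
    <Telephone restriction="need-to-know">
      <TelephoneNumber>+1 555 0100</TelephoneNumber>
    </Telephone>
  </Contact>
  <Assessment restriction="ext-value" ext-restriction="partner-nda"/>
</Incident>"""

if __name__ == "__main__":
    for path, eff in resolve_tree(SAMPLE):
        print("%-45s %s" % (path, eff))
```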
1082 3.3.2. observable-id Attribute
1084 The observable-id attribute tags information in the document as an
1085 observable so that it can be referenced later in the description of
1086 an indicator. The value of this attribute is a unique identifier in
1087 the scope of the document. It is used by the ObservableReference
1088 class to enumerate observables when defining an indicator with the
1089 IndicatorData class.
1091 3.4. IncidentID Class
1093 The IncidentID class represents a tracking number that is unique in
1094 the context of the CSIRT. It serves as an identifier for an incident
1095 or a document identifier when sharing indicators. This identifier
1096 would serve as an index into a CSIRT's incident handling or knowledge
1097 management system.
1099 The combination of the name attribute and the string in the element
1100 content MUST be a globally unique identifier describing the activity.
1101 Documents generated by a given CSIRT MUST NOT reuse the same value
1102 unless they are referencing the same incident.
1104 +------------------------+
1105 | IncidentID |
1106 +------------------------+
1107 | STRING |
1108 | |
1109 | STRING name |
1110 | STRING instance |
1111 | ENUM restriction |
1112 | STRING ext-restriction |
1113 +------------------------+
1115 Figure 7: The IncidentID Class
1117 The content of the class is an incident identifier of type STRING.
1119 The attributes of the IncidentID class are:
1121 name
1122 Required. STRING. An identifier describing the CSIRT that
1123 created the document. In order to have a globally unique CSIRT
1124 name, the fully qualified domain name associated with the CSIRT
1125 MUST be used.
1127 instance
1128 Optional. STRING. An identifier referencing a subset of the
1129 named incident.
1131 restriction
1132 Optional. ENUM. See Section 3.3.1.
1134 ext-restriction
1135 Optional. STRING. A means by which to extend the restriction
1136 attribute. See Section 5.1.1.
1138 3.5. AlternativeID Class
1140 The AlternativeID class lists the tracking numbers used by CSIRTs,
1141 other than the one generating the document, to refer to the identical
1142 activity described in the IODEF document. A tracking number listed
1143 as an AlternativeID references the same incident detected by another
1144 CSIRT. The tracking numbers of the CSIRT that generated the IODEF
1145 document must never be considered an AlternativeID.
1147 +------------------------+
1148 | AlternativeID |
1149 +------------------------+
1150 | ENUM restriction |<>--{1..*}--[ IncidentID ]
1151 | STRING ext-restriction |
1152 +------------------------+
1154 Figure 8: The AlternativeID Class
1156 The aggregate class of the AlternativeID class is:
1158 IncidentID
1159 One or more. The tracking number of another CSIRT. See
1160 Section 3.4.
1162 The attributes of the AlternativeID class are:
1164 restriction
1165 Optional. ENUM. See Section 3.3.1.
1167 ext-restriction
1168 Optional. STRING. A means by which to extend the restriction
1169 attribute. See Section 5.1.1.
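An added example (not the draft's own code) that checks the MUST-level rules of Sections 3.1, 3.2, 3.4 and 3.5 on a whole IODEF-Document: the version string, private-enum-id requiring private-enum-name, the required Incident children, ext-value attributes carrying their ext-* counterpart, and the generating CSIRT never appearing as an AlternativeID. The IODEF v2 namespace URN is an assumption, and a duplicate IncidentID across the Incident elements of one document is flagged as a conservative reading of the reuse rule in Section 3.4.

```python
"""Check MUST-level rules of Sections 3.1, 3.2, 3.4 and 3.5 on an
IODEF-Document and report every violation found."""
import xml.etree.ElementTree as ET

# Namespace assumed for this example (the IODEF v2 URN).
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    """Qualify a local name with the IODEF namespace for ElementTree lookups."""
    return "{%s}%s" % (NS, name)


def check_ext(elem, attr, where, problems):
    """An ENUM set to ext-value MUST carry the matching ext-* attribute (Section 5.1.1)."""
    if elem.get(attr) == "ext-value" and not elem.get("ext-" + attr):
        problems.append("%s: %s='ext-value' without ext-%s" % (where, attr, attr))


def check_incident(inc, where, seen_ids, problems):
    if inc.get("purpose") is None:
        problems.append(where + ": purpose is required")
    for attr in ("purpose", "status", "restriction"):
        check_ext(inc, attr, where, problems)
    iid = inc.find(q("IncidentID"))
    if iid is None:
        problems.append(where + ": exactly one IncidentID is required")
        own_name = None
    else:
        own_name = iid.get("name")
        value = (iid.text or "").strip()
        if not own_name:
            problems.append(where + ": IncidentID name (CSIRT FQDN) is required")
        # Section 3.4: a CSIRT MUST NOT reuse an identifier for a different
        # incident, read conservatively here as "no duplicates in one document"
        key = (own_name, value, iid.get("instance"))
        if key in seen_ids:
            problems.append(where + ": IncidentID %s/%s reused" % (own_name, value))
        seen_ids.add(key)
    # Section 3.5: the generating CSIRT's own numbers are never AlternativeIDs
    for alt in inc.findall(q("AlternativeID") + "/" + q("IncidentID")):
        if own_name and alt.get("name") == own_name:
            problems.append(where + ": AlternativeID names the generating CSIRT %s"
                            % own_name)
    if inc.find(q("GenerationTime")) is None:
        problems.append(where + ": GenerationTime is required")
    if inc.find(q("Contact")) is None:
        problems.append(where + ": at least one Contact is required")


def check_document(xml_text):
    """Return a list of rule violations; an empty list means the checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return ["root element is %s, expected IODEF-Document" % root.tag]
    if root.get("version") != "2.00":
        problems.append("version MUST be '2.00', got %r" % root.get("version"))
    if root.get("private-enum-id") and not root.get("private-enum-name"):
        problems.append("private-enum-id set without private-enum-name")
    incidents = root.findall(q("Incident"))
    if not incidents:
        problems.append("IODEF-Document MUST contain at least one Incident")
    seen_ids = set()
    for i, inc in enumerate(incidents):
        check_incident(inc, "Incident[%d]" % i, seen_ids, problems)
    return problems


# Constructed sample that satisfies every rule checked above.
VALID = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    private-enum-name="csirt.example.com" private-enum-id="ext1">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <AlternativeID><IncidentID name="peer.example.net">P-77</IncidentID></AlternativeID>
    <GenerationTime>2016-05-10T12:00:00Z</GenerationTime>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
  </Incident>
</IODEF-Document>"""

# Constructed sample that breaks several rules at once.
INVALID = """<IODEF-Document version="1.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    private-enum-id="ext1">
  <Incident purpose="ext-value">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <AlternativeID><IncidentID name="csirt.example.com">INC-0002</IncidentID></AlternativeID>
    <GenerationTime>2016-05-10T12:00:00Z</GenerationTime>
  </Incident>
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <GenerationTime>2016-05-10T12:00:00Z</GenerationTime>
    <Contact role="creator" type="organization"><ContactName>X</ContactName></Contact>
  </Incident>
</IODEF-Document>"""
```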
1171 3.6. RelatedActivity Class
1173 The RelatedActivity class relates the information described in the
1174 rest of the document to previously observed incidents or activity;
1175 and allows attribution to a specific actor or campaign.
1177 +------------------------+
1178 | RelatedActivity |
1179 +------------------------+
1180 | ENUM restriction |<>--{0..*}--[ IncidentID ]
1181 | STRING ext-restriction |<>--{0..*}--[ URL ]
1182 | |<>--{0..*}--[ ThreatActor ]
1183 | |<>--{0..*}--[ Campaign ]
1184 | |<>--{0..*}--[ IndicatorID ]
1185 | |<>--{0..1}--[ Confidence ]
1186 | |<>--{0..*}--[ Description ]
1187 | |<>--{0..*}--[ AdditionalData ]
1188 +------------------------+
1190 Figure 9: RelatedActivity Class
1192 The aggregate classes of the RelatedActivity class are:
1194 IncidentID
1195 Zero or more. The tracking number of a related incident. See
1196 Section 3.4.
1198 URL
1199 Zero or more. URL. A URL to activity related to this incident.
1201 ThreatActor
1202 Zero or more. The threat actor to whom the incident activity is
1203 attributed. See Section 3.7.
1205 Campaign
1206 Zero or more. The campaign of a given threat actor to whom the
1207 described activity is attributed. See Section 3.8.
1209 IndicatorID
1210 Zero or more. A reference to a related indicator. See
1211 Section 3.4.
1213 Confidence
1214 Zero or one. An estimate of the confidence in attributing this
1215 RelatedActivity to the events described in the document. See
1216 Section 3.12.5.
1218 Description
1219 Zero or more. ML_STRING. A description of how these
1220 relationships were derived.
1222 AdditionalData
1223 Zero or more. EXTENSION. A mechanism by which to extend the data
1224 model.
1226 The RelatedActivity class MUST have at least one instance of any of
1227 the following child classes: IncidentID, URL, ThreatActor, Campaign,
1228 Description or AdditionalData.
1230 The attributes of the RelatedActivity class are:
1232 restriction
1233 Optional. ENUM. See Section 3.3.1.
1235 ext-restriction
1236 Optional. STRING. A means by which to extend the restriction
1237 attribute. See Section 5.1.1.
1239 3.7. ThreatActor Class
1241 The ThreatActor class describes a threat actor.
1243 +------------------------+
1244 | ThreatActor |
1245 +------------------------+
1246 | ENUM restriction |<>--{0..*}--[ ThreatActorID ]
1247 | STRING ext-restriction |<>--{0..*}--[ URL ]
1248 | |<>--{0..*}--[ Description ]
1249 | |<>--{0..*}--[ AdditionalData ]
1250 +------------------------+
1252 Figure 10: ThreatActor Class
1254 The aggregate classes of the ThreatActor class are:
1256 ThreatActorID
1257 Zero or more. STRING. An identifier for the threat actor.
1259 URL
1260 Zero or more. URL. A URL to a reference describing the threat
1261 actor.
1263 Description
1264 Zero or more. ML_STRING. A description of the threat actor.
1266 AdditionalData
1267 Zero or more. EXTENSION. A mechanism by which to extend the data
1268 model.
1270 The ThreatActor class MUST have at least one instance of a child
1271 class.
1273 The attributes of the ThreatActor class are:
1275 restriction
1276 Optional. ENUM. See Section 3.3.1.
1278 ext-restriction
1279 Optional. STRING. A means by which to extend the restriction
1280 attribute. See Section 5.1.1.
1282 3.8. Campaign Class
1284 The Campaign class describes a campaign of attacks by a threat actor.
1286 +------------------------+
1287 | Campaign |
1288 +------------------------+
1289 | ENUM restriction |<>--{0..*}--[ CampaignID ]
1290 | STRING ext-restriction |<>--{0..*}--[ URL ]
1291 | |<>--{0..*}--[ Description ]
1292 | |<>--{0..*}--[ AdditionalData ]
1293 +------------------------+
1295 Figure 11: Campaign Class
1297 The aggregate classes of the Campaign class are:
1299 CampaignID
1300 Zero or more. STRING. An identifier for the campaign.
1302 URL
1303 Zero or more. URL. A URL to a reference describing the campaign.
1305 Description
1306 Zero or more. ML_STRING. A description of the campaign.
1308 AdditionalData
1309 Zero or more. EXTENSION. A mechanism by which to extend the data
1310 model.
1312 The Campaign class MUST have at least one instance of a child class.
1314 The attributes of the Campaign class are:
1316 restriction
1317 Optional. ENUM. See Section 3.3.1.
1319 ext-restriction
1320 Optional. STRING. A means by which to extend the restriction
1321 attribute. See Section 5.1.1.
1323 3.9. Contact Class
1325 The Contact class describes contact information for organizations and
1326 personnel involved in the incident. This class allows for the naming
1327 of the involved party, specifying contact information for them, and
1328 identifying their role in the incident.
1330 People and organizations are treated interchangeably as contacts; one
1331 can be associated with the other using the recursive definition of
1332 the class (the Contact class is aggregated into the Contact class).
1333 The 'type' attribute disambiguates the type of contact information
1334 being provided.
1336 The recursive definition of Contact provides a way to relate
1337 information without requiring the explicit use of identifiers or
1338 duplication of data. A complete point of contact is derived by a
1339 particular traversal from the root Contact class to the leaf Contact
1340 class. Each child Contact class logically inherits contact
1341 information from its ancestors.
1343 +------------------------+
1344 | Contact |
1345 +------------------------+
1346 | ENUM role |<>--{0..*}--[ ContactName ]
1347 | STRING ext-role |<>--{0..*}--[ ContactTitle ]
1348 | ENUM type |<>--{0..*}--[ Description ]
1349 | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
1350 | ENUM restriction |<>--{0..*}--[ PostalAddress ]
1351 | STRING ext-restriction |<>--{0..*}--[ Email ]
1352 | |<>--{0..*}--[ Telephone ]
1353 | |<>--{0..1}--[ Timezone ]
1354 | |<>--{0..*}--[ Contact ]
1355 | |<>--{0..*}--[ AdditionalData ]
1356 +------------------------+
1358 Figure 12: The Contact Class
1360 The aggregate classes of the Contact class are:
1362 ContactName
1363 Zero or more. ML_STRING. The name of the contact. The contact
1364 may either be an organization or a person. The type attribute
1365 disambiguates the semantics.
1367 ContactTitle
1368 Zero or more. ML_STRING. The title for the individual named in
1369 the ContactName.
1371 Description
1372 Zero or more. ML_STRING. A free-form text description of the
1373 contact.
1375 RegistryHandle
1376 Zero or more. A handle name into the registry of the contact.
1377 See Section 3.9.1.
1379 PostalAddress
1380 Zero or more. The postal address of the contact. See
1381 Section 3.9.2.
1383 Email
1384 Zero or more. The email address of the contact. See
1385 Section 3.9.3.
1387 Telephone
1388 Zero or more. The telephone number of the contact. See
1389 Section 3.9.4.
1391 Timezone
1392 Zero or one. TIMEZONE. The timezone in which the contact
1393 resides.
1395 Contact
1396 Zero or more. A recursive definition of the Contact class. This
1397 definition can be used to group common data pertaining to multiple
1398 points of contact and is especially useful when listing multiple
1399 contacts at the same organization.
1401 AdditionalData
1402 Zero or more. EXTENSION. A mechanism by which to extend the data
1403 model.
1405 At least one of the aggregate classes MUST be present in an instance
1406 of the Contact class.
1408 The attributes of the Contact class are:
1410 role
1411 Required. ENUM. Indicates the role the contact fulfills. These
1412 values are maintained in the "Contact-role" IANA registry per
1413 Section 10.2.
1415 1. creator. The entity that generated the document.
1417 2. reporter. The entity that reported the information.
1419 3. admin. An administrative contact or business owner for an
1420 asset or organization.
1422 4. tech. An entity responsible for the day-to-day management of
1423 technical issues for an asset or organization.
1425 5. provider. An external hosting provider for an asset.
1427 6. zone. An entity with authority over a DNS zone.
1429 7. user. An end-user of an asset or part of an organization.
1431 8. billing. An entity responsible for billing issues for an
1432 asset or organization.
1434 9. legal. An entity responsible for legal issues related to an
1435 asset or organization.
1437 10. irt. An entity responsible for handling security issues for
1438 an asset or organization.
1440 11. abuse. An entity responsible for handling abuse originating
1441 from an asset or organization.
1443 12. cc. An entity that is to be kept informed about the events
1444 related to an asset or organization.
1446 13. cc-irt. A CSIRT or information sharing organization
1447 coordinating activity related to an asset or organization.
1449 14. leo. A law enforcement organization supporting the
1450 investigation of activity affecting an asset or organization.
1452 15. vendor. The vendor that produces an asset.
1454 16. vendor-support. A vendor that provides services.
1456 17. victim. A victim in the incident.
1458 18. victim-notified. A victim in the incident who has been
1459 notified.
1461 19. ext-value. A value used to indicate that this attribute is
1462 extended and the actual value is provided using the
1463 corresponding ext-* attribute. See Section 5.1.1.
1465 ext-role
1466 Optional. STRING. A means by which to extend the role attribute.
1467 See Section 5.1.1.
1469 type
1470 Required. ENUM. Indicates the type of contact being described.
1471 This attribute is defined as an enumerated list. These values are
1472 maintained in the "Contact-type" IANA registry per Section 10.2.
1474 1. person. The information for this contact references an
1475 individual.
1477 2. organization. The information for this contact references an
1478 organization.
1480 3. ext-value. A value used to indicate that this attribute is
1481 extended and the actual value is provided using the
1482 corresponding ext-* attribute. See Section 5.1.1.
1484 ext-type
1485 Optional. STRING. A means by which to extend the type attribute.
1486 See Section 5.1.1.
1488 restriction
1489 Optional. ENUM. See Section 3.3.1.
1491 ext-restriction
1492 Optional. STRING. A means by which to extend the restriction
1493 attribute. See Section 5.1.1.
1495 3.9.1. RegistryHandle Class
1497 The RegistryHandle class represents a handle into an Internet
1498 registry or community-specific database.
1500 +---------------------+
1501 | RegistryHandle |
1502 +---------------------+
1503 | STRING |
1504 | |
1505 | ENUM registry |
1506 | STRING ext-registry |
1507 +---------------------+
1509 Figure 13: The RegistryHandle Class
1511 The content of the class is a handle into a registry of type STRING.
1513 The attributes of the RegistryHandle class are:
1515 registry
1516 Required. ENUM. The database to which the handle belongs. These
1517 values are maintained in the "RegistryHandle-registry" IANA
1518 registry per Section 10.2. The possible values are:
1520 1. internic. Internet Network Information Center
1522 2. apnic. Asia Pacific Network Information Center
1524 3. arin. American Registry for Internet Numbers
1526 4. lacnic. Latin-American and Caribbean IP Address Registry
1528 5. ripe. Réseaux IP Européens
1530 6. afrinic. African Internet Numbers Registry
1532 7. local. A database local to the CSIRT
1534 8. ext-value. A value used to indicate that this attribute is
1535 extended and the actual value is provided using the
1536 corresponding ext-* attribute. See Section 5.1.1.
1538 ext-registry
1539 Optional. STRING. A means by which to extend the registry
1540 attribute. See Section 5.1.1.
1542 3.9.2. PostalAddress Class
1544 The PostalAddress class specifies a postal address and associated
1545 annotation.
1547 +--------------------+
1548 | PostalAddress |
1549 +--------------------+
1550 | ENUM type |<>----------[ PAddress ]
1551 | STRING ext-type |<>--{0..*}--[ Description ]
1552 +--------------------+
1554 Figure 14: The PostalAddress Class
1556 The aggregate classes of the PostalAddress class are:
1558 PAddress
1559 One. POSTAL. A postal address.
1561 Description
1562 Zero or more. ML_STRING. A free-form text description of the
1563 address.
1565 The attributes of the PostalAddress class are:
1567 type
1568 Optional. ENUM. Categorizes the type of address described in the
1569 PAddress class. These values are maintained in the
1570 "PostalAddress-type" IANA registry per Section 10.2.
1572 1. street. An address describing a physical location.
1574 2. mailing. An address to which correspondence should be sent.
1576 3. ext-value. A value used to indicate that this attribute is
1577 extended and the actual value is provided using the
1578 corresponding ext-* attribute. See Section 5.1.1.
1580 ext-type
1581 Optional. STRING. A means by which to extend the type attribute.
1582 See Section 5.1.1.
1584 3.9.3. Email Class
1586 The Email class specifies an email address and associated annotation.
1588 +--------------------+
1589 | Email |
1590 +--------------------+
1591 | ENUM type |<>----------[ EmailTo ]
1592 | STRING ext-type |<>--{0..*}--[ Description ]
1593 +--------------------+
1595 Figure 15: The Email Class
1597 The aggregate classes of the Email class are:
1599 EmailTo
1600 One. EMAIL. An email address.
1602 Description
1603 Zero or more. ML_STRING. A free-form text description of the
1604 email address.
1606 The attributes of the Email class are:
1608 type
1609 Optional. ENUM. Categorizes the type of email address described
1610 in the EmailTo class. These values are maintained in the "Email-
1611 type" IANA registry per Section 10.2.
1613 1. direct. An email address of an individual.
1615 2. hotline. An email address regularly monitored for operational
1616 purposes.
1618 3. ext-value. A value used to indicate that this attribute is
1619 extended and the actual value is provided using the
1620 corresponding ext-* attribute. See Section 5.1.1.
1622 ext-type
1623 Optional. STRING. A means by which to extend the type attribute.
1624 See Section 5.1.1.
1626 3.9.4. Telephone Class
1628 The Telephone class describes a telephone number and associated
1629 annotation.
1631 +--------------------+
1632 | Telephone |
1633 +--------------------+
1634 | ENUM type |<>----------[ TelephoneNumber ]
1635 | STRING ext-type |<>--{0..*}--[ Description ]
1636 +--------------------+
1638 Figure 16: The Telephone Class
1640 The aggregate classes of the Telephone class are:
1642 TelephoneNumber
1643 One. PHONE. A telephone number.
1645 Description
1646 Zero or more. ML_STRING. A free-form text description of the
1647 phone number.
1649 The attributes of the Telephone class are:
1651 type
1652 Optional. ENUM. Categorizes the type of telephone number
1653 described in the TelephoneNumber class. These values are
1654 maintained in the "Telephone-type" IANA registry per Section 10.2.
1656 1. wired. A number of a wire-line (land-line) phone.
1658 2. mobile. A number of a mobile phone.
1660 3. fax. A number to a fax machine.
1662 4. hotline. A number to a regularly monitored operational
1663 hotline.
1665 5. ext-value. A value used to indicate that this attribute is
1666 extended and the actual value is provided using the
1667 corresponding ext-* attribute. See Section 5.1.1.
1669 ext-type
1670 Optional. STRING. A means by which to extend the type attribute.
1671 See Section 5.1.1.
1673 3.10. Discovery Class
1675 The Discovery class describes how an incident was detected.
1677 +------------------------+
1678 | Discovery |
1679 +------------------------+
1680 | ENUM source |<>--{0..*}--[ Description ]
1681 | STRING ext-source |<>--{0..*}--[ Contact ]
1682 | ENUM restriction |<>--{0..*}--[ DetectionPattern ]
1683 | STRING ext-restriction |
1684 +------------------------+
1686 Figure 17: The Discovery Class
1688 The aggregate classes of the Discovery class are:
1690 Description
1691 Zero or more. ML_STRING. A free-form text description of how
1692 this incident was detected.
1694 Contact
1695 Zero or more. Contact information for the party that discovered
1696 the incident. See Section 3.9.
1698 DetectionPattern
1699 Zero or more. Describes an application-specific configuration
1700 that detected the incident. See Section 3.10.1.
1702 The attributes of the Discovery class are:
1704 source
1705 Optional. ENUM. Categorizes the techniques used to discover the
1706 incident. These values are partially derived from Table 3-1 of
1707 [NIST800.61rev2]. These values are maintained in the "Discovery-
1708 source" IANA registry per Section 10.2.
1710 1. nidps. Network Intrusion Detection or Prevention system.
1712 2. hips. Host-based Intrusion Prevention system.
1714 3. siem. Security Information and Event Management System.
1716 4. av. Antivirus or antispam software.
1718 5. third-party-monitoring. Contracted third-party monitoring
1719 service.
1721 6. incident. The activity was discovered while investigating an
1722 unrelated incident.
1724 7. os-log. Operating system logs.
1726 8. application-log. Application logs.
1728 9. device-log. Network device logs.
1730 10. network-flow. Network flow analysis.
1732 11. passive-dns. Passive DNS analysis.
1734 12. investigation. Manual investigation initiated based on
1735 notification of a new vulnerability or exploit.
1737 13. audit. Security audit.
1739 14. internal-notification. A party within the organization
1740 reported the activity.
1742 15. external-notification. A party outside of the organization
1743 reported the activity.
1745 16. leo. A law enforcement organization notified the victim
1746 organization.
1748 17. partner. A customer or business partner reported the
1749 activity to the victim organization.
1751 18. actor. The threat actor directly or indirectly reported this
1752 activity to the victim organization.
1754 19. unknown. Unknown detection approach.
1756 20. ext-value. A value used to indicate that this attribute is
1757 extended and the actual value is provided using the
1758 corresponding ext-* attribute. See Section 5.1.1.
1760 ext-source
1761 Optional. STRING. A means by which to extend the source
1762 attribute. See Section 5.1.1.
1764 restriction
1765 Optional. ENUM. See Section 3.3.1.
1767 ext-restriction
1768 Optional. STRING. A means by which to extend the restriction
1769 attribute. See Section 5.1.1.
1771 3.10.1. DetectionPattern Class
1773 The DetectionPattern class describes a configuration or signature
1774 that can be used by an IDS/IPS, SIEM, anti-virus, end-point
1775 protection, network analysis, malware analysis, or host forensics
1776 tool to identify a particular phenomenon. This class requires the
1777 identification of the target application and allows the configuration
1778 to be described in either free-form or machine readable form.
1780 +------------------------+
1781 | DetectionPattern |
1782 +------------------------+
1783 | ENUM restriction |<>----------[ Application ]
1784 | STRING ext-restriction |<>--{0..*}--[ Description ]
1785 | |<>--{0..*}--[ DetectionConfiguration ]
1786 +------------------------+
1788 Figure 18: The DetectionPattern Class
1790 The aggregate classes of the DetectionPattern class are:
1792 Application
1793 One. SOFTWARE. The application for which the
1794 DetectionConfiguration or Description is being provided.
1796 Description
1797 Zero or more. ML_STRING. A free-form text description of how to
1798 use the Application or provided DetectionConfiguration.
1800 DetectionConfiguration
1801 Zero or more. STRING. A machine consumable configuration to find
1802 a pattern of activity.
1804 Either an instance of the Description or DetectionConfiguration class
1805 MUST be present.
1807 The attributes of the DetectionPattern class are:
1809 restriction
1810 Optional. ENUM. See Section 3.3.1.
1812 ext-restriction
1813 Optional. STRING. A means by which to extend the restriction
1814 attribute. See Section 5.1.1.
1816 3.11. Method Class
1818 The Method class describes the tactics, techniques, procedures or
1819 weakness used by the threat actor in an incident. This class
1820 consists of both a list of references describing the attack methods
1821 and weaknesses and a free-form text description.
1823 +------------------------+
1824 | Method |
1825 +------------------------+
1826 | ENUM restriction |<>--{0..*}--[ Reference ]
1827 | STRING ext-restriction |<>--{0..*}--[ Description ]
1828 | |<>--{0..*}--[ sci:AttackPattern ]
1829 | |<>--{0..*}--[ sci:Vulnerability ]
1830 | |<>--{0..*}--[ sci:Weakness ]
1831 | |<>--{0..*}--[ AdditionalData ]
1832 +------------------------+
1834 Figure 19: The Method Class
1836 The aggregate classes of the Method class are:
1838 Reference
1839 Zero or more. A reference to a vulnerability, malware sample,
1840 advisory, or analysis of an attack technique. See Section 3.11.1.
1842 Description
1843 Zero or more. ML_STRING. A free-form text description of
1844 techniques, tactics, or procedures used by the threat actor.
1846 sci:AttackPattern
1847 Zero or more. A reference to a pattern of attack or exploitation
1848 per [RFC-SCI].
1850 sci:Vulnerability
1851 Zero or more. A reference to a vulnerability per [RFC-SCI].
1853 sci:Weakness
1854 Zero or more. A reference to the exploited weakness per [RFC-SCI].
1856 AdditionalData
1857 Zero or more. EXTENSION. A mechanism by which to extend the data
1858 model.
1860 An instance of at least one of these child classes MUST be present.
1862 The attributes of the Method class are:
1864 restriction
1865 Optional. ENUM. See Section 3.3.1.
1867 ext-restriction
1868 Optional. STRING. A means by which to extend the restriction
1869 attribute. See Section 5.1.1.
1871 3.11.1. Reference Class
1873 The Reference class is an external reference to relevant information
1874 such as a vulnerability, IDS alert, malware sample, advisory, or
1875 attack technique.
1877 +-------------------------+
1878 | Reference |
1879 +-------------------------+
1880 | ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
1881 | |<>--{0..*}--[ URL ]
1882 | |<>--{0..*}--[ Description ]
1883 +-------------------------+
1885 Figure 20: The Reference Class
1887 The aggregate classes of the Reference class are:
1889 enum:ReferenceName
1890 Zero or one. Reference identifier per [RFC-ENUM].
1892 URL
1893 Zero or more. URL. A URL to a reference.
1895 Description
1896 Zero or more. ML_STRING. A free-form text description of this
1897 reference.
1899 At least one of these classes MUST be present.
1901 The attribute of the Reference class is:
1903 observable-id
1904 Optional. ID. See Section 3.3.2.
1906 3.12. Assessment Class
1908 The Assessment class describes the repercussions of the incident to
1909 the victim.
1911 +-------------------------+
1912 | Assessment |
1913 +-------------------------+
1914 | ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
1915 | ENUM restriction |<>--{0..*}--[ SystemImpact ]
1916 | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
1917 | ID observable-id |<>--{0..*}--[ TimeImpact ]
1918 | |<>--{0..*}--[ MonetaryImpact ]
1919 | |<>--{0..*}--[ IntendedImpact ]
1920 | |<>--{0..*}--[ Counter ]
1921 | |<>--{0..*}--[ MitigatingFactor ]
1922 | |<>--{0..*}--[ Cause ]
1923 | |<>--{0..1}--[ Confidence ]
1924 | |<>--{0..*}--[ AdditionalData ]
1925 +-------------------------+
1927 Figure 21: Assessment Class
1929 The aggregate classes of the Assessment class are:
1931 IncidentCategory
1932 Zero or more. ML_STRING. A free-form text description
1933 categorizing the type of Incident.
1935 SystemImpact
1936 Zero or more. A technical characterization of the impact of the
1937 incident activity on the victim's enterprise. See Section 3.12.1.
1939 BusinessImpact
1940 Zero or more. Impact of the incident activity on the business
1941 functions of the victim organization. See Section 3.12.2.
1943 TimeImpact
1944 Zero or more. A characterization of the impact on the victim
1945 organization due to the incident activity as a function of time.
1946 See Section 3.12.3.
1948 MonetaryImpact
1949 Zero or more. The financial loss due to the incident activity.
1950 See Section 3.12.4.
1952 IntendedImpact
1953 Zero or more. The intended outcome to the victim sought by the
1954 threat actor. Defined identically to the BusinessImpact defined
1955 in Section 3.12.2, but describes intent rather than the realized
1956 impact.
1958 Counter
1959 Zero or more. A counter with which to summarize the magnitude of
1960 the activity. See Section 3.18.3.
1962 MitigatingFactor
1963 Zero or more. ML_STRING. A description of a mitigating factor
1964 relative to the impact on the victim organization.
1966 Cause
1967 Zero or more. ML_STRING. A description of an underlying cause of
1968 the impact.
1970 Confidence
1971 Zero or one. An estimate of confidence in the impact assessment.
1972 See Section 3.12.5.
1974 AdditionalData
1975 Zero or more. EXTENSION. A mechanism by which to extend the data
1976 model.
1978 At least one instance of the possible five impact classes (i.e.,
1979 SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or
1980 IntendedImpact) MUST be present.
1982 The attributes of the Assessment class are:
1984 occurrence
1985 Optional. ENUM. Specifies whether the assessment is describing
1986 actual or potential outcomes.
1988 1. actual. This assessment describes activity that has occurred.
1990 2. potential. This assessment describes potential activity that
1991 might occur.
1993 restriction
1994 Optional. ENUM. See Section 3.3.1.
1996 ext-restriction
1997 Optional. STRING. A means by which to extend the restriction
1998 attribute. See Section 5.1.1.
2000 observable-id
2001 Optional. ID. See Section 3.3.2.
2003 3.12.1. SystemImpact Class
2005 The SystemImpact class describes the technical impact of the incident
2006 to the systems on the network.
2008 +-----------------------+
2009 | SystemImpact |
2010 +-----------------------+
2011 | ENUM severity |<>--{0..*}--[ Description ]
2012 | ENUM completion |
2013 | ENUM type |
2014 | STRING ext-type |
2015 +-----------------------+
2017 Figure 22: SystemImpact Class
2019 The aggregate class of the SystemImpact class is:
2021 Description
2022 Zero or more. ML_STRING. A free-form text description of the
2023 impact to the system.
2025 The attributes of the SystemImpact class are:
2027 severity
2028 Optional. ENUM. An estimate of the relative severity of the
2029 activity. The permitted values are shown below. There is no
2030 default value.
2032 1. low. Low severity
2034 2. medium. Medium severity
2036 3. high. High severity
2038 completion
2039 Optional. ENUM. An indication whether the described activity was
2040 successful. The permitted values are shown below. There is no
2041 default value.
2043 1. failed. The attempted activity was not successful.
2045 2. succeeded. The attempted activity succeeded.
2047 type
2048 Required. ENUM. Classifies the impact. The permitted values are
2049 shown below. The default value is "unknown". These values are
2050 maintained in the "SystemImpact-type" IANA registry per
2051 Section 10.2.
2053 1. takeover-account. Control was taken of a given account.
2055 2. takeover-service. Control was taken of a given service.
2057 3. takeover-system. Control was taken of a given system.
2059 4. cps-manipulation. A cyber physical system was manipulated.
2061 5. cps-damage. A cyber physical system was damaged.
2063 6. availability-data. Access to particular data was degraded or
2064 denied.
2066 7. availability-account. Access to an account was degraded or
2067 denied.
2069 8. availability-service. Access to a service was degraded or
2070 denied.
2072 9. availability-system. Access to a system was degraded or
2073 denied.
2075 10. damaged-system. Hardware on a system was irreparably
2076 damaged.
2078 11. damaged-data. Data on a system was deleted.
2080 12. breach-proprietary. Sensitive or proprietary information was
2081 accessed or exfiltrated.
2083 13. breach-privacy. Personally identifiable information was
2084 accessed or exfiltrated.
2086 14. breach-credential. Credential information was accessed or
2087 exfiltrated.
2089 15. breach-configuration. System configuration or data inventory
2090 was accessed or exfiltrated.
2092 16. integrity-data. Data on the system was modified.
2094 17. integrity-configuration. Application or system configuration
2095 was modified.
2097 18. integrity-hardware. Firmware of a hardware component was
2098 modified.
2100 19. traffic-redirection. Network traffic on the system was
2101 redirected.
2103 20. monitoring-traffic. Network traffic emerging from a host or
2104 enclave was monitored.
2106 21. monitoring-host. System activity (e.g., running processes,
2107 keystrokes) was monitored.
2109 22. policy. Activity violated the system owner's acceptable use
2110 policy.
2112 23. unknown. The impact is unknown.
2114 24. ext-value. A value used to indicate that this attribute is
2115 extended and the actual value is provided using the
2116 corresponding ext-* attribute. See Section 5.1.1.
2118 ext-type
2119 Optional. STRING. A means by which to extend the type attribute.
2120 See Section 5.1.1.
2122 3.12.2. BusinessImpact Class
2124 The BusinessImpact class describes and characterizes the degree to
2125 which the function of the organization was impacted by the Incident.
2127 +-------------------------+
2128 | BusinessImpact |
2129 +-------------------------+
2130 | ENUM severity |<>--{0..*}--[ Description ]
2131 | STRING ext-severity |
2132 | ENUM type |
2133 | STRING ext-type |
2134 +-------------------------+
2136 Figure 23: BusinessImpact Class
2138 The aggregate class of the BusinessImpact class is:
2140 Description
2141 Zero or more. ML_STRING. A free-form text description of the
2142 impact to the organization.
2144 The attributes of the BusinessImpact class are:
2146 severity
2147 Optional. ENUM. Characterizes the severity of the incident on
2148 business functions. The permitted values are shown below. They
2149 were derived from Table 3-2 of [NIST800.61rev2]. The default
2150 value is "unknown". These values are maintained in the
2151 "BusinessImpact-severity" IANA registry per Section 10.2.
2153 1. none. No effect to the organization's ability to provide all
2154 services to all users.
2156 2. low. Minimal effect as the organization can still provide all
2157 critical services to all users but has lost efficiency.
2159 3. medium. The organization has lost the ability to provide a
2160 critical service to a subset of system users.
2162 4. high. The organization is no longer able to provide some
2163 critical services to any users.
2165 5. unknown. The impact is not known.
2167 6. ext-value. A value used to indicate that this attribute is
2168 extended and the actual value is provided using the
2169 corresponding ext-* attribute. See Section 5.1.1.
2171 ext-severity
2172 Optional. STRING. A means by which to extend the severity
2173 attribute. See Section 5.1.1.
2175 type
2176 Required. ENUM. Characterizes the effect this incident had on
2177 the business. The permitted values are shown below. The default
2178 value is "unknown". These values are maintained in the
2179 "BusinessImpact-type" IANA registry per Section 10.2.
2181 1. breach-proprietary. Sensitive or proprietary information was
2182 accessed or exfiltrated.
2184 2. breach-privacy. Personally identifiable information was
2185 accessed or exfiltrated.
2187 3. breach-credential. Credential information was accessed or
2188 exfiltrated.
2190 4. loss-of-integrity. Sensitive or proprietary information was
2191 changed or deleted.
2193 5. loss-of-service. Service delivery was disrupted.
2195 6. theft-financial. Money was stolen.
2197 7. theft-service. Services were misappropriated.
2199 8. degraded-reputation. The reputation of the organization's
2200 brand was diminished.
2202 9. asset-damage. A cyber-physical system was damaged.
2204 10. asset-manipulation. A cyber-physical system was manipulated.
2206 11. legal. The incident resulted in legal or regulatory action.
2208 12. extortion. The incident resulted in actors extorting the
2209 victim organization.
2211 13. unknown. The impact is unknown.
2213 14. ext-value. A value used to indicate that this attribute is
2214 extended and the actual value is provided using the
2215 corresponding ext-* attribute. See Section 5.1.1.
2217 ext-type
2218 Optional. STRING. A means by which to extend the type attribute.
2219 See Section 5.1.1.
2221 3.12.3. TimeImpact Class
2223 The TimeImpact class describes the impact of the incident on an
2224 organization as a function of time. It provides a way to convey
2225 downtime and recovery time.
2227 +---------------------+
2228 | TimeImpact |
2229 +---------------------+
2230 | REAL |
2231 | |
2232 | ENUM severity |
2233 | ENUM metric |
2234 | STRING ext-metric |
2235 | ENUM duration |
2236 | STRING ext-duration |
2237 +---------------------+
2239 Figure 24: TimeImpact Class
2241 The content of the class is of type REAL and specifies an amount of
2242 time. The duration attribute provides the units for this content,
2243 and the metric attribute explains what this content is measuring.
2245 The attributes of the TimeImpact class are:
2247 severity
2248 Optional. ENUM. An estimate of the relative severity of the
2249 activity. The permitted values are shown below. There is no
2250 default value.
2252 1. low. Low severity
2254 2. medium. Medium severity
2256 3. high. High severity
2258 metric
2259 Required. ENUM. Defines the meaning of the value in the element
2260 content. These values are maintained in the "TimeImpact-metric"
2261 IANA registry per Section 10.2.
2263 1. labor. Total staff-time to recover from the activity (e.g.,
2264 2 employees working 4 hours each would be 8 hours).
2266 2. elapsed. Elapsed time from the beginning of the recovery to
2267 its completion (i.e., wall-clock time).
2269 3. downtime. Duration of time for which some provided service(s)
2270 was not available.
2272 4. ext-value. A value used to indicate that this attribute is
2273 extended and the actual value is provided using the
2274 corresponding ext-* attribute. See Section 5.1.1.
2276 ext-metric
2277 Optional. STRING. A means by which to extend the metric
2278 attribute. See Section 5.1.1.
2280 duration
2281 Optional. ENUM. Defines the unit of time for the value in the
2282 element content. The default value is "hour". These values are
2283 maintained in the "TimeImpact-duration" IANA registry per
2284 Section 10.2.
2286 1. second. The unit of the element content is seconds.
2288 2. minute. The unit of the element content is minutes.
2290 3. hour. The unit of the element content is hours.
2292 4. day. The unit of the element content is days.
2294 5. month. The unit of the element content is months.
2296 6. quarter. The unit of the element content is quarters.
2298 7. year. The unit of the element content is years.
2300 8. ext-value. A value used to indicate that this attribute is
2301 extended and the actual value is provided using the
2302 corresponding ext-* attribute. See Section 5.1.1.
2304 ext-duration
2305 Optional. STRING. A means by which to extend the duration
2306 attribute. See Section 5.1.1.
2308 3.12.4. MonetaryImpact Class
2310 The MonetaryImpact class describes the financial impact of the
2311 activity on an organization. For example, this impact may consider
2312 losses due to the cost of the investigation or recovery, diminished
2313 productivity of the staff, or a tarnished reputation that will affect
2314 future opportunities.
2316 +------------------+
2317 | MonetaryImpact |
2318 +------------------+
2319 | REAL |
2320 | |
2321 | ENUM severity |
2322 | STRING currency |
2323 +------------------+
2325 Figure 25: MonetaryImpact Class
2327 The content of the class is of type REAL and specifies a quantity of
2328 money. The currency attribute defines the currency of this value.
2330 The attributes of the MonetaryImpact class are:
2332 severity
2333 Optional. ENUM. An estimate of the relative severity of the
2334 activity. The permitted values are shown below. There is no
2335 default value.
2337 1. low. Low severity
2339 2. medium. Medium severity
2341 3. high. High severity
2343 currency
2344 Optional. STRING. Defines the currency in which the value in the
2345 element content is expressed. The permitted values are defined in
2346 "Codes for the representation of currencies and funds" of
2347 [ISO4217]. There is no default value.
2349 3.12.5. Confidence Class
2351 The Confidence class represents an estimate of the validity and
2352 accuracy of data expressed in the document. This estimate can be
2353 expressed as a category or a numeric calculation.
2355 +-------------------+
2356 | Confidence |
2357 +-------------------+
2358 | REAL |
2359 | |
2360 | ENUM rating |
2361 | STRING ext-rating |
2362 +-------------------+
2364 Figure 26: Confidence Class
2366 The content of the class is of type REAL and specifies a numerical
2367 assessment in the confidence of the data when the value of the rating
2368 attribute is "numeric". Otherwise, this element MUST be empty.
2370 The attributes of the Confidence class are:
2372 rating
2373 Required. ENUM. A qualitative assessment of confidence. These
2374 values are maintained in the "Confidence-rating" IANA registry per
2375 Section 10.2.
2377 1. low. Low confidence.
2379 2. medium. Medium confidence.
2381 3. high. High confidence.
2383 4. numeric. The element content contains a number that conveys
2384 the confidence of the data. The semantics of this number are
2385 outside the scope of this specification.
2387 5. unknown. The confidence rating value is not known.
2389 6. ext-value. A value used to indicate that this attribute is
2390 extended and the actual value is provided using the
2391 corresponding ext-* attribute. See Section 5.1.1.
2393 ext-rating
2394 Optional. STRING. A means by which to extend the rating
2395 attribute. See Section 5.1.1.
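Several of the rules stated in Sections 3.10.1 through 3.12.5 are co-occurrence constraints (a Description or DetectionConfiguration in DetectionPattern, at least one impact class in Assessment, a required metric and a default duration of "hour" in TimeImpact, and empty Confidence content unless rating is "numeric") that a plain schema validation of an incoming document will not necessarily enforce. The following checker is an added example, not code from the specification; it assumes the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0 and runs over two constructed sample fragments.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace; check the schema
IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact", "MonetaryImpact", "IntendedImpact")
TIME_UNITS = ("second", "minute", "hour", "day", "month", "quarter", "year", "ext-value")
RATINGS = ("low", "medium", "high", "numeric", "unknown", "ext-value")

def q(name):
    """Clark-notation tag for an IODEF element name."""
    return f"{{{NS}}}{name}"

def is_real(text):
    """True if the element content parses as the REAL data type."""
    try:
        float((text or "").strip())
        return True
    except ValueError:
        return False

def check_detection_pattern(dp):
    """Section 3.10.1: Application is required; Description or DetectionConfiguration MUST be present."""
    problems = []
    if dp.find(q("Application")) is None:
        problems.append("DetectionPattern: Application is required")
    if dp.find(q("Description")) is None and dp.find(q("DetectionConfiguration")) is None:
        problems.append("DetectionPattern: Description or DetectionConfiguration MUST be present")
    return problems

def check_time_impact(ti):
    """Section 3.12.3: metric is required, duration defaults to hour, content is REAL."""
    problems = []
    metric = ti.get("metric")
    if metric is None:
        problems.append("TimeImpact: metric attribute is required")
    elif metric == "ext-value" and not ti.get("ext-metric"):
        problems.append("TimeImpact: metric=ext-value requires ext-metric (Section 5.1.1)")
    if ti.get("duration", "hour") not in TIME_UNITS:
        problems.append(f"TimeImpact: unknown duration {ti.get('duration')!r}")
    if not is_real(ti.text):
        problems.append("TimeImpact: content must be a REAL number")
    return problems

def check_confidence(conf):
    """Section 3.12.5: a number in the content only when rating is numeric, otherwise empty."""
    rating, content = conf.get("rating"), (conf.text or "").strip()
    if rating not in RATINGS:
        return [f"Confidence: invalid rating {rating!r}"]
    if rating == "numeric" and not is_real(content):
        return ["Confidence: rating=numeric requires REAL content"]
    if rating != "numeric" and content:
        return ["Confidence: content MUST be empty unless rating is numeric"]
    return []

def check_assessment(a):
    """Section 3.12: at least one of the five impact classes MUST be present."""
    problems = []
    if not any(a.find(q(c)) is not None for c in IMPACT_CLASSES):
        problems.append("Assessment: at least one impact class MUST be present")
    for ti in a.findall(q("TimeImpact")):
        problems += check_time_impact(ti)
    conf = a.find(q("Confidence"))  # zero or one per Assessment
    if conf is not None:
        problems += check_confidence(conf)
    return problems

def check_document(xml_text):
    """Apply the checks to every DetectionPattern and Assessment, in document order."""
    root = ET.fromstring(xml_text)
    problems = []
    for dp in root.iter(q("DetectionPattern")):
        problems += check_detection_pattern(dp)
    for a in root.iter(q("Assessment")):
        problems += check_assessment(a)
    return problems  # an empty list means the fragment conforms

# Constructed samples: one conforming fragment and one carrying four violations.
VALID = f"""<EventData xmlns="{NS}">
  <Discovery source="siem">
    <DetectionPattern>
      <Application><Description>Example SIEM</Description></Application>
      <DetectionConfiguration>alert when failed logins exceed 50 in 5 minutes</DetectionConfiguration>
    </DetectionPattern>
  </Discovery>
  <Assessment occurrence="actual">
    <SystemImpact type="breach-credential" severity="high"/>
    <TimeImpact metric="downtime" duration="minute">45</TimeImpact>
    <Confidence rating="high"/>
  </Assessment>
</EventData>"""

INVALID = f"""<EventData xmlns="{NS}">
  <Discovery source="av">
    <DetectionPattern><Application><Description>Example AV</Description></Application></DetectionPattern>
  </Discovery>
  <Assessment><TimeImpact>2</TimeImpact><Confidence rating="medium">0.8</Confidence></Assessment>
  <EventData>
    <Assessment occurrence="potential"><Confidence rating="unknown"/></Assessment>
  </EventData>
</EventData>"""
```

Running check_document(INVALID) reports the missing DetectionPattern description, the missing metric, the non-empty Confidence, and the nested Assessment without an impact class, in that order.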
2397 3.13. History Class
2399 The History class is a log of the significant events or actions
2400 performed by the involved parties during the course of handling the
2401 incident.
2403 The level of detail maintained in this log is left up to the
2404 discretion of those handling the incident.
2406 +------------------------+
2407 | History |
2408 +------------------------+
2409 | ENUM restriction |<>--{1..*}--[ HistoryItem ]
2410 | STRING ext-restriction |
2411 +------------------------+
2413 Figure 27: The History Class
2415 The aggregate classes of the History class are:
2417 HistoryItem
2418 One or more. An entry in the history log of significant events or
2419 actions performed by the involved parties. See Section 3.13.1.
2421 The attributes of the History class are:
2423 restriction
2424 Optional. ENUM. See Section 3.3.1.
2426 ext-restriction
2427 Optional. STRING. A means by which to extend the restriction
2428 attribute. See Section 5.1.1.
2430 3.13.1. HistoryItem Class
2432 The HistoryItem class is an entry in the History (Section 3.13) log
2433 that documents a particular action or event that occurred in the
2434 course of handling the incident. The details of the entry are a
2435 free-form text description, but each can be categorized with the type
2436 attribute.
2438 +-------------------------+
2439 | HistoryItem |
2440 +-------------------------+
2441 | ENUM action |<>----------[ DateTime ]
2442 | STRING ext-action |<>--{0..1}--[ IncidentID ]
2443 | ENUM restriction |<>--{0..1}--[ Contact ]
2444 | STRING ext-restriction |<>--{0..*}--[ Description ]
2445 | ID observable-id |<>--{0..*}--[ DefinedCOA ]
2446 | |<>--{0..*}--[ AdditionalData ]
2447 +-------------------------+
2449 Figure 28: HistoryItem Class
2451 The aggregate classes of the HistoryItem class are:
2453 DateTime
2454 One. DATETIME. A timestamp of this entry in the history log.
2456 IncidentID
2457 Zero or one. In a history log created by multiple parties, the
2458 IncidentID provides a mechanism to specify which CSIRT created a
2459 particular entry and references this organization's tracking
2460 number. When a single organization is maintaining the log, this
2461 class can be ignored. See Section 3.4.
2463 Contact
2464 Zero or one. Provides contact information for the entity that
2465 performed the action documented in this class. See Section 3.9.
2467 Description
2468 Zero or more. ML_STRING. A free-form text description of the
2469 action or event.
2471 DefinedCOA
2472 Zero or more. STRING. An identifier meaningful to the sender and
2473 recipient of this document that references a course of action.
2474 This class MUST be present if the action attribute is set to
2475 "defined-coa".
2477 AdditionalData
2478 Zero or more. EXTENSION. A mechanism by which to extend the data
2479 model.
2481 The attributes of the HistoryItem class are:
2483 action
2484 Required. ENUM. Classifies a performed action or occurrence
2485 documented in this history log entry. Since the activity will
2486 likely have been instigated either through a previously conveyed
2487 expectation or an internal investigation, this attribute is
2488 identical to the action attribute of the Expectation class. The
2489 difference is only one of tense. When an action is in this class,
2490 it has been completed. See Section 3.15.
2492 ext-action
2493 Optional. STRING. A means by which to extend the action
2494 attribute. See Section 5.1.1.
2496 restriction
2497 Optional. ENUM. See Section 3.3.1.
2499 ext-restriction
2500 Optional. STRING. A means by which to extend the restriction
2501 attribute. See Section 5.1.1.
2503 observable-id
2504 Optional. ID. See Section 3.3.2.
2506 3.14. EventData Class
2508 The EventData class is a container class to organize data about
2509 events that occurred during an incident.
2511 +-------------------------+
2512 | EventData |
2513 +-------------------------+
2514 | ENUM restriction |<>--{0..*}--[ Description ]
2515 | STRING ext-restriction |<>--{0..1}--[ DetectTime ]
2516 | ID observable-id |<>--{0..1}--[ StartTime ]
2517 | |<>--{0..1}--[ EndTime ]
2518 | |<>--{0..1}--[ RecoveryTime ]
2519 | |<>--{0..1}--[ ReportTime ]
2520 | |<>--{0..*}--[ Contact ]
2521 | |<>--{0..*}--[ Discovery ]
2522 | |<>--{0..1}--[ Assessment ]
2523 | |<>--{0..*}--[ Method ]
2524 | |<>--{0..*}--[ Flow ]
2525 | |<>--{0..*}--[ Expectation ]
2526 | |<>--{0..1}--[ Record ]
2527 | |<>--{0..*}--[ EventData ]
2528 | |<>--{0..*}--[ AdditionalData ]
2529 +-------------------------+
2531 Figure 29: The EventData Class
2533 The aggregate classes of the EventData class are:
2535 Description
2536 Zero or more. ML_STRING. A free-form text description of the
2537 event.
2539 DetectTime
2540 Zero or one. DATETIME. The time the event was detected.
2542 StartTime
2543 Zero or one. DATETIME. The time the event started.
2545 EndTime
2546 Zero or one. DATETIME. The time the event ended.
2548 RecoveryTime
2549 Zero or one. DATETIME. The time the site recovered from the
2550 event.
2552 ReportTime
2553 One. DATETIME. The time the event was reported.
2555 Contact
2556 Zero or more. Contact information for the parties involved in the
2557 event. See Section 3.9.
2559 Discovery
2560 Zero or more. The means by which the event was detected. See
2561 Section 3.10.
2563 Assessment
2564 Zero or one. The impact of the event on the victim and the
2565 actions taken. See Section 3.12.
2567 Method
2568 Zero or more. The technique used by the threat actor in the
2569 event. See Section 3.11.
2571 Flow
2572 Zero or more. A description of the systems or networks involved.
2573 See Section 3.16.
2575 Expectation
2576 Zero or more. The expected action to be performed by the
2577 recipient for the described event. See Section 3.15.
2579 Record
2580 Zero or one. Supportive data (e.g., log files) that provides
2581 additional information about the event. See Section 3.22.
2583 EventData
2584 Zero or more. A recursive definition of the EventData class. See
2585 Section 3.14.2 for an explanation on using this class.
2587 AdditionalData
2588 Zero or more. EXTENSION. An extension mechanism for data not
2589 explicitly represented in the data model.
2591 At least one of the aggregate classes MUST be present in an instance
2592 of the EventData class.
2594 The attributes of the EventData class are:
2596 restriction
2597 Optional. ENUM. See Section 3.3.1. The default value is
2598 "default".
2600 ext-restriction
2601 Optional. STRING. A means by which to extend the restriction
2602 attribute. See Section 5.1.1.
2604 observable-id
2605 Optional. ID. See Section 3.3.2.
2607 3.14.1. Relating the Incident and EventData Classes
2609 There is substantial overlap in the child classes aggregated in the
2610 Incident and EventData classes. Nevertheless, the semantics of these
2611 classes are quite different. The Incident class provides summary
2612 information about the entire incident, while the EventData class
2613 provides information about the individual events comprising the
2614 incident. In the common case, the EventData class will provide more
2615 specific information for the general description provided in the
2616 Incident class. However, where the summarized information in the
2617 Incident class conflicts with the detailed information in an
2618 EventData class, the more specific EventData class MUST supersede
2619 the more generic information provided in the Incident class.
2621 3.14.2. Recursive Definition of EventData
2623 The EventData class is a container for the properties of an event in
2624 an incident. These properties include: the hosts involved, impact of
2625 the incident activity on the hosts, forensic logs, etc. The
2626 recursive definition of EventData allows for the grouping of related
2627 information with common properties. This approach eliminates the
2628 need for explicit identifiers to relate information or duplicate it.
2629 Instead, the relative depth (nesting) of a class is used to group
2630 (relate) information.
2632 For example, consider a case where two hosts experience different
2633 impacts during an incident. However, these two hosts have common
2634 contact information. A depiction of how this situation would be
2635 represented can be found in Figure 30. EventData (2) and (3) group
2636 each of the two hosts with their unique impact. EventData (1)
2637 describes the common Contact class these two hosts share.
2639 +------------------+
2640 | EventData (1) |
2641 +------------------+
2642 | |<>----[ Contact ]
2643 | |
2644 | |<>----[ EventData (2) ]<>----[ Flow ]
2645 | | [ ]<>----[ Assessment ]
2646 | |
2647 | |<>----[ EventData (3) ]<>----[ Flow ]
2648 | | [ ]<>----[ Assessment ]
2649 +------------------+
2651 Figure 30: Recursion in the EventData Class
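To show how the nesting in Figure 30 relates information without explicit identifiers, the following snippet is an added example (not part of the specification) that builds the Figure 30 structure as a constructed IODEF fragment and walks it so that each per-host Assessment is reported together with the Contact inherited from the enclosing EventData. It assumes the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0 and an assumed Flow/System/Node/Address structure for the Flow class of Section 3.16.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace; check the schema

def q(name):
    """Clark-notation tag for an IODEF element name."""
    return f"{{{NS}}}{name}"

def own_contacts(event):
    """EmailTo values of Contact elements that are direct children of this EventData."""
    return [e.text.strip() for c in event.findall(q("Contact"))
            for e in c.iter(q("EmailTo")) if e.text]

def own_addresses(event):
    """Addresses inside Flow elements that are direct children of this EventData."""
    return [a.text.strip() for f in event.findall(q("Flow"))
            for a in f.iter(q("Address")) if a.text]

def resolve_events(xml_text):
    """Walk the nested EventData tree. A property set on an enclosing EventData
    (here: Contact) applies to everything nested inside it, so every Assessment
    is returned with the contacts collected from its own level outward."""
    root = ET.fromstring(xml_text)
    results = []

    def walk(event, inherited, depth):
        # nearest Contact first, then those inherited from enclosing levels
        effective = own_contacts(event) + inherited
        assessment = event.find(q("Assessment"))
        if assessment is not None:
            results.append({
                "depth": depth,
                "addresses": own_addresses(event),
                "impacts": [si.get("type") for si in assessment.findall(q("SystemImpact"))],
                "contacts": effective,
            })
        for child in event.findall(q("EventData")):
            walk(child, effective, depth + 1)

    walk(root, [], 1)
    return results

# Constructed sample following Figure 30: EventData (1) carries the shared
# Contact; EventData (2) and (3) each pair one host (Flow) with its own Assessment.
SAMPLE = f"""<EventData xmlns="{NS}">
  <Contact role="creator" type="organization">
    <ContactName>Example SOC</ContactName>
    <Email type="hotline"><EmailTo>soc@example.com</EmailTo></Email>
  </Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment occurrence="actual">
      <SystemImpact type="takeover-system" severity="high"/>
    </Assessment>
  </EventData>
  <EventData>
    <Contact role="admin" type="person">
      <Email type="direct"><EmailTo>host-admin@example.com</EmailTo></Email>
    </Contact>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
    <Assessment occurrence="actual">
      <SystemImpact type="availability-service" severity="medium"/>
    </Assessment>
  </EventData>
</EventData>"""

if __name__ == "__main__":
    for entry in resolve_events(SAMPLE):
        print(entry)
```

The second host adds its own admin Contact, so its effective contact list is the nearer admin address followed by the SOC address inherited from EventData (1).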
2653 3.15. Expectation Class
2655 The Expectation class conveys to the recipient of the IODEF document
2656 the actions the sender is requesting.
2658 +-------------------------+
2659 |       Expectation       |
2660 +-------------------------+
2661 | ENUM action             |<>--{0..*}--[ Description ]
2662 | STRING ext-action       |<>--{0..*}--[ DefinedCOA ]
2663 | ENUM severity           |<>--{0..1}--[ StartTime ]
2664 | ENUM restriction        |<>--{0..1}--[ EndTime ]
2665 | STRING ext-restriction  |<>--{0..1}--[ Contact ]
2666 | ID observable-id        |
2667 +-------------------------+
2669 Figure 31: The Expectation Class
2671 The aggregate classes of the Expectation class are:
2673 Description
2674 Zero or more. ML_STRING. A free-form text description of the
2675 desired action(s).
2677 DefinedCOA
2678 Zero or more. STRING. A unique identifier meaningful to the
2679 sender and recipient of this document that references a course of
2680 action. This class MUST be present if the action attribute is set
2681 to "defined-coa".
2683 StartTime
2684 Zero or one. DATETIME. The time at which the sender would like
2685 the action performed. A timestamp that is earlier than the
2686 ReportTime specified in the Incident class denotes that the sender
2687 would like the action performed as soon as possible. The absence
2688 of this element indicates no expectations of when the sender
2689 would like the action performed.
2691 EndTime
2692 Zero or one. DATETIME. The time by which the sender expects the
2693 recipient to complete the action. If the recipient cannot
2694 complete the action before EndTime, the recipient MUST NOT carry
2695 out the action. Because of transit delays and clock drift the
2696 sender MUST be prepared for the recipient to have carried out the
2697 action, even if it completes past EndTime.
2699 Contact
2700 Zero or one. The entity expected to perform the action. See
2701 Section 3.9.
2703 The attributes of the Expectation class are:
2705 action
2706 Optional. ENUM. Classifies the type of action requested. The
2707 default value is "other". These values are maintained in the
2708 "Expectation-action" IANA registry per Section 10.2.
2710 1. nothing. No action is requested. Do nothing with the
2711 information.
2713 2. contact-source-site. Contact the site(s) identified as the
2714 source of the activity.
2716 3. contact-target-site. Contact the site(s) identified as the
2717 target of the activity.
2719 4. contact-sender. Contact the originator of the document.
2721 5. investigate. Investigate the systems(s) listed in the event.
2723 6. block-host. Block traffic from the machine(s) listed as
2724 sources in the event.
2726 7. block-network. Block traffic from the network(s) listed as
2727 sources in the event.
2729 8. block-port. Block the port(s) listed as sources in the event.
2731 9. rate-limit-host. Rate-limit the traffic from the machine(s)
2732 listed as sources in the event.
2734 10. rate-limit-network. Rate-limit the traffic from the
2735 network(s) listed as sources in the event.
2737 11. rate-limit-port. Rate-limit the port(s) listed as sources in
2738 the event.
2740 12. redirect-traffic. Redirect traffic from the intended
2741 recipient for further analysis.
2743 13. honeypot. Redirect traffic from systems listed in the event
2744 to a honeypot for further analysis.
2746 14. upgrade-software. Upgrade or patch the software or firmware
2747 on an asset listed in the event.
2749 15. rebuild-asset. Reinstall the operating system or
2750 applications on an asset listed in the event.
2752 16. harden-asset. Change the configuration of an asset listed in
2753 the event to reduce the attack surface.
2755 17. remediate-other. Remediate the activity in a way other than
2756 by rate limiting or blocking.
2758 18. status-triage. Confirm receipt and begin triaging the
2759 incident.
2761 19. status-new-info. Notify the sender when new information is
2762 received for this incident.
2764 20. watch-and-report. Watch for the described activity or
2765 indicators, and notify the sender when seen.
2767 21. training. Train users to identify or mitigate the described
2768 threat.
2770 22. defined-coa. Perform a predefined course of action (COA).
2771 The COA is named in the DefinedCOA class.
2773 23. other. Perform a custom action described in the Description
2774 class.
2776 24. ext-value. A value used to indicate that this attribute is
2777 extended and the actual value is provided using the
2778 corresponding ext-* attribute. See Section 5.1.1.
2780 ext-action
2781 Optional. STRING. A means by which to extend the action
2782 attribute. See Section 5.1.1.
2784 severity
2785 Optional. ENUM. Indicates the desired priority of the action.
2786 This attribute is an enumerated list with no default value, and
2787 the semantics of these relative measures are context dependent.
2789 1. low. Low priority
2791 2. medium. Medium priority
2793 3. high. High priority
2795 restriction
2796 Optional. ENUM. See Section 3.3.1. The default value is
2797 "default".
2799 ext-restriction
2800 Optional. STRING. A means by which to extend the restriction
2801 attribute. See Section 5.1.1.
2803 observable-id
2804 Optional. ID. See Section 3.3.2.
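The timing and DefinedCOA rules above, as a recipient would apply them, in an added Python example that is not part of the draft; the Expectation fragments, the Incident ReportTime and the recipient's clock value are all constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def parse_time(text):
    """Parse an IODEF DATETIME; the constructed samples use an explicit offset."""
    return datetime.fromisoformat(text.strip()) if text else None


def evaluate_expectation(expectation, report_time, now):
    """Return (decision, detail) for one <Expectation> element.

    decision: "invalid", "do-not-perform", "perform-now" or "defer".
    report_time is the Incident's ReportTime; now is the recipient's clock.
    """
    action = expectation.get("action", "other")  # default is "other"
    if action == "defined-coa" and expectation.find("DefinedCOA") is None:
        return "invalid", "action=defined-coa requires a DefinedCOA element"
    if action == "ext-value" and not expectation.get("ext-action"):
        return "invalid", "action=ext-value requires an ext-action attribute"

    start = parse_time(expectation.findtext("StartTime"))
    end = parse_time(expectation.findtext("EndTime"))

    if end is not None and now > end:
        # Cannot complete before EndTime: the recipient MUST NOT act.
        # (The sender, for its part, has to tolerate late completions
        # caused by transit delay or clock drift.)
        return "do-not-perform", f"EndTime {end.isoformat()} has passed"
    if start is None:
        return "perform-now", "no StartTime: no timing expectation"
    if start < report_time:
        return "perform-now", "StartTime precedes ReportTime: as soon as possible"
    if start <= now:
        return "perform-now", "StartTime has been reached"
    return "defer", f"StartTime {start.isoformat()} is in the future"


# Constructed clock values: the Incident's ReportTime and the recipient's now.
REPORT_TIME = datetime(2016, 5, 10, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2016, 5, 10, 13, 0, tzinfo=timezone.utc)

# Constructed, namespace-free Expectation fragments.
SAMPLES = {
    "asap": '<Expectation action="block-host">'
            '<StartTime>2016-05-10T11:00:00+00:00</StartTime></Expectation>',
    "expired": '<Expectation action="block-host">'
               '<EndTime>2016-05-10T12:30:00+00:00</EndTime></Expectation>',
    "deferred": '<Expectation action="investigate">'
                '<StartTime>2016-05-11T09:00:00+00:00</StartTime></Expectation>',
    "bad-coa": '<Expectation action="defined-coa"/>',
    "good-coa": '<Expectation action="defined-coa">'
                '<DefinedCOA>COA-42</DefinedCOA></Expectation>',
}


def decide_samples():
    """Map each constructed sample to its decision."""
    return {name: evaluate_expectation(ET.fromstring(xml), REPORT_TIME, NOW)[0]
            for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in decide_samples().items():
        print(f"{name:10s} -> {decision}")
```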
2806 3.16. Flow Class
2808 The Flow class describes the systems and networks involved in the
2809 incident and the relationships between them.
2811 +------------------+
2812 |       Flow       |
2813 +------------------+
2814 |                  |<>--{1..*}--[ System ]
2815 +------------------+
2817 Figure 32: The Flow Class
2819 The aggregate class of the Flow class is:
2821 System
2822 One or more. A host or network involved in an event. See
2823 Section 3.17.
2825 The Flow class has no attributes.
2827 3.17. System Class
2829 The System class describes a system or network involved in an event.
2831 +------------------------+
2832 |         System         |
2833 +------------------------+
2834 | ENUM category          |<>----------[ Node ]
2835 | STRING ext-category    |<>--{0..*}--[ NodeRole ]
2836 | STRING interface       |<>--{0..*}--[ Service ]
2837 | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
2838 | ENUM virtual           |<>--{0..*}--[ Counter ]
2839 | ENUM ownership         |<>--{0..*}--[ AssetID ]
2840 | STRING ext-ownership   |<>--{0..*}--[ Description ]
2841 | ENUM restriction       |<>--{0..*}--[ AdditionalData ]
2842 | STRING ext-restriction |
2843 +------------------------+
2845 Figure 33: The System Class
2847 The aggregate classes of the System class are:
2849 Node
2850 One. A host or network involved in the incident. See
2851 Section 3.18.
2853 NodeRole
2854 Zero or more. The intended purpose of the system. See
2855 Section 3.18.2.
2857 Service
2858 Zero or more. A network service running on the system. See
2859 Section 3.20.
2861 OperatingSystem
2862 Zero or more. SOFTWARE. The operating system running on the
2863 system.
2865 Counter
2866 Zero or more. A counter with which to summarize properties of
2867 this host or network. See Section 3.18.3.
2869 AssetID
2870 Zero or more. STRING. An asset identifier for the System.
2872 Description
2873 Zero or more. ML_STRING. A free-form text description of the
2874 System.
2876 AdditionalData
2877 Zero or more. EXTENSION. A mechanism by which to extend the data
2878 model.
2880 The attributes of the System class are:
2882 category
2883 Optional. ENUM. Classifies the role the host or network played
2884 in the incident. These values are maintained in the "System-
2885 category" IANA registry per Section 10.2.
2887 1. source. The System was the source of the event.
2889 2. target. The System was the target of the event.
2891 3. intermediate. The System was an intermediary in the event.
2893 4. sensor. The System was a sensor monitoring the event.
2895 5. infrastructure. The System was an infrastructure node of
2896 IODEF document exchange.
2898 6. ext-value. A value used to indicate that this attribute is
2899 extended and the actual value is provided using the
2900 corresponding ext-* attribute. See Section 5.1.1.
2902 ext-category
2903 Optional. STRING. A means by which to extend the category
2904 attribute. See Section 5.1.1.
2906 interface
2907 Optional. STRING. Specifies the interface on which the event(s)
2908 on this System originated. If the Node class specifies a network
2909 rather than a host, this attribute has no meaning.
2911 spoofed
2912 Optional. ENUM. An indication of confidence in whether this
2913 System was the true target or attacking host. The permitted
2914 values for this attribute are shown below. The default value is
2915 "unknown".
2917 1. unknown. The accuracy of the category attribute value is
2918 unknown.
2920 2. yes. The category attribute value is likely incorrect. In
2921 the case of a source, the System is likely a decoy; with a
2922 target, the System was likely not the intended victim.
2924 3. no. The category attribute value is believed to be correct.
2926 virtual
2927 Optional. ENUM. Indicates whether this System is a virtual or
2928 physical device. The default value is "unknown".
2930 1. yes. The System is a virtual device.
2932 2. no. The System is a physical device.
2934 3. unknown. It is not known if the System is virtual.
2936 ownership
2937 Optional. ENUM. Describes the ownership of this System relative
2938 to the victim in the incident. These values are maintained in the
2939 "System-ownership" IANA registry per Section 10.2.
2941 1. organization. Corporate or enterprise-owned.
2943 2. personal. Personally-owned by an employee or affiliate of the
2944 corporation or enterprise.
2946 3. partner. Owned by a partner of the corporation or enterprise.
2948 4. customer. Owned by a customer of the corporation or
2949 enterprise.
2951 5. no-relationship. Owned by an entity that has no known
2952 relationship with victim organization.
2954 6. unknown. Ownership is unknown.
2956 7. ext-value. A value used to indicate that this attribute is
2957 extended and the actual value is provided using the
2958 corresponding ext-* attribute. See Section 5.1.1.
2960 ext-ownership
2961 Optional. STRING. A means by which to extend the ownership
2962 attribute. See Section 5.1.1.
2964 restriction
2965 Optional. ENUM. See Section 3.3.1.
2967 ext-restriction
2968 Optional. STRING. A means by which to extend the restriction
2969 attribute. See Section 5.1.1.
2971 3.18. Node Class
2973 The Node class identifies a system, asset, or network and its
2974 location.
2976 +---------------+
2977 |     Node      |
2978 +---------------+
2979 |               |<>--{0..*}--[ DomainData ]
2980 |               |<>--{0..*}--[ Address ]
2981 |               |<>--{0..1}--[ PostalAddress ]
2982 |               |<>--{0..*}--[ Location ]
2983 |               |<>--{0..*}--[ Counter ]
2984 +---------------+
2986 Figure 34: The Node Class
2988 The aggregate classes of the Node class are:
2990 DomainData
2991 Zero or more. The domain (DNS) information associated with this
2992 Node. If an Address is not provided, at least one DomainData MUST
2993 be specified. See Section 3.19.
2995 Address
2996 Zero or more. The hardware, network, or application address of
2997 the Node. If a DomainData is not provided, at least one Address
2998 MUST be specified. See Section 3.18.1.
3000 PostalAddress
3001 Zero or one. POSTAL. The postal address of the node.
3003 Location
3004 Zero or more. ML_STRING. A free-form text description of the
3005 physical location of the Node. This description may provide a
3006 more detailed description of where in the PostalAddress this Node
3007 is found (e.g., room number, rack number, slot number in a
3008 chassis).
3010 Counter
3011 Zero or more. A counter with which to summarize properties of
3012 this host or network. See Section 3.18.3.
3014 The Node class has no attributes.
3016 3.18.1. Address Class
3018 The Address class represents a hardware (layer-2), network (layer-3),
3019 or application (layer-7) address.
3021 +-------------------------+
3022 |         Address         |
3023 +-------------------------+
3024 | STRING                  |
3025 |                         |
3026 | ENUM category           |
3027 | STRING ext-category     |
3028 | STRING vlan-name        |
3029 | INTEGER vlan-num        |
3030 | ID observable-id        |
3031 +-------------------------+
3033 Figure 35: The Address Class
3035 The content of the class is an address of type STRING whose semantics
3036 are determined by the category attribute.
3038 The attributes of the Address class are:
3040 category
3041 Required. ENUM. The type of address represented. The default
3042 value is "ipv6-addr". These values are maintained in the
3043 "Address-category" IANA registry per Section 10.2.
3045 1. asn. Autonomous System Number.
3047 2. atm. Asynchronous Transfer Mode (ATM) address.
3049 3. e-mail. Email address (RFC 822).
3051 4. ipv4-addr. IPv4 host address in dotted-decimal notation
3052 (a.b.c.d).
3054 5. ipv4-net. IPv4 network address in dotted-decimal notation,
3055 slash, significant bits (i.e., a.b.c.d/nn).
3057 6. ipv4-net-mask. IPv4 network address in dotted-decimal
3058 notation, slash, network mask in dotted-decimal notation
3059 (i.e., a.b.c.d/w.x.y.z).
3061 7. ipv6-addr. IPv6 host address.
3063 8. ipv6-net. IPv6 network address, slash, significant bits.
3065 9. ipv6-net-mask. IPv6 network address, slash, network mask.
3067 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f).
3069 11. site-uri. A URL or URI for a resource.
3071 12. ext-value. A value used to indicate that this attribute is
3072 extended and the actual value is provided using the
3073 corresponding ext-* attribute. See Section 5.1.1.
3075 ext-category
3076 Optional. STRING. A means by which to extend the category
3077 attribute. See Section 5.1.1.
3079 vlan-name
3080 Optional. STRING. The name of the Virtual LAN to which the
3081 address belongs.
3083 vlan-num
3084 Optional. INTEGER. The number of the Virtual LAN to which the
3085 address belongs.
3087 observable-id
3088 Optional. ID. See Section 3.3.2.
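An added Python example, not code from the draft, that checks an Address's content against its category attribute (default "ipv6-addr") and applies the Node rule from Section 3.18 that at least one Address or DomainData must be present. The fragments are constructed; the e-mail, site-uri and atm checks are deliberately loose because the draft gives no syntax for them.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2}){5}$")  # a:b:c:d:e:f
URI_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def _prefix_from_mask(mask, family):
    """Turn a mask written in address form into a prefix length."""
    bits = 32 if family == 4 else 128
    cls = ipaddress.IPv4Address if family == 4 else ipaddress.IPv6Address
    value = int(cls(mask))
    prefix = bin(value).count("1")
    # A valid mask is `prefix` one-bits followed only by zero-bits.
    if value != (1 << bits) - (1 << (bits - prefix)):
        raise ValueError(f"non-contiguous mask {mask!r}")
    return prefix


def _network_with_mask(text, family):
    """Parse 'net/mask' (mask in address form) into an ip_network object."""
    net, _, mask = text.partition("/")
    prefix = _prefix_from_mask(mask, family)
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)


def _has_prefix_length(text):
    return "/" in text and text.split("/", 1)[1].isdigit()


def validate_address(address):
    """Return (ok, detail) for one <Address> element."""
    category = address.get("category", "ipv6-addr")  # default per the draft
    text = (address.text or "").strip()
    if not text:
        return False, "empty address content"
    try:
        if category == "asn":
            int(text)
        elif category == "ipv4-addr":
            ipaddress.IPv4Address(text)
        elif category == "ipv4-net":
            if not _has_prefix_length(text):
                raise ValueError("expected a.b.c.d/nn")
            ipaddress.IPv4Network(text, strict=False)
        elif category == "ipv4-net-mask":
            _network_with_mask(text, 4)  # a.b.c.d/w.x.y.z
        elif category == "ipv6-addr":
            ipaddress.IPv6Address(text)
        elif category == "ipv6-net":
            if not _has_prefix_length(text):
                raise ValueError("expected net/nn")
            ipaddress.IPv6Network(text, strict=False)
        elif category == "ipv6-net-mask":
            _network_with_mask(text, 6)
        elif category == "mac":
            if not MAC_RE.match(text):
                raise ValueError("expected a:b:c:d:e:f")
        elif category == "e-mail":
            if "@" not in text:  # loose check; full RFC 822 parsing omitted
                raise ValueError("expected an RFC 822 address")
        elif category == "site-uri":
            if not URI_SCHEME_RE.match(text):
                raise ValueError("expected a URI with a scheme")
        elif category == "atm":
            pass  # the draft gives no syntax; accept content as-is
        elif category == "ext-value":
            if not address.get("ext-category"):
                raise ValueError("ext-value requires ext-category")
        else:
            raise ValueError(f"unknown category {category!r}")
    except ValueError as exc:
        return False, f"{category}: {exc}"
    return True, category


def validate_node(node):
    """Section 3.18: a Node needs at least one Address or one DomainData."""
    if node.find("Address") is None and node.find("DomainData") is None:
        return False, "Node needs at least one Address or DomainData"
    problems = [detail for ok, detail in
                map(validate_address, node.findall("Address")) if not ok]
    return (False, "; ".join(problems)) if problems else (True, "ok")


def check(xml):
    """Validate a constructed <Address> or <Node> fragment."""
    elem = ET.fromstring(xml)
    return validate_node(elem) if elem.tag == "Node" else validate_address(elem)
```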
3090 3.18.2. NodeRole Class
3092 The NodeRole class describes the function performed by or role of a
3093 particular system, asset or network.
3095 +-----------------------+
3096 |       NodeRole        |
3097 +-----------------------+
3098 | ENUM category         |<>--{0..*}--[ Description ]
3099 | STRING ext-category   |
3100 +-----------------------+
3102 Figure 36: The NodeRole Class
3104 The aggregate class of the NodeRole class is:
3106 Description
3107 Zero or more. ML_STRING. A free-form text description of the
3108 role of the system.
3110 The attributes of the NodeRole class are:
3112 category
3113 Required. ENUM. Function or role of a node. These values are
3114 maintained in the "NodeRole-category" IANA registry per
3115 Section 10.2.
3117 1. client. Client computer.
3119 2. client-enterprise. Client computer on the enterprise
3120 network.
3122 3. client-partner. Client computer on network of a partner.
3124 4. client-remote. Client computer remotely connected to the
3125 enterprise network.
3127 5. client-kiosk. Client computer serving as a kiosk.
3129 6. client-mobile. Mobile device.
3131 7. server-internal. Server with internal services.
3133 8. server-public. Server with public services.
3135 9. www. WWW server.
3137 10. mail. Mail server.
3139 11. webmail. Web mail server.
3141 12. messaging. Messaging server (e.g., NNTP, IRC, IM).
3143 13. streaming. Streaming-media server.
3145 14. voice. Voice server (e.g., SIP, H.323).
3147 15. file. File server.
3149 16. ftp. FTP server.
3151 17. p2p. Peer-to-peer node.
3153 18. name. Name server (e.g., DNS, WINS).
3155 19. directory. Directory server (e.g., LDAP, finger, whois).
3157 20. credential. Credential server (e.g., domain controller,
3158 Kerberos).
3160 21. print. Print server.
3162 22. application. Application server.
3164 23. database. Database server.
3166 24. backup. Backup server.
3168 25. dhcp. DHCP server.
3170 26. assessment. Assessment server (e.g., vulnerability scanner,
3171 end-point assessment).
3173 27. source-control. Source code control server.
3175 28. config-management. Configuration management server.
3177 29. monitoring. Security monitoring server (e.g., IDS).
3179 30. infra. Infrastructure server (e.g., router, firewall, DHCP).
3181 31. infra-firewall. Firewall.
3183 32. infra-router. Router.
3185 33. infra-switch. Switch.
3187 34. camera. Camera and video system.
3189 35. proxy. Proxy server.
3191 36. remote-access. Remote access server.
3193 37. log. Log server (e.g., syslog).
3195 38. virtualization. Server running virtual machines.
3197 39. pos. Point-of-sale device.
3199 40. scada. Supervisory control and data acquisition (SCADA)
3200 system.
3202 41. scada-supervisory. Supervisory system for a SCADA.
3204 42. sinkhole. Traffic sinkhole destination.
3206 43. honeypot. Honeypot server.
3208 44. anonymization. Anonymization server (e.g., Tor node).
3210 45. c2-server. Malicious command and control server.
3212 46. malware-distribution. Server that distributes malware.
3214 47. drop-server. Server to which exfiltrated content is
3215 uploaded.
3217 48. hop-point. Intermediary server used to get to a victim.
3219 49. reflector. A system used in a reflector attack.
3221 50. phishing-site. Site hosting phishing content.
3223 51. spear-phishing-site. Site hosting spear-phishing content.
3225 52. recruiting-site. Site to recruit.
3227 53. fraudulent-site. Fraudulent site.
3229 54. ext-value. A value used to indicate that this attribute is
3230 extended and the actual value is provided using the
3231 corresponding ext-* attribute. See Section 5.1.1.
3233 ext-category
3234 Optional. STRING. A means by which to extend the category
3235 attribute. See Section 5.1.1.
3237 3.18.3. Counter Class
3239 The Counter class summarizes multiple occurrences of an event or
3240 conveys counts or rates of various features.
3242 The complete semantics of this class are context dependent based on
3243 the class in which it is aggregated.
3245 +---------------------+
3246 |       Counter       |
3247 +---------------------+
3248 | REAL                |
3249 |                     |
3250 | ENUM type           |
3251 | STRING ext-type     |
3252 | ENUM unit           |
3253 | STRING ext-unit     |
3254 | STRING meaning      |
3255 | ENUM duration       |
3256 | STRING ext-duration |
3257 +---------------------+
3259 Figure 37: The Counter Class
3261 The content of the class is a value of type REAL whose meaning and
3262 units are determined by the type and duration attributes,
3263 respectively. If the duration attribute is present, the element
3264 content is a rate. Otherwise, it is a simple counter.
3266 The attributes of the Counter class are:
3268 type
3269 Required. ENUM. Specifies the type of counter specified in the
3270 element content. These values are maintained in the "Counter-
3271 type" IANA registry per Section 10.2.
3273 1. count. The Counter class value is a counter.
3275 2. peak. The Counter class value is a peak value.
3277 3. average. The Counter class value is an average.
3279 4. ext-value. A value used to indicate that this attribute is
3280 extended and the actual value is provided using the
3281 corresponding ext-* attribute. See Section 5.1.1.
3283 ext-type
3284 Optional. STRING. A means by which to extend the type attribute.
3285 See Section 5.1.1.
3287 unit
3288 Required. ENUM. Specifies the units of the element content.
3289 These values are maintained in the "Counter-unit" IANA registry
3290 per Section 10.2.
3292 1. byte. Bytes transferred.
3294 2. mbit. Megabits (Mbits) transferred.
3296 3. packet. Packets.
3298 4. flow. Network flow records.
3300 5. session. Sessions.
3302 6. alert. Notifications generated by another system (e.g., IDS
3303 or SIM).
3305 7. message. Messages (e.g., mail messages).
3307 8. event. Events.
3309 9. host. Hosts.
3311 10. site. Site.
3313 11. organization. Organizations.
3315 12. ext-value. A value used to indicate that this attribute is
3316 extended and the actual value is provided using the
3317 corresponding ext-* attribute. See Section 5.1.1.
3319 ext-unit
3320 Optional. STRING. A means by which to extend the unit attribute.
3321 See Section 5.1.1.
3323 meaning
3324 Optional. STRING. A free-form text description of the metric
3325 represented by the Counter.
3327 duration
3328 Optional. ENUM. If present, the Counter class represents a rate.
3329 This attribute specifies the unit of time over which the rate whose
3330 units are specified in the unit attribute is being conveyed. This
3331 attribute is the denominator of the rate (where the unit
3332 attribute specifies the numerator). The possible values of this
3333 attribute are defined in the duration attribute of Section 3.12.3.
3335 ext-duration
3336 Optional. STRING. A means by which to extend the duration
3337 attribute. See Section 5.1.1.
3339 3.19. DomainData Class
3341 The DomainData class describes a domain name and meta-data associated
3342 with this domain.
3344 +--------------------------+
3345 |        DomainData        |
3346 +--------------------------+
3347 | ENUM system-status       |<>----------[ Name ]
3348 | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
3349 | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
3350 | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
3351 | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
3352 |                          |<>--{0..*}--[ Nameservers ]
3353 |                          |<>--{0..1}--[ DomainContacts ]
3354 +--------------------------+
3356 Figure 38: The DomainData Class
3358 The aggregate classes of the DomainData class are:
3360 Name
3361 One. STRING. The domain name of a system.
3363 DateDomainWasChecked
3364 Zero or one. DATETIME. A timestamp of when the domain listed in
3365 the Name class was resolved.
3367 RegistrationDate
3368 Zero or one. DATETIME. A timestamp of when domain listed in Name
3369 class was registered.
3371 ExpirationDate
3372 Zero or one. DATETIME. A timestamp of when the domain listed in
3373 Name class is set to expire.
3375 RelatedDNS
3376 Zero or more. EXTENSION. Additional DNS records associated with
3377 this domain.
3379 Nameservers
3380 Zero or more. The name servers identified for the domain listed
3381 in Name class. See Section 3.19.1.
3383 DomainContacts
3384 Zero or one. Contact information for the domain listed in Name
3385 class supplied by the registrar or through a whois query.
3387 The attributes of the DomainData class are:
3389 system-status
3390 Required. ENUM. Assesses the domain's involvement in the event.
3391 These values are maintained in the "DomainData-system-status" IANA
3392 registry per Section 10.2.
3394 1. spoofed. This domain was spoofed.
3396 2. fraudulent. This domain was operated with fraudulent
3397 intentions.
3399 3. innocent-hacked. This domain was compromised by a third
3400 party.
3402 4. innocent-hijacked. This domain was deliberately hijacked.
3404 5. unknown. No categorization for this domain known.
3406 6. ext-value. A value used to indicate that this attribute is
3407 extended and the actual value is provided using the
3408 corresponding ext-* attribute. See Section 5.1.1.
3410 ext-system-status
3411 Optional. STRING. A means by which to extend the system-status
3412 attribute. See Section 5.1.1.
3414 domain-status
3415 Required. ENUM. Categorizes the registry status of the domain at
3416 the time the document was generated. These values and their
3417 associated descriptions are derived from Section 3.2.2 of
3418 [RFC3982]. These values are maintained in the "DomainData-domain-
3419 status" IANA registry per Section 10.2.
3421 1. reservedDelegation. The domain is permanently inactive.
3423 2. assignedAndActive. The domain is in a normal state.
3425 3. assignedAndInactive. The domain has an assigned registration
3426 but the delegation is inactive.
3428 4. assignedAndOnHold. The domain is in dispute.
3430 5. revoked. The domain is in the process of being purged from
3431 the database.
3433 6. transferPending. The domain is pending a change in
3434 authority.
3436 7. registryLock. The domain is on hold by the registry.
3438 8. registrarLock. Same as "registryLock".
3440 9. other. The domain has a known status but it is not one of
3441 the predefined enumerated values.
3443 10. unknown. The domain has an unknown status.
3445 11. ext-value. A value used to indicate that this attribute is
3446 extended and the actual value is provided using the
3447 corresponding ext-* attribute. See Section 5.1.1.
3449 ext-domain-status
3450 Optional. STRING. A means by which to extend the domain-status
3451 attribute. See Section 5.1.1.
3453 observable-id
3454 Optional. ID. See Section 3.3.2.
3456 3.19.1. Nameservers Class
3458 The Nameservers class describes the name servers associated with a
3459 given domain.
3461 +--------------------+
3462 |    Nameservers     |
3463 +--------------------+
3464 |                    |<>----------[ Server ]
3465 |                    |<>--{1..*}--[ Address ]
3466 +--------------------+
3468 Figure 39: The Nameservers Class
3470 The aggregate classes of the Nameservers class are:
3472 Server
3473 One. STRING. The domain name of the name server.
3475 Address
3476 One or more. The address of the name server. The value of the
3477 category attribute MUST be either "ipv4-addr" or "ipv6-addr". See
3478 Section 3.18.1.
3480 The Nameservers class has no attributes.
3482 3.19.2. DomainContacts Class
3484 The DomainContacts class describes the contact information for a
3485 given domain provided either by the registrar or through a whois
3486 query.
3488 This contact information can be explicitly described through a
3489 Contact class or a reference can be provided to a domain with
3490 identical contact information. Either a single SameDomainContact
3491 MUST be present or one or more Contact classes.
3493 +--------------------+
3494 |   DomainContacts   |
3495 +--------------------+
3496 |                    |<>--{0..1}--[ SameDomainContact ]
3497 |                    |<>--{1..*}--[ Contact ]
3498 +--------------------+
3500 Figure 40: The DomainContacts Class
3502 The aggregate classes of the DomainContacts class are:
3504 SameDomainContact
3505 Zero or one. STRING. A domain name already cited in this
3506 document or through a previous exchange that contains the identical
3507 contact information as the domain name in question. The domain
3508 contact information associated with this domain should be used
3509 instead of an explicit definition with the Contact class.
3511 Contact
3512 One or more. Contact information for the domain. See
3513 Section 3.9.
3515 The DomainContacts class has no attributes.
3517 3.20. Service Class
3519 The Service class describes a network service. The service is
3520 described by protocol, port, protocol header field and application
3521 providing or using the service.
3523 +-------------------------+
3524 |         Service         |
3525 +-------------------------+
3526 | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName ]
3527 | ID observable-id        |<>--{0..1}--[ Port ]
3528 |                         |<>--{0..1}--[ Portlist ]
3529 |                         |<>--{0..1}--[ ProtoCode ]
3530 |                         |<>--{0..1}--[ ProtoType ]
3531 |                         |<>--{0..1}--[ ProtoField ]
3532 |                         |<>--{0..1}--[ ApplicationHeader ]
3533 |                         |<>--{0..1}--[ EmailData ]
3534 |                         |<>--{0..1}--[ Application ]
3535 +-------------------------+
3537 Figure 41: The Service Class
3539 The aggregate classes of the Service class are:
3541 ServiceName
3542 Zero or one. A protocol name.
3544 Port
3545 Zero or one. INTEGER. A port number.
3547 Portlist
3548 Zero or one. PORTLIST. A list of port numbers.
3550 ProtoCode
3551 Zero or one. INTEGER. A transport layer (layer 4) protocol-
3552 specific code field (e.g., ICMP code field).
3554 ProtoType
3555 Zero or one. INTEGER. A transport layer (layer 4)
3556 protocol-specific type field (e.g., ICMP type field).
3558 ProtoField
3559 Zero or one. INTEGER. A transport layer (layer 4)
3560 protocol-specific flag field (e.g., TCP flag field).
3562 ApplicationHeader
3563 Zero or one. A protocol header. See Section 3.20.2.
3565 EmailData
3566 Zero or one. Headers associated with an email message. See
3567 Section 3.21.
3569 Application
3570 Zero or one. SOFTWARE. The application acting as either the
3571 client or server for the service.
3573 At least one of these classes MUST be present.
3575 When a given System class with category="source" and another with
3576 category="target" are aggregated into a single Flow class, and each
3577 of these System classes has a Service and Portlist class, an implicit
3578 relationship between these Portlists exists. If N ports are listed
3579 for a System@category="source", and M ports are listed for
3580 System@category="target", the number of ports in N must be equal to
3581 M. Likewise, the ports MUST be listed in an identical sequence such
3582 that the n-th port in the source corresponds to the n-th port of the
3583 target. If N is greater than 1, a given instance of a Flow class
3584 MUST only have a single instance of a System@category="source" and
3585 System@category="target".
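The implicit Portlist pairing above, together with the rule below that ip-protocol MUST be set whenever a Port or Portlist is present, checked over constructed Flow fragments in an added Python example that is not part of the draft. The PORTLIST syntax (comma-separated ports and N-M ranges) is assumed from the IODEF data type definition rather than taken from this section.

```python
import re
import xml.etree.ElementTree as ET

PORTLIST_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def expand_portlist(text):
    """'80,443,6667-6669' -> [80, 443, 6667, 6668, 6669]."""
    text = text.strip()
    if not PORTLIST_RE.match(text):
        raise ValueError(f"malformed PORTLIST {text!r}")
    ports = []
    for item in text.split(","):
        low, _, high = item.partition("-")
        low, high = int(low), int(high or low)
        if low > high or high > 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.extend(range(low, high + 1))
    return ports


def system_ports(system):
    """Ports of a System's Service (Portlist, else Port); None if it has none.

    Raises ValueError when ports are listed without ip-protocol, which the
    draft requires whenever Port or Portlist is present.
    """
    service = system.find("Service")
    if service is None:
        return None
    portlist = service.findtext("Portlist")
    port = service.findtext("Port")
    if portlist is None and port is None:
        return None
    if service.get("ip-protocol") is None:
        raise ValueError("Port/Portlist present but ip-protocol is not set")
    return expand_portlist(portlist) if portlist is not None else [int(port)]


def pair_flow_ports(flow):
    """Pair source ports with target ports positionally; raise on violations."""
    systems = flow.findall("System")
    sources = [s for s in systems if s.get("category") == "source"]
    targets = [s for s in systems if s.get("category") == "target"]
    src_lists = [p for p in map(system_ports, sources) if p is not None]
    dst_lists = [p for p in map(system_ports, targets) if p is not None]
    if not src_lists or not dst_lists:
        return []  # no implicit relationship unless both sides list ports
    lengths = {len(p) for p in src_lists + dst_lists}
    if len(lengths) != 1:
        raise ValueError("source and target port counts differ")
    n = lengths.pop()
    if n > 1:
        if len(sources) != 1 or len(targets) != 1:
            raise ValueError("N > 1 requires exactly one source and one target System")
        return list(zip(src_lists[0], dst_lists[0]))  # n-th source <-> n-th target
    # With one port per side the draft adds no further constraint; relating
    # every source port to every target port is this example's assumption.
    return [(s[0], t[0]) for s in src_lists for t in dst_lists]


# Constructed, namespace-free Flow fragments.
GOOD_FLOW = """<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.50</Address></Node>
    <Service ip-protocol="6"><Portlist>40000-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.7</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

MISMATCHED_FLOW = """<Flow>
  <System category="source"><Service ip-protocol="6"><Portlist>40000-40002</Portlist></Service></System>
  <System category="target"><Service ip-protocol="6"><Portlist>22,80</Portlist></Service></System>
</Flow>"""

NO_PROTOCOL_FLOW = """<Flow>
  <System category="source"><Service><Port>40000</Port></Service></System>
  <System category="target"><Service ip-protocol="6"><Port>22</Port></Service></System>
</Flow>"""


def pair_sample():
    """Pairs for the well-formed constructed Flow."""
    return pair_flow_ports(ET.fromstring(GOOD_FLOW))


def flow_error(xml):
    """Return the violation message for a Flow fragment, or None if it passes."""
    try:
        pair_flow_ports(ET.fromstring(xml))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(pair_sample())
    print(flow_error(MISMATCHED_FLOW))
    print(flow_error(NO_PROTOCOL_FLOW))
```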
3587 The attributes of the Service class are:
3589 ip-protocol
3590 Optional. INTEGER. The IANA assigned IP protocol number per
3591 [IANA.Protocols]. The attribute MUST be set if a Port, Portlist,
3592 ProtoCode, ProtoType, or ProtoField class is present.
3594 observable-id
3595 Optional. ID. See Section 3.3.2.
3597 3.20.1. ServiceName Class
3599 The ServiceName class identifies an application protocol. It can be
3600 described by referencing an IANA registered protocol, a URL or with
3601 free-form text.
3603 +--------------------+
3604 |    ServiceName     |
3605 +--------------------+
3606 |                    |<>--{0..1}--[ IANAService ]
3607 |                    |<>--{0..*}--[ URL ]
3608 |                    |<>--{0..*}--[ Description ]
3609 +--------------------+
3611 Figure 42: The ServiceName Class
3613 The aggregate classes of the ServiceName class are:
3615 IANAService
3616 Zero or one. STRING. The name of the service per the "Service
3617 Name" field of the [IANA.Ports] registry.
3619 URL
3620 Zero or more. URL. A URL to a resource describing the service.
3622 Description
3623 Zero or more. ML_STRING. A free-form text description of the
3624 service.
3626 At least one of these classes MUST be present.
3628 The ServiceName class has no attributes.
3630 3.20.2. ApplicationHeader Class
3632 The ApplicationHeader class describes arbitrary fields from a
3633 protocol header and their corresponding values.
3635 +--------------------------+
3636 |    ApplicationHeader     |
3637 +--------------------------+
3638 |                          |<>--{1..*}--[ ApplicationHeaderField ]
3639 +--------------------------+
3641 Figure 43: The ApplicationHeader Class
3643 The aggregate class of the ApplicationHeader class is:
3645 ApplicationHeaderField
3646 One or more. EXTENSION. A field name and value in a protocol
3647 header. The 'name' attribute MUST be set to the field name. The
3648 field value MUST be set in the element content.
3650 The ApplicationHeader class has no attributes.
3652 3.21. EmailData Class
3654 The EmailData class describes headers from an email message and
3655 cryptographic hashes and signatures applied to it.
3657 +-------------------------+
3658 |        EmailData        |
3659 +-------------------------+
3660 | ID observable-id        |<>--{0..*}--[ EmailTo ]
3661 |                         |<>--{0..1}--[ EmailFrom ]
3662 |                         |<>--{0..1}--[ EmailSubject ]
3663 |                         |<>--{0..1}--[ EmailX-Mailer ]
3664 |                         |<>--{0..*}--[ EmailHeaderField ]
3665 |                         |<>--{0..1}--[ EmailHeaders ]
3666 |                         |<>--{0..1}--[ EmailBody ]
3667 |                         |<>--{0..1}--[ EmailMessage ]
3668 |                         |<>--{0..*}--[ HashData ]
3669 |                         |<>--{0..*}--[ SignatureData ]
3670 +-------------------------+
3672 Figure 44: EmailData Class
3674 The aggregate classes of the EmailData class are:
3676 EmailTo
3677 Zero or more. EMAIL. The value of the "To:" header field
3678 (Section 3.6.3 of [RFC5322]) in an email.
3680 EmailFrom
3681 Zero or one. EMAIL. The value of the "From:" header field
3682 (Section 3.6.2 of [RFC5322]) in an email.
3684 EmailSubject
3685 Zero or one. STRING. The value of the "Subject:" header field in
3686 an email. See Section 3.6.4 of [RFC5322].
3688 EmailX-Mailer
3689 Zero or one. STRING. The value of the "X-Mailer:" header field
3690 in an email.
3692 EmailHeaderField
3693 Zero or more. EXTENSION. The header name and value of an
3694 arbitrary header field of the email message. The 'name' attribute
3695 MUST be set to the header name. The header value MUST be set in the
3696 element body. The dtype attribute MUST be set to "string".
3698 EmailHeaders
3699 Zero or one. STRING. The headers of an email message.
3701 EmailBody
3702 Zero or one. STRING. The body of an email message.
3704 EmailMessage
3705 Zero or one. STRING. The headers and body of an email message.
3707 HashData
3708 Zero or more. Hash(es) associated with this email message. See
3709 Section 3.26.
3711 SignatureData
3712 Zero or more. Signature(s) associated with this email message.
3713 See Section 3.27.
3715 The attribute of the EmailData class is:
3717 observable-id
3718 Optional. ID. See Section 3.3.2.
3720 3.22. Record Class
3722 The Record class is a container class for log and audit data that
3723 provides supportive information about the events in an incident. The
3724 source of this data will often be the output of monitoring tools.
3725 These logs substantiate the activity described in the document.
3727 +------------------------+
3728 | Record |
3729 +------------------------+
3730 | ENUM restriction |<>--{1..*}--[ RecordData ]
3731 | STRING ext-restriction |
3732 +------------------------+
3734 Figure 45: Record Class
3736 The aggregate classes of the Record class are:
3738 RecordData
3739 One or more. Log or audit data generated by a particular tool.
3740 Separate instances of the RecordData class SHOULD be used for each
3741 type of log. See Section 3.22.1.
3743 The attributes of the Record class are:
3745 restriction
3746 Optional. ENUM. See Section 3.3.1.
3748 ext-restriction
3749 Optional. STRING. A means by which to extend the restriction
3750 attribute. See Section 5.1.1.
3752 3.22.1. RecordData Class
3754 The RecordData class describes or references log or audit data from a
3755 given type of tool and provides a means to annotate the output.
3757 +------------------------+
3758 | RecordData |
3759 +------------------------+
3760 | ENUM restriction |<>--{0..1}--[ DateTime ]
3761 | STRING ext-restriction |<>--{0..*}--[ Description ]
3762 | ID observable-id |<>--{0..1}--[ Application ]
3763 | |<>--{0..*}--[ RecordPattern ]
3764 | |<>--{0..*}--[ RecordItem ]
3765 | |<>--{0..*}--[ URL ]
3766 | |<>--{0..*}--[ FileData ]
3767 | |<>--{0..*}--
3768 | | [ WindowsRegistryKeysModified ]
3769 | |<>--{0..*}--[ CertificateData ]
3770 | |<>--{0..*}--[ AdditionalData ]
3771 +------------------------+
3773 Figure 46: The RecordData Class
3775 The aggregate classes of the RecordData class are:
3777 DateTime
3778 Zero or one. DATETIME. A timestamp of the data found in the
3779 RecordItem or URL classes.
3781 Description
3782 Zero or more. ML_STRING. A free-form text description of the
3783 data provided in the RecordItem or URL classes.
3785 Application
3786 Zero or one. SOFTWARE. Identifies the tool used to generate the
3787 data in the RecordItem or URL classes.
3789 RecordPattern
3790 Zero or more. A search string to precisely find the relevant data
3791 in the RecordItem or URL classes. See Section 3.22.2.
3793 RecordItem
3794 Zero or more. EXTENSION. Log, audit, or forensic data to support
3795 the conclusions made during the course of analyzing the incident.
3797 URL
3798 Zero or more. URL. A URL reference to a log or audit data.
3800 FileData
3801 Zero or more. The files involved in the incident. See
3802 Section 3.25.
3804 WindowsRegistryKeysModified
3805 Zero or more. The registry keys that were involved in the
3806 incident. See Section 3.23.
3808 CertificateData
3809 Zero or more. The certificates that were involved in the
3810 incident. See Section 3.24.
3812 AdditionalData
3813 Zero or more. EXTENSION. An extension mechanism for data not
3814 explicitly represented in the data model.
3816 At least one of the following classes MUST be present: RecordItem,
3817 URL, FileData, WindowsRegistryKeysModified, CertificateData or
3818 AdditionalData.
3820 The attributes of the RecordData class are:
3822 restriction
3823 Optional. ENUM. See Section 3.3.1.
3825 ext-restriction
3826 Optional. STRING. A means by which to extend the restriction
3827 attribute. See Section 5.1.1.
3829 observable-id
3830 Optional. ID. See Section 3.3.2.
3832 3.22.2. RecordPattern Class
3834 The RecordPattern class describes where in the log data provided or
3835 referenced in the RecordData class relevant information can be found. It
3836 provides a way to reference subsets of information, identified by a
3837 pattern, in a large log file, audit trail, or forensic data.
3839 +-----------------------+
3840 | RecordPattern |
3841 +-----------------------+
3842 | STRING |
3843 | |
3844 | ENUM type |
3845 | STRING ext-type |
3846 | INTEGER offset |
3847 | ENUM offsetunit |
3848 | STRING ext-offsetunit |
3849 | INTEGER instance |
3850 +-----------------------+
3852 Figure 47: The RecordPattern Class
3854 The content of the class is of type STRING and specifies a search
3855 pattern.
3857 The attributes of the RecordPattern class are:
3859 type
3860 Required. ENUM. Describes the type of pattern being specified in
3861 the element content. The default is "regex". These values are
3862 maintained in the "RecordPattern-type" IANA registry per
3863 Section 10.2.
3865 1. regex. A regular expression as defined by POSIX Extended
3866 Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
3868 2. binary. A Binhex-encoded binary pattern, per the HEXBIN data
3869 type.
3871 3. xpath. An XML Path (XPath) expression [W3C.XPATH].
3873 4. ext-value. A value used to indicate that this attribute is
3874 extended and the actual value is provided using the
3875 corresponding ext-* attribute. See Section 5.1.1.
3877 ext-type
3878 Optional. STRING. A means by which to extend the type attribute.
3879 See Section 5.1.1.
3881 offset
3882 Optional. INTEGER. Amount of units (determined by the offsetunit
3883 attribute) to seek into the RecordItem data before matching the
3884 pattern.
3886 offsetunit
3887 Optional. ENUM. Describes the units of the offset attribute.
3888 The default is "line". These values are maintained in the
3889 "RecordPattern-offsetunit" IANA registry per Section 10.2.
3891 1. line. Offset is a count of lines.
3893 2. byte. Offset is a count of bytes.
3895 3. ext-value. A value used to indicate that this attribute is
3896 extended and the actual value is provided using the
3897 corresponding ext-* attribute. See Section 5.1.1.
3899 ext-offsetunit
3900 Optional. STRING. A means by which to extend the offsetunit
3901 attribute. See Section 5.1.1.
3903 instance
3904 Optional. INTEGER. Number of times to apply the specified
3905 pattern.
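As an added example that is not part of the draft, the following Python applies the RecordPattern elements of a RecordData fragment to its RecordItem content, honouring the type (regex and binary), offset, offsetunit and instance attributes described above. The XML fragment and the log lines in it are constructed for illustration and are parsed without a namespace; xpath and ext-value patterns are rejected rather than guessed at.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed RecordData fragment (no namespace) with sample log lines; the
# element and attribute names follow the RecordData and RecordPattern classes.
SAMPLE_RECORDDATA = """<RecordData>
<RecordItem dtype="string">2015-06-11T00:38:31-06:00 sshd[101]: Accepted password for alice from 192.0.2.7
2015-06-11T00:38:40-06:00 sshd[102]: Failed password for root from 192.0.2.9
2015-06-11T00:38:41-06:00 sshd[103]: Failed password for root from 192.0.2.9
2015-06-11T00:38:42-06:00 sshd[104]: Failed password for admin from 192.0.2.9</RecordItem>
<RecordPattern type="regex" offset="1" offsetunit="line" instance="2">Failed password for [a-z]+ from 192\\.0\\.2\\.9</RecordPattern>
<RecordPattern type="binary" offset="0" offsetunit="byte">726f6f74</RecordPattern>
</RecordData>"""


def seek(data: bytes, offset: int, unit: str) -> bytes:
    """Skip 'offset' units of RecordItem data before matching (offsetunit: line or byte)."""
    if offset <= 0:
        return data
    if unit == "byte":
        return data[offset:]
    if unit == "line":
        pos = 0
        for _ in range(offset):
            nl = data.find(b"\n", pos)
            if nl < 0:          # fewer lines than the offset asks for: nothing left to match
                return b""
            pos = nl + 1
        return data[pos:]
    raise ValueError(f"unsupported offsetunit {unit!r}")


def apply_record_pattern(data: bytes, pattern: str, ptype: str = "regex",
                         offset: int = 0, offsetunit: str = "line",
                         instance: Optional[int] = None) -> List[bytes]:
    """Return the matches of one RecordPattern against RecordItem data.

    instance caps how many matches are returned; None means all of them."""
    region = seek(data, offset, offsetunit)
    if ptype == "regex":
        # Python's re accepts the POSIX ERE subset used in practice; engines differ
        # on edge cases (POSIX classes, leftmost-longest), so keep patterns simple.
        rx = re.compile(pattern.encode("utf-8"))
        hits = [m.group(0) for m in rx.finditer(region)]
    elif ptype == "binary":
        # HEXBIN content: hex digits encoding the raw byte sequence to look for
        needle = bytes.fromhex(pattern)
        if not needle:
            raise ValueError("empty binary pattern")
        hits, pos = [], region.find(needle)
        while pos >= 0:
            hits.append(region[pos:pos + len(needle)])
            pos = region.find(needle, pos + 1)
    else:
        raise ValueError(f"pattern type {ptype!r} not handled here (xpath, ext-value)")
    return hits if instance is None else hits[:instance]


def patterns_from_recorddata(xml_text: str) -> List[List[bytes]]:
    """Apply every RecordPattern in a RecordData fragment to its RecordItem content."""
    root = ET.fromstring(xml_text)
    item = root.find("RecordItem")
    data = (item.text if item is not None and item.text else "").encode("utf-8")
    results = []
    for rp in root.findall("RecordPattern"):
        inst = rp.get("instance")
        results.append(apply_record_pattern(
            data, (rp.text or "").strip(),
            ptype=rp.get("type", "regex"),            # default per the draft
            offset=int(rp.get("offset", "0")),
            offsetunit=rp.get("offsetunit", "line"),  # default per the draft
            instance=int(inst) if inst is not None else None))
    return results


if __name__ == "__main__":
    for hits in patterns_from_recorddata(SAMPLE_RECORDDATA):
        print(len(hits), "match(es):", [h.decode() for h in hits])
```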
3907 3.23. WindowsRegistryKeysModified Class
3909 The WindowsRegistryKeysModified class describes Windows operating
3910 system registry keys and the operations that were performed on them.
3911 This class was derived from [RFC5901].
3913 +-----------------------------+
3914 | WindowsRegistryKeysModified |
3915 +-----------------------------+
3916 | ID observable-id |<>--{1..*}--[ Key ]
3917 +-----------------------------+
3919 Figure 48: The WindowsRegistryKeysModified Class
3921 The aggregate classes of the WindowsRegistryKeysModified class are:
3923 Key
3924 One or more. The Windows registry key. See Section 3.23.1.
3926 The attribute of the WindowsRegistryKeysModified class is:
3928 observable-id
3929 Optional. ID. See Section 3.3.2.
3931 3.23.1. Key Class
3933 The Key class describes a Windows operating system registry key name
3934 and value pair, and the operation performed on it.
3936 +---------------------------+
3937 | Key |
3938 +---------------------------+
3939 | ENUM registryaction |<>----------[ KeyName ]
3940 | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
3941 | ID observable-id |
3942 +---------------------------+
3944 Figure 49: The Key Class
3946 The aggregate classes of the Key class are:
3948 KeyName
3949 One. STRING. The name of a Windows operating system registry key
3950 (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
3952 KeyValue
3953 Zero or one. STRING. The value of the registry key identified in
3954 the KeyName class encoded per the .reg file format [KB310516].
3956 The attributes of the Key class are:
3958 registryaction
3959 Optional. ENUM. The type of action taken on the registry key.
3960 These values are maintained in the "Key-registryaction" IANA
3961 registry per Section 10.2.
3963 1. add-key. Registry key added.
3965 2. add-value. Value added to a registry key.
3967 3. delete-key. Registry key deleted.
3969 4. delete-value. Value deleted from a registry key.
3971 5. modify-key. Registry key modified.
3973 6. modify-value. Value modified in a registry key.
3975 7. ext-value. A value used to indicate that this attribute is
3976 extended and the actual value is provided using the
3977 corresponding ext-* attribute. See Section 5.1.1.
3979 ext-registryaction
3980 Optional. STRING. A means by which to extend the registryaction
3981 attribute. See Section 5.1.1.
3983 observable-id
3984 Optional. ID. See Section 3.3.2.
3986 3.24. CertificateData Class
3988 The CertificateData class describes X.509 certificates.
3990 +------------------------+
3991 | CertificateData |
3992 +------------------------+
3993 | ENUM restriction |<>--{1..*}--[ Certificate ]
3994 | STRING ext-restriction |
3995 | ID observable-id |
3996 +------------------------+
3998 Figure 50: The CertificateData Class
4000 The aggregate classes of the CertificateData class are:
4002 Certificate
4003 One or more. A description of an X.509 certificate or certificate
4004 chain. See Section 3.24.1.
4006 The attributes of the CertificateData class are:
4008 restriction
4009 Optional. ENUM. See Section 3.3.1.
4011 ext-restriction
4012 Optional. STRING. A means by which to extend the restriction
4013 attribute. See Section 5.1.1.
4015 observable-id
4016 Optional. ID. See Section 3.3.2.
4018 3.24.1. Certificate Class
4020 The Certificate class describes a given X.509 certificate or
4021 certificate chain.
4023 +--------------------------+
4024 | Certificate |
4025 +--------------------------+
4026 | ID observable-id |<>----------[ ds:X509Data ]
4027 | |<>--{0..*}--[ Description ]
4028 +--------------------------+
4030 Figure 51: The Certificate Class
4032 The aggregate classes of the Certificate class are:
4034 ds:X509Data
4035 One. A given X.509 certificate or chain. See Section 4.4.4 of
4036 [W3C.XMLSIG].
4038 Description
4039 Zero or more. ML_STRING. A free-form text description explaining
4040 the context of this certificate.
4042 The attributes of the Certificate class are:
4044 observable-id
4045 Optional. ID. See Section 3.3.2.
4047 3.25. FileData Class
4049 The FileData class describes a file or set of files.
4051 +------------------------+
4052 | FileData |
4053 +------------------------+
4054 | ENUM restriction |<>--{1..*}--[ File ]
4055 | STRING ext-restriction |
4056 | ID observable-id |
4057 +------------------------+
4059 Figure 52: The FileData Class
4061 The aggregate classes of the FileData class are:
4063 File
4064 One or more. A description of a file. See Section 3.25.1.
4066 The attributes of the FileData class are:
4068 restriction
4069 Optional. ENUM. See Section 3.3.1.
4071 ext-restriction
4072 Optional. STRING. A means by which to extend the restriction
4073 attribute. See Section 5.1.1.
4075 observable-id
4076 Optional. ID. See Section 3.3.2.
4078 3.25.1. File Class
4080 The File class describes a file, its associated metadata, and the
4081 cryptographic hashes and signatures applied to it.
4083 +-----------------------+
4084 | File |
4085 +-----------------------+
4086 | ID observable-id |<>--{0..1}--[ FileName ]
4087 | |<>--{0..1}--[ FileSize ]
4088 | |<>--{0..1}--[ FileType ]
4089 | |<>--{0..*}--[ URL ]
4090 | |<>--{0..1}--[ HashData ]
4091 | |<>--{0..1}--[ SignatureData ]
4092 | |<>--{0..1}--[ AssociatedSoftware ]
4093 | |<>--{0..*}--[ FileProperties ]
4094 +-----------------------+
4096 Figure 53: The File Class
4098 The aggregate classes of the File class are:
4100 FileName
4101 Zero or one. STRING. The name of the file.
4103 FileSize
4104 Zero or one. INTEGER. The size of the file in bytes.
4106 FileType
4107 Zero or one. STRING. The type of file per the IANA Media Types
4108 Registry [IANA.Media]. Valid values correspond to the text in the
4109 "Template" column (e.g., "application/pdf").
4111 URL
4112 Zero or more. URL. A URL reference to the file.
4114 HashData
4115 Zero or one. Hash(es) associated with this file. See
4116 Section 3.26.
4118 SignatureData
4119 Zero or one. Signature(s) associated with this file. See
4120 Section 3.27.
4122 AssociatedSoftware
4123 Zero or one. SOFTWARE. The software application or operating
4124 system to which this file belongs or by which it can be processed.
4126 FileProperties
4127 Zero or more. EXTENSION. Mechanism by which to extend the data
4128 model to describe properties of the file.
4130 The attributes of the File class are:
4132 observable-id
4133 Optional. ID. See Section 3.3.2.
4135 3.26. HashData Class
4137 The HashData class describes different types of hashes on a given
4138 object (e.g., file, part of a file, email).
4140 +--------------------------+
4141 | HashData |
4142 +--------------------------+
4143 | ENUM scope |<>--{0..1}--[ HashTargetID ]
4144 | |<>--{0..*}--[ Hash ]
4145 | |<>--{0..*}--[ FuzzyHash ]
4146 +--------------------------+
4148 Figure 54: The HashData Class
4150 The aggregate classes of the HashData class are:
4152 HashTargetID
4153 Zero or one. STRING. An identifier that references a subset of
4154 the object being hashed. The semantics of this identifier are
4155 specified by the scope attribute.
4157 Hash
4158 Zero or more. The hash of an object. See Section 3.26.1.
4160 FuzzyHash
4161 Zero or more. The fuzzy hash of an object. See Section 3.26.2.
4163 At least one instance of either Hash or FuzzyHash MUST be present.
4165 The attribute of the HashData class is:
4167 scope
4168 Required. ENUM. Describes on which part of the object the hash
4169 should be applied. These values are maintained in the "HashData-
4170 scope" IANA registry per Section 10.2.
4172 1. file-contents. A hash computed over the entire contents of a
4173 file.
4175 2. file-pe-section. A hash computed on a given section of a
4176 Windows Portable Executable (PE) file. If set to this value,
4177 the HashTargetID class MUST identify the section being hashed.
4178 A section is identified by an ordinal number (starting at 1)
4179 corresponding to the order in which the given section
4180 header was defined in the Section Table of the PE file header.
4182 3. file-pe-iat. A hash computed on the Import Address
4183 Table (IAT) of a PE file. As IAT hashes are often tool
4184 dependent, if this value is set, the Application class of
4185 either the Hash or FuzzyHash classes MUST specify the tool
4186 used to generate the hash.
4188 4. file-pe-resource. A hash computed on a given resource in a PE
4189 file. If set to this value, the HashTargetID class MUST
4190 identify the resource being hashed. A resource is identified
4191 by an ordinal number (starting at 1) corresponding to the
4192 order in which the given resource is declared in the Resource
4193 Directory of the Data Dictionary in the PE file header.
4195 5. file-pdf-object. A hash computed on a given object in a
4196 Portable Document Format (PDF) file. If set to this value,
4197 the HashTargetID class MUST identify the object being hashed.
4198 This object is identified by its offset in the PDF file.
4200 6. email-hash. A hash computed over the headers and body of an
4201 email message.
4203 7. email-headers-hash. A hash computed over all of the headers
4204 of an email message.
4206 8. email-body-hash. A hash computed over the body of an email
4207 message.
4209 9. ext-value. A value used to indicate that this attribute is
4210 extended and the actual value is provided using the
4211 corresponding ext-* attribute. See Section 5.1.1.
4213 ext-scope
4214 Optional. STRING. A means by which to extend the scope
4215 attribute. See Section 5.1.1.
4217 3.26.1. Hash Class
4219 The Hash class describes a cryptographic hash value; the algorithm
4220 and application used to generate it; and the canonicalization method
4221 applied to the object being hashed.
4223 +----------------+
4224 | Hash |
4225 +----------------+
4226 | |<>----------[ ds:DigestMethod ]
4227 | |<>----------[ ds:DigestValue ]
4228 | |<>--{0..1}--[ ds:CanonicalizationMethod ]
4229 | |<>--{0..1}--[ Application ]
4230 +----------------+
4232 Figure 55: The Hash Class
4234 The aggregate classes of the Hash class are:
4236 ds:DigestMethod
4237 One. The hash algorithm used to generate the hash. See
4238 Section 4.3.3.5 of [W3C.XMLSIG]
4240 ds:DigestValue
4241 One. The computed hash value. See Section 4.3.3.6 of
4242 [W3C.XMLSIG].
4244 ds:CanonicalizationMethod
4245 Zero or one. The canonicalization method used on the object being
4246 hashed. See Section 4.3.1 of [W3C.XMLSIG].
4248 Application
4249 Zero or one. SOFTWARE. The application used to calculate the
4250 hash.
4252 The Hash class has no attributes.
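An added example, not part of the draft, covering the three email scopes of HashData (Section 3.26) and the Hash class above: the Python below computes email-hash, email-headers-hash and email-body-hash over a constructed RFC 5322 message, emits the HashData/Hash structure with ds:DigestMethod and ds:DigestValue, and re-verifies it. SHA-256 (identified by its XML Signature algorithm URI) and the split of headers from body at the first empty line are this example's own choices; the draft leaves such canonicalization to ds:CanonicalizationMethod.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict

DS_NS = "http://www.w3.org/2000/09/xmldsig#"            # namespace of ds:DigestMethod/ds:DigestValue
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # XML Signature identifier for SHA-256

# Constructed message in RFC 5322 form with CRLF line endings.
SAMPLE_EMAIL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: invoice\r\n"
    b"X-Mailer: ExampleMailer/1.0\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
)


def split_message(raw: bytes):
    """Split at the first empty line: headers keep their final line break, body is the rest.

    Where the header block ends is a canonicalization choice; this example fixes one
    so that producer and consumer hash the same bytes."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx >= 0:
            return raw[:idx + len(sep) // 2], raw[idx + len(sep):]
    return raw, b""          # headers only, no body


def scope_bytes(scope: str, raw: bytes) -> bytes:
    """Select the part of the message a HashData@scope value covers."""
    headers, body = split_message(raw)
    if scope == "email-hash":
        return raw            # headers and body
    if scope == "email-headers-hash":
        return headers
    if scope == "email-body-hash":
        return body
    raise ValueError(f"scope {scope!r} is not an email scope")


def email_hashes(raw: bytes) -> Dict[str, str]:
    """Hex SHA-256 for each of the three email scopes."""
    return {s: hashlib.sha256(scope_bytes(s, raw)).hexdigest()
            for s in ("email-hash", "email-headers-hash", "email-body-hash")}


def hashdata_element(scope: str, raw: bytes) -> ET.Element:
    """Build <HashData scope=...><Hash><ds:DigestMethod/><ds:DigestValue/></Hash></HashData>."""
    hd = ET.Element("HashData", {"scope": scope})
    h = ET.SubElement(hd, "Hash")
    ET.SubElement(h, f"{{{DS_NS}}}DigestMethod", {"Algorithm": SHA256_URI})
    dv = ET.SubElement(h, f"{{{DS_NS}}}DigestValue")
    dv.text = base64.b64encode(hashlib.sha256(scope_bytes(scope, raw)).digest()).decode("ascii")
    return hd


def verify_hashdata(hd: ET.Element, raw: bytes) -> bool:
    """Recompute every Hash under a HashData for its scope and compare in constant time."""
    scope = hd.get("scope")
    hashes = hd.findall("Hash")
    if scope is None or not hashes:
        return False
    for h in hashes:
        method = h.find(f"{{{DS_NS}}}DigestMethod")
        value = h.find(f"{{{DS_NS}}}DigestValue")
        if method is None or value is None or method.get("Algorithm") != SHA256_URI:
            return False      # unknown or missing algorithm: treat as unverified, never guess
        expected = base64.b64encode(hashlib.sha256(scope_bytes(scope, raw)).digest()).decode("ascii")
        if not hmac.compare_digest((value.text or "").strip(), expected):
            return False
    return True


if __name__ == "__main__":
    for scope, digest in email_hashes(SAMPLE_EMAIL).items():
        print(f"{scope:20s} {digest}")
    el = hashdata_element("email-body-hash", SAMPLE_EMAIL)
    print(ET.tostring(el).decode(), verify_hashdata(el, SAMPLE_EMAIL))
```

A body-scoped hash survives header changes (a re-mailed copy) while an email-hash does not, which is the reason to record the scope with the digest.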
4254 3.26.2. FuzzyHash Class
4256 The FuzzyHash class describes a fuzzy hash and the application used
4257 to generate it.
4259 +--------------------------+
4260 | FuzzyHash |
4261 +--------------------------+
4262 | |<>--{1..*}--[ FuzzyHashValue ]
4263 | |<>--{0..1}--[ Application ]
4264 | |<>--{0..*}--[ AdditionalData ]
4265 +--------------------------+
4267 Figure 56: The FuzzyHash Class
4269 The aggregate classes of the FuzzyHash class are:
4271 FuzzyHashValue
4272 One or more. EXTENSION. The computed fuzzy hash value.
4274 Application
4275 Zero or one. SOFTWARE. The application used to calculate the
4276 hash.
4278 AdditionalData
4279 Zero or more. EXTENSION. Mechanism by which to extend the data
4280 model.
4282 The FuzzyHash class has no attributes.
4284 3.27. SignatureData Class
4286 The SignatureData class describes different types of digital
4287 signatures on an object.
4289 +--------------------------+
4290 | SignatureData |
4291 +--------------------------+
4292 | |<>--{1..*}--[ ds:Signature ]
4293 +--------------------------+
4295 Figure 57: The SignatureData Class
4297 The aggregate class of the SignatureData class is:
4299 ds:Signature
4300 One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
4302 The SignatureData class has no attributes.
4304 3.28. IndicatorData Class
4306 The IndicatorData class describes cyber indicators and meta-data
4307 associated with them.
4309 +--------------------------+
4310 | IndicatorData |
4311 +--------------------------+
4312 | |<>--{1..*}--[ Indicator ]
4313 +--------------------------+
4315 Figure 58: The IndicatorData Class
4317 The aggregate class of the IndicatorData class is:
4319 Indicator
4320 One or more. A description of an indicator. See Section 3.29.
4322 The IndicatorData class has no attributes.
4324 3.29. Indicator Class
4326 The Indicator class describes a cyber indicator. An indicator
4327 consists of observable features and phenomena that aid in the
4328 forensic or proactive detection of malicious activity, and associated
4329 meta-data. An indicator can be described outright, by referencing or
4330 composing previously defined indicators, or by referencing
4331 observables described in the incident report found in this document.
4333 +------------------------+
4334 | Indicator |
4335 +------------------------+
4336 | ENUM restriction |<>----------[ IndicatorID ]
4337 | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
4338 | |<>--{0..*}--[ Description ]
4339 | |<>--{0..1}--[ StartTime ]
4340 | |<>--{0..1}--[ EndTime ]
4341 | |<>--{0..1}--[ Confidence ]
4342 | |<>--{0..*}--[ Contact ]
4343 | |<>--{0..1}--[ Observable ]
4344 | |<>--{0..1}--[ ObservableReference ]
4345 | |<>--{0..1}--[ IndicatorExpression ]
4346 | |<>--{0..1}--[ IndicatorReference ]
4347 | |<>--{0..*}--[ NodeRole ]
4348 | |<>--{0..*}--[ AttackPhase ]
4349 | |<>--{0..*}--[ Reference ]
4350 | |<>--{0..*}--[ AdditionalData ]
4351 +------------------------+
4353 Figure 59: The Indicator Class
4355 The aggregate classes of the Indicator class are:
4357 IndicatorID
4358 One. An identifier for this indicator. See Section 3.29.1.
4360 AlternativeIndicatorID
4361 Zero or more. An alternative identifier for this indicator. See
4362 Section 3.29.2.
4364 Description
4365 Zero or more. ML_STRING. A free-form text description of the
4366 indicator.
4368 StartTime
4369 Zero or one. DATETIME. A timestamp of the start of the time
4370 period during which this indicator is valid.
4372 EndTime
4373 Zero or one. DATETIME. A timestamp of the end of the time period
4374 during which this indicator is valid.
4376 Confidence
4377 Zero or one. An estimate of the confidence in the quality of the
4378 indicator. See Section 3.12.5.
4380 Contact
4381 Zero or more. Contact information for this indicator. See
4382 Section 3.9.
4384 Observable
4385 Zero or one. An observable feature or phenomenon of this
4386 indicator. See Section 3.29.3.
4388 ObservableReference
4389 Zero or one. A reference to an observable feature or phenomenon
4390 defined elsewhere in the document. See Section 3.29.6.
4392 IndicatorExpression
4393 Zero or one. A composition of observables. See Section 3.29.4.
4395 IndicatorReference
4396 Zero or one. A reference to an indicator. See Section 3.29.7.
4398 NodeRole
4399 Zero or more. The role of the system in the attack should this
4400 indicator be matched to it. See Section 3.18.2.
4402 AttackPhase
4403 Zero or more. The phase in an attack lifecycle during which this
4404 indicator might be seen. See Section 3.29.8.
4406 Reference
4407 Zero or more. A reference to additional information relevant to
4408 this indicator. See Section 3.11.1.
4410 AdditionalData
4411 Zero or more. EXTENSION. Mechanism by which to extend the data
4412 model.
4414 The Indicator class MUST have exactly one instance of an Observable,
4415 IndicatorExpression, ObservableReference, or IndicatorReference
4416 class.
4418 The StartTime and EndTime classes can be used to define an interval
4419 during which the indicator is valid. If both classes are present,
4420 the indicator is considered valid only during the described interval.
4421 If neither class is provided, the indicator is considered valid
4422 during any time interval. If only a StartTime is provided, the
4423 indicator is valid anytime after this timestamp. If only an EndTime
4424 is provided, the indicator is valid anytime prior to this timestamp.
4426 The attributes of the Indicator class are:
4428 restriction
4429 Optional. ENUM. See Section 3.3.1.
4431 ext-restriction
4432 Optional. STRING. A means by which to extend the restriction
4433 attribute. See Section 5.1.1.
4435 3.29.1. IndicatorID Class
4437 The IndicatorID class identifies an indicator with a globally unique
4438 identifier. The combination of the name and version attributes, and
4439 the element content form this identifier. Indicators generated by a
4440 given CSIRT MUST NOT reuse the same value unless they are referencing
4441 the same indicator.
4443 +------------------+
4444 | IndicatorID |
4445 +------------------+
4446 | ID |
4447 | |
4448 | STRING name |
4449 | STRING version |
4450 +------------------+
4452 Figure 60: The IndicatorID Class
4454 The content of the class is of type ID and specifies an identifier
4455 for an indicator.
4457 The attributes of the IndicatorID class are:
4459 name
4460 Required. STRING. An identifier describing the CSIRT that
4461 created the indicator. In order to have a globally unique CSIRT
4462 name, the fully qualified domain name associated with the CSIRT
4463 MUST be used. This format is identical to the IncidentID@name
4464 attribute in Section 3.4.
4466 version
4467 Required. STRING. A version number of an indicator.
4469 3.29.2. AlternativeIndicatorID Class
4471 The AlternativeIndicatorID class lists alternative identifiers for an
4472 indicator.
4474 +-------------------------+
4475 | AlternativeIndicatorID |
4476 +-------------------------+
4477 | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
4478 | STRING ext-restriction |
4479 +-------------------------+
4481 Figure 61: The AlternativeIndicatorID Class
4483 The aggregate class of the AlternativeIndicatorID class is:
4485 IndicatorReference
4486 One or more. A reference to an indicator. See Section 3.29.7.
4488 The attributes of the AlternativeIndicatorID class are:
4490 restriction
4491 Optional. ENUM. See Section 3.3.1.
4493 ext-restriction
4494 Optional. STRING. A means by which to extend the restriction
4495 attribute. See Section 5.1.1.
4497 3.29.3. Observable Class
4499 The Observable class describes a feature or phenomenon that can be
4500 observed or measured for the purposes of detecting malicious
4501 behavior.
4503 +------------------------+
4504 | Observable |
4505 +------------------------+
4506 | ENUM restriction |<>--{0..1}--[ Address ]
4507 | STRING ext-restriction |<>--{0..1}--[ DomainData ]
4508 | |<>--{0..1}--[ Service ]
4509 | |<>--{0..1}--[ EmailData ]
4511 | |<>--{0..1}--[ WindowsRegistryKeysModified ]
4512 | |<>--{0..1}--[ FileData ]
4513 | |<>--{0..1}--[ CertificateData ]
4514 | |<>--{0..1}--[ RegistryHandle ]
4515 | |<>--{0..1}--[ RecordData ]
4516 | |<>--{0..1}--[ EventData ]
4517 | |<>--{0..1}--[ Incident ]
4518 | |<>--{0..1}--[ Expectation ]
4519 | |<>--{0..1}--[ Reference ]
4520 | |<>--{0..1}--[ Assessment ]
4521 | |<>--{0..1}--[ HistoryItem ]
4522 | |<>--{0..1}--[ BulkObservable ]
4523 | |<>--{0..*}--[ AdditionalData ]
4524 +------------------------+
4526 Figure 62: The Observable Class
4528 The aggregate classes of the Observable class are:
4530 Address
4531 Zero or one. An Address observable. See Section 3.18.1.
4533 DomainData
4534 Zero or one. A DomainData observable. See Section 3.19.
4536 Service
4537 Zero or one. A Service observable. See Section 3.20.
4539 EmailData
4540 Zero or one. An EmailData observable. See Section 3.21.
4542 WindowsRegistryKeysModified
4543 Zero or one. A WindowsRegistryKeysModified observable. See
4544 Section 3.23.
4546 FileData
4547 Zero or one. A FileData observable. See Section 3.25.
4549 CertificateData
4550 Zero or one. A CertificateData observable. See Section 3.24.
4552 RegistryHandle
4553 Zero or one. A RegistryHandle observable. See Section 3.9.1.
4555 RecordData
4556 Zero or one. A RecordData observable. See Section 3.22.1.
4558 EventData
4559 Zero or one. An EventData observable. See Section 3.14.
4561 Incident
4562 Zero or one. An Incident observable. See Section 3.2.
4567 Expectation
4568 Zero or one. An Expectation observable. See Section 3.15.
4570 Reference
4571 Zero or one. A Reference observable. See Section 3.11.1.
4573 Assessment
4574 Zero or one. An Assessment observable. See Section 3.12.
4576 HistoryItem
4577 Zero or one. A HistoryItem observable. See Section 3.13.1.
4579 BulkObservable
4580 Zero or one. A bulk list of observables. See Section 3.29.3.1.
4582 AdditionalData
4583 Zero or more. EXTENSION. Mechanism by which to extend the data
4584 model.
4586 The Observable class MUST have exactly one of the possible child
4587 classes.
4589 The attributes of the Observable class are:
4591 restriction
4592 Optional. ENUM. See Section 3.3.1.
4594 ext-restriction
4595 Optional. STRING. A means by which to extend the restriction
4596 attribute. See Section 5.1.1.
4598 3.29.3.1. BulkObservable Class
4600 The BulkObservable class allows the enumeration of a single type of
4601 observables without requiring each one to be encoded individually in
4602 multiple instances of the same class.
4604 The type attribute describes the type of observable listed in the
4605 child BulkObservableList class. The BulkObservableFormat class
4606 optionally provides additional meta-data.
4608 +---------------------------+
4609 | BulkObservable |
4610 +---------------------------+
4611 | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
4612 | STRING ext-type |<>----------[ BulkObservableList ]
4613 | |<>--{0..*}--[ AdditionalData ]
4614 +---------------------------+
4616 Figure 63: The BulkObservable Class
4618 The aggregate classes of the BulkObservable class are:
4620 BulkObservableFormat
4621 Zero or one. Provides additional meta-data about the observables
4622 enumerated in the BulkObservableList class. See
4623 Section 3.29.3.1.1.
4625 BulkObservableList
4626 One. STRING. A list of observables, one per line. Each line is
4627 separated with either a LF character or CR-and-LF characters. The
4628 type attribute specifies which observables will be listed.
4630 AdditionalData
4631 Zero or more. EXTENSION. Mechanism by which to extend the data
4632 model.
4634 The attributes of the BulkObservable class are:
4636 type
4637 Optional. ENUM. The type of the observable listed in the child
4638 BulkObservableList class. These values are maintained in the
4639 "BulkObservable-type" IANA registry per Section 10.2.
4641 1. asn. Autonomous System Number (per the Address@category
4642 attribute).
4644 2. atm. Asynchronous Transfer Mode (ATM) address (per the
4645 Address@category attribute).
4647 3. e-mail. Electronic mail address (RFC 822) (per the
4648 Address@category attribute).
4650 4. ipv4-addr. IPv4 host address in dotted-decimal notation
4651 (e.g., 192.0.2.1) (per the Address@category attribute).
4653 5. ipv4-net. IPv4 network address in dotted-decimal notation,
4654 slash, significant bits (e.g., 192.0.2.0/24) (per the
4655 Address@category attribute).
4657 6. ipv4-net-mask. IPv4 network address in dotted-decimal
4658 notation, slash, network mask in dotted-decimal notation
4659 (i.e., 192.0.2.0/255.255.255.0) (per the Address@category
4660 attribute).
4662 7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
4663 Address@category attribute).
4665 8. ipv6-net. IPv6 network address, slash, significant bits
4666 (e.g., 2001:DB8::/32) (per the Address@category attribute).
4668 9. ipv6-net-mask. IPv6 network address, slash, network mask
4669 (per the Address@category attribute).
4671 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
4672 (per the Address@category attribute).
4674 11. site-uri. A URL or URI for a resource (per the
4675 Address@category attribute).
4677 12. domain-name. A fully qualified domain name or part of a
4678 name (e.g., fqdn.example.com, example.com).
4680 13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
4681 a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").
4683 14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
4684 a comma separated list (e.g., "fqdn.example.com,
4685 2001:DB8::3").
4687 15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
4688 timestamp (in the DATETIME format) of the resolution (e.g.,
4689 "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
4691 16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
4692 timestamp (in the DATETIME format) of the resolution (e.g.,
4693 "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
4695 17. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
4696 192.0.2.1, 80, tcp). The protocol name corresponds to the
4697 "Keyword" column in the [IANA.Protocols] registry.
4699 18. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
4700 2001:DB8::3, 80, tcp). The protocol name corresponds to the
4701 "Keyword" column in the [IANA.Protocols] registry.
4703 19. windows-reg-key. A Microsoft Windows Registry key.
4705 20. file-hash. A file hash. The format of this hash is
4706 described in the Hash class that MUST be present in a sibling
4707 BulkObservableFormat class.
4709 21. email-x-mailer. An X-Mailer field from an email.
4711 22. email-subject. An email subject line.
4713 23. http-user-agent. A User Agent field from an HTTP request
4714 header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
4715 Gecko/20100101 Firefox/38.0").
4717 24. http-request-uri. The Request URI from an HTTP request
4718 header.
4720 25. mutex. The name of a system mutex.
4722 26. file-path. A file path (e.g., "/tmp/local/file",
4723 "c:\windows\system32\file.sys").
4725 27. user-name. A username.
4727 28. ext-value. A value used to indicate that this attribute is
4728 extended and the actual value is provided using the
4729 corresponding ext-* attribute. See Section 5.1.1.
4731 ext-type
4732 Optional. STRING. A means by which to extend the type attribute.
4733 See Section 5.1.1.
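As an added illustration (not part of the draft), the following Python parses the comma separated tuple types listed above into validated fields, so a consumer can load a BulkObservableList straight into a detection pipeline. It assumes one observable per line and, because the IANA protocol registry is not embedded, checks only the shape of the protocol keyword; the sample list is constructed from the document's own example values.

```python
import ipaddress
import re
from datetime import datetime

# Tuple-valued BulkObservable types from the list above, mapped to the
# meaning of each comma separated field.  Types not listed here carry a
# single opaque value per line (fqdn, file-path, mutex, user-name, ...).
TUPLE_TYPES = {
    "domain-to-ipv4": ("fqdn", "ipv4"),
    "domain-to-ipv6": ("fqdn", "ipv6"),
    "domain-to-ipv4-timestamp": ("fqdn", "ipv4", "timestamp"),
    "domain-to-ipv6-timestamp": ("fqdn", "ipv6", "timestamp"),
    "ipv4-port": ("ipv4", "port", "protocol"),
    "ipv6-port": ("ipv6", "port", "protocol"),
}

# Hostname label syntax (letters, digits, hyphen; no leading/trailing hyphen).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _fqdn(raw):
    name = raw.rstrip(".")
    if len(name) > 253 or not all(_LABEL.match(lab) for lab in name.split(".")):
        raise ValueError("bad fqdn: %r" % raw)
    return name.lower()


def _field(kind, raw):
    """Validate and normalise one tuple field; raises ValueError on bad input."""
    if kind == "fqdn":
        return _fqdn(raw)
    if kind == "ipv4":
        return str(ipaddress.IPv4Address(raw))
    if kind == "ipv6":
        return str(ipaddress.IPv6Address(raw))   # canonical lower-case form
    if kind == "port":
        port = int(raw)
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %r" % raw)
        return port
    if kind == "protocol":
        # The document ties this to the IANA protocol "Keyword" column; the
        # registry is not embedded here (assumption), so only the keyword
        # shape is checked and the value is lower-cased for comparison.
        if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.+/-]*", raw):
            raise ValueError("bad protocol keyword: %r" % raw)
        return raw.lower()
    if kind == "timestamp":
        # DATETIME with an explicit UTC offset, as in the examples above.
        return datetime.fromisoformat(raw)
    raise ValueError("unknown field kind %r" % kind)


def parse_bulk_observables(obs_type, text):
    """Parse a BulkObservableList body for the given BulkObservable type.

    Assumes one observable per line.  Returns (records, errors): records are
    dicts keyed by field meaning (or {"value": ...} for single-valued types);
    errors are (line_no, message) pairs, so one malformed entry is reported
    instead of discarding the whole list.
    """
    fields = TUPLE_TYPES.get(obs_type)
    records, errors = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if fields is None:
            records.append({"value": line})
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(fields):
            errors.append((line_no, "expected %d fields, got %d"
                           % (len(fields), len(parts))))
            continue
        try:
            records.append({k: _field(k, v) for k, v in zip(fields, parts)})
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return records, errors


# Constructed sample list: the document's example entry plus one entry with
# an impossible IPv4 octet, to show error reporting.
SAMPLE_DOMAIN_TO_IPV4_TS = """\
fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00
fqdn.example.com, 192.0.2.999, 2015-06-11T00:38:31-06:00
"""

if __name__ == "__main__":
    recs, errs = parse_bulk_observables("domain-to-ipv4-timestamp",
                                        SAMPLE_DOMAIN_TO_IPV4_TS)
    print(recs)
    print(errs)
```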
4735 3.29.3.1.1. BulkObservableFormat Class
4737 The BulkObservableFormat class specifies meta-data about the format of
4738 an observable enumerated in a sibling BulkObservableList class.
4740 +---------------------------+
4741 | BulkObservableFormat |
4742 +---------------------------+
4743 | |<>--{0..1}--[ Hash ]
4744 | |<>--{0..*}--[ AdditionalData ]
4745 +---------------------------+
4747 Figure 64: The BulkObservableFormat Class
4749 The aggregate classes of the BulkObservableFormat class are:
4751 Hash
4752 Zero or one. Describes the format of a hash. See Section 3.26.1.
4754 AdditionalData
4755 Zero or more. EXTENSION. Mechanism by which to extend the data
4756 model.
4758 The BulkObservableFormat class has no attributes.
4760 Either Hash or AdditionalData MUST be present.
4762 3.29.4. IndicatorExpression Class
4764 The IndicatorExpression describes an expression composed of observed
4765 phenomena or features, or indicators. Elements of the expression
4766 can be described directly, reference relevant data from other parts
4767 of a given IODEF document, or reference previously defined
4768 indicators.
4770 All child classes of a given instance of IndicatorExpression form a
4771 boolean algebraic expression where the operator between them is
4772 determined by the operator attribute.
4774 +--------------------------+
4775 | IndicatorExpression |
4776 +--------------------------+
4777 | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
4778 | STRING ext-operator |<>--{0..*}--[ Observable ]
4779 | |<>--{0..*}--[ ObservableReference ]
4780 | |<>--{0..*}--[ IndicatorReference ]
4781 | |<>--{0..*}--[ AdditionalData ]
4782 +--------------------------+
4784 Figure 65: The IndicatorExpression Class
4786 The aggregate classes of the IndicatorExpression class are:
4788 IndicatorExpression
4789 Zero or more. An expression composed of other observables or
4790 indicators. See Section 3.29.4.
4792 Observable
4793 Zero or more. A description of an observable. See
4794 Section 3.29.3.
4796 ObservableReference
4797 Zero or more. A reference to an observable. See Section 3.29.6.
4799 IndicatorReference
4800 Zero or more. A reference to an indicator. See Section 3.29.7.
4802 AdditionalData
4803 Zero or more. EXTENSION. Mechanism by which to extend the data
4804 model.
4806 The attributes of the IndicatorExpression class are:
4808 operator
4809 Optional. ENUM. The operator to be applied between the child
4810 elements. See Section 3.29.5 for parsing guidance. The default
4811 value is "and". These values are maintained in the
4812 "IndicatorExpression-operator" IANA registry per Section 10.2.
4814 1. not. Negation operator.
4816 2. and. Conjunction operator.
4818 3. or. Disjunction operator.
4820 4. xor. Exclusive disjunction operator.
4822 ext-operator
4823 Optional. STRING. A means by which to extend the operator
4824 attribute. See Section 5.1.1.
4826 3.29.5. Expressions with IndicatorExpression
4828 Boolean algebraic expressions can be used to specify relationships
4829 between observables and indicators. These expressions are constructed
4830 through the use of the operator attribute and parent-child
4831 relationships in IndicatorExpressions. These expressions should be
4832 parsed as follows:
4834 1. The operator specified by the operator attribute is applied
4835 between each of the child elements of the immediate parent
4836 IndicatorExpression element. If no operator attribute is
4837 specified, it should be assumed to be the conjunction operator
4838 (i.e., operator="and").
4840 2. A nested IndicatorExpression element with a parent
4841 IndicatorExpression is the equivalent of parentheses in the
4842 expression.
4844 The following four examples in Figure 66 through Figure 69 illustrate
4845 these parsing rules:
4847 1 :
4848 2 [O1]: ..
4849 3 [O2]: ..
4850 4 :
4852 Equivalent expression: (O1 AND O2)
4854 Figure 66: Nested elements in an IndicatorExpression without an
4855 operator attribute specified
4857 1 :
4858 2 [O1]: ..
4859 3 [O2]: ..
4860 4 :
4862 Equivalent expression: (O1 OR O2)
4864 Figure 67: Nested elements in an IndicatorExpression with an operator
4865 attribute specified
4867 1 :
4868 2 :
4869 2 [O1]: ..
4870 3 [O2]: ..
4871 4 :
4872 2 [O3]: ..
4873 4 :
4875 Equivalent expression: ((O1 OR O2) OR O3)
4877 Figure 68: Nested elements with a recursive IndicatorExpression with
4878 an operator attribute specified
4880 1 :
4881 2 :
4882 2 [O1]: ..
4883 3 [O2]: ..
4884 4 :
4885 4 :
4887 Equivalent expression: (NOT (O1 AND O2))
4889 Figure 69: A recursive IndicatorExpression with an operator attribute
4890 specified
4892 Invalid algebraic expressions, even where they are valid XML, MUST NOT
be specified.
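As an added illustration (not part of the draft), the following Python applies the two parsing rules above to an IndicatorExpression tree: it renders the tree in the infix notation of Figures 66 to 69 and evaluates it. It assumes leaf operands are ObservableReference elements whose uid-ref values are checked against a set of observable-ids that already matched, treats a "not" with more than one operand as one of the invalid expressions the text forbids, and takes an n-ary "xor" as odd parity; the two fragments are constructed reproductions of Figures 68 and 69.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
EXPR = "{%s}IndicatorExpression" % IODEF_NS
OBS_REF = "{%s}ObservableReference" % IODEF_NS
ADD_DATA = "{%s}AdditionalData" % IODEF_NS


class InvalidExpression(ValueError):
    """Raised for expressions that are valid XML but not valid algebra."""


def _operands(expr):
    op = expr.get("operator", "and")   # rule 1: missing operator means "and"
    if op not in ("not", "and", "or", "xor"):
        # ext-value / ext-operator carry private semantics this evaluator
        # does not know, so it refuses rather than guessing.
        raise InvalidExpression("unsupported operator %r" % op)
    kids = []
    for child in expr:
        if child.tag == EXPR:            # rule 2: nesting acts as parentheses
            kids.append(child)
        elif child.tag == OBS_REF:
            if not child.get("uid-ref"):
                raise InvalidExpression("ObservableReference without uid-ref")
            kids.append(child)
        elif child.tag == ADD_DATA:
            continue                     # extension data has no truth value
        else:
            raise InvalidExpression("unsupported operand %s" % child.tag)
    if not kids:
        raise InvalidExpression("IndicatorExpression with no operands")
    if op == "not" and len(kids) != 1:
        # The figures only ever negate a single (possibly nested) operand;
        # anything else is treated as an invalid expression (assumption).
        raise InvalidExpression("'not' takes exactly one operand")
    return op, kids


def render(expr):
    """Return the expression in the document's notation, e.g. '((O1 OR O2) OR O3)'."""
    op, kids = _operands(expr)
    parts = [render(k) if k.tag == EXPR else k.get("uid-ref") for k in kids]
    if op == "not":
        return "(NOT %s)" % parts[0]
    return "(" + (" %s " % op.upper()).join(parts) + ")"


def evaluate(expr, matched):
    """Evaluate against the set of observable-id values that matched."""
    op, kids = _operands(expr)
    values = [evaluate(k, matched) if k.tag == EXPR else k.get("uid-ref") in matched
              for k in kids]
    if op == "not":
        return not values[0]
    if op == "and":
        return all(values)
    if op == "or":
        return any(values)
    return sum(values) % 2 == 1          # n-ary xor taken as odd parity


def parse(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != EXPR:
        raise InvalidExpression("root is not an IndicatorExpression")
    return root


# Constructed fragments reproducing Figure 68 and Figure 69, with
# ObservableReference leaves standing in for the observables O1..O3.
FIG68 = """<IndicatorExpression xmlns="%s" operator="or">
  <IndicatorExpression operator="or">
    <ObservableReference uid-ref="O1"/>
    <ObservableReference uid-ref="O2"/>
  </IndicatorExpression>
  <ObservableReference uid-ref="O3"/>
</IndicatorExpression>""" % IODEF_NS

FIG69 = """<IndicatorExpression xmlns="%s" operator="not">
  <IndicatorExpression>
    <ObservableReference uid-ref="O1"/>
    <ObservableReference uid-ref="O2"/>
  </IndicatorExpression>
</IndicatorExpression>""" % IODEF_NS

if __name__ == "__main__":
    for frag in (FIG68, FIG69):
        tree = parse(frag)
        print(render(tree), "->", evaluate(tree, {"O1"}))
```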
4894 3.29.6. ObservableReference Class
4896 The ObservableReference describes a reference to an observable
4897 feature or phenomenon described elsewhere in the document.
4899 The ObservableReference class has no content.
4901 +-------------------------+
4902 | ObservableReference |
4903 +-------------------------+
4904 | IDREF uid-ref |
4905 +-------------------------+
4907 Figure 70: The ObservableReference Class
4911 The attribute of the ObservableReference class is:
4913 uid-ref
4914 Required. IDREF. An identifier that serves as a reference to a
4915 class in the IODEF document. The referenced class will have this
4916 identifier set in its observable-id attribute.
4918 3.29.7. IndicatorReference Class
4920 The IndicatorReference describes a reference to an indicator. This
4921 reference may be to an indicator described in this IODEF document or
4922 in a previously exchanged IODEF document.
4924 The IndicatorReference class has no content.
4926 +--------------------------+
4927 | IndicatorReference |
4928 +--------------------------+
4929 | IDREF uid-ref |
4930 | STRING euid-ref |
4931 | STRING version |
4932 +--------------------------+
4934 Figure 71: The IndicatorReference Class
4936 The attributes of the IndicatorReference class are:
4938 uid-ref
4939 Optional. IDREF. An identifier that references an Indicator
4940 class in the IODEF document. The referenced Indicator class will
4941 have this identifier set in its IndicatorID class.
4943 euid-ref
4944 Optional. STRING. An identifier that references an IndicatorID
4945 not in this IODEF document.
4947 version
4948 Optional. STRING. A version number of an indicator.
4950 Either the uid-ref or the euid-ref attribute MUST be set.
4952 3.29.8. AttackPhase Class
4954 The AttackPhase class describes a particular phase of an attack
4955 lifecycle.
4957 +------------------------+
4958 | AttackPhase |
4959 +------------------------+
4960 | |<>--{0..*}--[ AttackPhaseID ]
4961 | |<>--{0..*}--[ URL ]
4962 | |<>--{0..*}--[ Description ]
4963 | |<>--{0..*}--[ AdditionalData ]
4964 +------------------------+
4966 Figure 72: AttackPhase Class
4968 The aggregate classes of the AttackPhase class are:
4970 AttackPhaseID
4971 Zero or more. STRING. An identifier for the phase of the attack.
4973 URL
4974 Zero or more. URL. A URL to a resource describing this phase of
4975 the attack.
4977 Description
4978 Zero or more. ML_STRING. A free-form text description of this
4979 phase of the attack.
4981 AdditionalData
4982 Zero or more. EXTENSION. A mechanism by which to extend the data
4983 model.
4985 AttackPhase MUST have at least one instance of a child class.
4987 The AttackPhase class has no attributes.
4989 4. Processing Considerations
4991 This section provides additional requirements and guidance on
4992 creating and processing IODEF documents.
4994 4.1. Encoding
4996 Every IODEF document MUST begin with an XML declaration and MUST
4997 specify the XML version used. The character encoding MUST also be
4998 explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
4999 [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
5000 NOT be used. The IODEF conforms to all XML data encoding conventions
5001 and constraints.
5003 The XML declaration with no character encoding will read as follows:
5005 <?xml version="1.0" ?>
5007 When a character encoding is specified, the XML declaration will read
5008 as follows:
5010 <?xml version="1.0" encoding="charset" ?>
5012 Where "charset" is the name of the character encoding as registered
5013 with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
5015 The following characters have special meaning in XML and MUST be
5016 escaped with their entity reference equivalent: "&", "<", ">", "\""
5017 (double quotation mark), and "'" (apostrophe). These entity
5018 references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
5019 respectively.
5021 4.2. IODEF Namespace
5023 The IODEF schema declares a namespace of
5024 "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
5025 Each IODEF document MUST include a valid reference to the IODEF
5026 schema using the "xsi:schemaLocation" attribute. An example of such
5027 a declaration would look as follows:
[Example declaration not preserved in this copy.]
5034 4.3. Validation
5036 IODEF documents MUST be well-formed XML. It is RECOMMENDED that
5037 recipients validate the document against the schema described in
5038 Section 8. However, mere conformance to this schema is not
5039 sufficient for a semantically valid IODEF document. The text of
5040 Section 3 describes further formatting and constraints, some of which
5041 cannot be conveniently encoded in the schema. These MUST also be
5042 considered by an IODEF implementation. Furthermore, the
5043 enumerated values present in this document are a static list that
5044 will be incomplete over time as select attributes can be extended by
5045 a corresponding IANA registry per Section 10.2. Therefore, the
5046 schema to validate a given document MUST be dynamically generated
5047 from these registry values.
5049 4.4. Incompatibilities with v1
5051 The IODEF data model in this document makes a number of changes to
5052 [RFC5070]. These changes were largely additive -- classes and
5053 enumerated values were added. However, some incompatibilities
5054 between [RFC5070] and this new specification were introduced. These
5055 incompatibilities are as follows:
5057 o The IODEF-Document@version attribute is set to "2.0".
5059 o Attributes with enumerated values can now also be extended with
5060 IANA registries.
5062 o All iodef:MLStringType classes use xml:lang. IODEF-Document also
5063 uses xml:lang.
5065 o The Service@ip_protocol attribute was renamed to @ip-protocol.
5067 o The Node/NodeName class was removed in favor of representing
5068 domain names with the Node/DomainData/Name class. The Node/DateTime
5069 class was also removed so that the Node/DomainData/
5070 DateDomainWasChecked class can represent the time at which the
5071 name to address resolution occurred.
5073 o The Node/NodeRole class was moved to System/NodeRole.
5075 o The Reference class is now defined by [RFC-ENUM].
5077 o The data previously represented in the Impact class is now in the
5078 SystemImpact and IncidentCategory classes. The Impact class has
5079 been removed.
5081 o The semantics of Counter@type are now represented in Counter@unit.
5083 o The IODEF-Document@formatid attribute has been renamed to @format-
5084 id.
5086 o Incident/ReportTime is no longer mandatory. However,
5087 GenerationTime is.
5089 o The Fax class was removed and is now represented by a generic
5090 Telephone class.
5092 o The Telephone, Email and PostalAddress classes were redefined for
5093 improved internationalization.
5095 5. Extending the IODEF
5097 In order to support the dynamic nature of security operations, the
5098 IODEF data model will need to continue to evolve. This section
5099 discusses how new data elements can be incorporated into the IODEF.
5100 There is support to add additional enumerated values and new classes.
5101 Adding additional attributes to existing classes is not supported.
5103 These extension mechanisms are designed so that adding new data
5104 elements is possible without requiring modifications to this
5105 document. Extensions can be implemented publicly or privately. With
5106 proven value, well documented extensions can be incorporated into
5107 future versions of the specification.
5109 5.1. Extending the Enumerated Values of Attributes
5111 Additional enumerated values can be added to select attributes either
5112 through the use of specially marked attributes with the "ext-" prefix
5113 or through a set of corresponding IANA registries. The former
5114 approach allows for the extension to remain private. The latter
5115 approach is public.
5117 5.1.1. Private Extension of Enumerated Values
5119 The data model supports adding new enumerated values to an attribute
5120 without public registration. For each attribute that supports this
5121 extension technique, there is a corresponding attribute in the same
5122 element whose name is identical but with a prefix of "ext-". This
5123 special attribute is referred to as the extension attribute. The
5124 attribute being extended is referred to as an extensible attribute.
5125 For example, an extensible attribute named "foo" will have a
5126 corresponding extension attribute named "ext-foo". An element may
5127 have many extensible attributes.
5129 In addition to a corresponding extension attribute, each extensible
5130 attribute has "ext-value" as one of its possible enumerated values.
5131 Selection of this particular value in an extensible attribute signals
5132 that the extension attribute contains data. Otherwise, this "ext-
5133 value" value has no meaning.
5135 In order to add a new enumerated value to an extensible attribute,
5136 the value of this attribute MUST be set to "ext-value", and the new
5137 desired value MUST be set in the corresponding extension attribute.
5138 For example, extending the type attribute of the SystemImpact class
5139 would look as follows:
[Example not preserved in this copy; it showed a SystemImpact element with
type="ext-value" and the new value carried in ext-type.]
5143 A given extension attribute MUST NOT be set unless the corresponding
5144 extensible attribute has been set to "ext-value".
5146 5.1.2. Public Extension of Enumerated Values
5148 The data model also supports publicly extending select enumerated
5149 attributes. A new entry can be added by registering a new entry in
5150 the appropriate IANA registry. Section 10.2 provides a mapping
5151 between the extensible attributes and their corresponding registry.
5152 Section 4.3 discusses the XML Validation implications of this type of
5153 extension. All extensible attributes that support private extensions
5154 also support public extensions.
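As an added illustration (not part of the draft), the following Python checks one extensible attribute against the rules of Section 5.1.1 and Section 5.1.2 together: the ext- attribute may be set only when the extensible attribute is "ext-value", "ext-value" requires the ext- attribute, and any other value must come from the static enumeration or from the IANA registry, which the caller supplies as a set because, per Section 4.3, it changes over time. The enumeration is a partial copy of the BulkObservable type list above, and the attribute maps are constructed samples (an element's attrib dict from xml.etree works the same way).

```python
# Partial copy of the BulkObservable type enumeration from Section 3.29.3;
# a real implementation carries the full static list.
BULK_OBSERVABLE_TYPES = frozenset({
    "domain-to-ipv4", "domain-to-ipv6", "domain-to-ipv4-timestamp",
    "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port", "windows-reg-key",
    "file-hash", "email-x-mailer", "email-subject", "http-user-agent",
    "http-request-uri", "mutex", "file-path", "user-name", "ext-value",
})


def check_extensible(attrs, name, static_values, registry_values=frozenset()):
    """Validate the extensible attribute `name` in the attribute map `attrs`.

    static_values   - enumerated values from this document (incl. "ext-value")
    registry_values - values added later through the IANA registry
                      (Section 5.1.2); fetched by the caller, not embedded
    Returns the effective value (None when the attribute is absent) or
    raises ValueError naming the violated rule.
    """
    ext_name = "ext-" + name
    value = attrs.get(name)
    ext_value = attrs.get(ext_name)
    if value is None:
        if ext_value is not None:
            raise ValueError("%s is set but %s is absent" % (ext_name, name))
        return None
    if value == "ext-value":
        # Private extension: the real value lives in the ext- attribute.
        if not ext_value:
            raise ValueError('%s="ext-value" requires %s' % (name, ext_name))
        return ext_value
    if ext_value is not None:
        # "A given extension attribute MUST NOT be set unless the
        # corresponding extensible attribute has been set to ext-value."
        raise ValueError("%s is set while %s=%r" % (ext_name, name, value))
    if value in static_values or value in registry_values:
        return value    # public extensions arrive through the registry set
    raise ValueError("%s=%r is neither enumerated nor registered" % (name, value))


# Constructed attribute maps for a BulkObservable element.
PRIVATE_OK = {"type": "ext-value", "ext-type": "x-internal-asset-tag"}
PUBLIC_OK = {"type": "new-registered-type"}   # hypothetical registry entry
ORPHAN_EXT = {"type": "mutex", "ext-type": "x-something"}

if __name__ == "__main__":
    print(check_extensible(PRIVATE_OK, "type", BULK_OBSERVABLE_TYPES))
    print(check_extensible(PUBLIC_OK, "type", BULK_OBSERVABLE_TYPES,
                           {"new-registered-type"}))
```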
5156 5.2. Extending Classes
5158 Classes of the EXTENSION (iodef:ExtensionType) type can extend the
5159 data model. They provide the ability to have new atomic or XML-
5160 encoded data elements in all of the top-level classes of the Incident
5161 class and a few of the complex subordinate classes. As there are
5162 multiple instances of the extensible classes in the data model, there
5163 is discretion on where to add a new data element. It is RECOMMENDED
5164 that the extension be placed in the most closely related class to the
5165 new information.
5167 Extensions using the atomic data types (i.e., all values of the dtype
5168 attribute other than "xml") MUST:
5170 1. Set the element content to the desired value, and
5172 2. Set the dtype attribute to correspond to the data type of the
5173 element content.
5175 The following guidelines exist for extensions using XML (i.e.,
5176 dtype="xml"):
5178 1. The element content of the extensible class MUST be set to the
5179 desired value and the dtype attribute MUST be set to "xml".
5181 2. The extension schema MUST declare a separate namespace. It is
5182 RECOMMENDED that these extensions have the prefix "iodef-". This
5183 recommendation makes readability of the document easier by
5184 allowing the reader to infer which namespaces relate to IODEF by
5185 inspection.
5187 3. It is RECOMMENDED that extension schemas follow the naming
5188 convention of the IODEF data model. This too improves the
5189 readability of extended IODEF documents. The names of all
5190 elements SHOULD be capitalized. For elements with composed
5191 names, a capital letter SHOULD be used for each word. Attribute
5192 names SHOULD be in lower case. Attributes with composed names
5193 SHOULD be separated by a hyphen.
5195 4. Implementations that encounter an unrecognized element in a
5196 supported namespace MUST reject the document as a syntax error.
5198 5. There are security and performance implications in requiring
5199 implementations to dynamically download schemas at run time.
5200 Therefore, implementations SHOULD NOT download schemas at runtime
5201 unless the appropriate precautions are taken. Implementations
5202 also need to contend with the potential of significant network
5203 and processing issues.
5205 6. Some adopters of the IODEF may have private schema definitions
5206 that are not publicly available. Thus implementations may
5207 encounter IODEF documents with references to private schemas that
5208 may not be resolvable. Hence, IODEF document recipients MUST be
5209 prepared for a schema definition in an IODEF document never to
5210 resolve.
5212 The following schema and XML document excerpt provide a template for
5213 an extension schema and its use in the IODEF document.
5215 This example schema defines a namespace of "iodef-extension1" and a
5216 single element named "newdata".
[Schema excerpt not preserved in this copy; it declared
attributeFormDefault="unqualified" and elementFormDefault="qualified".]
5231 The following XML excerpt demonstrates the use of the above schema as
5232 an extension to the IODEF.
[XML excerpt not preserved in this copy; its newdata element carried the
text "Field that could not be represented elsewhere".]
5276 If an unrecognized private extension is encountered in processing,
5277 the recipient MAY reject the entire document as a syntax error.
5279 6. Internationalization Issues
5281 Internationalization and localization are of specific concern to the
5282 IODEF as it facilitates operational coordination with a diverse set
5283 of partners. The IODEF implements internationalization by relying on
5284 XML constructs and through explicit design choices in the data model.
5286 Since the IODEF is implemented as an XML Schema, it supports
5287 different character encodings, such as UTF-8 and UTF-16, possible
5288 with XML. Additionally, each IODEF document MUST specify the
5289 language in which its content is encoded. The language can be
5290 specified with the attribute "xml:lang" (per Section 2.12 of
5291 [W3C.XML]) in the top-level element (i.e., IODEF-Document), with
5292 all other elements inheriting that definition. All IODEF
5293 classes with a free-form text definition (i.e., all those defined
5294 with type iodef:MLStringType) can also specify a language different
5295 from the rest of the document.
5297 The data model supports multiple translations of free-form text. All
5298 ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
5299 to their parent. This allows the identical text translated into
5300 different languages to be encoded in different instances of the same
5301 class with a common parent. This design also enables the creation of
5302 a single document containing all the translations. The IODEF
5303 implementation SHOULD extract the appropriate language relevant to
5304 the recipient.
5306 Related instances of a given iodef:MLStringType class that are
5307 translations of each other are identified by a common identifier set
5308 in the translation-id attribute. The example below shows three
5309 instances of a Description class expressed in three different
5310 languages. The relationship between these three instances of the
5311 Description class is conveyed by the common value of "1" in the
5312 translation-id attribute.
[XML excerpt not preserved in this copy; its three Description instances,
all with translation-id="1", read "English", "Englisch", and "Anglais".]
5324 The IODEF balances internationalization support with the need for
5325 interoperability. While the IODEF supports different languages, the
5326 data model also relies heavily on standardized enumerated attributes
5327 that can crudely approximate the contents of the document. With this
5328 approach, a CSIRT should be able to make some sense of an IODEF
5329 document it receives even if the free-form text data elements are
5330 written in a language unfamiliar to the recipient.
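As an added illustration (not part of the draft), the following Python does the recipient-side selection this section asks for: it groups ML_STRING instances by parent and translation-id, computes each instance's effective language by inheriting xml:lang from IODEF-Document downwards, and picks the translation matching the recipient's language preferences (RFC 4647 basic prefix filtering, with the document's first instance as fallback). The document excerpt is a constructed reconstruction of the three-Description example above, not the draft's own XML.

```python
import xml.etree.ElementTree as ET

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


def _lang_matches(tag, preferred):
    """RFC 4647 basic filtering: 'en' matches 'en' and 'en-US', not vice versa."""
    tag, preferred = tag.lower(), preferred.lower()
    return tag == preferred or tag.startswith(preferred + "-")


def _local(tag):
    return tag.split("}")[-1]


def collect_translations(root):
    """Group translation-id carrying elements by (parent tag, translation-id).

    Each entry records the element's effective language: its own xml:lang,
    or the nearest ancestor's (ultimately IODEF-Document's).  Document order
    is kept, so the first entry is the document's base-language instance.
    """
    groups = {}

    def walk(elem, inherited):
        lang = elem.get(XML_LANG, inherited)    # own xml:lang overrides
        for child in elem:
            tid = child.get("translation-id")
            if tid is not None:
                text = (child.text or "").strip()
                groups.setdefault((elem.tag, tid), []).append(
                    (child.get(XML_LANG, lang), text))
            walk(child, lang)

    # IODEF-Document MUST carry xml:lang; "und" (undetermined) only guards
    # against a non-conforming document.
    walk(root, "und")
    return groups


def select_text(group, preferences):
    """First preference with a matching translation, else the base instance."""
    for pref in preferences:
        for lang, text in group:
            if _lang_matches(lang, pref):
                return text
    return group[0][1]


def localized_text(xml_text, preferences):
    root = ET.fromstring(xml_text)
    return {(_local(parent), tid): select_text(group, preferences)
            for (parent, tid), group in collect_translations(root).items()}


def effective_languages(xml_text):
    root = ET.fromstring(xml_text)
    return {(_local(parent), tid): [lang for lang, _ in group]
            for (parent, tid), group in collect_translations(root).items()}


# Constructed excerpt: the first Description inherits en-US from the root.
SAMPLE = """<IODEF-Document version="2.0" xml:lang="en-US"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <Description translation-id="1">English</Description>
    <Description xml:lang="de" translation-id="1">Englisch</Description>
    <Description xml:lang="fr" translation-id="1">Anglais</Description>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    print(effective_languages(SAMPLE))
    print(localized_text(SAMPLE, ["fr"]))
    print(localized_text(SAMPLE, ["de-AT", "en"]))
```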
5332 7. Examples
5334 This section provides examples of IODEF documents. These examples do
5335 not represent the full capabilities of the data model or the only
5336 way to encode particular information.
5338 7.1. Minimal Example
5340 A document containing only the mandatory elements and attributes.
[Document not preserved in this copy; its surviving values are the
IncidentID 492382, the GenerationTime 2015-07-18T09:00:00-05:00, and the
contact address contact@csirt.example.com.]
5362 7.2. Indicators from a Campaign
5364 An example of C2 domains from a given campaign.
[Document not preserved in this copy; its surviving values are: IncidentID
897923; threat actor TA-12-AGGRESSIVE-BUTTERFLY ("Aggressive Butterfly");
campaign C-2015-59405 ("Orange Giraffe"); the times
2015-10-02T11:18:00-05:00 and 2014-12-02T11:18:00-05:00; the description
"Summarizes the Indicators of Compromise for the Orange Giraffe campaign
of the Aggressive Butterfly crime gang."; the contact "CSIRT for
example.com" at contact@csirt.example.com; and indicator G90823490,
described as "C2 domains", listing kj290023j09r34.example.com,
09ijk23jfj0k8.example.net, klknjwfjiowjefr923.example.org and
oimireik79msd.example.org.]
5424 8. The IODEF Data Model (XML Schema)
[Schema body not preserved in this copy; of the XML Schema only its
documentation string survives: "Incident Object Description Exchange
Format v2.0, RFC5070bis".]
7319 9. Security Considerations
7321 The IODEF data model does not directly introduce security or privacy
7322 issues. However, as the data encoded by the IODEF might be
7323 considered sensitive by the parties exchanging it or by those
7324 described by it, care needs to be taken to ensure appropriate
7325 handling during the document construction, exchange, processing,
7326 archiving, subsequent retrieval and analysis.
7328 9.1. Security
7330 The underlying messaging format and protocol used to exchange
7331 instances of the IODEF MUST provide appropriate guarantees of
7332 confidentiality, integrity, and authenticity. The use of a
7333 standardized security protocol is encouraged. The Real-time Inter-
7334 network Defense (RID) protocol [RFC6545] and its associated transport
7335 binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.
7337 The contents of an IODEF document may include a request for action.
7338 An IODEF implementation may also initiate courses of action based on
7339 the document contents. For these reasons, care must be taken by
7340 IODEF implementations to properly authenticate the sender and
7341 receiver of the document. The recipient must also ascribe
7342 appropriate confidence to the data prior to action.
7344 Executable content could be embedded into the IODEF document directly
7345 or through an extension. The IODEF implementation MUST handle this
7346 content with care to prevent unintentional automated execution.
7348 9.2. Privacy
7350 The IODEF contains numerous fields that are identifiers which could
7351 be linked to an individual or organization. IODEF documents may
7352 contain sensitive information about these identified parties; and
7353 repeated document exchanges about the same and related parties may
7354 enable the correlation of data about them. Likewise, a party may
7355 report on another to a third party without their knowledge.
7357 When creating an IODEF document, careful consideration must be given
7358 to what information is shared. Personal identifiers and attributable
7359 sensitive information should only be shared when necessary.
7361 When exchanging documents, transport security MUST provide document-
7362 level confidentiality. XML element-level confidentiality can also be
7363 provided by using [W3C.XMLENC].
7365 In order to suggest data processing and handling guidelines of the
7366 encoded information, the IODEF allows a document sender to convey a
7367 privacy policy using the restriction attribute. The various
7368 instances of this attribute allow different data elements of the
7369 document to be covered by dissimilar policies. While flexible, it
7370 must be stressed that this approach only serves as a guideline from
7371 the sender, as the recipient is free to ignore it.
7373 Although outside of the scope of an IODEF implementation, the
7374 contents of IODEF documents and any derived analysis should be
7375 archived with appropriate confidentiality controls. Likewise,
7376 access to retrieve and analyze this data should be restricted to
7377 authorized users.
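The following Python example is added here and is not code from the draft or from any IODEF implementation. It shows how a receiving implementation can act on the sender's restriction markings before re-sharing a document: it parses a constructed IODEF v2 document (checked against the namespace registered in Section 10.1), applies each element's restriction to that element and its descendants, and drops every element marked stricter than the intended recipient is cleared for. The inheritance rule, the relative ordering of the TLP colours against the IODEF-native values, the treatment of missing, "default" and "ext-value" markings, and the sample document itself are assumptions made for this example.

```python
"""Apply a sender's IODEF restriction markings before re-sharing a document.

Added example; not code from the draft or from any IODEF implementation.
"""
import xml.etree.ElementTree as ET

# Namespace registered for IODEF v2 in Section 10.1 of the draft.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Relative strictness of the restriction markings (Section 3.3.1).  Pairing
# the TLP colours with the IODEF-native values is an assumption made for this
# example, as is treating a missing or "default" marking as "private".
RESTRICTION_RANK = {
    "public": 0, "white": 0,
    "partner": 1, "green": 1,
    "need-to-know": 2, "amber": 2,
    "private": 3, "red": 3,
}
DEFAULT_RESTRICTION = "private"
NEVER_AUTO_RELEASE = 99   # ext-value / unrecognised markings: manual review only

# Constructed sample document for the example (not taken from the draft).
SAMPLE_DOC = """<IODEF-Document version="2.00"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="green">
    <IncidentID name="csirt.example.com">EX-1234</IncidentID>
    <GenerationTime>2016-05-10T12:00:00Z</GenerationTime>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
      <Email restriction="amber"><EmailTo>csirt@example.com</EmailTo></Email>
    </Contact>
    <EventData>
      <Flow>
        <System category="source" restriction="red">
          <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
        </System>
        <System category="target">
          <Node><Address category="ipv4-addr">198.51.100.20</Address></Node>
        </System>
      </Flow>
    </EventData>
    <AdditionalData dtype="string" restriction="ext-value"
        ext-restriction="internal-only">analyst notes</AdditionalData>
  </Incident>
</IODEF-Document>
"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def rank(marking):
    """Unrecognised or extension markings are never released automatically."""
    return RESTRICTION_RANK.get(marking, NEVER_AUTO_RELEASE)


def effective_restriction(elem, inherited):
    """A marking covers an element and its descendants until a descendant
    overrides it (assumed rule); "default" defers to the inherited marking."""
    marking = elem.get("restriction")
    if marking is None or marking == "default":
        return inherited
    return marking


def _prune(elem, inherited, max_rank, removed):
    for child in list(elem):            # copy: the list is mutated below
        marking = effective_restriction(child, inherited)
        if rank(marking) > max_rank:
            elem.remove(child)          # whole subtree goes with it
            removed.append((local_name(child.tag), marking))
        else:
            _prune(child, marking, max_rank, removed)


def redact_for(doc_xml, recipient_marking):
    """Return (pruned root element, list of (element, marking) removed) for a
    recipient cleared up to and including `recipient_marking`."""
    if recipient_marking not in RESTRICTION_RANK:
        raise ValueError("unknown recipient clearance: %r" % recipient_marking)
    root = ET.fromstring(doc_xml)
    if root.tag != "{%s}IODEF-Document" % IODEF_NS:
        raise ValueError("not an IODEF v2 document: %s" % root.tag)
    removed = []
    _prune(root, DEFAULT_RESTRICTION, rank(recipient_marking), removed)
    return root, removed


if __name__ == "__main__":
    for clearance in ("public", "green", "amber", "red"):
        root, removed = redact_for(SAMPLE_DOC, clearance)
        print(clearance, "->", "removed", removed)
        print(ET.tostring(root, encoding="unicode"))
```

Because the draft stresses that a marking is only a guideline the recipient is free to ignore, enforcement like this belongs in the recipient's own policy layer; the point of the example is that an implementation which does honour the markings should fail closed on values it does not recognise rather than forward them.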
7379 10. IANA Considerations
7381 This document registers a namespace, an XML schema, and a number of
7382 registries that map to enumerated values defined in the data model.
7384 10.1. Namespace and Schema
7386 This document uses URNs to describe an XML namespace and schema
7387 conforming to the registry mechanism described in [RFC3688].
7389 Registration for the IODEF namespace:
7391 o URI: urn:ietf:params:xml:ns:iodef-2.0
7393 o Registrant Contact: See the first author of the "Author's Address"
7394 section of this document.
7396 o XML: None. Namespace URIs do not represent an XML specification.
7398 Registration for the IODEF XML schema:
7400 o URI: urn:ietf:params:xml:schema:iodef-2.0
7402 o Registrant Contact: See the first author of the "Author's Address"
7403 section of this document.
7405 o XML: See Section 8 of this document.
7407 10.2. Enumerated Value Registries
7409 This document creates 33 identically structured registries to be
7410 managed by IANA:
7412 o Name of the parent registry: "Incident Object Description Exchange
7413 Format v2 (IODEF)"
7415 o URL of the registry: http://www.iana.org/assignments/iodef2
7417 o Namespace format: A registry entry consists of:
7419 * Value. An enumerated value for a given IODEF attribute.
7421 * Description. A short description of the enumerated value.
7423 * Reference. An optional list of URIs to further describe the
7424 value.
7426 o Allocation policy: Expert Review per [RFC5226]
7428 The registries to be created are named in the "Registry Name" column
7429 of Table 1. The initial values for the Value and Description fields
7430 of a given registry are listed in the "IV (Value)" and "IV
7431 (Description)" columns respectively. The "IV (Value)" points to a
7432 given schema type per Section 8. Each enumerated value in the schema
7433 gets a corresponding entry in a given registry. The "IV
7434 (Description)" points to a section in the text of this document that
7435 describes each enumerated value. The initial value of the Reference
7436 field of every registry entry described below should be this
7437 document.
7439 +-----------------------+---------------------------+---------------+
7440 | Registry Name | IV (Value) | IV |
7441 | | | (Description) |
7442 +-----------------------+---------------------------+---------------+
7443 | Restriction | iodef-restriction-type | Section 3.3.1 |
7444 | | | |
7445 | Incident-purpose | incident-purpose-type | Section 3.2 |
7446 | | | |
7447 | Incident-status | incident-status-type | Section 3.2 |
7448 | | | |
7449 | Contact-role | contact-role-type | Section 3.9 |
7450 | | | |
7451 | Contact-type | contact-type-type | Section 3.9 |
7452 | | | |
7453 | RegistryHandle- | registryhandle-registry- | Section 3.9.1 |
7454 | registry | type | |
7455 | | | |
7456 | PostalAddress-type | postaladdress-type-type | Section 3.9.2 |
7457 | | | |
7458 | Telephone-type | telephone-type-type | Section 3.9.4 |
7459 | | | |
7460 | Email-type | email-type-type | Section 3.9.3 |
7461 | | | |
7462 | Expectation-action | action-type | Section 3.15 |
7463 | | | |
7464 | Discovery-source | discovery-source-type | Section 3.10 |
7465 | | | |
7466 | SystemImpact-type | systemimpact-type-type | Section |
7467 | | | 3.12.1 |
7468 | | | |
7469 | BusinessImpact- | businessimpact-severity- | Section |
7470 | severity | type | 3.12.2 |
7471 | | | |
7472 | BusinessImpact-type | businessimpact-type-type | Section |
7473 | | | 3.12.2 |
7474 | | | |
7475 | TimeImpact-metric | timeimpact-metric-type | Section |
7476 | | | 3.12.3 |
7477 | | | |
7478 | TimeImpact-duration | duration-type | Section |
7479 | | | 3.12.3 |
7480 | | | |
7481 | Confidence-rating | confidence-rating-type | Section |
7482 | | | 3.12.5 |
7483 | | | |
7484 | NodeRole-category | noderole-category-type | Section |
7485 | | | 3.18.2 |
7486 | | | |
7487 | System-category | system-category-type | Section 3.17 |
7488 | | | |
7489 | System-ownership | system-ownership-type | Section 3.17 |
7490 | | | |
7491 | Address-category | address-category-type | Section |
7492 | | | 3.18.1 |
7493 | | | |
7494 | Counter-type | counter-type-type | Section |
7495 | | | 3.18.3 |
7496 | | | |
7497 | Counter-unit | counter-unit-type | Section |
7498 | | | 3.18.3 |
7499 | | | |
7500 | DomainData-system- | domaindata-system-status- | Section 3.19 |
7501 | status | type | |
7502 | | | |
7503 | DomainData-domain- | domaindata-domain-status- | Section 3.19 |
7504 | status | type | |
7505 | | | |
7506 | RecordPattern-type | recordpattern-type-type | Section |
7507 | | | 3.22.2 |
7508 | | | |
7509 | RecordPattern- | recordpattern-offsetunit- | Section |
7510 | offsetunit | type | 3.22.2 |
7511 | | | |
7512 | Key-registryaction | key-registryaction-type | Section |
7513 | | | 3.23.1 |
7514 | | | |
7515 | HashData-scope | hashdata-scope-type | Section 3.26 |
7516 | | | |
7517 | BulkObservable-type | bulkobservable-type-type | Section |
7518 | | | 3.29.3.1 |
7519 | | | |
7520 | IndicatorExpression- | indicatorexpression- | Section |
7521 | operator | operator-type | 3.29.4 |
7522 | | | |
7523 | ExtensionType-dtype | dtype-type | Section 2.16 |
7524 | | | |
7525 | SoftwareReference- | softwarereference-spec- | Section |
7526 | spec-id | id-type | 2.15.1 |
7527 | | | |
7528 | SoftwareReference- | softwarereference-dtype- | Section |
7529 | dtype | type | 2.15.1 |
7530 +-----------------------+---------------------------+---------------+
7532 Table 1: IANA Enumerated Value Registries
7534 11. Acknowledgments
7536 Thanks to Paul Stockler for his editorial leadership in the
7537 transition of RFC5070bis to this document.
7539 Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi
7540 Takahashi, David Waltermire and Sean Turner as the MILE working group
7541 chairs, secretary or area directors for providing feedback and
7542 coordination of this document.
7544 Thanks to the following individuals (listed alphabetically) who
7545 provided feedback during the meetings, on the mailing list or through
7546 implementation experience: Jerome Athias, David Black, Eric Burger,
7547 Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
7548 Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
7549 Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
7550 Suzuki and Nik Teague.
7552 12. References
7554 12.1. Normative References
7556 [W3C.XML] World Wide Web Consortium, "Extensible Markup Language
7557 (XML) 1.0 (Second Edition)", W3C Recommendation, October
7558 2000.
7560 [W3C.SCHEMA]
7561 World Wide Web Consortium, "XML Schema Part 1:
7562 Structures Second Edition", W3C Recommendation, October
7563 2004.
7565 [W3C.SCHEMA.DTYPES]
7566 World Wide Web Consortium, "XML Schema Part 2: Datatypes
7567 Second Edition", W3C Recommendation, October 2004.
7570 [W3C.XMLNS]
7571 World Wide Web Consortium, "Namespaces in XML", W3C
7572 Recommendation, January 1999.
7575 [W3C.XPATH]
7576 World Wide Web Consortium, "XML Path Language (XPath)
7577 3.1", W3C Candidate Recommendation, December 2015.
7580 [W3C.XMLSIG]
7581 World Wide Web Consortium, "XML Signature Syntax and
7582 Processing 2.0", W3C Recommendation, June 2008.
7585 [IEEE.POSIX]
7586 Institute of Electrical and Electronics Engineers,
7587 "Information Technology - Portable Operating System
7588 Interface (POSIX) - Part 1: Base Definitions",
7589 IEEE 1003.1, June 2001.
7591 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
7592 Requirement Levels", RFC 2119, March 1997.
7594 [RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
7595 Languages", RFC 5646, September 2009.
7597 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
7598 Resource Identifiers (URI): Generic Syntax", RFC 3986,
7599 January 2005.
7601 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
7602 Procedures", BCP 19, RFC 2978, October 2000.
7604 [RFC4519] Sciberras, A., "Schema for User Applications", RFC 4519,
7605 June 2006.
7607 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October
7608 2008.
7610 [RFC-ENUM]
7611 Montville, A. and D. Black, "IODEF Enumeration Reference
7612 Format", RFC 7495, January 2015.
7614 [RFC-SCI] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
7615 Incident Object Description Exchange Format (IODEF)
7616 Extension for Structured Cybersecurity Information",
7617 RFC 7203, April 2014.
7619 [ISO4217] International Organization for Standardization,
7620 "International Standard: Codes for the representation of
7621 currencies and funds, ISO 4217:2001", ISO 4217:2001,
7622 August 2001.
7624 [RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January
7625 2004.
7627 [IANA.Ports]
7628 Internet Assigned Numbers Authority, "Service Name and
7629 Transport Protocol Port Number Registry", January 2014.
7633 [IANA.Protocols]
7634 Internet Assigned Numbers Authority, "Assigned Internet
7635 Protocol Numbers", January 2014.
7639 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
7640 10646", RFC 3629, November 2003.
7642 [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
7643 10646", RFC 2781, February 2000.
7645 [IANA.Media]
7646 Internet Assigned Numbers Authority, "Media Types", March
7647 2015.
7650 [NIST.CPE]
7651 The National Institute of Standards and Technology,
7652 "Common Platform Enumeration", 2014.
7655 [ISO19770]
7656 International Organization for Standardization,
7657 "Information technology -- Software asset management --
7658 Part 2: Software identification tag, ISO/IEC
7659 19770-2:2015", ISO 19770-2:2015, October 2015.
7661 12.2. Informative References
7663 [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
7664 Object Description Exchange Format", RFC 5070, December
7665 2007.
7667 [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
7668 RFC 6545, April 2012.
7670 [RFC6546] Trammell, B., "Transport of Real-time Inter-network
7671 Defense (RID) Messages over HTTP/TLS", RFC 6546, April
7672 2012.
7674 [RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
7675 Class for Reporting Phishing", RFC 5901, July 2010.
7677 [NIST800.61rev2]
7678 Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
7679 "NIST Special Publication 800-61 Revision 2: Computer
7680 Security Incident Handling Guide", January 2012.
7684 [RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
7685 Type for the Internet Registry Information Service
7686 (IRIS)", RFC 3982, January 2005.
7688 [KB310516]
7689 Microsoft Corporation, "How to add, modify, or delete
7690 registry subkeys and values by using a registration
7691 entries (.reg) file", December 2007.
7693 [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
7694 Separated Values (CSV) File", RFC 4180, October 2005.
7696 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
7697 IANA Considerations Section in RFCs", RFC 5226, May 2008.
7699 [W3C.XMLENC]
7700 World Wide Web Consortium, "XML Encryption Syntax and
7701 Processing Version 1.1", W3C Recommendation, April 2013.
7704 Author's Address
7706 Roman Danyliw
7707 CERT - Carnegie Mellon University
7708 4500 Fifth Avenue
7709 Pittsburgh, PA
7710 USA
7712 EMail: rdd@cert.org