idnits 2.17.1
draft-ietf-mile-rfc5070-bis-23.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
in the document. If these are example addresses, they should be changed.
-- The draft header indicates that this document obsoletes RFC6685, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document obsoletes RFC5070, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
mean).
Found 'MUST not' in this paragraph:
Certain characters have special meaning in XML and MUST not appear
in literal form. Per Section 2.4 of [W3C.XML], these characters MUST be
escaped with a numeric character or entity reference.
== The document seems to contain a disclaimer for pre-RFC5378 work, but was
first submitted on or after 10 November 2008. The disclaimer is usually
necessary only for documents that revise or obsolete older RFCs, and that
take significant amounts of text from those RFCs. If you can contact all
authors of the source material and they are willing to grant the BCP78
rights to the IETF Trust, you can and should remove the disclaimer.
Otherwise, the disclaimer is needed and you can ignore this comment.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (June 20, 2016) is 2860 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: '0-9' is mentioned on line 7193, but not defined
== Missing Reference: '0-4' is mentioned on line 7193, but not defined
== Missing Reference: '0-5' is mentioned on line 7193, but not defined
== Missing Reference: 'O1' is mentioned on line 4905, but not defined
== Missing Reference: 'O2' is mentioned on line 4906, but not defined
== Missing Reference: 'O3' is mentioned on line 4895, but not defined
-- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'
** Downref: Normative reference to an Informational RFC: RFC 2781
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO19770'
-- Obsolete informational reference (is this intentional?): RFC 5070
(Obsoleted by RFC 7970)
-- Obsolete informational reference (is this intentional?): RFC 6685
(Obsoleted by RFC 7970)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
-- Obsolete informational reference (is this intentional?): RFC 2818
(Obsoleted by RFC 9110)
-- Obsolete informational reference (is this intentional?): RFC 5246
(Obsoleted by RFC 8446)
Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 11 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
MILE Working Group R. Danyliw
Internet-Draft CERT
Obsoletes: 5070, 6685 (if approved) June 20, 2016
Intended status: Standards Track
Expires: December 22, 2016

The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-23

Abstract

The Incident Object Description Exchange Format (IODEF) defines a
data representation for security incident reports and indicators
commonly exchanged by operational security teams for mitigation and
watch and warning. This document describes an updated information
model for the IODEF and provides an associated data model specified
with XML Schema. This new information and data model obsoletes
Request for Comment (RFC) 5070 and 6685.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 22, 2016.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 6
1.4. Changelog . . . . . . . . . . . . . . . . . . . . . . . . 7
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10
2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10
2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 10
2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10
2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11
2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11
2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11
2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11
2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12
2.13. Uniform Resource Locator strings . . . . . . . . . . . . 12
2.14. Identifiers and Identifier References . . . . . . . . . . 12
2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12
2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13
2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 15
3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 19
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 24
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 24
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 25
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 26
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 27
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 28
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 29
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 32
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34
3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35
3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36
3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 39
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 40
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 41
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41
3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 44
3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 46
3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 48
3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 50
3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 51
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 52
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54
3.14.1. Relating the Incident and EventData Classes . . . . 57
3.14.2. Recursive Definition of EventData . . . . . . . . . 57
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 58
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 61
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61
3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 65
3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 66
3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 67
3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 70
3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 73
3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 75
3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 76
3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 76
3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 78
3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 79
3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 79
3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 81
3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 82
3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 83
3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 85
3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 86
3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 87
3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 87
3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 88
3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 89
3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 90
3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 92
3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 92
3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 93
3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 94
3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 94
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 97
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 97
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 98
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 104
3.29.5. Expressions with IndicatorExpression . . . . . . . . 106
3.29.6. ObservableReference Class . . . . . . . . . . . . . 107
3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 108
3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 109
4. Processing Considerations . . . . . . . . . . . . . . . . . . 109
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 110
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 110
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 110
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 111
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 112
5.1. Extending the Enumerated Values of Attributes . . . . . . 112
5.1.1. Private Extension of Enumerated Values . . . . . . . 112
5.1.2. Public Extension of Enumerated Values . . . . . . . . 113
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 113
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 115
6. Internationalization Issues . . . . . . . . . . . . . . . . . 116
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 117
7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 117
7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 117
8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 119
9. Security Considerations . . . . . . . . . . . . . . . . . . . 158
9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 158
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 159
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 160
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 160
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 161
10.3. Expert Review of IODEF-Related XML Registry Entries . . 164
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 164
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 164
12.1. Normative References . . . . . . . . . . . . . . . . . . 164
12.2. Informative References . . . . . . . . . . . . . . . . . 167
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 168
1. Introduction

Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a
botnet, or sharing watch-lists of known malicious indicators in a
consortium.

The Incident Object Description Exchange Format (IODEF) is a format
for representing computer security information commonly exchanged
between Computer Security Incident Response Teams (CSIRTs) or other
operational security teams. It provides an XML representation for
conveying:

o indicators to characterize a threat;

o security incident reports to document attacks against an
organization;

o response activity taken or that could be taken in response to an
incident; and

o meta-data so that these various classes of information can be
exchanged among parties.

The purpose of the IODEF is to enhance the operational capabilities
of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT
to resolve security incidents; understand threats; and coordinate
response activities and proactive mitigations by simplifying
collaboration and data sharing with its partners. This structured
format provided by the IODEF allows for:

o machine-to-machine exchange of incident and indicator data;

o automated processing of this data, thereby allowing more rapid
execution of appropriate courses of action; and

o the development of an ecosystem of interoperable tools enabling
security operations.

Sharing and coordinating with other organizations is not strictly a
technical problem. There are numerous procedural, cultural, legal
and trust-related barriers to overcome. The IODEF does not attempt
to address them directly. However, operational implementations of
the IODEF will need to consider these challenges.

Section 1 provides the background for the IODEF. Sections 3 and 8
specify the IODEF information and data model respectively. The data
types used in this document are described in Section 2. Processing
considerations, extending the specification, internationalization and
security issues are covered in Sections 4, 5, 6 and 9 respectively.
Examples are listed in Section 7.
1.1. Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

1.2. Notations

The IODEF is specified as an Extensible Markup Language (XML)
[W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is
found in the XML schema in Section 8. To aid in the understanding of
the data elements, Section 3 also depicts the underlying information
model using Unified Modeling Language (UML). This abstract
presentation of the IODEF is not normative.

For clarity in this document, the term "XML document" will be used
when referring generically to any instance of an XML document. The
term "IODEF document" will be used to refer to an XML document
conforming to the IODEF specification. The term "schema" will be
used to refer to Section 8 of this document. The terms "data model"
and "schema" will be used interchangeably. The terms "class" and
"element" will be used to reference either the corresponding data
element in the UML-based information or XML Schema-based data models,
respectively.
1.3. About the IODEF Data Model

A number of considerations were made in the design of the IODEF data
model.

o The data model found in this document is an evolution of the one
previously specified in [RFC5070]. New fields were added to
represent additional information. [RFC5070] was developed
primarily to represent incident reports. This document builds
upon it by adding support for indicators and revising it to
reflect the current challenges faced by CSIRTs. An attempt was
made to preserve backward compatibility but this was not possible
in all cases. See Section 4.4. This document obsoletes
[RFC5070].

o The IODEF is a transport format. Therefore, the data model may
not be the optimal archival or in-memory processing format.

o The IODEF is intended to be a framework to convey only commonly
exchanged information. It ensures that there are mechanisms for
extensibility to support organization-specific information and
techniques to reference information kept outside of the data
model.

o Not all commonly exchanged information has a well-defined format
or taxonomy. The IODEF attempts to strike a balance between
enforcing sufficient structure to allow automated processing and
supporting free-form content that enables maximum flexibility.

o The IODEF fits into a broader ecosystem of standards and
conventions. An attempt was made to harmonize the data model with
this context.
1.4. Changelog

A detailed list of additions made to the [RFC5070] data model is
enumerated in this section. See Section 4.4 for a list of
incompatible changes.

o Updated the data types (Section 2) to improve
internationalization, clarify ambiguity, and ensure consistency in
extensions.

o Added the observable-id attribute (Section 3.3.2) and the
IndicatorData class (Section 3.28) to represent indicators.

o Added the private-enum-name and private-enum-id attributes to the
IODEF-Document class (Section 3.1) to disambiguate private
extensions.

o Updated the Incident class (Section 3.2) to represent additional
timing and workflow information.

o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8)
classes to represent attack attribution information.

o Updated the Contact class (Section 3.9) and its children to
improve internationalization and represent additional information
about an entity.

o Updated the Method class (Section 3.11) to improve extensibility
through externally referenced resources.

o Added the Discovery class (Section 3.10) to describe how an
incident was discovered.

o Updated the Assessment class (Section 3.12) to enable more
descriptive characterizations of the impact of an incident.

o Updated the HistoryItem (Section 3.13.1) and Expectation
(Section 3.15) classes to support a reference to a course of
action.

o Updated the EventData class (Section 3.14) with additional meta-
data added to the Incident class.

o Updated the System (Section 3.17) class with additional meta-data.

o Updated the Counter class (Section 3.18.3) to support additional
rate metrics.

o Added the DomainData (Section 3.19), EmailData (Section 3.21),
WindowsRegistryKeysModified (Section 3.23), CertificateData
(Section 3.24) and FileData (Section 3.25) classes to improve the
description of an incident and support this data as indicators.

o Added the SignatureData (Section 3.27) and HashData classes
(Section 3.26) to represent digital signatures and hashes.

o Added support for public enumerated attribute extensions using
IANA registries (Section 5.1.2).

o Updated numerous enumerated attributes for completeness.
2. IODEF Data Types

The IODEF uses a number of simple and complex types. This section
describes these data types.

2.1. Integers

An integer is represented in the information model by the INTEGER
data type. Integer data MUST be encoded in Base 10.

The INTEGER data type is implemented in the data model as a
"xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].

2.2. Real Numbers

A real (floating-point) number is represented in the information
model by the REAL data type. Real data MUST be encoded in Base 10.

The REAL data type is implemented in the data model as a "xs:float"
type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].

2.3. Characters and Strings

A single character is represented in the information model by the
CHARACTER data type. A string is represented by the STRING data
type. Special characters MUST be encoded using entity references.
See Section 4.1.

The CHARACTER and STRING data types are implemented in the data model
as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
2.4. Multilingual Strings

A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in
the information model by the ML_STRING data type.

The ML_STRING data type is implemented in the data model as the
"iodef:MLStringType" type. This type extends the "xs:string" to
include two attributes.

+------------------------+
| iodef:MLStringType |
+------------------------+
| xs:string |
| |
| ENUM xml:lang |
| STRING translation-id |
+------------------------+

Figure 1: The iodef:MLStringType Type

The content of the class is a character string of type "xs:string"
whose language MAY be specified by the xml:lang attribute.

The attributes of the iodef:MLStringType type are:

xml:lang
Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and format are described in [RFC5646]. The
interpretation of this code is described in Section 6.

translation-id
Optional. STRING. An identifier to relate other instances of
this class with the same parent as translations of this text. The
scope of this identifier is limited to all of the direct, peer
child classes of a given parent class.

Using this class enables representing translations of the same text
in multiple languages. Each translation is a distinct instance of
this class with a common parent. A group of classes each with a
translated instance of text is related by setting a common identifier
in the translation-id attribute. The language of a given class is
set by the xml:lang attribute. See Section 6 for more details on
representing translations of free-form text.
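To show how the translation-id scoping of this section works in practice, here is an added example (not part of the draft) that groups the direct Description children of a SoftwareType element by translation-id and selects a preferred language. It assumes the RFC 7970 namespace URI and a constructed sample document; Description is used because Section 2.15 declares it ML_STRING.

```python
import xml.etree.ElementTree as ET

# Namespace of the published IODEF v2 schema (RFC 7970); the draft's Section
# 4.2 is outside this excerpt, so the URI is taken as an assumption.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
# xml:lang in Clark notation: ElementTree exposes the reserved "xml" prefix
# under its namespace URI, not as the literal attribute name "xml:lang".
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: a SoftwareType with three Description children
# (Description is ML_STRING per Section 2.15). The first two share a
# translation-id and are translations of one text; the third is unrelated.
SAMPLE = f"""<Software xmlns="{IODEF_NS}">
  <Description xml:lang="en" translation-id="t1">Patched vendor build</Description>
  <Description xml:lang="de" translation-id="t1">Gepatchter Herstellerbuild</Description>
  <Description xml:lang="en">Seen on two hosts</Description>
</Software>"""


def translation_groups(parent: ET.Element, child_tag: str) -> dict:
    """Group the direct `child_tag` children of `parent` by translation-id.

    Returns {group_key: {lang: text}}. Children with a translation-id are
    grouped under it; a child without one gets its own key (None, index) so
    unrelated strings are never merged. Only direct peers of one parent are
    looked at, which is exactly the scope Section 2.4 gives the identifier.
    An empty lang means the child is in the document's default language.
    """
    groups: dict = {}
    for idx, child in enumerate(parent.findall(f"{{{IODEF_NS}}}{child_tag}")):
        key = child.get("translation-id") or (None, idx)
        lang = child.get(XML_LANG, "")
        groups.setdefault(key, {})[lang] = (child.text or "").strip()
    return groups


def pick_translation(group: dict, preferred: list) -> str:
    """Text in the first preferred language present in the group, else any."""
    for lang in preferred:
        if lang in group:
            return group[lang]
    return next(iter(group.values()))


def sample_groups() -> dict:
    """Translation groups of the Description children in SAMPLE."""
    return translation_groups(ET.fromstring(SAMPLE), "Description")


def describe_sample(preferred: list) -> list:
    """One string per translation group in SAMPLE, in the preferred language."""
    return [pick_translation(g, preferred) for g in sample_groups().values()]
```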
2.5. Binary Strings

Binary octets can be represented with two encodings.

2.5.1. Base64 Bytes

A binary octet encoded with Base64 is represented in the information
model by the BYTE data type. A sequence of these octets is of the
BYTE[] data type.

The BYTE and BYTE[] data types are implemented in the data model as a
"xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].

2.5.2. Hexadecimal Bytes

A binary octet encoded as a character tuple consisting of two
hexadecimal digits is represented in the information model by the
HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
type.

The HEXBIN and HEXBIN[] data types are implemented in the data model
as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].
2.6. Enumerated Types

An enumerated type is represented in the information model by the
ENUM data type. It is an ordered list of acceptable string values.
Each value has a representative keyword. Within the data model, the
enumerated type keywords are used as attribute values.

The ENUM data type is implemented in the data model as values of a
"xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].

2.7. Date-Time String

A date-time string that describes a particular instant in time is
represented in the information model by the DATETIME data type.
Ranges are not supported.

The DATETIME data type is implemented in the data model as a
"xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].

2.8. Timezone String

A timezone offset from UTC is represented in the information model by
the TIMEZONE data type. It is formatted according to the following
regular expression:
"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9](:[0-5][0-9])?".

The TIMEZONE data type is implemented in the data model as an
"iodef:TimezoneType" type.

2.9. Port Lists

A list of network ports is represented in the information model by
the PORTLIST data type. A PORTLIST consists of a comma-separated
list of numbers and ranges (N-M means ports N through M, inclusive).
It is formatted according to the following regular expression:
"\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
"2,5-15,30,32,40-50,55-60".

The PORTLIST data type is implemented in the data model as an
"iodef:PortlistType" type.
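The two regular expressions above only constrain lexical shape. The added example below (not from the draft) implements the TIMEZONE and PORTLIST checks of Sections 2.8 and 2.9 in Python, converts a timezone string to its UTC offset, and expands a port list into ranges and individual ports. The N <= M check and the 0..65535 bound are assumptions layered on top of the quoted patterns, which accept "15-5" and "70000".

```python
import re

# The two lexical patterns quoted in Sections 2.8 and 2.9 of the draft.
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9](:[0-5][0-9])?")
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*")

MAX_PORT = 65535  # TCP/UDP port space; an assumption, Section 2.9 states no bound


def is_timezone(value: str) -> bool:
    """True if value is a TIMEZONE string: "Z" or +/-HH:MM with optional :SS."""
    return TIMEZONE_RE.fullmatch(value) is not None


def timezone_offset_seconds(value: str) -> int:
    """Offset from UTC in seconds for a TIMEZONE string (ValueError if malformed)."""
    if not is_timezone(value):
        raise ValueError(f"not a TIMEZONE string: {value!r}")
    if value == "Z":
        return 0
    sign = -1 if value[0] == "-" else 1
    fields = [int(f) for f in value[1:].split(":")]  # HH, MM and optionally SS
    hours, minutes = fields[0], fields[1]
    seconds = fields[2] if len(fields) == 3 else 0
    return sign * (hours * 3600 + minutes * 60 + seconds)


def portlist_problem(value: str):
    """Return None if value is an acceptable PORTLIST, else a description of why not.

    The regular expression covers only the lexical shape. Two semantic checks
    are added on top of it (assumptions, not stated in Section 2.9 but implied
    by "N-M means ports N through M, inclusive" and by the port space):
    every range must satisfy N <= M and every port must be 0..MAX_PORT.
    """
    if PORTLIST_RE.fullmatch(value) is None:
        return f"does not match the PORTLIST pattern: {value!r}"
    for item in value.split(","):
        low, _, high = item.partition("-")
        low_n = int(low)
        high_n = int(high) if high else low_n
        if low_n > high_n:
            return f"reversed range {item!r}"
        if high_n > MAX_PORT:
            return f"port above {MAX_PORT} in {item!r}"
    return None


def parse_portlist(value: str) -> list:
    """Parse a PORTLIST into a list of (low, high) inclusive tuples."""
    problem = portlist_problem(value)
    if problem is not None:
        raise ValueError(problem)
    ranges = []
    for item in value.split(","):
        low, _, high = item.partition("-")
        ranges.append((int(low), int(high) if high else int(low)))
    return ranges


def expand_portlist(value: str) -> list:
    """Expand a PORTLIST into the sorted, de-duplicated list of single ports."""
    ports = set()
    for low, high in parse_portlist(value):
        ports.update(range(low, high + 1))
    return sorted(ports)
```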
2.10. Postal Address

A postal address is represented in the information model by the
POSTAL data type. The format of the POSTAL data type is documented
in Section 2.23 of [RFC4519] as a free-form multi-line string
separated by the "$" character.

The POSTAL data type is implemented in the data model as an
"iodef:MLStringType" type.

2.11. Telephone Number

A telephone number is represented in the information model by the
PHONE data type. The format of the PHONE data type is documented in
[E.164].

The PHONE data type is implemented in the data model as a "xs:string"
type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.12. Email String

An email address is represented in the information model by the EMAIL
data type. The format of the EMAIL data type is documented in
Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531].

The EMAIL data type is implemented in the data model as a "xs:string"
type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.13. Uniform Resource Locator strings

A uniform resource locator (URL) is represented in the information
model by the URL data type. The format of the URL data type is
documented in [RFC3986].

The URL data type is implemented as a "xs:anyURI" type per
Section 3.2.17 of [W3C.SCHEMA.DTYPES].

2.14. Identifiers and Identifier References

An identifier unique to the IODEF document is represented in the
information model by the ID data type. A reference to this
identifier is represented by the IDREF data type.

The ID and IDREF data types are implemented in the model as "xs:ID"
and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
[W3C.SCHEMA.DTYPES].

2.15. Software

A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by
using a reference, a URL or with free-form text.

The SOFTWARE data type is implemented in the data model as the
"iodef:SoftwareType" type.

+--------------------+
| iodef:SoftwareType |
+--------------------+
| |<>--{0..1}--[ SoftwareReference ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+

Figure 2: The SoftwareType Type

The aggregate classes of the SoftwareType type are:

SoftwareReference
Zero or one. Reference to a software application. See
Section 2.15.1.

URL
Zero or more. URL. A URL to a resource describing the software.

Description
Zero or more. ML_STRING. A free-form text description of the
software.

At least one of these classes MUST be present.

The iodef:SoftwareType type has no attributes.
2.15.1. SoftwareReference Class

The SoftwareReference class is a reference to a particular version of
software.

+----------------------+
| SoftwareReference |
+----------------------+
| xs:any |
| |
| ENUM spec-name |
| STRING ext-spec-name |
| ENUM dtype |
| STRING ext-dtype |
+----------------------+

Figure 3: The SoftwareReference Class

The element content varies according to the value of the spec-name
attribute. It is defined in the data model as "xs:any" per
[W3C.SCHEMA].

The attributes of the SoftwareReference class are:

spec-name
Required. ENUM. Identifies the format and semantics of the
element body of this class. Formal standards and specifications
can be referenced as well as a free-form text description with a
user-provided data type. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Section 10.2.

1. custom. The element content is free-form and of the data type
specified by the dtype attribute. If this value is selected,
then the dtype attribute MUST be set.

2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry per [NIST.CPE].

3. swid. The element content describes a software identification
(SWID) tag per [ISO19770].

4. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.

ext-spec-name
Optional. STRING. A means by which to extend the spec-name
attribute. See Section 5.1.1.

dtype
Optional. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the
"SoftwareReference-dtype" IANA registry per Section 10.2.

1. bytes. The element content is of type HEXBIN.

2. integer. The element content is of type INTEGER.

3. real. The element content is of type REAL.

4. string. The element content is of type STRING.

5. xml. The element content is XML. See Section 5.2.

6. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.

ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
658 2.16. Extension
660 Information not otherwise represented in the IODEF can be added using
661 the EXTENSION data type. This data type is a generic extension
662 mechanism.
664 The EXTENSION data type is implemented in the data model as the
665 "iodef:ExtensionType" type.
667 The data type of an EXTENSION is described by the dtype attribute.
668 For simple information, atomic data types (e.g., integers, strings)
669 are supported. Their semantics are further described by the meaning
670 and formatid attributes. Encapsulating XML documents conforming to
671 another schema is also supported. A detailed discussion of extending
672 the schema can be found in Section 5. Additional coordination may be
673 required to ensure that a recipient of a document using this type can
674 parse and process it.
676 +------------------------+
677 | iodef:ExtensionType |
678 +------------------------+
679 | xs:any |
680 | |
681 | STRING name |
682 | ENUM dtype |
683 | STRING ext-dtype |
684 | STRING meaning |
685 | STRING formatid |
686 | ENUM restriction |
687 | STRING ext-restriction |
688 | ID observable-id |
689 +------------------------+
691 Figure 4: The iodef:ExtensionType Type
693 The element content of this type is the extension being added to the
694 data model. This content is defined in the data model as "xs:any"
695 per [W3C.SCHEMA].
697 The attributes of the iodef:ExtensionType type are:
699 name
700 Optional. STRING. A free-form name of the field or data element.
702 dtype
703 Required. ENUM. The data type of the element content. The
704 default value is "string". These values are maintained in the
705 "ExtensionType-dtype" IANA registry per Section 10.2.
707 1. boolean. The element content is of type BOOLEAN.
709 2. byte. The element content is of type BYTE.
711 3. bytes. The element content is of type HEXBIN.
713 4. character. The element content is of type CHARACTER.
715 5. date-time. The element content is of type DATETIME.
717 6. ntpstamp. Same as date-time.
719 7. integer. The element content is of type INTEGER.
721 8. portlist. The element content is of type PORTLIST.
723 9. real. The element content is of type REAL.
725 10. string. The element content is of type STRING.
727 11. file. The element content is a base64 encoded binary file
728 encoded as a BYTE[] type.
730 12. path. The element content is a file-system path encoded as a
731 STRING type.
733 13. frame. The element content is a layer-2 frame encoded as a
734 HEXBIN type.
736 14. packet. The element content is a layer-3 packet encoded as a
737 HEXBIN type.
739 15. ipv4-packet. The element content is an IPv4 packet encoded
740 as a HEXBIN type.
742 16. ipv6-packet. The element content is an IPv6 packet encoded
743 as a HEXBIN type.
745 17. url. The element content is of type URL.
747 18. csv. The element content is a comma-separated value (CSV)
748 list per Section 2 of [RFC4180] encoded as a STRING type.
750 19. winreg. The element content is a Windows registry key
751 encoded as a STRING type.
753 20. xml. The element content is XML. See Section 5.
755 21. ext-value. A value used to indicate that this attribute is
756 extended and the actual value is provided using the
757 corresponding ext-* attribute. See Section 5.1.1.
759 ext-dtype
760 Optional. STRING. A means by which to extend the dtype
761 attribute. See Section 5.1.1.
763 meaning
764 Optional. STRING. A free-form text description of the element
765 content.
767 formatid
768 Optional. STRING. An identifier referencing the format or
769 semantics of the element content.
771 restriction
772 Optional. ENUM. See Section 3.3.1.
774 ext-restriction
775 Optional. STRING. A means by which to extend the restriction
776 attribute. See Section 5.1.1.
778 observable-id
779 Optional. ID. See Section 3.3.2.
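Both SoftwareReference and ExtensionType carry "xs:any" content whose meaning is fixed only by the dtype (and, for SoftwareReference, spec-name) attributes, so a consumer has to check those attributes before touching the body. The Python below is an added example, not code from the draft or from any IODEF implementation: it decodes an AdditionalData element according to its declared dtype, rejecting content that does not match (a non-hex HEXBIN, child elements under a non-xml dtype, an ext-value without its ext-* attribute), and validates the spec-name/dtype coupling of a SoftwareReference. The sample document is constructed here and is not schema-validated; BYTE content is treated as base64, as the "file" entry above states. Python's xml.etree is not hardened against entity-expansion attacks, so a production parser for documents from other CSIRTs should use defusedxml or an equivalently hardened parser.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Registered dtype values for iodef:ExtensionType (the ext-value sentinel
# is handled separately because it needs ext-dtype).
EXTENSION_DTYPES = {
    "boolean", "byte", "bytes", "character", "date-time", "ntpstamp",
    "integer", "portlist", "real", "string", "file", "path", "frame",
    "packet", "ipv4-packet", "ipv6-packet", "url", "csv", "winreg", "xml",
}
HEXBIN_DTYPES = {"bytes", "frame", "packet", "ipv4-packet", "ipv6-packet"}
BASE64_DTYPES = {"byte", "file"}        # BYTE content is base64-encoded
SOFTWARE_SPEC_NAMES = {"custom", "cpe", "swid"}
SOFTWARE_DTYPES = {"bytes", "integer", "real", "string", "xml"}


def local_name(tag):
    """'{urn:...}AdditionalData' -> 'AdditionalData' (namespace-agnostic)."""
    return tag.rsplit("}", 1)[-1]


def decode_extension(elem):
    """Decode one ExtensionType element (e.g. AdditionalData) by its dtype.
    Returns (dtype, value); a mismatch between the declared dtype and the
    content raises ValueError instead of quietly degrading to a string."""
    dtype = elem.get("dtype", "string")            # the spec's default
    if dtype == "ext-value":
        ext = elem.get("ext-dtype")
        if not ext:
            raise ValueError("dtype=ext-value requires ext-dtype")
        return ("ext:" + ext, (elem.text or "").strip())  # private type: raw
    if dtype not in EXTENSION_DTYPES:
        raise ValueError("dtype %r not in ExtensionType-dtype registry" % dtype)
    children = list(elem)
    if dtype == "xml":
        if len(children) != 1:
            raise ValueError("dtype=xml requires exactly one child element")
        return (dtype, children[0])                # foreign-schema content
    if children:
        raise ValueError("dtype=%s must not carry child elements" % dtype)
    text = (elem.text or "").strip()
    if dtype == "integer":
        return (dtype, int(text))                  # ValueError if not numeric
    if dtype == "real":
        return (dtype, float(text))
    try:
        if dtype in HEXBIN_DTYPES:
            return (dtype, binascii.unhexlify(text))
        if dtype in BASE64_DTYPES:
            return (dtype, base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("bad %s content: %s" % (dtype, exc))
    # string, path, winreg, csv, url, date-time, ... are STRING-encoded;
    # validating their inner format is left to the caller.
    return (dtype, text)


def check_software_reference(elem):
    """Validate the spec-name / dtype coupling of a SoftwareReference and
    return (spec_name, dtype): 'custom' MUST carry an explicit dtype, and
    each ext-value sentinel MUST come with its ext-* attribute."""
    spec = elem.get("spec-name")
    if spec == "ext-value":
        if not elem.get("ext-spec-name"):
            raise ValueError("spec-name=ext-value requires ext-spec-name")
    elif spec not in SOFTWARE_SPEC_NAMES:
        raise ValueError("spec-name %r is missing or unregistered" % spec)
    if spec == "custom" and elem.get("dtype") is None:
        raise ValueError("spec-name=custom requires the dtype attribute")
    dtype = elem.get("dtype", "string")
    if dtype == "ext-value":
        if not elem.get("ext-dtype"):
            raise ValueError("dtype=ext-value requires ext-dtype")
    elif dtype not in SOFTWARE_DTYPES:
        raise ValueError("dtype %r not in SoftwareReference-dtype registry" % dtype)
    return (spec, dtype)


def rejects(fragment, checker=decode_extension):
    """True if checker refuses the fragment (exercises the error paths)."""
    try:
        checker(ET.fromstring(fragment))
    except ValueError:
        return True
    return False


# Constructed sample, not from the draft and not schema-validated; the
# packet is a bare 20-byte IPv4 header and the file is a truncated stub.
SAMPLE = """<IODEF-Document version="2.00"><Incident purpose="reporting">
 <EventData><Flow><System category="target"><OperatingSystem>
  <SoftwareReference spec-name="cpe">cpe:2.3:o:example:os:1.0:*:*:*:*:*:*:*</SoftwareReference>
 </OperatingSystem></System></Flow></EventData>
 <AdditionalData dtype="integer" meaning="bytes exfiltrated">4096</AdditionalData>
 <AdditionalData dtype="ipv4-packet">450000280001000040060000c0000201c0000202</AdditionalData>
 <AdditionalData dtype="file" name="dropper.bin">TVqQAAMAAAAEAAAA</AdditionalData>
 <AdditionalData dtype="xml"><x:Thing xmlns:x="urn:example:x">y</x:Thing></AdditionalData>
 <AdditionalData dtype="ext-value" ext-dtype="yara-rule">rule r { condition: true }</AdditionalData>
</Incident></IODEF-Document>"""


def decode_document(xml_text):
    """Decode every AdditionalData (document order) and validate every
    SoftwareReference. Returns (extensions, software_references)."""
    root = ET.fromstring(xml_text)
    exts = [decode_extension(e) for e in root.iter() if local_name(e.tag) == "AdditionalData"]
    refs = [check_software_reference(e) for e in root.iter() if local_name(e.tag) == "SoftwareReference"]
    return exts, refs
```

The decoder deliberately does not interpret the STRING-encoded formats (csv, winreg, path, url); those still need their own validation before being acted on, and the "xml" branch hands back a foreign-schema subtree that must be processed with whatever coordination Section 5 calls for.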
781 3. The IODEF Information Model
783 The specifics of the IODEF information model are discussed in this
784 section. Each class and its relationships with the other classes is
785 described. When necessary, clarifications are made about translating
786 this information model to the schema in Section 8.
788 3.1. IODEF-Document Class
790 The IODEF-Document class is the top level class in the IODEF data
791 model. All IODEF documents are an instance of this class.
793 +--------------------------+
794 | IODEF-Document |
795 +--------------------------+
796 | STRING version |<>--{1..*}--[ Incident ]
797 | ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
798 | STRING format-id |
799 | STRING private-enum-name |
800 | STRING private-enum-id |
801 +--------------------------+
803 Figure 5: IODEF-Document Class
805 The aggregate classes of the IODEF-Document class are:
807 Incident
808 One or more. The information related to a single incident. See
809 Section 3.2.
811 AdditionalData
812 Zero or more. EXTENSION. Mechanism by which to extend the data
813 model.
815 The attributes of the IODEF-Document class are:
817 version
818 Required. STRING. The IODEF specification version number to
819 which this IODEF document conforms. The value of this attribute
820 MUST be "2.00".
822 xml:lang
823 Optional. ENUM. A language identifier per Section 2.12 of
824 [W3C.XML] whose values and form are described in [RFC5646]. The
825 interpretation of this code is described in Section 6.
827 format-id
828 Optional. STRING. A free-form string to convey processing
829 instructions to the recipient of the document. Its semantics must
830 be negotiated out-of-band.
832 private-enum-name
833 Optional. STRING. A globally unique identifier for the CSIRT
834 generating the document to deconflict private extensions used in
835 the document. The fully qualified domain name associated with the
836 CSIRT MUST be used as the identifier. See Section 5.3.
838 private-enum-id
839 Optional. STRING. An organizationally unique identifier for an
840 extension used in the document. If this attribute is set, the
841 private-enum-name MUST also be set. See Section 5.3.
843 3.2. Incident Class
845 The Incident class describes commonly exchanged information when
846 reporting or sharing derived analysis from security incidents.
848 +-------------------------+
849 | Incident |
850 +-------------------------+
851 | ENUM purpose |<>----------[ IncidentID ]
852 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
853 | ENUM status |<>--{0..*}--[ RelatedActivity ]
854 | STRING ext-status |<>--{0..1}--[ DetectTime ]
855 | ENUM xml:lang |<>--{0..1}--[ StartTime ]
856 | ENUM restriction |<>--{0..1}--[ EndTime ]
857 | STRING ext-restriction |<>--{0..1}--[ RecoveryTime ]
858 | ID observable-id |<>--{0..1}--[ ReportTime ]
859 | |<>----------[ GenerationTime ]
860 | |<>--{0..*}--[ Description ]
861 | |<>--{0..*}--[ Discovery ]
862 | |<>--{0..*}--[ Assessment ]
863 | |<>--{0..*}--[ Method ]
864 | |<>--{1..*}--[ Contact ]
865 | |<>--{0..*}--[ EventData ]
866 | |<>--{0..1}--[ IndicatorData ]
867 | |<>--{0..1}--[ History ]
868 | |<>--{0..*}--[ AdditionalData ]
869 +-------------------------+
871 Figure 6: The Incident Class
873 The aggregate classes of the Incident class are:
875 IncidentID
876 One. An incident tracking number assigned to this incident by the
877 CSIRT that generated the IODEF document. See Section 3.4.
879 AlternativeID
880 Zero or one. The incident tracking numbers used by other CSIRTs
881 to refer to the incident described in the document. See
882 Section 3.5.
884 RelatedActivity
885 Zero or more. Related activity and attribution of this activity.
886 See Section 3.6.
888 DetectTime
889 Zero or one. DATETIME. The time the incident was first detected.
891 StartTime
892 Zero or one. DATETIME. The time the incident started.
894 EndTime
895 Zero or one. DATETIME. The time the incident ended.
897 RecoveryTime
898 Zero or one. DATETIME. The time the site recovered from the
899 incident.
901 ReportTime
902 Zero or one. DATETIME. The time the incident was reported.
904 GenerationTime
905 One. DATETIME. The time the content in this Incident class was
906 generated.
908 Description
909 Zero or more. ML_STRING. A free-form text description of the
910 incident.
912 Discovery
913 Zero or more. The means by which this incident was detected. See
914 Section 3.10.
916 Assessment
917 Zero or more. A characterization of the impact of the incident.
918 See Section 3.12.
920 Method
921 Zero or more. The techniques used by the threat actor in the
922 incident. See Section 3.11.
924 Contact
925 One or more. Contact information for the parties involved in the
926 incident. See Section 3.9.
928 EventData
929 Zero or more. Description of the events comprising the incident.
930 See Section 3.14.
932 IndicatorData
933 Zero or one. Indicators from the analysis of an incident. See
934 Section 3.28.
936 History
937 Zero or one. A log of significant events or actions that occurred
938 during the course of handling the incident. See Section 3.13.
940 AdditionalData
941 Zero or more. EXTENSION. Mechanism by which to extend the data
942 model.
944 The attributes of the Incident class are:
946 purpose
947 Required. ENUM. The purpose attribute describes the rationale
948 for documenting the information in this class. It is
949 closely related to the Expectation class (Section 3.15). These
950 values are maintained in the "Incident-purpose" IANA registry per
951 Section 10.2. This attribute is defined as an enumerated list:
953 1. traceback. The Incident was sent for trace-back purposes.
955 2. mitigation. The Incident was sent to request aid in
956 mitigating the described activity.
958 3. reporting. The Incident was sent to comply with reporting
959 requirements.
961 4. watch. The Incident was sent to convey indicators that should
962 be monitored.
964 5. other. The Incident was sent for purposes specified in the
965 Expectation class.
967 6. ext-value. A value used to indicate that this attribute is
968 extended and the actual value is provided using the
969 corresponding ext-* attribute. See Section 5.1.1.
971 ext-purpose
972 Optional. STRING. A means by which to extend the purpose
973 attribute. See Section 5.1.1.
975 status
976 Optional. ENUM. The status attribute conveys the state in a
977 workflow where the incident is currently found. These values are
978 maintained in the "Incident-status" IANA registry per
979 Section 10.2. This attribute is defined as an enumerated list:
981 1. new. The Incident is newly reported and has not been
982 actioned.
984 2. in-progress. The contents of this Incident are under
985 investigation.
987 3. forwarded. The Incident has been forwarded to another party
988 for handling.
990 4. resolved. The investigation into the activity in this
991 Incident has concluded.
993 5. future. The described activity has not yet been detected.
995 6. ext-value. A value used to indicate that this attribute is
996 extended and the actual value is provided using the
997 corresponding ext-* attribute. See Section 5.1.1.
999 ext-status
1000 Optional. STRING. A means by which to extend the status
1001 attribute. See Section 5.1.1.
1003 xml:lang
1004 Optional. ENUM. A language identifier per Section 2.12 of
1005 [W3C.XML] whose values and form are described in [RFC5646]. The
1006 interpretation of this code is described in Section 6.
1008 restriction
1009 Optional. ENUM. See Section 3.3.1. The default value is
1010 "private".
1012 ext-restriction
1013 Optional. STRING. A means by which to extend the restriction
1014 attribute. See Section 5.1.1.
1016 observable-id
1017 Optional. ID. See Section 3.3.2.
1019 3.3. Common Attributes
1021 There are a number of recurring attributes used in the information
1022 model. They are documented in this section.
1024 3.3.1. restriction Attribute
1026 The restriction attribute indicates the disclosure guidelines to
1027 which the sender expects the recipient to adhere for the information
1028 represented in this class and its children. This guideline provides
1029 no security since there are no technical means to ensure that the
1030 recipient of the document handles the information as the sender
1031 requested.
1033 The value of this attribute is logically inherited by the children of
1034 this class. That is to say, the disclosure rules applied to this
1035 class also apply to its children.
1037 It is possible to set a granular disclosure policy, since all of the
1038 high-level classes (i.e., children of the Incident class) have a
1039 restriction attribute. Therefore, a child can override the
1040 guidelines of a parent class, be it to restrict or relax the
1041 disclosure rules (e.g., a child has a weaker policy than an ancestor;
1042 or an ancestor has a weak policy, and the children selectively apply
1043 more rigid controls). The implicit value of the restriction
1044 attribute for a class that did not specify one can be found in the
1045 closest ancestor that did specify a value.
1047 This attribute is defined as an enumerated value with a default value
1048 of "private". Note that the default value of the restriction
1049 attribute is only defined in the context of the Incident class. In
1050 other classes where this attribute is used, no default is specified.
1052 These values are maintained in the "Restriction" IANA registry per
1053 Section 10.2.
1055 1. public. The information can be freely distributed without
1056 restriction.
1058 2. partner. The information may be shared within a closed
1059 community of peers, partners, or affected parties, but cannot be
1060 openly published.
1062 3. need-to-know. The information may be shared only within the
1063 organization with individuals that have a need to know.
1065 4. private. The information may not be shared.
1067 5. default. The information can be shared according to an
1068 information disclosure policy pre-arranged by the communicating
1069 parties.
1071 6. white. Same as 'public'.
1073 7. green. Same as 'partner'.
1075 8. amber. Same as 'need-to-know'.
1077 9. red. Same as 'private'.
1079 10. ext-value. A value used to indicate that this attribute is
1080 extended and the actual value is provided using the
1081 corresponding ext-* attribute. See Section 5.1.1.
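Because the restriction marking is only a request to the recipient, the place where it can actually be enforced is on the sending side, before a document is forwarded to a party with a narrower clearance. The Python below is an added example, not code from the draft or from any IODEF implementation: it resolves the effective restriction of every element by the inheritance rule above (own value, else closest ancestor, else the Incident-only default of "private"), folds the TLP-style synonyms onto their canonical values, and prunes every subtree marked stricter than the recipient's level. The sample document is constructed and not schema-validated. Treating "default", "ext-value" and an unmarked document-level AdditionalData as unrankable, and therefore as not shareable, is this example's own fail-closed choice, not something the draft prescribes.

```python
import xml.etree.ElementTree as ET

# Canonical restriction values from least to most restrictive; the index
# is the strictness rank. The colour names are registered synonyms.
ORDER = ["public", "partner", "need-to-know", "private"]
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def canonical(value):
    return ALIASES.get(value, value)


def rank(value):
    """Strictness of a restriction value. 'default' (policy agreed
    out-of-band), 'ext-value', None and anything unknown cannot be ranked,
    so they are treated as stricter than 'private' (fail closed)."""
    v = canonical(value)
    return ORDER.index(v) if v in ORDER else len(ORDER)


def effective_restriction(elem, inherited):
    """The value that applies to elem: its own attribute, else the closest
    ancestor's, else the Incident-only default of 'private'. Elements above
    Incident (IODEF-Document itself) carry no restriction, hence None."""
    own = elem.get("restriction")
    if own is not None:
        return own
    if inherited is not None:
        return inherited
    return "private" if local_name(elem.tag) == "Incident" else None


def effective_map(xml_text):
    """{path: effective restriction} for every element, from one top-down
    walk that carries the nearest explicit value downwards."""
    root = ET.fromstring(xml_text)
    out = {}

    def visit(elem, inherited, path):
        eff = effective_restriction(elem, inherited)
        out[path] = eff
        seen = {}
        for child in elem:
            name = local_name(child.tag)
            seen[name] = seen.get(name, 0) + 1
            visit(child, eff, "%s/%s[%d]" % (path, name, seen[name]))

    visit(root, None, local_name(root.tag))
    return out


def redact_for(xml_text, recipient_level):
    """Parse the document and drop every subtree whose effective restriction
    is stricter than recipient_level (the most restrictive marking the
    recipient may receive). Returns the pruned root element."""
    root = ET.fromstring(xml_text)
    limit = rank(recipient_level)

    def prune(elem, inherited):
        eff = effective_restriction(elem, inherited)
        for child in list(elem):
            if rank(effective_restriction(child, eff)) > limit:
                elem.remove(child)          # whole subtree goes with it
            else:
                prune(child, eff)

    prune(root, None)
    return root


# Constructed sample (not from the draft): Incident 1 is 'partner' with a
# stricter Contact and a 'red' Flow inside a 'green' EventData; Incident 2
# carries no marking at all and so falls back to 'private'.
SAMPLE = """<IODEF-Document version="2.00">
 <Incident purpose="reporting" restriction="partner">
  <IncidentID name="csirt.example.com">2024-0001</IncidentID>
  <GenerationTime>2024-05-01T10:00:00Z</GenerationTime>
  <Description>Phishing wave against staff</Description>
  <Contact role="creator" type="organization" restriction="need-to-know">
   <ContactName>Example CSIRT</ContactName>
   <Contact role="tech" type="person"><ContactName>Analyst One</ContactName></Contact>
  </Contact>
  <EventData restriction="green">
   <Description>Shareable with peers</Description>
   <Flow restriction="red"><System category="target"><Node>
    <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
  </EventData>
 </Incident>
 <Incident purpose="reporting">
  <IncidentID name="csirt.example.com">2024-0002</IncidentID>
  <GenerationTime>2024-05-01T11:00:00Z</GenerationTime>
  <Description>Unmarked, so private by the Incident default</Description>
  <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
 </Incident>
</IODEF-Document>"""
```

Pruning can remove mandatory children (in the sample, forwarding to a "partner" recipient strips the only Contact of Incident 1, which the model requires at least one of), so the pruned tree has to be re-validated against the schema and either repaired with a less restricted contact or withheld; the filter makes the disclosure decision explicit but does not make the result well-formed on its own.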
1083 3.3.2. observable-id Attribute
1085 The observable-id attribute tags information in the document as an
1086 observable so that it can be referenced later in the description of
1087 an indicator. The value of this attribute is a unique identifier in
1088 the scope of the document. It is used by the ObservableReference
1089 class to enumerate observables when defining an indicator with the
1090 IndicatorData class.
1092 3.4. IncidentID Class
1094 The IncidentID class represents a tracking number that is unique in
1095 the context of the CSIRT. It serves as an identifier for an incident
1096 or a document identifier when sharing indicators. This identifier
1097 would serve as an index into a CSIRT's incident handling or knowledge
1098 management system.
1100 The combination of the name attribute and the string in the element
1101 content MUST be a globally unique identifier describing the activity.
1102 Documents generated by a given CSIRT MUST NOT reuse the same value
1103 unless they are referencing the same incident.
1105 +------------------------+
1106 | IncidentID |
1107 +------------------------+
1108 | STRING |
1109 | |
1110 | STRING name |
1111 | STRING instance |
1112 | ENUM restriction |
1113 | STRING ext-restriction |
1114 +------------------------+
1116 Figure 7: The IncidentID Class
1118 The content of the class is an incident identifier of type STRING.
1120 The attributes of the IncidentID class are:
1122 name
1123 Required. STRING. An identifier describing the CSIRT that
1124 created the document. In order to have a globally unique CSIRT
1125 name, the fully qualified domain name associated with the CSIRT
1126 MUST be used.
1128 instance
1129 Optional. STRING. An identifier referencing a subset of the
1130 named incident.
1132 restriction
1133 Optional. ENUM. See Section 3.3.1.
1135 ext-restriction
1136 Optional. STRING. A means by which to extend the restriction
1137 attribute. See Section 5.1.1.
1139 3.5. AlternativeID Class
1141 The AlternativeID class lists the tracking numbers used by CSIRTs,
1142 other than the one generating the document, to refer to the identical
1143 activity described in the IODEF document. A tracking number listed
1144 as an AlternativeID references the same incident detected by another
1145 CSIRT. The tracking numbers of the CSIRT that generated the IODEF
1146 document must never be considered an AlternativeID.
1148 +------------------------+
1149 | AlternativeID |
1150 +------------------------+
1151 | ENUM restriction |<>--{1..*}--[ IncidentID ]
1152 | STRING ext-restriction |
1153 +------------------------+
1155 Figure 8: The AlternativeID Class
1157 The aggregate class of the AlternativeID class is:
1159 IncidentID
1160 One or more. The tracking number of another CSIRT. See
1161 Section 3.4.
1163 The attributes of the AlternativeID class are:
1165 restriction
1166 Optional. ENUM. See Section 3.3.1.
1168 ext-restriction
1169 Optional. STRING. A means by which to extend the restriction
1170 attribute. See Section 5.1.1.
1172 3.6. RelatedActivity Class
1174 The RelatedActivity class relates the information described in the
1175 rest of the document to previously observed incidents or activity;
1176 and allows attribution to a specific actor or campaign.
1178 +------------------------+
1179 | RelatedActivity |
1180 +------------------------+
1181 | ENUM restriction |<>--{0..*}--[ IncidentID ]
1182 | STRING ext-restriction |<>--{0..*}--[ URL ]
1183 | |<>--{0..*}--[ ThreatActor ]
1184 | |<>--{0..*}--[ Campaign ]
1185 | |<>--{0..*}--[ IndicatorID ]
1186 | |<>--{0..1}--[ Confidence ]
1187 | |<>--{0..*}--[ Description ]
1188 | |<>--{0..*}--[ AdditionalData ]
1189 +------------------------+
1191 Figure 9: RelatedActivity Class
1193 The aggregate classes of the RelatedActivity class are:
1195 IncidentID
1196 Zero or more. The tracking number of a related incident. See
1197 Section 3.4.
1199 URL
1200 Zero or more. URL. A URL to activity related to this incident.
1202 ThreatActor
1203 Zero or more. The threat actor to whom the incident activity is
1204 attributed. See Section 3.7.
1206 Campaign
1207 Zero or more. The campaign of a given threat actor to whom the
1208 described activity is attributed. See Section 3.8.
1210 IndicatorID
1211 Zero or more. A reference to a related indicator. See the
1212 IndicatorID class defined under IndicatorData (Section 3.28).
1214 Confidence
1215 Zero or one. An estimate of the confidence in attributing this
1216 RelatedActivity to the events described in the document. See
1217 Section 3.12.5.
1219 Description
1220 Zero or more. ML_STRING. A description of how these
1221 relationships were derived.
1223 AdditionalData
1224 Zero or more. EXTENSION. A mechanism by which to extend the data
1225 model.
1227 The RelatedActivity class MUST have at least one instance of any of
1228 the following child classes: IncidentID, URL, ThreatActor, Campaign,
1229 Description or AdditionalData.
1231 The attributes of the RelatedActivity class are:
1233 restriction
1234 Optional. ENUM. See Section 3.3.1.
1236 ext-restriction
1237 Optional. STRING. A means by which to extend the restriction
1238 attribute. See Section 5.1.1.
1240 3.7. ThreatActor Class
1242 The ThreatActor class describes a threat actor.
1244 +------------------------+
1245 | ThreatActor |
1246 +------------------------+
1247 | ENUM restriction |<>--{0..*}--[ ThreatActorID ]
1248 | STRING ext-restriction |<>--{0..*}--[ URL ]
1249 | |<>--{0..*}--[ Description ]
1250 | |<>--{0..*}--[ AdditionalData ]
1251 +------------------------+
1253 Figure 10: ThreatActor Class
1255 The aggregate classes of the ThreatActor class are:
1257 ThreatActorID
1258 Zero or more. STRING. An identifier for the threat actor.
1260 URL
1261 Zero or more. URL. A URL to a reference describing the threat
1262 actor.
1264 Description
1265 Zero or more. ML_STRING. A description of the threat actor.
1267 AdditionalData
1268 Zero or more. EXTENSION. A mechanism by which to extend the data
1269 model.
1271 The ThreatActor class MUST have at least one instance of a child
1272 class.
1274 The attributes of the ThreatActor class are:
1276 restriction
1277 Optional. ENUM. See Section 3.3.1.
1279 ext-restriction
1280 Optional. STRING. A means by which to extend the restriction
1281 attribute. See Section 5.1.1.
1283 3.8. Campaign Class
1285 The Campaign class describes a campaign of attacks by a threat actor.
1287 +------------------------+
1288 | Campaign |
1289 +------------------------+
1290 | ENUM restriction |<>--{0..*}--[ CampaignID ]
1291 | STRING ext-restriction |<>--{0..*}--[ URL ]
1292 | |<>--{0..*}--[ Description ]
1293 | |<>--{0..*}--[ AdditionalData ]
1294 +------------------------+
1296 Figure 11: Campaign Class
1298 The aggregate classes of the Campaign class are:
1300 CampaignID
1301 Zero or more. STRING. An identifier for the campaign.
1303 URL
1304 Zero or more. URL. A URL to a reference describing the campaign.
1306 Description
1307 Zero or more. ML_STRING. A description of the campaign.
1309 AdditionalData
1310 Zero or more. EXTENSION. A mechanism by which to extend the data
1311 model.
1313 The Campaign class MUST have at least one instance of a child class.
1315 The attributes of the Campaign class are:
1317 restriction
1318 Optional. ENUM. See Section 3.3.1.
1320 ext-restriction
1321 Optional. STRING. A means by which to extend the restriction
1322 attribute. See Section 5.1.1.
1324 3.9. Contact Class
1326 The Contact class describes contact information for organizations and
1327 personnel involved in the incident. This class allows for the naming
1328 of the involved party, specifying contact information for them, and
1329 identifying their role in the incident.
1331 People and organizations are treated interchangeably as contacts; one
1332 can be associated with the other using the recursive definition of
1333 the class (the Contact class is aggregated into the Contact class).
1334 The 'type' attribute disambiguates the type of contact information
1335 being provided.
1337 The recursive definition of Contact provides a way to relate
1338 information without requiring the explicit use of identifiers or
1339 duplication of data. A complete point of contact is derived by a
1340 particular traversal from the root Contact class to the leaf Contact
1341 class. Each child Contact class logically inherits contact
1342 information from its ancestors.
1344 +------------------------+
1345 | Contact |
1346 +------------------------+
1347 | ENUM role |<>--{0..*}--[ ContactName ]
1348 | STRING ext-role |<>--{0..*}--[ ContactTitle ]
1349 | ENUM type |<>--{0..*}--[ Description ]
1350 | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
1351 | ENUM restriction |<>--{0..*}--[ PostalAddress ]
1352 | STRING ext-restriction |<>--{0..*}--[ Email ]
1353 | |<>--{0..*}--[ Telephone ]
1354 | |<>--{0..1}--[ Timezone ]
1355 | |<>--{0..*}--[ Contact ]
1356 | |<>--{0..*}--[ AdditionalData ]
1357 +------------------------+
1359 Figure 12: The Contact Class
1361 The aggregate classes of the Contact class are:
1363 ContactName
1364 Zero or more. ML_STRING. The name of the contact. The contact
1365 may either be an organization or a person. The type attribute
1366 disambiguates the semantics.
1368 ContactTitle
1369 Zero or more. ML_STRING. The title for the individual named in
1370 the ContactName.
1372 Description
1373 Zero or more. ML_STRING. A free-form text description of the
1374 contact.
1376 RegistryHandle
1377 Zero or more. A handle name into the registry of the contact.
1378 See Section 3.9.1.
1380 PostalAddress
1381 Zero or more. The postal address of the contact. See
1382 Section 3.9.2.
1384 Email
1385 Zero or more. The email address of the contact. See
1386 Section 3.9.3.
1388 Telephone
1389 Zero or more. The telephone number of the contact. See
1390 Section 3.9.4.
1392 Timezone
1393 Zero or one. TIMEZONE. The timezone in which the contact
1394 resides.
1396 Contact
1397 Zero or more. A recursive definition of the Contact class. This
1398 definition can be used to group common data pertaining to multiple
1399 points of contact and is especially useful when listing multiple
1400 contacts at the same organization.
1402 AdditionalData
1403 Zero or more. EXTENSION. A mechanism by which to extend the data
1404 model.
1406 At least one of the aggregate classes MUST be present in an instance
1407 of the Contact class.
1409 The attributes of the Contact class are:
1411 role
1412 Required. ENUM. Indicates the role the contact fulfills. These
1413 values are maintained in the "Contact-role" IANA registry per
1414 Section 10.2.
1416 1. creator. The entity that generated the document.
1418 2. reporter. The entity that reported the information.
1420 3. admin. An administrative contact or business owner for an
1421 asset or organization.
1423 4. tech. An entity responsible for the day-to-day management of
1424 technical issues for an asset or organization.
1426 5. provider. An external hosting provider for an asset.
1428 6. user. An end-user of an asset or part of an organization.
1430 7. billing. An entity responsible for billing issues for an
1431 asset or organization.
1433 8. legal. An entity responsible for legal issues related to an
1434 asset or organization.
1436 9. irt. An entity responsible for handling security issues for
1437 an asset or organization.
1439 10. abuse. An entity responsible for handling abuse originating
1440 from an asset or organization.
1442 11. cc. An entity that is to be kept informed about the events
1443 related to an asset or organization.
1445 12. cc-irt. A CSIRT or information sharing organization
1446 coordinating activity related to an asset or organization.
1448 13. leo. A law enforcement organization supporting the
1449 investigation of activity affecting an asset or organization.
1451 14. vendor. The vendor that produces an asset.
1453 15. vendor-support. A vendor that provides services.
1455 16. victim. A victim in the incident.
1457 17. victim-notified. A victim in the incident who has been
1458 notified.
1460 18. ext-value. A value used to indicate that this attribute is
1461 extended and the actual value is provided using the
1462 corresponding ext-* attribute. See Section 5.1.1.
1464 ext-role
1465 Optional. STRING. A means by which to extend the role attribute.
1466 See Section 5.1.1.
1468 type
1469 Required. ENUM. Indicates the type of contact being described.
1470 This attribute is defined as an enumerated list. These values are
1471 maintained in the "Contact-type" IANA registry per Section 10.2.
1473 1. person. The information for this contact references an
1474 individual.
1476 2. organization. The information for this contact references an
1477 organization.
1479 3. ext-value. A value used to indicate that this attribute is
1480 extended and the actual value is provided using the
1481 corresponding ext-* attribute. See Section 5.1.1.
1483 ext-type
1484 Optional. STRING. A means by which to extend the type attribute.
1485 See Section 5.1.1.
1487 restriction
1488 Optional. ENUM. See Section 3.3.1.
1490 ext-restriction
1491 Optional. STRING. A means by which to extend the restriction
1492 attribute. See Section 5.1.1.
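The recursive Contact definition means that a usable point of contact is not any single Contact element but the path from a root Contact to a leaf, with each level inheriting what its ancestors declared. The Python below is an added example, not code from the draft or from any IODEF implementation: it walks nested Contact elements and emits one complete contact per leaf, accumulating ContactName, Email and Telephone values from root to leaf (ancestor values first), letting the nearest Timezone win because it is zero-or-one, and recording the chain of role values so an organization's role is not lost when its people are listed beneath it. It also enforces the rule that a Contact MUST have at least one child. The sample Incident is constructed, uses fictional 555 numbers and is not schema-validated.

```python
import copy
import xml.etree.ElementTree as ET


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if local_name(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def flatten_contacts(contact, inherited=None):
    """One dict per leaf Contact reachable from 'contact', each holding what
    was collected on the path from the root Contact to that leaf. names,
    emails and phones accumulate (ancestor first); timezone is nearest-wins;
    roles is the root-to-leaf chain; role/type are the leaf's own."""
    acc = copy.deepcopy(inherited) if inherited else {}
    if len(contact) == 0:
        raise ValueError("Contact MUST have at least one aggregate class")
    acc.setdefault("roles", []).append(contact.get("role"))
    for child in contact:
        name = local_name(child.tag)
        if name == "ContactName":
            acc.setdefault("names", []).append(_text(child))
        elif name == "Email":
            to = _children(child, "EmailTo")
            if len(to) != 1:
                raise ValueError("Email MUST contain exactly one EmailTo")
            acc.setdefault("emails", []).append((child.get("type"), _text(to[0])))
        elif name == "Telephone":
            num = _children(child, "TelephoneNumber")
            if len(num) != 1:
                raise ValueError("Telephone MUST contain exactly one TelephoneNumber")
            acc.setdefault("phones", []).append((child.get("type"), _text(num[0])))
        elif name == "Timezone":
            acc["timezone"] = _text(child)      # zero-or-one: nearest wins
    nested = _children(contact, "Contact")
    if not nested:                               # leaf: a complete contact
        leaf = dict(acc)
        leaf["role"] = contact.get("role")
        leaf["type"] = contact.get("type")
        return [leaf]
    out = []
    for sub in nested:
        out.extend(flatten_contacts(sub, acc))   # each child gets its own copy
    return out


# Constructed sample (not from the draft): an organization contact with
# two people under it, plus a stand-alone creator. Numbers are fictional.
SAMPLE = """<Incident purpose="reporting">
 <Contact role="irt" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <Email type="hotline"><EmailTo>csirt@example.com</EmailTo></Email>
  <Telephone type="hotline"><TelephoneNumber>+1-555-0100</TelephoneNumber></Telephone>
  <Timezone>+00:00</Timezone>
  <Contact role="tech" type="person">
   <ContactName>Analyst One</ContactName>
   <Email type="direct"><EmailTo>one@example.com</EmailTo></Email>
  </Contact>
  <Contact role="legal" type="person">
   <ContactName>Counsel Two</ContactName>
   <Telephone type="mobile"><TelephoneNumber>+1-555-0199</TelephoneNumber></Telephone>
   <Timezone>-05:00</Timezone>
  </Contact>
 </Contact>
 <Contact role="creator" type="organization">
  <ContactName>Reporting CSIRT</ContactName>
 </Contact>
</Incident>"""


def contacts_of_incident(xml_text):
    """All complete points of contact in an Incident, in document order."""
    incident = ET.fromstring(xml_text)
    out = []
    for top in _children(incident, "Contact"):
        out.extend(flatten_contacts(top))
    return out
```

Each leaf gets a deep copy of the accumulated state, so siblings do not see each other's data (Counsel Two does not inherit Analyst One's direct address); only the organization-level hotline and name are shared, which is exactly the grouping the recursive definition is meant to express.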
1494 3.9.1. RegistryHandle Class
1496 The RegistryHandle class represents a handle into an Internet
1497 registry or community-specific database.
1499 +---------------------+
1500 | RegistryHandle |
1501 +---------------------+
1502 | STRING |
1503 | |
1504 | ENUM registry |
1505 | STRING ext-registry |
1506 +---------------------+
1508 Figure 13: The RegistryHandle Class
1510 The content of the class is a handle into a registry of type STRING.
1512 The attributes of the RegistryHandle class are:
1514 registry
1515 Required. ENUM. The database to which the handle belongs. These
1516 values are maintained in the "RegistryHandle-registry" IANA
1517 registry per Section 10.2. The possible values are:
1519 1. internic. Internet Network Information Center
1521 2. apnic. Asia Pacific Network Information Center
1523 3. arin. American Registry for Internet Numbers
1525 4. lacnic. Latin-American and Caribbean IP Address Registry
1527 5. ripe. Reseaux IP Europeens
1529 6. afrinic. African Internet Numbers Registry
1531 7. local. A database local to the CSIRT
1533 8. ext-value. A value used to indicate that this attribute is
1534 extended and the actual value is provided using the
1535 corresponding ext-* attribute. See Section 5.1.1.
1537 ext-registry
1538 Optional. STRING. A means by which to extend the registry
1539 attribute. See Section 5.1.1.
1541 3.9.2. PostalAddress Class
1543 The PostalAddress class specifies a postal address and associated
1544 annotation.
1546 +--------------------+
1547 | PostalAddress |
1548 +--------------------+
1549 | ENUM type |<>----------[ PAddress ]
1550 | STRING ext-type |<>--{0..*}--[ Description ]
1551 +--------------------+
1553 Figure 14: The PostalAddress Class
1555 The aggregate classes of the PostalAddress class are:
1557 PAddress
1558 One. POSTAL. A postal address.
1560 Description
1561 Zero or more. ML_STRING. A free-form text description of the
1562 address.
1564 The attributes of the PostalAddress class are:
1566 type
1567 Optional. ENUM. Categorizes the type of address described in the
1568 PAddress class. These values are maintained in the
1569 "PostalAddress-type" IANA registry per Section 10.2.
1571 1. street. An address describing a physical location.
1573 2. mailing. An address to which correspondence should be sent.
1575 3. ext-value. A value used to indicate that this attribute is
1576 extended and the actual value is provided using the
1577 corresponding ext-* attribute. See Section 5.1.1.
1579 ext-type
1580 Optional. STRING. A means by which to extend the type attribute.
1581 See Section 5.1.1.
1583 3.9.3. Email Class
1585 The Email class specifies an email address and associated annotation.
1587 +--------------------+
1588 | Email |
1589 +--------------------+
1590 | ENUM type |<>----------[ EmailTo ]
1591 | STRING ext-type |<>--{0..*}--[ Description ]
1592 +--------------------+
1594 Figure 15: The Email Class
1596 The aggregate classes of the Email class are:
1598 EmailTo
1599 One. EMAIL. An email address.
1601 Description
1602 Zero or more. ML_STRING. A free-form text description of the
1603 email address.
1605 The attributes of the Email class are:
1607 type
1608 Optional. ENUM. Categorizes the type of email address described
1609 in the EmailTo class. These values are maintained in the "Email-
1610 type" IANA registry per Section 10.2.
1612 1. direct. An email address of an individual.
1614 2. hotline. An email address regularly monitored for operational
1615 purposes.
1617 3. ext-value. A value used to indicate that this attribute is
1618 extended and the actual value is provided using the
1619 corresponding ext-* attribute. See Section 5.1.1.
1621 ext-type
1622 Optional. STRING. A means by which to extend the type attribute.
1623 See Section 5.1.1.
1625 3.9.4. Telephone Class
1627 The Telephone class describes a telephone number and associated
1628 annotation.
1630 +--------------------+
1631 | Telephone |
1632 +--------------------+
1633 | ENUM type |<>----------[ TelephoneNumber ]
1634 | STRING ext-type |<>--{0..*}--[ Description ]
1635 +--------------------+
1637 Figure 16: The Telephone Class
1639 The aggregate classes of the Telephone class are:
1641 TelephoneNumber
1642 One. PHONE. A telephone number.
1644 Description
1645 Zero or more. ML_STRING. A free-form text description of the
1646 phone number.
1648 The attributes of the Telephone class are:
1650 type
1651 Optional. ENUM. Categorizes the type of telephone number
1652 described in the TelephoneNumber class. These values are
1653 maintained in the "Telephone-type" IANA registry per Section 10.2.
1655 1. wired. A number of a wire-line (land-line) phone.
1657 2. mobile. A number of a mobile phone.
1659 3. fax. A number to a fax machine.
1661 4. hotline. A number to a regularly monitored operational
1662 hotline.
1664 5. ext-value. A value used to indicate that this attribute is
1665 extended and the actual value is provided using the
1666 corresponding ext-* attribute. See Section 5.1.1.
1668 ext-type
1669 Optional. STRING. A means by which to extend the type attribute.
1670 See Section 5.1.1.
1672 3.10. Discovery Class
1674 The Discovery class describes how an incident was detected.
1676 +------------------------+
1677 | Discovery |
1678 +------------------------+
1679 | ENUM source |<>--{0..*}--[ Description ]
1680 | STRING ext-source |<>--{0..*}--[ Contact ]
1681 | ENUM restriction |<>--{0..*}--[ DetectionPattern ]
1682 | STRING ext-restriction |
1683 +------------------------+
1685 Figure 17: The Discovery Class
1687 The aggregate classes of the Discovery class are:
1689 Description
1690 Zero or more. ML_STRING. A free-form text description of how
1691 this incident was detected.
1693 Contact
1694 Zero or more. Contact information for the party that discovered
1695 the incident. See Section 3.9.
1697 DetectionPattern
1698 Zero or more. Describes an application-specific configuration
1699 that detected the incident. See Section 3.10.1.
1701 The attributes of the Discovery class are:
1703 source
1704 Optional. ENUM. Categorizes the techniques used to discover the
1705 incident. These values are partially derived from Table 3-1 of
1706 [NIST800.61rev2]. These values are maintained in the "Discovery-
1707 source" IANA registry per Section 10.2.
1709 1. nidps. Network Intrusion Detection or Prevention system.
1711 2. hips. Host-based Intrusion Prevention system.
1713 3. siem. Security Information and Event Management System.
1715 4. av. Antivirus or antispam software.
1717 5. third-party-monitoring. Contracted third-party monitoring
1718 service.
1720 6. incident. The activity was discovered while investigating an
1721 unrelated incident.
1723 7. os-log. Operating system logs.
1725 8. application-log. Application logs.
1727 9. device-log. Network device logs.
1729 10. network-flow. Network flow analysis.
1731 11. passive-dns. Passive DNS analysis.
1733 12. investigation. Manual investigation initiated based on
1734 notification of a new vulnerability or exploit.
1736 13. audit. Security audit.
1738 14. internal-notification. A party within the organization
1739 reported the activity.
1741 15. external-notification. A party outside of the organization
1742 reported the activity.
1744 16. leo. A law enforcement organization notified the victim
1745 organization.
1747 17. partner. A customer or business partner reported the
1748 activity to the victim organization.
1750 18. actor. The threat actor directly or indirectly reported this
1751 activity to the victim organization.
1753 19. unknown. Unknown detection approach.
1755 20. ext-value. A value used to indicate that this attribute is
1756 extended and the actual value is provided using the
1757 corresponding ext-* attribute. See Section 5.1.1.
1759 ext-source
1760 Optional. STRING. A means by which to extend the source
1761 attribute. See Section 5.1.1.
1763 restriction
1764 Optional. ENUM. See Section 3.3.1.
1766 ext-restriction
1767 Optional. STRING. A means by which to extend the restriction
1768 attribute. See Section 5.1.1.
1770 3.10.1. DetectionPattern Class
1772 The DetectionPattern class describes a configuration or signature
1773 that can be used by an IDS/IPS, SIEM, anti-virus, end-point
1774 protection, network analysis, malware analysis, or host forensics
1775 tool to identify a particular phenomenon. This class requires the
1776 identification of the target application and allows the configuration
1777 to be described in either free-form or machine readable form.
1779 +------------------------+
1780 | DetectionPattern |
1781 +------------------------+
1782 | ENUM restriction |<>----------[ Application ]
1783 | STRING ext-restriction |<>--{0..*}--[ Description ]
1784 | ID observable-id |<>--{0..*}--[ DetectionConfiguration ]
1785 +------------------------+
1787 Figure 18: The DetectionPattern Class
1789 The aggregate classes of the DetectionPattern class are:
1791 Application
1792 One. SOFTWARE. The application for which the
1793 DetectionConfiguration or Description is being provided.
1795 Description
1796 Zero or more. ML_STRING. A free-form text description of how to
1797 use the Application or provided DetectionConfiguration.
1799 DetectionConfiguration
1800 Zero or more. STRING. A machine consumable configuration to find
1801 a pattern of activity.
1803 Either an instance of the Description or DetectionConfiguration class
1804 MUST be present.
1806 The attributes of the DetectionPattern class are:
1808 restriction
1809 Optional. ENUM. See Section 3.3.1.
1811 ext-restriction
1812 Optional. STRING. A means by which to extend the restriction
1813 attribute. See Section 5.1.1.
1815 observable-id
1816 Optional. ID. See Section 3.3.2.
1818 3.11. Method Class
1820 The Method class describes the tactics, techniques, procedures or
1821 weakness used by the threat actor in an incident. This class
1822 consists of both a list of references describing the attack methods
1823 and weaknesses and a free-form text description.
1825 +------------------------+
1826 | Method |
1827 +------------------------+
1828 | ENUM restriction |<>--{0..*}--[ Reference ]
1829 | STRING ext-restriction |<>--{0..*}--[ Description ]
1830 | |<>--{0..*}--[ sci:AttackPattern ]
1831 | |<>--{0..*}--[ sci:Vulnerability ]
1832 | |<>--{0..*}--[ sci:Weakness ]
1833 | |<>--{0..*}--[ AdditionalData ]
1834 +------------------------+
1836 Figure 19: The Method Class
1838 The aggregate classes of the Method class are:
1840 Reference
1841 Zero or more. A reference to a vulnerability, malware sample,
1842 advisory, or analysis of an attack technique. See Section 3.11.1.
1844 Description
1845 Zero or more. ML_STRING. A free-form text description of
1846 techniques, tactics, or procedures used by the threat actor.
1848 sci:AttackPattern
1849 Zero or more. A reference to a pattern of attack or exploitation
1850 per [RFC7203].
1852 sci:Vulnerability
1853 Zero or more. A reference to a vulnerability per [RFC7203].
1855 sci:Weakness
1856 Zero or more. A reference to the exploited weakness per [RFC7203].
1858 AdditionalData
1859 Zero or more. EXTENSION. A mechanism by which to extend the data
1860 model.
1862 An instance of at least one of these child classes MUST be present.
1864 The attributes of the Method class are:
1866 restriction
1867 Optional. ENUM. See Section 3.3.1.
1869 ext-restriction
1870 Optional. STRING. A means by which to extend the restriction
1871 attribute. See Section 5.1.1.
1873 3.11.1. Reference Class
1875 The Reference class is an external reference to relevant information
1876 such as a vulnerability, IDS alert, malware sample, advisory, or
1877 attack technique.
1879 +-------------------------+
1880 | Reference |
1881 +-------------------------+
1882 | ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
1883 | |<>--{0..*}--[ URL ]
1884 | |<>--{0..*}--[ Description ]
1885 +-------------------------+
1887 Figure 20: The Reference Class
1889 The aggregate classes of the Reference class are:
1891 enum:ReferenceName
1892 Zero or one. Reference identifier per [RFC7495].
1894 URL
1895 Zero or more. URL. A URL to a reference.
1897 Description
1898 Zero or more. ML_STRING. A free-form text description of this
1899 reference.
1901 At least one of these classes MUST be present.
1903 The attribute of the Reference class is:
1905 observable-id
1906 Optional. ID. See Section 3.3.2.
1908 3.12. Assessment Class
1910 The Assessment class describes the repercussions of the incident to
1911 the victim.
1913 +-------------------------+
1914 | Assessment |
1915 +-------------------------+
1916 | ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
1917 | ENUM restriction |<>--{0..*}--[ SystemImpact ]
1918 | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
1919 | ID observable-id |<>--{0..*}--[ TimeImpact ]
1920 | |<>--{0..*}--[ MonetaryImpact ]
1921 | |<>--{0..*}--[ IntendedImpact ]
1922 | |<>--{0..*}--[ Counter ]
1923 | |<>--{0..*}--[ MitigatingFactor ]
1924 | |<>--{0..*}--[ Cause ]
1925 | |<>--{0..1}--[ Confidence ]
1926 | |<>--{0..*}--[ AdditionalData ]
1927 +-------------------------+
1929 Figure 21: Assessment Class
1931 The aggregate classes of the Assessment class are:
1933 IncidentCategory
1934 Zero or more. ML_STRING. A free-form text description
1935 categorizing the type of Incident.
1937 SystemImpact
1938 Zero or more. A technical characterization of the impact of the
1939 incident activity on the victim's enterprise. See Section 3.12.1.
1941 BusinessImpact
1942 Zero or more. Impact of the incident activity on the business
1943 functions of the victim organization. See Section 3.12.2.
1945 TimeImpact
1946 Zero or more. A characterization of the victim organization due
1947 to the incident activity as a function of time. See
1948 Section 3.12.3.
1950 MonetaryImpact
1951 Zero or more. The financial loss due to the incident activity.
1952 See Section 3.12.4.
1954 IntendedImpact
1955 Zero or more. The intended outcome to the victim sought by the
1956 threat actor. Defined identically to the BusinessImpact defined
1957 in Section 3.12.2, but describes intent rather than the realized
1958 impact.
1960 Counter
1961 Zero or more. A counter with which to summarize the magnitude of
1962 the activity. See Section 3.18.3.
1964 MitigatingFactor
1965 Zero or more. ML_STRING. A description of a mitigating factor
1966 relative to the impact on the victim organization.
1968 Cause
1969 Zero or more. ML_STRING. A description of an underlying cause of
1970 the impact.
1972 Confidence
1973 Zero or one. An estimate of confidence in the impact assessment.
1974 See Section 3.12.5.
1976 AdditionalData
1977 Zero or more. EXTENSION. A mechanism by which to extend the data
1978 model.
1980 At least one instance of the possible five impact classes (i.e.,
1981 SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or
1982 IntendedImpact) MUST be present.
1984 The attributes of the Assessment class are:
1986 occurrence
1987 Optional. ENUM. Specifies whether the assessment is describing
1988 actual or potential outcomes.
1990 1. actual. This assessment describes activity that has occurred.
1992 2. potential. This assessment describes potential activity that
1993 might occur.
1995 restriction
1996 Optional. ENUM. See Section 3.3.1.
1998 ext-restriction
1999 Optional. STRING. A means by which to extend the restriction
2000 attribute. See Section 5.1.1.
2002 observable-id
2003 Optional. ID. See Section 3.3.2.
2005 3.12.1. SystemImpact Class
2007 The SystemImpact class describes the technical impact of the incident
2008 to the systems on the network.
2010 +-----------------------+
2011 | SystemImpact |
2012 +-----------------------+
2013 | ENUM severity |<>--{0..*}--[ Description ]
2014 | ENUM completion |
2015 | ENUM type |
2016 | STRING ext-type |
2017 +-----------------------+
2019 Figure 22: SystemImpact Class
2021 The aggregate class of the SystemImpact class is:
2023 Description
2024 Zero or more. ML_STRING. A free-form text description of the
2025 impact to the system.
2027 The attributes of the SystemImpact class are:
2029 severity
2030 Optional. ENUM. An estimate of the relative severity of the
2031 activity. The permitted values are shown below. There is no
2032 default value.
2034 1. low. Low severity
2036 2. medium. Medium severity
2038 3. high. High severity
2040 completion
2041 Optional. ENUM. An indication whether the described activity was
2042 successful. The permitted values are shown below. There is no
2043 default value.
2045 1. failed. The attempted activity was not successful.
2047 2. succeeded. The attempted activity succeeded.
2049 type
2050 Required. ENUM. Classifies the impact. The permitted values are
2051 shown below. The default value is "unknown". These values are
2052 maintained in the "SystemImpact-type" IANA registry per
2053 Section 10.2.
2055 1. takeover-account. Control was taken of a given account.
2057 2. takeover-service. Control was taken of a given service.
2059 3. takeover-system. Control was taken of a given system.
2061 4. cps-manipulation. A cyber-physical system was manipulated.
2063 5. cps-damage. A cyber-physical system was damaged.
2065 6. availability-data. Access to particular data was degraded or
2066 denied.
2068 7. availability-account. Access to an account was degraded or
2069 denied.
2071 8. availability-service. Access to a service was degraded or
2072 denied.
2074 9. availability-system. Access to a system was degraded or
2075 denied.
2077 10. damaged-system. Hardware on a system was irreparably
2078 damaged.
2080 11. damaged-data. Data on a system was deleted.
2082 12. breach-proprietary. Sensitive or proprietary information was
2083 accessed or exfiltrated.
2085 13. breach-privacy. Personally identifiable information was
2086 accessed or exfiltrated.
2088 14. breach-credential. Credential information was accessed or
2089 exfiltrated.
2091 15. breach-configuration. System configuration or data inventory
2092 was accessed or exfiltrated.
2094 16. integrity-data. Data on the system was modified.
2096 17. integrity-configuration. Application or system configuration
2097 was modified.
2099 18. integrity-hardware. Firmware of a hardware component was
2100 modified.
2102 19. traffic-redirection. Network traffic on the system was
2103 redirected.
2105 20. monitoring-traffic. Network traffic emerging from a host or
2106 enclave was monitored.
2108 21. monitoring-host. System activity (e.g., running processes,
2109 keystrokes) was monitored.
2111 22. policy. Activity violated the system owner's acceptable use
2112 policy.
2114 23. unknown. The impact is unknown.
2116 24. ext-value. A value used to indicate that this attribute is
2117 extended and the actual value is provided using the
2118 corresponding ext-* attribute. See Section 5.1.1.
2120 ext-type
2121 Optional. STRING. A means by which to extend the type attribute.
2122 See Section 5.1.1.
2124 3.12.2. BusinessImpact Class
2126 The BusinessImpact class describes and characterizes the degree to
2127 which the function of the organization was impacted by the Incident.
2129 +-------------------------+
2130 | BusinessImpact |
2131 +-------------------------+
2132 | ENUM severity |<>--{0..*}--[ Description ]
2133 | STRING ext-severity |
2134 | ENUM type |
2135 | STRING ext-type |
2136 +-------------------------+
2138 Figure 23: BusinessImpact Class
2140 The aggregate class of the BusinessImpact class is:
2142 Description
2143 Zero or more. ML_STRING. A free-form text description of the
2144 impact to the organization.
2146 The attributes of the BusinessImpact class are:
2148 severity
2149 Optional. ENUM. Characterizes the severity of the incident on
2150 business functions. The permitted values are shown below. They
2151 were derived from Table 3-2 of [NIST800.61rev2]. The default
2152 value is "unknown". These values are maintained in the
2153 "BusinessImpact-severity" IANA registry per Section 10.2.
2155 1. none. No effect to the organization's ability to provide all
2156 services to all users.
2158 2. low. Minimal effect as the organization can still provide all
2159 critical services to all users but has lost efficiency.
2161 3. medium. The organization has lost the ability to provide a
2162 critical service to a subset of system users.
2164 4. high. The organization is no longer able to provide some
2165 critical services to any users.
2167 5. unknown. The impact is not known.
2169 6. ext-value. A value used to indicate that this attribute is
2170 extended and the actual value is provided using the
2171 corresponding ext-* attribute. See Section 5.1.1.
2173 ext-severity
2174 Optional. STRING. A means by which to extend the severity
2175 attribute. See Section 5.1.1.
2177 type
2178 Required. ENUM. Characterizes the effect this incident had on
2179 the business. The permitted values are shown below. The default
2180 value is "unknown". These values are maintained in the
2181 "BusinessImpact-type" IANA registry per Section 10.2.
2183 1. breach-proprietary. Sensitive or proprietary information was
2184 accessed or exfiltrated.
2186 2. breach-privacy. Personally identifiable information was
2187 accessed or exfiltrated.
2189 3. breach-credential. Credential information was accessed or
2190 exfiltrated.
2192 4. loss-of-integrity. Sensitive or proprietary information was
2193 changed or deleted.
2195 5. loss-of-service. Service delivery was disrupted.
2197 6. theft-financial. Money was stolen.
2199 7. theft-service. Services were misappropriated.
2201 8. degraded-reputation. The reputation of the organization's
2202 brand was diminished.
2204 9. asset-damage. A cyber-physical system was damaged.
2206 10. asset-manipulation. A cyber-physical system was manipulated.
2208 11. legal. The incident resulted in legal or regulatory action.
2210 12. extortion. The incident resulted in actors extorting the
2211 victim organization.
2213 13. unknown. The impact is unknown.
2215 14. ext-value. A value used to indicate that this attribute is
2216 extended and the actual value is provided using the
2217 corresponding ext-* attribute. See Section 5.1.1.
2219 ext-type
2220 Optional. STRING. A means by which to extend the type attribute.
2221 See Section 5.1.1.
2223 3.12.3. TimeImpact Class
2225 The TimeImpact class describes the impact of the incident on an
2226 organization as a function of time. It provides a way to convey
2227 downtime and recovery time.
2229 +---------------------+
2230 | TimeImpact |
2231 +---------------------+
2232 | REAL |
2233 | |
2234 | ENUM severity |
2235 | ENUM metric |
2236 | STRING ext-metric |
2237 | ENUM duration |
2238 | STRING ext-duration |
2239 +---------------------+
2241 Figure 24: TimeImpact Class
2243 The content of the class is of type REAL and specifies an amount of
2244 time. The duration attribute provides the unit for this content, and
2245 the metric attribute explains what this content is measuring.
2247 The attributes of the TimeImpact class are:
2249 severity
2250 Optional. ENUM. An estimate of the relative severity of the
2251 activity. The permitted values are shown below. There is no
2252 default value.
2254 1. low. Low severity
2256 2. medium. Medium severity
2258 3. high. High severity
2260 metric
2261 Required. ENUM. Defines the meaning of the value in the element
2262 content. These values are maintained in the "TimeImpact-metric"
2263 IANA registry per Section 10.2.
2265 1. labor. Total staff-time to recover from the activity (e.g.,
2266 2 employees working 4 hours each would be 8 hours).
2268 2. elapsed. Elapsed time from the beginning of the recovery to
2269 its completion (i.e., wall-clock time).
2271 3. downtime. Duration of time for which some provided service(s)
2272 was not available.
2274 4. ext-value. A value used to indicate that this attribute is
2275 extended and the actual value is provided using the
2276 corresponding ext-* attribute. See Section 5.1.1.
2278 ext-metric
2279 Optional. STRING. A means by which to extend the metric
2280 attribute. See Section 5.1.1.
2282 duration
2283 Optional. ENUM. Defines the unit of time for the value in the
2284 element content. The default value is "hour". These values are
2285 maintained in the "TimeImpact-duration" IANA registry per
2286 Section 10.2.
2288 1. second. The unit of the element content is seconds.
2290 2. minute. The unit of the element content is minutes.
2292 3. hour. The unit of the element content is hours.
2294 4. day. The unit of the element content is days.
2296 5. month. The unit of the element content is months.
2298 6. quarter. The unit of the element content is quarters.
2300 7. year. The unit of the element content is years.
2302 8. ext-value. A value used to indicate that this attribute is
2303 extended and the actual value is provided using the
2304 corresponding ext-* attribute. See Section 5.1.1.
2306 ext-duration
2307 Optional. STRING. A means by which to extend the duration
2308 attribute. See Section 5.1.1.
2310 3.12.4. MonetaryImpact Class
2312 The MonetaryImpact class describes the financial impact of the
2313 activity on an organization. For example, this impact may consider
2314 losses due to the cost of the investigation or recovery, diminished
2315 productivity of the staff, or a tarnished reputation that will affect
2316 future opportunities.
2318 +------------------+
2319 | MonetaryImpact |
2320 +------------------+
2321 | REAL |
2322 | |
2323 | ENUM severity |
2324 | STRING currency |
2325 +------------------+
2327 Figure 25: MonetaryImpact Class
2329 The content of the class is of type REAL and specifies a quantity of
2330 money. The currency attribute defines the currency of this value.
2332 The attributes of the MonetaryImpact class are:
2334 severity
2335 Optional. ENUM. An estimate of the relative severity of the
2336 activity. The permitted values are shown below. There is no
2337 default value.
2339 1. low. Low severity
2340 2. medium. Medium severity
2342 3. high. High severity
2344 currency
2345 Optional. STRING. Defines the currency in which the value in the
2346 element content is expressed. The permitted values are defined in
2347 "Codes for the representation of currencies and funds" of
2348 [ISO4217]. There is no default value.
2350 3.12.5. Confidence Class
2352 The Confidence class represents an estimate of the validity and
2353 accuracy of data expressed in the document. This estimate can be
2354 expressed as a category or a numeric calculation.
2356 +-------------------+
2357 | Confidence |
2358 +-------------------+
2359 | REAL |
2360 | |
2361 | ENUM rating |
2362 | STRING ext-rating |
2363 +-------------------+
2365 Figure 26: Confidence Class
2367 The content of the class is of type REAL and specifies a numerical
2368 assessment in the confidence of the data when the value of the rating
2369 attribute is "numeric". Otherwise, this element MUST be empty.
2371 The attributes of the Confidence class are:
2373 rating
2374 Required. ENUM. A qualitative assessment of confidence. These
2375 values are maintained in the "Confidence-rating" IANA registry per
2376 Section 10.2.
2378 1. low. Low confidence.
2380 2. medium. Medium confidence.
2382 3. high. High confidence.
2384 4. numeric. The element content contains a number that conveys
2385 the confidence of the data. The semantics of this number are
2386 outside the scope of this specification.
2388 5. unknown. The confidence rating value is not known.
2390 6. ext-value. A value used to indicate that this attribute is
2391 extended and the actual value is provided using the
2392 corresponding ext-* attribute. See Section 5.1.1.
2394 ext-rating
2395 Optional. STRING. A means by which to extend the rating
2396 attribute. See Section 5.1.1.
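Several rules in Section 3.12 are co-occurrence or content constraints that a plain XML schema cannot express: at least one impact class in Assessment, the default "hour" unit of TimeImpact, REAL content in Confidence only when rating is "numeric", and the ext-value/ext-* pairing of Section 5.1.1. The checker below is an added example, not code from the draft or from any IODEF implementation; it assumes the IODEF v2 namespace URI of the published RFC, and both Assessment samples are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed: the IODEF v2 namespace URI as registered for the published RFC.
NS = "urn:ietf:params:xml:ns:iodef-2.0"

IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact")
# Attributes of each impact class that admit "ext-value" (Section 5.1.1).
EXT_ATTRS = {"SystemImpact": ("type",), "BusinessImpact": ("type", "severity"),
             "IntendedImpact": ("type", "severity")}
# Exact unit lengths only: month, quarter and year have no fixed length.
SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def q(name):
    """Qualified tag name in the IODEF namespace."""
    return f"{{{NS}}}{name}"

def require_any(elem, names, errors, where):
    """At least one of `names` MUST be a child (the Section 3.12 rule; the
    same check covers DetectionPattern, Method and Reference)."""
    if not any(elem.find(q(n)) is not None for n in names):
        errors.append(f"{where}: none of {', '.join(names)} present")

def check_ext(elem, attr, errors, where):
    """attr="ext-value" requires the matching ext-<attr> (Section 5.1.1)."""
    if elem.get(attr) == "ext-value" and not elem.get(f"ext-{attr}"):
        errors.append(f"{where}: {attr}='ext-value' without ext-{attr}")

def is_real(text):
    try:
        float((text or "").strip())
        return True
    except ValueError:
        return False

def check_confidence(conf, errors):
    """REAL content only when rating="numeric"; otherwise content MUST be empty."""
    rating = conf.get("rating")
    text = (conf.text or "").strip()
    if rating is None:
        errors.append("Confidence: required attribute 'rating' missing")
    elif rating == "numeric":
        if not is_real(text):
            errors.append(f"Confidence: rating=numeric needs REAL content, got {text!r}")
    elif text:
        errors.append(f"Confidence: rating={rating} MUST have empty content")
    check_ext(conf, "rating", errors, "Confidence")

def time_impact_hours(ti):
    """Normalise a TimeImpact to hours; None when the unit has no fixed length."""
    secs = SECONDS_PER.get(ti.get("duration", "hour"))  # default unit is "hour"
    return None if secs is None else float(ti.text) * secs / 3600

def check_assessment(assessment):
    """Return the list of violations; an empty list means the subtree passes."""
    errors = []
    require_any(assessment, IMPACT_CLASSES, errors, "Assessment")
    for cls, attrs in EXT_ATTRS.items():
        for e in assessment.findall(q(cls)):
            if e.get("type") is None:
                errors.append(f"{cls}: required attribute 'type' missing")
            for attr in attrs:
                check_ext(e, attr, errors, cls)
    for ti in assessment.findall(q("TimeImpact")):
        if ti.get("metric") is None:
            errors.append("TimeImpact: required attribute 'metric' missing")
        for attr in ("metric", "duration"):
            check_ext(ti, attr, errors, "TimeImpact")
        if not is_real(ti.text):
            errors.append("TimeImpact: content must be a REAL")
    conf = assessment.find(q("Confidence"))
    if conf is not None:
        check_confidence(conf, errors)
    return errors

# Constructed samples: GOOD satisfies every rule; BAD carries no impact
# class and a non-numeric Confidence rating that still has content.
GOOD = f"""<Assessment xmlns="{NS}" occurrence="actual">
  <SystemImpact type="breach-credential" severity="high"/>
  <TimeImpact metric="downtime" duration="minute">90</TimeImpact>
  <Confidence rating="numeric">0.8</Confidence>
</Assessment>"""

BAD = f"""<Assessment xmlns="{NS}" occurrence="potential">
  <IncidentCategory>unclassified</IncidentCategory>
  <Confidence rating="high">0.9</Confidence>
</Assessment>"""

def run_samples():
    """Returns (errors for GOOD, errors for BAD, GOOD downtime in hours)."""
    good, bad = ET.fromstring(GOOD), ET.fromstring(BAD)
    return (check_assessment(good), check_assessment(bad),
            time_impact_hours(good.find(q("TimeImpact"))))

if __name__ == "__main__":
    good_errs, bad_errs, hours = run_samples()
    print("GOOD:", good_errs or "passes", "| downtime hours:", hours)
    print("BAD:", *bad_errs, sep="\n  ")
```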
2398 3.13. History Class
2400 The History class is a log of the significant events or actions
2401 performed by the involved parties during the course of handling the
2402 incident.
2404 The level of detail maintained in this log is left up to the
2405 discretion of those handling the incident.
2407 +------------------------+
2408 | History |
2409 +------------------------+
2410 | ENUM restriction |<>--{1..*}--[ HistoryItem ]
2411 | STRING ext-restriction |
2412 +------------------------+
2414 Figure 27: The History Class
2416 The aggregate classes of the History class are:
2418 HistoryItem
2419 One or more. An entry in the history log of significant events or
2420 actions performed by the involved parties. See Section 3.13.1.
2422 The attributes of the History class are:
2424 restriction
2425 Optional. ENUM. See Section 3.3.1.
2427 ext-restriction
2428 Optional. STRING. A means by which to extend the restriction
2429 attribute. See Section 5.1.1.
2431 3.13.1. HistoryItem Class
2433 The HistoryItem class is an entry in the History (Section 3.13) log
2434 that documents a particular action or event that occurred in the
2435 course of handling the incident. The details of the entry are a
2436 free-form text description, but each can be categorized with the type
2437 attribute.
2439 +-------------------------+
2440 | HistoryItem |
2441 +-------------------------+
2442 | ENUM action |<>----------[ DateTime ]
2443 | STRING ext-action |<>--{0..1}--[ IncidentID ]
2444 | ENUM restriction |<>--{0..1}--[ Contact ]
2445 | STRING ext-restriction |<>--{0..*}--[ Description ]
2446 | ID observable-id |<>--{0..*}--[ DefinedCOA ]
2447 | |<>--{0..*}--[ AdditionalData ]
2448 +-------------------------+
2450 Figure 28: HistoryItem Class
2452 The aggregate classes of the HistoryItem class are:
2454 DateTime
2455 One. DATETIME. A timestamp of this entry in the history log.
2457 IncidentID
2458 Zero or one. In a history log created by multiple parties, the
2459 IncidentID provides a mechanism to specify which CSIRT created a
2460 particular entry and references this organization's tracking
2461 number. When a single organization is maintaining the log, this
2462 class can be ignored. See Section 3.4.
2464 Contact
2465 Zero or one. Provides contact information for the entity that
2466 performed the action documented in this class. See Section 3.9.
2468 Description
2469 Zero or more. ML_STRING. A free-form text description of the
2470 action or event.
2472 DefinedCOA
2473 Zero or more. STRING. An identifier meaningful to the sender and
2474 recipient of this document that references a course of action
2475 (COA). This class MUST be present if the action attribute is set
2476 to "defined-coa".
2478 AdditionalData
2479 Zero or more. EXTENSION. A mechanism by which to extend the data
2480 model.
2482 The attributes of the HistoryItem class are:
2484 action
2485 Required. ENUM. Classifies a performed action or occurrence
2486 documented in this history log entry. As activity will likely
2487 have been instigated either through a previously conveyed
2488 expectation or an internal investigation, this attribute is
2489 identical to the action attribute of the Expectation class. The
2490 difference is only one of tense: when an action is in this class,
2491 it has been completed. See Section 3.15.
2493 ext-action
2494 Optional. STRING. A means by which to extend the action
2495 attribute. See Section 5.1.1.
2497 restriction
2498 Optional. ENUM. See Section 3.3.1.
2500 ext-restriction
2501 Optional. STRING. A means by which to extend the restriction
2502 attribute. See Section 5.1.1.
2504 observable-id
2505 Optional. ID. See Section 3.3.2.
2507 3.14. EventData Class
2509 The EventData class is a container class to organize data about
2510 events that occurred during an incident.
2512 +-------------------------+
2513 | EventData |
2514 +-------------------------+
2515 | ENUM restriction |<>--{0..*}--[ Description ]
2516 | STRING ext-restriction |<>--{0..1}--[ DetectTime ]
2517 | ID observable-id |<>--{0..1}--[ StartTime ]
2518 | |<>--{0..1}--[ EndTime ]
2519 | |<>--{0..1}--[ RecoveryTime ]
2520 | |<>--{0..1}--[ ReportTime ]
2521 | |<>--{0..*}--[ Contact ]
2522 | |<>--{0..*}--[ Discovery ]
2523 | |<>--{0..1}--[ Assessment ]
2524 | |<>--{0..*}--[ Method ]
2525 | |<>--{0..*}--[ Flow ]
2526 | |<>--{0..*}--[ Expectation ]
2527 | |<>--{0..1}--[ Record ]
2528 | |<>--{0..*}--[ EventData ]
2529 | |<>--{0..*}--[ AdditionalData ]
2530 +-------------------------+
2532 Figure 29: The EventData Class
2534 The aggregate classes of the EventData class are:
2536 Description
2537 Zero or more. ML_STRING. A free-form text description of the
2538 event.
2540 DetectTime
2541 Zero or one. DATETIME. The time the event was detected.
2543 StartTime
2544 Zero or one. DATETIME. The time the event started.
2546 EndTime
2547 Zero or one. DATETIME. The time the event ended.
2549 RecoveryTime
2550 Zero or one. DATETIME. The time the site recovered from the
2551 event.
2553 ReportTime
2554 Zero or one. DATETIME. The time the event was reported.
2556 Contact
2557 Zero or more. Contact information for the parties involved in the
2558 event. See Section 3.9.
2560 Discovery
2561 Zero or more. The means by which the event was detected. See
2562 Section 3.10.
2564 Assessment
2565 Zero or one. The impact of the event on the victim and the
2566 actions taken. See Section 3.12.
2568 Method
2569 Zero or more. The technique used by the threat actor in the
2570 event. See Section 3.11.
2572 Flow
2573 Zero or more. A description of the systems or networks involved.
2574 See Section 3.16.
2576 Expectation
2577 Zero or more. The expected action to be performed by the
2578 recipient for the described event. See Section 3.15.
2580 Record
2581 Zero or one. Supportive data (e.g., log files) that provides
2582 additional information about the event. See Section 3.22.
2584 EventData
2585 Zero or more. A recursive definition of the EventData class. See
2586 Section 3.14.2 for an explanation on using this class.
2588 AdditionalData
2589 Zero or more. EXTENSION. An extension mechanism for data not
2590 explicitly represented in the data model.
2592 At least one of the aggregate classes MUST be present in an instance
2593 of the EventData class.
2595 The attributes of the EventData class are:
2597 restriction
2598 Optional. ENUM. See Section 3.3.1. The default value is
2599 "default".
2601 ext-restriction
2602 Optional. STRING. A means by which to extend the restriction
2603 attribute. See Section 5.1.1.
2605 observable-id
2606 Optional. ID. See Section 3.3.2.
2608 3.14.1. Relating the Incident and EventData Classes
2610 There is substantial overlap in the child classes aggregated in the
2611 Incident and EventData classes. Nevertheless, the semantics of these
2612 classes are quite different. The Incident class provides summary
2613 information about the entire incident, while the EventData class
2614 provides information about the individual events comprising the
2615 incident. In the common case, the EventData class will provide more
2616 specific information for the general description provided in the
2617 Incident class. However, in the case where the summarized
2618 information in the Incident class conflicts with the detailed
2619 information in an EventData class, the more specific EventData class
2620 MUST supersede the more generic information provided in the Incident class.
2622 3.14.2. Recursive Definition of EventData
2624 The EventData class is a container for the properties of an event in an
2625 incident. These properties include: the hosts involved, impact of
2626 the incident activity on the hosts, forensic logs, etc. The
2627 recursive definition of EventData allows for the grouping of related
2628 information with common properties. This approach eliminates the
2629 need for explicit identifiers to relate information or duplicate it.
2630 Instead, the relative depth (nesting) of a class is used to group
2631 (relate) information.
2633 For example, consider a case where two hosts experience different
2634 impacts during an incident. However, these two hosts have common
2635 contact information. A depiction of how this situation would be
2636 represented can be found in Figure 30. EventData (2) and (3) group
2637 each of the two hosts with their unique impact. EventData (1)
2638 describes the common Contact class these two hosts share.
2640 +------------------+
2641 | EventData (1) |
2642 +------------------+
2643 | |<>----[ Contact ]
2644 | |
2645 | |<>----[ EventData (2) ]<>----[ Flow ]
2646 | | [ ]<>----[ Assessment ]
2647 | |
2648 | |<>----[ EventData (3) ]<>----[ Flow ]
2649 | | [ ]<>----[ Assessment ]
2650 +------------------+
2652 Figure 30: Recursion in the EventData Class
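The grouping rule above is easy to state and easy to get wrong in a consumer: a leaf EventData does not repeat the Contact, so a parser that reads each EventData in isolation loses it. The following added example (not from the draft) walks a constructed fragment shaped like Figure 30 and carries the enclosing Contacts down to each leaf. It assumes the IODEF v2 namespace "urn:ietf:params:xml:ns:iodef-2.0" and the Contact/Email/EmailTo and Assessment/SystemImpact element paths; the sample document is illustrative and has not been validated against the schema.

```python
import xml.etree.ElementTree as ET

# IODEF v2 namespace; assumed here, check the draft's schema section before relying on it.
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}

# Constructed fragment mirroring Figure 30 (illustrative, not schema-validated):
# EventData (1) carries the Contact shared by both hosts, EventData (2) and (3)
# each pair one Flow with its own Assessment.
SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2015-08-01T10:00:00+00:00</ReportTime>
    <Contact role="creator" type="organization">
      <Email><EmailTo>csirt@example.com</EmailTo></Email>
    </Contact>
    <EventData>
      <Contact role="admin" type="person">
        <Email><EmailTo>admin@example.com</EmailTo></Email>
      </Contact>
      <EventData>
        <Flow><System category="target"><Node>
          <Address category="ipv4-addr">192.0.2.10</Address>
        </Node></System></Flow>
        <Assessment><SystemImpact type="availability-system"/></Assessment>
      </EventData>
      <EventData>
        <Flow><System category="target"><Node>
          <Address category="ipv4-addr">192.0.2.11</Address>
        </Node></System></Flow>
        <Assessment><SystemImpact type="breach-privacy"/></Assessment>
      </EventData>
    </EventData>
  </Incident>
</IODEF-Document>"""


def _texts(el, path):
    return [c.text.strip() for c in el.findall(path, NS) if c.text]


def resolve_events(doc):
    """Return one record per leaf EventData (one with no nested EventData),
    merging in the Contacts of every enclosing EventData: the relative depth
    of a class, not an explicit identifier, is what relates the information."""
    records = []

    def walk(ev, inherited):
        contacts = inherited + _texts(ev, "iodef:Contact/iodef:Email/iodef:EmailTo")
        nested = ev.findall("iodef:EventData", NS)
        if nested:                       # grouping level: recurse, pass context down
            for child in nested:
                walk(child, contacts)
            return
        records.append({
            "addresses": _texts(ev, "iodef:Flow/iodef:System/iodef:Node/iodef:Address"),
            "impacts": [i.get("type") for i in
                        ev.findall("iodef:Assessment/iodef:SystemImpact", NS)],
            "contacts": contacts,
        })

    for incident in doc.findall("iodef:Incident", NS):
        for ev in incident.findall("iodef:EventData", NS):
            walk(ev, [])
    return records


def resolve_sample():
    return resolve_events(ET.fromstring(SAMPLE))


if __name__ == "__main__":
    for rec in resolve_sample():
        print(rec)
```

Each leaf record ends up with its own address and impact plus the admin contact inherited from EventData (1); the creator Contact at Incident level is deliberately left out, since Section 3.14.1 treats it as summary information rather than event context.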
2654 3.15. Expectation Class
2656 The Expectation class conveys to the recipient of the IODEF document
2657 the actions the sender is requesting.
2659 +-------------------------+
2660 | Expectation |
2661 +-------------------------+
2662 | ENUM action |<>--{0..*}--[ Description ]
2663 | STRING ext-action |<>--{0..*}--[ DefinedCOA ]
2664 | ENUM severity |<>--{0..1}--[ StartTime ]
2665 | ENUM restriction |<>--{0..1}--[ EndTime ]
2666 | STRING ext-restriction |<>--{0..1}--[ Contact ]
2667 | ID observable-id |
2668 +-------------------------+
2670 Figure 31: The Expectation Class
2672 The aggregate classes of the Expectation class are:
2674 Description
2675 Zero or more. ML_STRING. A free-form text description of the
2676 desired action(s).
2678 DefinedCOA
2679 Zero or more. STRING. A unique identifier meaningful to the
2680 sender and recipient of this document that references a course of
2681 action. This class MUST be present if the action attribute is set
2682 to "defined-coa".
2684 StartTime
2685 Zero or one. DATETIME. The time at which the sender would like
2686 the action performed. A timestamp that is earlier than the
2687 ReportTime specified in the Incident class denotes that the sender
2688 would like the action performed as soon as possible. The absence
2689 of this element indicates no expectations of when the sender
2690 would like the action performed.
2692 EndTime
2693 Zero or one. DATETIME. The time by which the sender expects the
2694 recipient to complete the action. If the recipient cannot
2695 complete the action before EndTime, the recipient MUST NOT carry
2696 out the action. Because of transit delays and clock drift, the
2697 sender MUST be prepared for the recipient to have carried out the
2698 action, even if it completes past EndTime.
2700 Contact
2701 Zero or one. The entity expected to perform the action. See
2702 Section 3.9.
2704 The attributes of the Expectation class are:
2706 action
2707 Optional. ENUM. Classifies the type of action requested. The
2708 default value is "other". These values are maintained in the
2709 "Expectation-action" IANA registry per Section 10.2.
2711 1. nothing. No action is requested. Do nothing with the
2712 information.
2714 2. contact-source-site. Contact the site(s) identified as the
2715 source of the activity.
2717 3. contact-target-site. Contact the site(s) identified as the
2718 target of the activity.
2720 4. contact-sender. Contact the originator of the document.
2722 5. investigate. Investigate the systems(s) listed in the event.
2724 6. block-host. Block traffic from the machine(s) listed as
2725 sources in the event.
2727 7. block-network. Block traffic from the network(s) listed as
2728 sources in the event.
2730 8. block-port. Block the port(s) listed as sources in the event.
2732 9. rate-limit-host. Rate-limit the traffic from the machine(s)
2733 listed as sources in the event.
2735 10. rate-limit-network. Rate-limit the traffic from the
2736 network(s) listed as sources in the event.
2738 11. rate-limit-port. Rate-limit the port(s) listed as sources in
2739 the event.
2741 12. redirect-traffic. Redirect traffic from the intended
2742 recipient for further analysis.
2744 13. honeypot. Redirect traffic from systems listed in the event
2745 to a honeypot for further analysis.
2747 14. upgrade-software. Upgrade or patch the software or firmware
2748 on an asset listed in the event.
2750 15. rebuild-asset. Reinstall the operating system or
2751 applications on an asset listed in the event.
2753 16. harden-asset. Change the configuration of an asset listed in
2754 the event to reduce the attack surface.
2756 17. remediate-other. Remediate the activity in a way other than
2757 by rate limiting or blocking.
2759 18. status-triage. Confirm receipt and begin triaging the
2760 incident.
2762 19. status-new-info. Notify the sender when new information is
2763 received for this incident.
2765 20. watch-and-report. Watch for the described activity or
2766 indicators and notify the sender when seen.
2768 21. training. Train user to identify or mitigate the described
2769 threat.
2771 22. defined-coa. Perform a predefined course of action (COA).
2772 The COA is named in the DefinedCOA class.
2774 23. other. Perform a custom action described in the Description
2775 class.
2777 24. ext-value. A value used to indicate that this attribute is
2778 extended and the actual value is provided using the
2779 corresponding ext-* attribute. See Section 5.1.1.
2781 ext-action
2782 Optional. STRING. A means by which to extend the action
2783 attribute. See Section 5.1.1.
2785 severity
2786 Optional. ENUM. Indicates the desired priority of the action.
2787 This attribute is an enumerated list with no default value, and
2788 the semantics of these relative measures are context dependent.
2790 1. low. Low priority
2792 2. medium. Medium priority
2794 3. high. High priority
2796 restriction
2797 Optional. ENUM. See Section 3.3.1. The default value is
2798 "default".
2800 ext-restriction
2801 Optional. STRING. A means by which to extend the restriction
2802 attribute. See Section 5.1.1.
2804 observable-id
2805 Optional. ID. See Section 3.3.2.
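The timing and DefinedCOA rules in this section are the ones a recipient has to evaluate before acting on an Expectation. The following added example (not from the draft) parses a constructed Incident carrying three Expectations and applies those rules from the recipient's side: a StartTime earlier than ReportTime means "as soon as possible", an absent StartTime imposes no timing, an action that cannot finish before EndTime is skipped, and action="defined-coa" without a DefinedCOA class is rejected. It assumes the IODEF v2 namespace "urn:ietf:params:xml:ns:iodef-2.0" and that Expectation is aggregated under EventData; the sample is illustrative and not schema-validated.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}   # assumed IODEF v2 namespace

# Constructed Incident with three Expectations (not schema-validated):
#  - block-host: StartTime before ReportTime (= as soon as possible), EndTime at noon
#  - defined-coa: missing the DefinedCOA class that the action requires
#  - investigate: EndTime too close to be met by an action that takes an hour
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0" purpose="mitigation">
  <IncidentID name="csirt.example.com">189493</IncidentID>
  <ReportTime>2015-08-01T10:00:00+00:00</ReportTime>
  <EventData>
    <Expectation action="block-host" severity="high">
      <StartTime>2015-07-31T09:00:00+00:00</StartTime>
      <EndTime>2015-08-01T12:00:00+00:00</EndTime>
    </Expectation>
    <Expectation action="defined-coa">
      <Description>Run the agreed playbook</Description>
    </Expectation>
    <Expectation action="investigate">
      <EndTime>2015-08-01T10:30:00+00:00</EndTime>
    </Expectation>
  </EventData>
</Incident>"""


def _dt(el, path):
    child = el.find(path, NS)
    return datetime.fromisoformat(child.text.strip()) if child is not None else None


def schedule_expectations(incident, now, expected_duration):
    """Return (action, decision, detail) per Expectation, applying the
    StartTime/EndTime and DefinedCOA rules from the recipient's side."""
    report_time = _dt(incident, "iodef:ReportTime")
    results = []
    for exp in incident.findall(".//iodef:Expectation", NS):
        action = exp.get("action", "other")           # "other" is the default
        if action == "defined-coa" and exp.find("iodef:DefinedCOA", NS) is None:
            results.append((action, "reject", "defined-coa requires DefinedCOA"))
            continue
        start, end = _dt(exp, "iodef:StartTime"), _dt(exp, "iodef:EndTime")
        # Absent StartTime: no timing expectation. StartTime before ReportTime: ASAP.
        earliest = now if start is None or start < report_time else max(start, now)
        if end is not None and earliest + expected_duration > end:
            # Cannot finish before EndTime: the recipient MUST NOT carry it out.
            results.append((action, "skip", "cannot complete before EndTime"))
            continue
        results.append((action, "act", earliest.isoformat()))
    return results


def run_sample():
    now = datetime(2015, 8, 1, 10, 5, tzinfo=timezone.utc)
    return schedule_expectations(ET.fromstring(SAMPLE), now, timedelta(hours=1))


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The expected_duration argument is the recipient's own estimate; the draft gives no way to carry it in the document, so the EndTime check necessarily depends on local knowledge of how long an action takes.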
2807 3.16. Flow Class
2809 The Flow class describes the systems and networks involved in the
2810 incident and the relationships between them.
2812 +------------------+
2813 | Flow |
2814 +------------------+
2815 | |<>--{1..*}--[ System ]
2816 +------------------+
2818 Figure 32: The Flow Class
2820 The aggregate class of the Flow class is:
2822 System
2823 One or more. A host or network involved in an event. See
2824 Section 3.17.
2826 The Flow class has no attributes.
2828 3.17. System Class
2830 The System class describes a system or network involved in an event.
2832 +------------------------+
2833 | System |
2834 +------------------------+
2835 | ENUM category |<>----------[ Node ]
2836 | STRING ext-category |<>--{0..*}--[ NodeRole ]
2837 | STRING interface |<>--{0..*}--[ Service ]
2838 | ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
2839 | ENUM virtual |<>--{0..*}--[ Counter ]
2840 | ENUM ownership |<>--{0..*}--[ AssetID ]
2841 | STRING ext-ownership |<>--{0..*}--[ Description ]
2842 | ENUM restriction |<>--{0..*}--[ AdditionalData ]
2843 | STRING ext-restriction |
2844 | ID observable-id |
2845 +------------------------+
2847 Figure 33: The System Class
2849 The aggregate classes of the System class are:
2851 Node
2852 One. A host or network involved in the incident. See
2853 Section 3.18.
2855 NodeRole
2856 Zero or more. The intended purpose of the system. See
2857 Section 3.18.2.
2859 Service
2860 Zero or more. A network service running on the system. See
2861 Section 3.20.
2863 OperatingSystem
2864 Zero or more. SOFTWARE. The operating system running on the
2865 system.
2867 Counter
2868 Zero or more. A counter with which to summarize properties of
2869 this host or network. See Section 3.18.3.
2871 AssetID
2872 Zero or more. STRING. An asset identifier for the System.
2874 Description
2875 Zero or more. ML_STRING. A free-form text description of the
2876 System.
2878 AdditionalData
2879 Zero or more. EXTENSION. A mechanism by which to extend the data
2880 model.
2882 The attributes of the System class are:
2884 category
2885 Optional. ENUM. Classifies the role the host or network played
2886 in the incident. These values are maintained in the "System-
2887 category" IANA registry per Section 10.2.
2889 1. source. The System was the source of the event.
2891 2. target. The System was the target of the event.
2893 3. intermediate. The System was an intermediary in the event.
2895 4. sensor. The System was a sensor monitoring the event.
2897 5. infrastructure. The System was an infrastructure node of
2898 IODEF document exchange.
2900 6. ext-value. A value used to indicate that this attribute is
2901 extended and the actual value is provided using the
2902 corresponding ext-* attribute. See Section 5.1.1.
2904 ext-category
2905 Optional. STRING. A means by which to extend the category
2906 attribute. See Section 5.1.1.
2908 interface
2909 Optional. STRING. Specifies the interface on which the event(s)
2910 on this System originated. If the Node class specifies a network
2911 rather than a host, this attribute has no meaning.
2913 spoofed
2914 Optional. ENUM. An indication of confidence in whether this
2915 System was the true target or attacking host. The permitted
2916 values for this attribute are shown below. The default value is
2917 "unknown".
2919 1. unknown. The accuracy of the category attribute value is
2920 unknown.
2922 2. yes. The category attribute value is likely incorrect. In
2923 the case of a source, the System is likely a decoy; with a
2924 target, the System was likely not the intended victim.
2926 3. no. The category attribute value is believed to be correct.
2928 virtual
2929 Optional. ENUM. Indicates whether this System is a virtual or
2930 physical device. The default value is "unknown".
2932 1. yes. The System is a virtual device.
2934 2. no. The System is a physical device.
2936 3. unknown. It is not known if the System is virtual.
2938 ownership
2939 Optional. ENUM. Describes the ownership of this System relative
2940 to the victim in the incident. These values are maintained in the
2941 "System-ownership" IANA registry per Section 10.2.
2943 1. organization. Corporate or enterprise-owned.
2945 2. personal. Personally-owned by an employee or affiliate of the
2946 corporation or enterprise.
2948 3. partner. Owned by a partner of the corporation or enterprise.
2950 4. customer. Owned by a customer of the corporation or
2951 enterprise.
2953 5. no-relationship. Owned by an entity that has no known
2954 relationship with the victim organization.
2956 6. unknown. Ownership is unknown.
2958 7. ext-value. A value used to indicate that this attribute is
2959 extended and the actual value is provided using the
2960 corresponding ext-* attribute. See Section 5.1.1.
2962 ext-ownership
2963 Optional. STRING. A means by which to extend the ownership
2964 attribute. See Section 5.1.1.
2966 restriction
2967 Optional. ENUM. See Section 3.3.1.
2969 ext-restriction
2970 Optional. STRING. A means by which to extend the restriction
2971 attribute. See Section 5.1.1.
2973 observable-id
2974 Optional. ID. See Section 3.3.2.
2976 3.18. Node Class
2978 The Node class identifies a system, asset or network and its
2979 location.
2981 +---------------+
2982 | Node |
2983 +---------------+
2984 | |<>--{0..*}--[ DomainData ]
2985 | |<>--{0..*}--[ Address ]
2986 | |<>--{0..1}--[ PostalAddress ]
2987 | |<>--{0..*}--[ Location ]
2988 | |<>--{0..*}--[ Counter ]
2989 +---------------+
2991 Figure 34: The Node Class
2993 The aggregate classes of the Node class are:
2995 DomainData
2996 Zero or more. The domain (DNS) information associated with this
2997 Node. If an Address is not provided, at least one DomainData MUST
2998 be specified. See Section 3.19.
3000 Address
3001 Zero or more. The hardware, network, or application address of
3002 the Node. If a DomainData is not provided, at least one Address
3003 MUST be specified. See Section 3.18.1.
3005 PostalAddress
3006 Zero or one. POSTAL. The postal address of the node.
3008 Location
3009 Zero or more. ML_STRING. A free-form text description of the
3010 physical location of the Node. This description may provide a
3011 more detailed description of where in the PostalAddress this Node
3012 is found (e.g., room number, rack number, slot number in a
3013 chassis).
3015 Counter
3016 Zero or more. A counter with which to summarize properties of
3017 this host or network. See Section 3.18.3.
3019 The Node class has no attributes.
3021 3.18.1. Address Class
3023 The Address class represents a hardware (layer-2), network (layer-3),
3024 or application (layer-7) address.
3026 +-------------------------+
3027 | Address |
3028 +-------------------------+
3029 | STRING |
3030 | |
3031 | ENUM category |
3032 | STRING ext-category |
3033 | STRING vlan-name |
3034 | INTEGER vlan-num |
3035 | ID observable-id |
3036 +-------------------------+
3038 Figure 35: The Address Class
3040 The content of the class is an address of type STRING whose semantics
3041 are determined by the category attribute.
3043 The attributes of the Address class are:
3045 category
3046 Required. ENUM. The type of address represented. The default
3047 value is "ipv6-addr". These values are maintained in the
3048 "Address-category" IANA registry per Section 10.2.
3050 1. asn. Autonomous System Number.
3052 2. atm. Asynchronous Transfer Mode (ATM) address.
3054 3. e-mail. Email address, per the EMAIL data type.
3056 4. ipv4-addr. IPv4 host address in dotted-decimal notation
3057 (a.b.c.d).
3059 5. ipv4-net. IPv4 network address in dotted-decimal notation,
3060 slash, significant bits (i.e., a.b.c.d/nn).
3062 6. ipv4-net-masked. A sanitized IPv4 address with significant
3063 bits per "ipv4-net" but with the character 'x' replacing any
3064 digit(s) in the address or prefix.
3066 7. ipv4-net-mask. IPv4 network address in dotted-decimal
3067 notation, slash, network mask in dotted-decimal notation
3068 (i.e., a.b.c.d/w.x.y.z).
3070 8. ipv6-addr. IPv6 host address per Section 4 of [RFC5952].
3072 9. ipv6-net. IPv6 network address, slash, prefix per
3073 Section 2.3 of [RFC4291].
3075 10. ipv6-net-masked. A sanitized IPv6 address and prefix per
3076 "ipv6-net" but with the character 'x' replacing any
3077 hexadecimal digit(s) in the address or digit(s) in the
3078 prefix.
3080 11. mac. Media Access Control (MAC) address (i.e.,
3081 aa:bb:cc:dd:ee:ff).
3083 12. site-uri. A URL or URI for a resource, per the URL data
3084 type.
3086 13. ext-value. A value used to indicate that this attribute is
3087 extended and the actual value is provided using the
3088 corresponding ext-* attribute. See Section 5.1.1.
3090 ext-category
3091 Optional. STRING. A means by which to extend the category
3092 attribute. See Section 5.1.1.
3094 vlan-name
3095 Optional. STRING. The name of the Virtual LAN to which the
3096 address belongs.
3098 vlan-num
3099 Optional. INTEGER. The number of the Virtual LAN to which the
3100 address belongs.
3102 observable-id
3103 Optional. ID. See Section 3.3.2.
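Because the Address content is a bare STRING whose syntax is fixed only by the category attribute, a consumer that feeds these values into firewall rules, DNS lookups or database queries should check that each value is well-formed for its category before using it. The following added example (not from the draft) is one such check, written against the category list above: it uses the standard ipaddress module, treats the RFC 5952 text form as "the input round-trips unchanged through canonicalisation", and accepts the sanitized "-masked" forms by substituting a digit for each run of 'x'. The e-mail and site-uri checks are deliberately coarse and are not full EMAIL/URL type validators; "atm" is accepted without a syntax check.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")      # aa:bb:cc:dd:ee:ff
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")                # coarse addr-spec check


def _version(category):
    return 6 if category.startswith("ipv6") else 4


def validate_address(category, value, ext_category=None):
    """Return True if `value` is well-formed for the given Address category.
    "atm" is accepted unchecked; unknown categories are rejected."""
    v = value.strip()
    try:
        if category == "ext-value":                  # Section 5.1.1: needs ext-category
            return bool(ext_category)
        if category == "asn":
            return v.isdigit() and int(v) < 2 ** 32
        if category == "e-mail":
            return EMAIL_RE.match(v) is not None
        if category == "mac":
            return MAC_RE.match(v) is not None
        if category == "site-uri":
            return re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", v) is not None   # has a scheme
        if category == "atm":
            return True
        if category == "ipv4-addr":
            return ipaddress.ip_address(v).version == 4
        if category == "ipv6-addr":
            addr = ipaddress.ip_address(v)
            # RFC 5952 text form: lowercase, longest zero run compressed; ipaddress
            # produces exactly that, so the input must round-trip unchanged.
            return addr.version == 6 and v == addr.compressed
        if category in ("ipv4-net", "ipv6-net", "ipv4-net-mask"):
            host, sep, mask = v.partition("/")
            if not sep:
                return False
            # ipv4-net-mask wants a dotted-decimal mask; the others want a prefix length.
            if ("." in mask) != (category == "ipv4-net-mask"):
                return False
            return ipaddress.ip_network(v, strict=False).version == _version(category)
        if category in ("ipv4-net-masked", "ipv6-net-masked"):
            if "/" not in v or "x" not in v:
                return False
            # Sanitized form: every run of 'x' stands for digits, so substitute a
            # zero for each run and check that what remains parses as a network.
            trial = re.sub(r"x+", "0", v)
            return ipaddress.ip_network(trial, strict=False).version == _version(category)
    except ValueError:
        return False
    return False


if __name__ == "__main__":
    for cat, val in [("ipv6-addr", "2001:DB8::1"), ("ipv4-net-masked", "192.0.2.x/24")]:
        print(cat, val, validate_address(cat, val))
```

Note that strict=False is used on purpose: an "ipv4-net" value such as 192.0.2.1/24 has host bits set but is still the syntax the category describes, so the check is about form, not about whether the address is a proper network number.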
3105 3.18.2. NodeRole Class
3107 The NodeRole class describes the function performed by or role of a
3108 particular system, asset or network.
3110 +-----------------------+
3111 | NodeRole |
3112 +-----------------------+
3113 | ENUM category |<>--{0..*}--[ Description ]
3114 | STRING ext-category |
3115 +-----------------------+
3117 Figure 36: The NodeRole Class
3119 The aggregate class of the NodeRole class is:
3121 Description
3122 Zero or more. ML_STRING. A free-form text description of the
3123 role of the system.
3125 The attributes of the NodeRole class are:
3127 category
3128 Required. ENUM. Function or role of a node. These values are
3129 maintained in the "NodeRole-category" IANA registry per
3130 Section 10.2.
3132 1. client. Client computer.
3134 2. client-enterprise. Client computer on the enterprise
3135 network.
3137 3. client-partner. Client computer on network of a partner.
3139 4. client-remote. Client computer remotely connected to the
3140 enterprise network.
3142 5. client-kiosk. Client computer serving as a kiosk.
3144 6. client-mobile. Mobile device.
3146 7. server-internal. Server with internal services.
3148 8. server-public. Server with public services.
3150 9. www. WWW server.
3152 10. mail. Mail server.
3154 11. webmail. Web mail server.
3156 12. messaging. Messaging server (e.g., NNTP, IRC, IM).
3158 13. streaming. Streaming-media server.
3160 14. voice. Voice server (e.g., SIP, H.323).
3162 15. file. File server.
3164 16. ftp. FTP server.
3166 17. p2p. Peer-to-peer node.
3168 18. name. Name server (e.g., DNS, WINS).
3170 19. directory. Directory server (e.g., LDAP, finger, whois).
3172 20. credential. Credential server (e.g., domain controller,
3173 Kerberos).
3175 21. print. Print server.
3177 22. application. Application server.
3179 23. database. Database server.
3181 24. backup. Backup server.
3183 25. dhcp. DHCP server.
3185 26. assessment. Assessment server (e.g., vulnerability scanner,
3186 end-point assessment).
3188 27. source-control. Source code control server.
3190 28. config-management. Configuration management server.
3192 29. monitoring. Security monitoring server (e.g., IDS).
3194 30. infra. Infrastructure server (e.g., router, firewall, DHCP).
3196 31. infra-firewall. Firewall.
3198 32. infra-router. Router.
3200 33. infra-switch. Switch.
3202 34. camera. Camera and video system.
3204 35. proxy. Proxy server.
3206 36. remote-access. Remote access server.
3208 37. log. Log server (e.g., syslog).
3210 38. virtualization. Server running virtual machines.
3212 39. pos. Point-of-sale device.
3214 40. scada. Supervisory control and data acquisition (SCADA)
3215 system.
3217 41. scada-supervisory. Supervisory system for a SCADA.
3219 42. sinkhole. Traffic sinkhole destination.
3221 43. honeypot. Honeypot server.
3223 44. anonymization. Anonymization server (e.g., Tor node).
3225 45. c2-server. Malicious command and control server.
3227 46. malware-distribution. Server that distributes malware.
3229 47. drop-server. Server to which exfiltrated content is
3230 uploaded.
3232 48. hop-point. Intermediary server used to get to a victim.
3234 49. reflector. A system used in a reflector attack.
3236 50. phishing-site. Site hosting phishing content.
3238 51. spear-phishing-site. Site hosting spear-phishing content.
3240 52. recruiting-site. Site to recruit.
3242 53. fraudulent-site. Fraudulent site.
3244 54. ext-value. A value used to indicate that this attribute is
3245 extended and the actual value is provided using the
3246 corresponding ext-* attribute. See Section 5.1.1.
3248 ext-category
3249 Optional. STRING. A means by which to extend the category
3250 attribute. See Section 5.1.1.
3252 3.18.3. Counter Class
3254 The Counter class summarizes multiple occurrences of an event or
3255 conveys counts or rates of various features.
3257 The complete semantics of this class are context dependent based on
3258 the class in which it is aggregated.
3260 +---------------------+
3261 | Counter |
3262 +---------------------+
3263 | REAL |
3264 | |
3265 | ENUM type |
3266 | STRING ext-type |
3267 | ENUM unit |
3268 | STRING ext-unit |
3269 | STRING meaning |
3270 | ENUM duration |
3271 | STRING ext-duration |
3272 +---------------------+
3274 Figure 37: The Counter Class
3276 The content of the class is a value of type REAL whose meaning and
3277 units are determined by the type and duration attributes,
3278 respectively. If the duration attribute is present, the element
3279 content is a rate. Otherwise, it is a simple counter.
3281 The attributes of the Counter class are:
3283 type
3284 Required. ENUM. Specifies the type of counter specified in the
3285 element content. These values are maintained in the "Counter-
3286 type" IANA registry per Section 10.2.
3288 1. count. The Counter class value is a counter.
3290 2. peak. The Counter class value is a peak value.
3292 3. average. The Counter class value is an average.
3294 4. ext-value. A value used to indicate that this attribute is
3295 extended and the actual value is provided using the
3296 corresponding ext-* attribute. See Section 5.1.1.
3298 ext-type
3299 Optional. STRING. A means by which to extend the type attribute.
3300 See Section 5.1.1.
3302 unit
3303 Required. ENUM. Specifies the units of the element content.
3304 These values are maintained in the "Counter-unit" IANA registry
3305 per Section 10.2.
3307 1. byte. Bytes transferred.
3309 2. mbit. Megabits (Mbits) transferred.
3311 3. packet. Packets.
3313 4. flow. Network flow records.
3315 5. session. Sessions.
3317 6. alert. Notifications generated by another system (e.g., IDS
3318 or SIM).
3320 7. message. Messages (e.g., mail messages).
3322 8. event. Events.
3324 9. host. Hosts.
3326 10. site. Site.
3328 11. organization. Organizations.
3330 12. ext-value. A value used to indicate that this attribute is
3331 extended and the actual value is provided using the
3332 corresponding ext-* attribute. See Section 5.1.1.
3334 ext-unit
3335 Optional. STRING. A means by which to extend the unit attribute.
3336 See Section 5.1.1.
3338 meaning
3339 Optional. STRING. A free-form text description of the metric
3340 represented by the Counter.
3342 duration
3343 Optional. ENUM. If present, the Counter class represents a rate.
3344 This attribute specifies the unit of time over which the rate, whose
3345 units are specified in the unit attribute, is being conveyed. This
3346 attribute is the denominator of the rate (where the unit attribute
3347 specifies the numerator). The possible values of this attribute
3348 are defined in the duration attribute of Section 3.12.3.
3350 ext-duration
3351 Optional. STRING. A means by which to extend the duration
3352 attribute. See Section 5.1.1.
3354 3.19. DomainData Class
3356 The DomainData class describes a domain name and meta-data associated
3357 with this domain.
3359 +--------------------------+
3360 | DomainData |
3361 +--------------------------+
3362 | ENUM system-status |<>----------[ Name ]
3363 | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
3364 | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
3365 | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
3366 | ID observable-id |<>--{0..*}--[ RelatedDNS ]
3367 | |<>--{0..*}--[ Nameservers ]
3368 | |<>--{0..1}--[ DomainContacts ]
3369 +--------------------------+
3371 Figure 38: The DomainData Class
3373 The aggregate classes of the DomainData class are:
3375 Name
3376 One. STRING. The domain name of a system.
3378 DateDomainWasChecked
3379 Zero or one. DATETIME. A timestamp of when the domain listed in
3380 the Name class was resolved.
3382 RegistrationDate
3383 Zero or one. DATETIME. A timestamp of when the domain listed in the
3384 Name class was registered.
3386 ExpirationDate
3387 Zero or one. DATETIME. A timestamp of when the domain listed in the
3388 Name class is set to expire.
3390 RelatedDNS
3391 Zero or more. EXTENSION. Additional DNS records associated with
3392 this domain.
3394 Nameservers
3395 Zero or more. The name servers identified for the domain listed
3396 in the Name class. See Section 3.19.1.
3398 DomainContacts
3399 Zero or one. Contact information for the domain listed in the Name
3400 class supplied by the registrar or through a whois query.
3402 The attributes of the DomainData class are:
3404 system-status
3405 Required. ENUM. Assesses the domain's involvement in the event.
3406 These values are maintained in the "DomainData-system-status" IANA
3407 registry per Section 10.2.
3409 1. spoofed. This domain was spoofed.
3411 2. fraudulent. This domain was operated with fraudulent
3412 intentions.
3414 3. innocent-hacked. This domain was compromised by a third
3415 party.
3417 4. innocent-hijacked. This domain was deliberately hijacked.
3419 5. unknown. No categorization for this domain known.
3421 6. ext-value. A value used to indicate that this attribute is
3422 extended and the actual value is provided using the
3423 corresponding ext-* attribute. See Section 5.1.1.
3425 ext-system-status
3426 Optional. STRING. A means by which to extend the system-status
3427 attribute. See Section 5.1.1.
3429 domain-status
3430 Required. ENUM. Categorizes the registry status of the domain at
3431 the time the document was generated. These values and their
3432 associated descriptions are derived from Section 3.2.2 of
3433 [RFC3982]. These values are maintained in the "DomainData-domain-
3434 status" IANA registry per Section 10.2.
3436 1. reservedDelegation. The domain is permanently inactive.
3438 2. assignedAndActive. The domain is in a normal state.
3440 3. assignedAndInactive. The domain has an assigned registration
3441 but the delegation is inactive.
3443 4. assignedAndOnHold. The domain is in dispute.
3445 5. revoked. The domain is in the process of being purged from
3446 the database.
3448 6. transferPending. The domain is pending a change in
3449 authority.
3451 7. registryLock. The domain is on hold by the registry.
3453 8. registrarLock. Same as "registryLock".
3455 9. other. The domain has a known status but it is not one of
3456 the predefined enumerated values.
3458 10. unknown. The domain has an unknown status.
3460 11. ext-value. A value used to indicate that this attribute is
3461 extended and the actual value is provided using the
3462 corresponding ext-* attribute. See Section 5.1.1.
3464 ext-domain-status
3465 Optional. STRING. A means by which to extend the domain-status
3466 attribute. See Section 5.1.1.
3468 observable-id
3469 Optional. ID. See Section 3.3.2.
3471 3.19.1. Nameservers Class
3473 The Nameservers class describes the name servers associated with a
3474 given domain.
3476 +--------------------+
3477 | Nameservers |
3478 +--------------------+
3479 | |<>----------[ Server ]
3480 | |<>--{1..*}--[ Address ]
3481 +--------------------+
3483 Figure 39: The Nameservers Class
3485 The aggregate classes of the Nameservers class are:
3487 Server
3488 One. STRING. The domain name of the name server.
3490 Address
3491 One or more. The address of the name server. The value of the
3492 category attribute MUST be either "ipv4-addr" or "ipv6-addr". See
3493 Section 3.18.1.
3495 The Nameservers class has no attributes.
3497 3.19.2. DomainContacts Class
3499 The DomainContacts class describes the contact information for a
3500 given domain provided either by the registrar or through a whois
3501 query.
3503 This contact information can be explicitly described through a
3504 Contact class or a reference can be provided to a domain with
3505 identical contact information. Either a single SameDomainContact
3506 or one or more Contact classes MUST be present.
3508 +--------------------+
3509 | DomainContacts |
3510 +--------------------+
3511 | |<>--{0..1}--[ SameDomainContact ]
3512 | |<>--{1..*}--[ Contact ]
3513 +--------------------+
3515 Figure 40: The DomainContacts Class
3517 The aggregate classes of the DomainContacts class are:
3519 SameDomainContact
3520 Zero or one. STRING. A domain name already cited in this
3521 document or through previous exchange that contains the identical
3522 contact information as the domain name in question. The domain
3523 contact information associated with this domain should be used
3524 instead of an explicit definition with the Contact class.
3526 Contact
3527 One or more. Contact information for the domain. See
3528 Section 3.9.
3530 The DomainContacts class has no attributes.
3532 3.20. Service Class
3534 The Service class describes a network service. The service is
3535 described by protocol, port, protocol header field and application
3536 providing or using the service.
3538 +-------------------------+
3539 | Service |
3540 +-------------------------+
3541 | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
3542 | ID observable-id |<>--{0..1}--[ Port ]
3543 | |<>--{0..1}--[ Portlist ]
3544 | |<>--{0..1}--[ ProtoCode ]
3545 | |<>--{0..1}--[ ProtoType ]
3546 | |<>--{0..1}--[ ProtoField ]
3547 | |<>--{0..1}--[ ApplicationHeader ]
3548 | |<>--{0..1}--[ EmailData ]
3549 | |<>--{0..1}--[ Application ]
3550 +-------------------------+
3552 Figure 41: The Service Class
3554 The aggregate classes of the Service class are:
3556 ServiceName
3557 Zero or one. A protocol name.
3559 Port
3560 Zero or one. INTEGER. A port number.
3562 Portlist
3563 Zero or one. PORTLIST. A list of port numbers.
3565 ProtoCode
3566 Zero or one. INTEGER. A transport layer (layer 4) protocol-
3567 specific code field (e.g., ICMP code field).
3569 ProtoType
3570 Zero or one. INTEGER. A transport layer (layer 4) protocol
3571 specific type field (e.g., ICMP type field).
3573 ProtoField
3574 Zero or one. INTEGER. A transport layer (layer 4) protocol
3575 specific flag field (e.g., TCP flag field).
3577 ApplicationHeader
3578 Zero or one. A protocol header. See Section 3.20.2.
3580 EmailData
3581 Zero or one. Headers associated with an email message. See
3582 Section 3.21.
3584 Application
3585 Zero or one. SOFTWARE. The application acting as either the
3586 client or server for the service.
3588 At least one of these classes MUST be present.
3590 When a System class with category="source" and another with
3591 category="target" are aggregated into a single Flow class, and each
3592 of these System classes has a Service and Portlist class, an implicit
3593 relationship between these Portlists exists. If N ports are listed
3594 for a System@category="source", and M ports are listed for
3595 System@category="target", the number of ports in N must be equal to
3596 M. Likewise, the ports MUST be listed in an identical sequence such
3597 that the n-th port in the source corresponds to the n-th port of the
3598 target. If N is greater than 1, a given instance of a Flow class
3599 MUST only have a single instance of a System@category="source" and
3600 System@category="target".
3602 The attributes of the Service class are:
3604 ip-protocol
3605 Optional. INTEGER. The IANA-assigned IP protocol number per
3606 [IANA.Protocols]. The attribute MUST be set if a Port, Portlist,
3607 ProtoCode, ProtoType, or ProtoField class is present.
3609 observable-id
3610 Optional. ID. See Section 3.3.2.
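The positional pairing of source and target Portlists and the ip-protocol requirement above are constraints the schema cannot express, so a consumer has to check them itself before, say, turning a Flow into per-port firewall rules. The following added example (not from the draft) validates a Flow element against both rules and returns the source-to-target port pairs the Portlists imply. It assumes the IODEF v2 namespace "urn:ietf:params:xml:ns:iodef-2.0" and the PORTLIST syntax of comma-separated port numbers and low-high ranges; the two Flow fragments are constructed for the example and not schema-validated.

```python
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}   # assumed IODEF v2 namespace
PORT_CLASSES = ("Port", "Portlist", "ProtoCode", "ProtoType", "ProtoField")

# Constructed Flow fragments (not schema-validated). GOOD pairs three source
# ports with three target ports; BAD mismatches the counts and omits ip-protocol.
GOOD = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.5</Address></Node>
    <Service ip-protocol="6"><Portlist>40000-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.7</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

BAD = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.5</Address></Node>
    <Service ip-protocol="6"><Portlist>40000-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.7</Address></Node>
    <Service><Portlist>22,80</Portlist></Service>
  </System>
</Flow>"""


def expand_portlist(text):
    """PORTLIST content: comma-separated port numbers and low-high ranges."""
    ports = []
    for item in text.replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def check_flow(flow):
    """Validate a Flow element; return (errors, port_pairs) where port_pairs is the
    positional source->target correspondence implied by matching Portlists."""
    errors, ports = [], {"source": [], "target": []}
    systems = {"source": 0, "target": 0}
    for system in flow.findall("iodef:System", NS):
        cat = system.get("category")
        if cat in systems:
            systems[cat] += 1
        for svc in system.findall("iodef:Service", NS):
            present = [c for c in PORT_CLASSES if svc.find(f"iodef:{c}", NS) is not None]
            if present and svc.get("ip-protocol") is None:
                errors.append(f"{cat} Service has {','.join(present)} but no ip-protocol")
            for pl in svc.findall("iodef:Portlist", NS):
                if cat in ports:
                    ports[cat].extend(expand_portlist(pl.text))
    n, m = len(ports["source"]), len(ports["target"])
    pairs = []
    if n or m:
        if n != m:
            errors.append(f"source lists {n} ports but target lists {m}")
        elif n > 1 and (systems["source"] > 1 or systems["target"] > 1):
            errors.append("multi-port pairing requires exactly one source and one target")
        else:
            pairs = list(zip(ports["source"], ports["target"]))   # n-th <-> n-th
    return errors, pairs


def check_samples():
    return check_flow(ET.fromstring(GOOD)), check_flow(ET.fromstring(BAD))


if __name__ == "__main__":
    for errors, pairs in check_samples():
        print(errors, pairs)
```

A consumer that skips the count check and zips the lists anyway silently drops the unmatched ports, which is exactly the kind of quiet truncation that turns a block-port request into an incomplete rule set.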
3612 3.20.1. ServiceName Class
3614 The ServiceName class identifies an application protocol. It can be
3615 described by referencing an IANA registered protocol, a URL or with
3616 free-form text.
3618 +--------------------+
3619 | ServiceName |
3620 +--------------------+
3621 | |<>--{0..1}--[ IANAService ]
3622 | |<>--{0..*}--[ URL ]
3623 | |<>--{0..*}--[ Description ]
3624 +--------------------+
3626 Figure 42: The ServiceName Class
3628 The aggregate classes of the ServiceName class are:
3630 IANAService
3631 Zero or one. STRING. The name of the service per the "Service
3632 Name" field of the [IANA.Ports] registry.
3634 URL
3635 Zero or more. URL. A URL to a resource describing the service.
3637 Description
3638 Zero or more. ML_STRING. A free-form text description of the
3639 service.
3641 At least one of these classes MUST be present.
3643 The ServiceName class has no attributes.
3645 3.20.2. ApplicationHeader Class
3647 The ApplicationHeader class describes arbitrary fields from a
3648 protocol header and its corresponding value.
3650 +--------------------------+
3651 | ApplicationHeader |
3652 +--------------------------+
3653 | |<>--{1..*}--[ ApplicationHeaderField ]
3654 +--------------------------+
3656 Figure 43: The ApplicationHeader Class
3658 The aggregate class of the ApplicationHeader class is:
3660 ApplicationHeaderField
3661 One or more. EXTENSION. A field name and value in a protocol
3662 header. The 'name' attribute MUST be set to the field name. The
3663 field value MUST be set in the element content.
3665 The ApplicationHeader class has no attributes.
3667 3.21. EmailData Class
3669 The EmailData class describes headers from an email message and the
3670 cryptographic hashes and signatures applied to it.
3672 +-------------------------+
3673 | EmailData |
3674 +-------------------------+
3675 | ID observable-id |<>--{0..*}--[ EmailTo ]
3676 | |<>--{0..1}--[ EmailFrom ]
3677 | |<>--{0..1}--[ EmailSubject ]
3678 | |<>--{0..1}--[ EmailX-Mailer ]
3679 | |<>--{0..*}--[ EmailHeaderField ]
3680 | |<>--{0..1}--[ EmailHeaders ]
3681 | |<>--{0..1}--[ EmailBody ]
3682 | |<>--{0..1}--[ EmailMessage ]
3683 | |<>--{0..*}--[ HashData ]
3684 | |<>--{0..*}--[ SignatureData ]
3685 +-------------------------+
3687 Figure 44: EmailData Class
3689 The aggregate classes of the EmailData class are:
3691 EmailTo
3692 Zero or more. EMAIL. The value of the "To:" header field
3693 (Section 3.6.3 of [RFC5322]) in an email.
3695 EmailFrom
3696 Zero or one. EMAIL. The value of the "From:" header field
3697 (Section 3.6.2 of [RFC5322]) in an email.
3699 EmailSubject
3700 Zero or one. STRING. The value of the "Subject:" header field in
3701 an email. See Section 3.6.4 of [RFC5322].
3703 EmailX-Mailer
3704 Zero or one. STRING. The value of the "X-Mailer:" header field
3705 in an email.
3707 EmailHeaderField
3708 Zero or more. EXTENSION. The header name and value of an
3709 arbitrary header field of the email message. The 'name' attribute
3710 MUST be set to the header name. The header value MUST be set in the
3711 element body. The dtype attribute MUST be set to "string".
3713 EmailHeaders
3714 Zero or one. STRING. The headers of an email message.
3716 EmailBody
3717 Zero or one. STRING. The body of an email message.
3719 EmailMessage
3720 Zero or one. STRING. The headers and body of an email message.
3722 HashData
3723 Zero or more. Hash(es) associated with this email message. See
3724 Section 3.26.
3726 SignatureData
3727 Zero or more. Signature(s) associated with this email message.
3728 See Section 3.27.
3730 The attribute of the EmailData class is:
3732 observable-id
3733 Optional. ID. See Section 3.3.2.
3735 3.22. Record Class
3737 The Record class is a container class for log and audit data that
3738 provides supportive information about the events in an incident. The
3739 source of this data will often be the output of monitoring tools.
3740 These logs substantiate the activity described in the document.
3742 +------------------------+
3743 | Record |
3744 +------------------------+
3745 | ENUM restriction |<>--{1..*}--[ RecordData ]
3746 | STRING ext-restriction |
3747 +------------------------+
3749 Figure 45: Record Class
3751 The aggregate classes of the Record class are:
3753 RecordData
3754 One or more. Log or audit data generated by a particular tool.
3755 Separate instances of the RecordData class SHOULD be used for each
3756 type of log. See Section 3.22.1.
3758 The attributes of the Record class are:
3760 restriction
3761 Optional. ENUM. See Section 3.3.1.
3763 ext-restriction
3764 Optional. STRING. A means by which to extend the restriction
3765 attribute. See Section 5.1.1.
3767 3.22.1. RecordData Class
3769 The RecordData class describes or references log or audit data from a
3770 given type of tool and provides a means to annotate the output.
3772 +------------------------+
3773 | RecordData |
3774 +------------------------+
3775 | ENUM restriction |<>--{0..1}--[ DateTime ]
3776 | STRING ext-restriction |<>--{0..*}--[ Description ]
3777 | ID observable-id |<>--{0..1}--[ Application ]
3778 | |<>--{0..*}--[ RecordPattern ]
3779 | |<>--{0..*}--[ RecordItem ]
3780 | |<>--{0..*}--[ URL ]
3781 | |<>--{0..*}--[ FileData ]
3782 | |<>--{0..*}--
3783 | | [ WindowsRegistryKeysModified ]
3784 | |<>--{0..*}--[ CertificateData ]
3785 | |<>--{0..*}--[ AdditionalData ]
3786 +------------------------+
3788 Figure 46: The RecordData Class
3790 The aggregate classes of the RecordData class are:
3792 DateTime
3793 Zero or one. DATETIME. A timestamp of the data found in the
3794 RecordItem or URL classes.
3796 Description
3797 Zero or more. ML_STRING. A free-form text description of the
3798 data provided in the RecordItem or URL classes.
3800 Application
3801 Zero or one. SOFTWARE. Identifies the tool used to generate the
3802 data in the RecordItem or URL classes.
3804 RecordPattern
3805 Zero or more. A search string to precisely find the relevant data
3806 in the RecordItem or URL classes. See Section 3.22.2.
3808 RecordItem
3809 Zero or more. EXTENSION. Log, audit, or forensic data to support
3810 the conclusions made during the course of analyzing the incident.
3812 URL
3813 Zero or more. URL. A URL reference to a log or audit data.
3815 FileData
3816 Zero or more. The files involved in the incident. See
3817 Section 3.25.
3819 WindowsRegistryKeysModified
3820 Zero or more. The registry keys that were involved in the
3821 incident. See Section 3.23.
3823 CertificateData
3824 Zero or more. The certificates that were involved in the
3825 incident. See Section 3.24.
3827 AdditionalData
3828 Zero or more. EXTENSION. An extension mechanism for data not
3829 explicitly represented in the data model.
3831 At least one of the following classes MUST be present: RecordItem,
3832 URL, FileData, WindowsRegistryKeysModified, CertificateData or
3833 AdditionalData.
3835 The attributes of the RecordData class are:
3837 restriction
3838 Optional. ENUM. See Section 3.3.1.
3840 ext-restriction
3841 Optional. STRING. A means by which to extend the restriction
3842 attribute. See Section 5.1.1.
3844 observable-id
3845 Optional. ID. See Section 3.3.2.
3847 3.22.2. RecordPattern Class
3849 The RecordPattern class describes where in the log data provided or
3850 referenced in RecordData class relevant information can be found. It
3851 provides a way to reference subsets of information, identified by a
3852 pattern, in a large log file, audit trail, or forensic data.
3854 +-----------------------+
3855 | RecordPattern |
3856 +-----------------------+
3857 | STRING |
3858 | |
3859 | ENUM type |
3860 | STRING ext-type |
3861 | INTEGER offset |
3862 | ENUM offsetunit |
3863 | STRING ext-offsetunit |
3864 | INTEGER instance |
3865 +-----------------------+
3867 Figure 47: The RecordPattern Class
3869 The content of the class is of type STRING and specifies a search
3870 pattern.
3872 The attributes of the RecordPattern class are:
3874 type
3875 Required. ENUM. Describes the type of pattern being specified in
3876 the element content. The default is "regex". These values are
3877 maintained in the "RecordPattern-type" IANA registry per
3878 Section 10.2.
3880 1. regex. regular expression as defined by POSIX Extended
3881 Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
3883 2. binary. Binhex encoded binary pattern, per the HEXBIN data
3884 type.
3886 3. xpath. XML Path (XPath) [W3C.XPATH]
3888 4. ext-value. A value used to indicate that this attribute is
3889 extended and the actual value is provided using the
3890 corresponding ext-* attribute. See Section 5.1.1.
3892 ext-type
3893 Optional. STRING. A means by which to extend the type attribute.
3894 See Section 5.1.1.
3896 offset
3897 Optional. INTEGER. Amount of units (determined by the offsetunit
3898 attribute) to seek into the RecordItem data before matching the
3899 pattern.
3901 offsetunit
3902 Optional. ENUM. Describes the units of the offset attribute.
3903 The default is "line". These values are maintained in the
3904 "RecordPattern-offsetunit" IANA registry per Section 10.2.
3906 1. line. Offset is a count of lines.
3908 2. byte. Offset is a count of bytes.
3910 3. ext-value. A value used to indicate that this attribute is
3911 extended and the actual value is provided using the
3912 corresponding ext-* attribute. See Section 5.1.1.
3914 ext-offsetunit
3915 Optional. STRING. A means by which to extend the offsetunit
3916 attribute. See Section 5.1.1.
3918 instance
3919 Optional. INTEGER. Number of times to apply the specified
3920 pattern.
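The following Python example is added here and is not part of the draft. It shows how a receiving tool would evaluate a RecordPattern against the RecordItem content of the same RecordData instance, applying the offset, offsetunit and instance attributes together with the defaults the draft specifies ("regex" and "line"). The IODEF namespace URI, the sample log lines and the RecordData snippet are constructed for the example; only the "regex" pattern type and the "line" and "byte" offset units are handled.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed IODEF v2 namespace; verify against the schema actually deployed.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


@dataclass
class RecordPattern:
    pattern: str                    # element content: the search pattern
    type: str = "regex"             # default per the draft; only "regex" is evaluated here
    offset: Optional[int] = None
    offsetunit: str = "line"        # default per the draft
    instance: Optional[int] = None


def record_pattern_from_xml(elem: ET.Element) -> RecordPattern:
    """Build a RecordPattern from its XML element, applying the draft's defaults."""
    off, inst = elem.get("offset"), elem.get("instance")
    return RecordPattern(
        pattern=elem.text or "",
        type=elem.get("type", "regex"),
        offset=int(off) if off is not None else None,
        offsetunit=elem.get("offsetunit", "line"),
        instance=int(inst) if inst is not None else None,
    )


def apply_record_pattern(rp: RecordPattern, data: str) -> List[Tuple[str, ...]]:
    """Return the matches of rp in data, honouring offset, offsetunit and instance."""
    if rp.type != "regex":
        raise ValueError(f"RecordPattern type {rp.type!r} is not supported here")
    if rp.offsetunit == "line":
        window = "".join(data.splitlines(keepends=True)[rp.offset or 0:])
    elif rp.offsetunit == "byte":
        # A byte offset seeks into the encoded record, not into characters.
        window = data.encode("utf-8")[rp.offset or 0:].decode("utf-8", errors="replace")
    else:
        raise ValueError(f"offsetunit {rp.offsetunit!r} is not supported here")
    # The draft mandates POSIX ERE. Python's re accepts the subset used in
    # practice but is not an ERE engine (alternation is leftmost-first, not
    # leftmost-longest), so keep interchange patterns simple.
    matches = [m.groups() or (m.group(0),)
               for m in re.finditer(rp.pattern, window, re.MULTILINE)]
    # instance limits how many times the pattern is applied.
    return matches[:rp.instance] if rp.instance is not None else matches


# Constructed sample log (not from the draft): one success, then three failures.
SAMPLE_LOG = (
    "Jun 11 00:38:29 host sshd[1201]: Accepted password for alice from 192.0.2.10 port 51022 ssh2\n"
    "Jun 11 00:38:31 host sshd[1202]: Failed password for root from 198.51.100.7 port 40110 ssh2\n"
    "Jun 11 00:38:32 host sshd[1202]: Failed password for root from 198.51.100.7 port 40112 ssh2\n"
    "Jun 11 00:38:40 host sshd[1203]: Failed password for admin from 198.51.100.7 port 40120 ssh2\n"
)

# Constructed RecordData: skip the first line, then keep the first two matches.
SAMPLE_RECORD_DATA = (
    f'<RecordData xmlns="{IODEF_NS}">'
    '<RecordPattern type="regex" offset="1" offsetunit="line" instance="2">'
    r"Failed password for (\w+) from ([0-9.]+)"
    "</RecordPattern>"
    f'<RecordItem dtype="string">{SAMPLE_LOG}</RecordItem>'
    "</RecordData>"
)


def matches_from_record_data(xml_text: str) -> List[Tuple[str, ...]]:
    """Locate RecordPattern and RecordItem in a RecordData element and apply one to the other."""
    root = ET.fromstring(xml_text)
    rp_elem = root.find(f"{{{IODEF_NS}}}RecordPattern")
    item = root.find(f"{{{IODEF_NS}}}RecordItem")
    if rp_elem is None or item is None:
        raise ValueError("local matching needs both RecordPattern and RecordItem")
    return apply_record_pattern(record_pattern_from_xml(rp_elem), item.text or "")
```

Because offset defaults to lines, a RecordPattern with offsetunit="byte" must be computed against the same encoding the sender used for the RecordItem; a transcoding proxy silently shifts the window.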
3922 3.23. WindowsRegistryKeysModified Class
3924 The WindowsRegistryKeysModified class describes Windows operating
3925 system registry keys and the operations that were performed on them.
3926 This class was derived from [RFC5901].
3928 +-----------------------------+
3929 | WindowsRegistryKeysModified |
3930 +-----------------------------+
3931 | ID observable-id |<>--{1..*}--[ Key ]
3932 +-----------------------------+
3934 Figure 48: The WindowsRegistryKeysModified Class
3936 The aggregate classes of the WindowsRegistryKeysModified class are:
3938 Key
3939 One or more. The Windows registry key. See Section 3.23.1.
3941 The attribute of the WindowsRegistryKeysModified class is:
3943 observable-id
3944 Optional. ID. See Section 3.3.2.
3946 3.23.1. Key Class
3948 The Key class describes a Windows operating system registry key name
3949 and value pair, and the operation performed on it.
3951 +---------------------------+
3952 | Key |
3953 +---------------------------+
3954 | ENUM registryaction |<>----------[ KeyName ]
3955 | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
3956 | ID observable-id |
3957 +---------------------------+
3959 Figure 49: The Key Class
3961 The aggregate classes of the Key class are:
3963 KeyName
3964 One. STRING. The name of a Windows operating system registry key
3965 (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
3967 KeyValue
3968 Zero or one. STRING. The value of the registry key identified in
3969 the KeyName class encoded per the .reg file format [KB310516].
3971 The attributes of the Key class are:
3973 registryaction
3974 Optional. ENUM. The type of action taken on the registry key.
3975 These values are maintained in the "Key-registryaction" IANA
3976 registry per Section 10.2.
3978 1. add-key. Registry key added.
3980 2. add-value. Value added to a registry key.
3982 3. delete-key. Registry key deleted.
3984 4. delete-value. Value deleted from a registry key.
3986 5. modify-key. Registry key modified.
3988 6. modify-value. Value modified in a registry key.
3990 7. ext-value. A value used to indicate that this attribute is
3991 extended and the actual value is provided using the
3992 corresponding ext-* attribute. See Section 5.1.1.
3994 ext-registryaction
3995 Optional. STRING. A means by which to extend the registryaction
3996 attribute. See Section 5.1.1.
3998 observable-id
3999 Optional. ID. See Section 3.3.2.
4001 3.24. CertificateData Class
4003 The CertificateData class describes X.509 certificates.
4005 +------------------------+
4006 | CertificateData |
4007 +------------------------+
4008 | ENUM restriction |<>--{1..*}--[ Certificate ]
4009 | STRING ext-restriction |
4010 | ID observable-id |
4011 +------------------------+
4013 Figure 50: The CertificateData Class
4015 The aggregate classes of the CertificateData class are:
4017 Certificate
4018 One or more. A description of an X.509 certificate or certificate
4019 chain. See Section 3.24.1.
4021 The attributes of the CertificateData class are:
4023 restriction
4024 Optional. ENUM. See Section 3.3.1.
4026 ext-restriction
4027 Optional. STRING. A means by which to extend the restriction
4028 attribute. See Section 5.1.1.
4030 observable-id
4031 Optional. ID. See Section 3.3.2.
4033 3.24.1. Certificate Class
4035 The Certificate class describes a given X.509 certificate or
4036 certificate chain.
4038 +--------------------------+
4039 | Certificate |
4040 +--------------------------+
4041 | ID observable-id |<>----------[ ds:X509Data ]
4042 | |<>--{0..*}--[ Description ]
4043 +--------------------------+
4045 Figure 51: The Certificate Class
4047 The aggregate classes of the Certificate class are:
4049 ds:X509Data
4050 One. A given X.509 certificate or chain. See Section 4.4.4 of
4051 [W3C.XMLSIG].
4053 Description
4054 Zero or more. ML_STRING. A free-form text description explaining
4055 the context of this certificate.
4057 The attributes of the Certificate class are:
4059 observable-id
4060 Optional. ID. See Section 3.3.2.
4062 3.25. FileData Class
4064 The FileData class describes a file or set of files.
4066 +------------------------+
4067 | FileData |
4068 +------------------------+
4069 | ENUM restriction |<>--{1..*}--[ File ]
4070 | STRING ext-restriction |
4071 | ID observable-id |
4072 +------------------------+
4074 Figure 52: The FileData Class
4076 The aggregate classes of the FileData class are:
4078 File
4079 One or more. A description of a file. See Section 3.25.1.
4081 The attributes of the FileData class are:
4083 restriction
4084 Optional. ENUM. See Section 3.3.1.
4086 ext-restriction
4087 Optional. STRING. A means by which to extend the restriction
4088 attribute. See Section 5.1.1.
4090 observable-id
4091 Optional. ID. See Section 3.3.2.
4093 3.25.1. File Class
4095 The File class describes a file; its associated meta data; and
4096 cryptographic hashes and signatures applied to it.
4098 +-----------------------+
4099 | File |
4100 +-----------------------+
4101 | ID observable-id |<>--{0..1}--[ FileName ]
4102 | |<>--{0..1}--[ FileSize ]
4103 | |<>--{0..1}--[ FileType ]
4104 | |<>--{0..*}--[ URL ]
4105 | |<>--{0..1}--[ HashData ]
4106 | |<>--{0..1}--[ SignatureData ]
4107 | |<>--{0..1}--[ AssociatedSoftware ]
4108 | |<>--{0..*}--[ FileProperties ]
4109 +-----------------------+
4111 Figure 53: The File Class
4113 The aggregate classes of the File class are:
4115 FileName
4116 Zero or One. STRING. The name of the file.
4118 FileSize
4119 Zero or One. INTEGER. The size of the file in bytes.
4121 FileType
4122 Zero or One. STRING. The type of file per the IANA Media Types
4123 Registry [IANA.Media]. Valid values correspond to the text in the
4124 "Template" column (e.g., "application/pdf").
4126 URL
4127 Zero or more. URL. A URL reference to the file.
4129 HashData
4130 Zero or One. Hash(es) associated with this file. See
4131 Section 3.26.
4133 SignatureData
4134 Zero or One. Signature(s) associated with this file. See
4135 Section 3.27.
4137 AssociatedSoftware
4138 Zero or One. SOFTWARE. The software application or operating
4139 system to which this file belongs or by which it can be processed.
4141 FileProperties
4142 Zero or more. EXTENSION. Mechanism by which to extend the data
4143 model to describe properties of the file.
4145 The attributes of the File class are:
4147 observable-id
4148 Optional. ID. See Section 3.3.2.
4150 3.26. HashData Class
4152 The HashData class describes different types of hashes of a given
4153 object (e.g., file, part of a file, email).
4155 +--------------------------+
4156 | HashData |
4157 +--------------------------+
4158 | ENUM scope |<>--{0..1}--[ HashTargetID ]
4159 | |<>--{0..*}--[ Hash ]
4160 | |<>--{0..*}--[ FuzzyHash ]
4161 +--------------------------+
4163 Figure 54: The HashData Class
4165 The aggregate classes of the HashData class are:
4167 HashTargetID
4168 Zero or One. STRING. An identifier that references a subset of
4169 the object being hashed. The semantics of this identifier are
4170 specified by the scope attribute.
4172 Hash
4173 Zero or more. The hash of an object. See Section 3.26.1.
4175 FuzzyHash
4176 Zero or more. The fuzzy hash of an object. See Section 3.26.2.
4178 At least one instance of either Hash or FuzzyHash MUST be present.
4180 The attribute of the HashData class is:
4182 scope
4183 Required. ENUM. Describes on which part of the object the hash
4184 should be applied. These values are maintained in the "HashData-
4185 scope" IANA registry per Section 10.2.
4187 1. file-contents. A hash computed over the entire contents of a
4188 file.
4190 2. file-pe-section. A hash computed on a given section of a
4191 Windows Portable Executable (PE) file. If set to this value,
4192 the HashTargetID class MUST identify the section being hashed.
4193 A section is identified by an ordinal number (starting at 1)
4194 corresponding to the order in which the given section
4195 header was defined in the Section Table of the PE file header.
4197 3. file-pe-iat. A hash computed on the Import Address
4198 Table (IAT) of a PE file. As IAT hashes are often tool
4199 dependent, if this value is set, the Application class of
4200 either the Hash or FuzzyHash classes MUST specify the tool
4201 used to generate the hash.
4203 4. file-pe-resource. A hash computed on a given resource in a PE
4204 file. If set to this value, the HashTargetID class MUST
4205 identify the resource being hashed. A resource is identified
4206 by an ordinal number (starting at 1) corresponding to the
4207 order in which the given resource is declared in the Resource
4208 Directory of the Data Directory in the PE file header.
4210 5. file-pdf-object. A hash computed on a given object in a
4211 Portable Document Format (PDF) file. If set to this value,
4212 the HashTargetID class MUST identify the object being hashed.
4213 This object is identified by its offset in the PDF file.
4215 6. email-hash. A hash computed over the headers and body of an
4216 email message.
4218 7. email-headers-hash. A hash computed over all of the headers
4219 of an email message.
4221 8. email-body-hash. A hash computed over the body of an email
4222 message.
4224 9. ext-value. A value used to indicate that this attribute is
4225 extended and the actual value is provided using the
4226 corresponding ext-* attribute. See Section 5.1.1.
4228 ext-scope
4229 Optional. STRING. A means by which to extend the scope
4230 attribute. See Section 5.1.1.
4232 3.26.1. Hash Class
4234 The Hash class describes a cryptographic hash value; the algorithm
4235 and application used to generate it; and the canonicalization method
4236 applied to the object being hashed.
4238 +----------------+
4239 | Hash |
4240 +----------------+
4241 | |<>----------[ ds:DigestMethod ]
4242 | |<>----------[ ds:DigestValue ]
4243 | |<>--{0..1}--[ ds:CanonicalizationMethod ]
4244 | |<>--{0..1}--[ Application ]
4245 +----------------+
4247 Figure 55: The Hash Class
4249 The aggregate classes of the Hash class are:
4251 ds:DigestMethod
4252 One. The hash algorithm used to generate the hash. See
4253 Section 4.3.3.5 of [W3C.XMLSIG]
4255 ds:DigestValue
4256 One. The computed hash value. See Section 4.3.3.6 of
4257 [W3C.XMLSIG].
4259 ds:CanonicalizationMethod
4260 Zero or one. The canonicalization method used on the object being
4261 hashed. See Section 4.3.1 of [W3C.XMLSIG].
4263 Application
4264 Zero or One. SOFTWARE. The application used to calculate the
4265 hash.
4267 The Hash class has no attributes.
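The following Python example is added here and is not part of the draft. It covers the email scopes of the HashData class above (email-hash, email-headers-hash, email-body-hash) and the Hash class: it selects the bytes each scope covers from an RFC 5322 message, emits a HashData element whose Hash child carries ds:DigestMethod and ds:DigestValue as XML Signature defines them, and verifies such an element on receipt by recomputing the digest. The IODEF namespace URI and the sample message are constructed for the example; the XML Signature namespace and the SHA-256 algorithm identifier are the standard ones.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Tuple

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"            # assumed IODEF v2 namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"              # XML Signature namespace
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"    # ds:DigestMethod@Algorithm for SHA-256
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample message (not from the draft), RFC 5322 framing with CRLF line ends.
SAMPLE_MESSAGE = (
    b"From: sender@example.net\r\n"
    b"To: victim@example.com\r\n"
    b"Subject: Invoice attached\r\n"
    b"X-Mailer: ExampleMailer 1.0\r\n"
    b"\r\n"
    b"Please open the attached invoice.\r\n"
)


def split_message(raw: bytes) -> Tuple[bytes, bytes]:
    """Split an RFC 5322 message at the first empty line into (headers, body)."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no header/body separator (CRLF CRLF) found")
    return raw[:sep + 2], raw[sep + 4:]


def scoped_bytes(raw: bytes, scope: str) -> bytes:
    """Select the bytes that an email HashData@scope value covers."""
    headers, body = split_message(raw)
    try:
        return {"email-hash": raw, "email-headers-hash": headers, "email-body-hash": body}[scope]
    except KeyError:
        raise ValueError(f"scope {scope!r} is not an email scope") from None


def build_hashdata(raw: bytes, scope: str) -> ET.Element:
    """Emit <HashData scope=...><Hash><ds:DigestMethod/><ds:DigestValue/></Hash></HashData>."""
    digest = hashlib.sha256(scoped_bytes(raw, scope)).digest()
    hd = ET.Element(f"{{{IODEF_NS}}}HashData", {"scope": scope})
    h = ET.SubElement(hd, f"{{{IODEF_NS}}}Hash")
    ET.SubElement(h, f"{{{DS_NS}}}DigestMethod", {"Algorithm": SHA256_URI})
    # ds:DigestValue is base64, as in XML Signature.
    ET.SubElement(h, f"{{{DS_NS}}}DigestValue").text = base64.b64encode(digest).decode("ascii")
    return hd


def verify_hashdata(hd: ET.Element, raw: bytes) -> bool:
    """Recompute every Hash child over the scoped bytes of raw and compare."""
    scope = hd.get("scope")
    hashes = hd.findall(f"{{{IODEF_NS}}}Hash")
    if scope is None or not hashes:
        return False   # scope is required, and at least one Hash must be present
    for h in hashes:
        dm = h.find(f"{{{DS_NS}}}DigestMethod")
        dv = h.find(f"{{{DS_NS}}}DigestValue")
        if dm is None or dv is None or dm.get("Algorithm") != SHA256_URI:
            return False   # unknown or missing algorithm: refuse rather than guess
        expected = hashlib.sha256(scoped_bytes(raw, scope)).digest()
        try:
            actual = base64.b64decode(dv.text or "", validate=True)
        except ValueError:
            return False
        if not hmac.compare_digest(expected, actual):
            return False
    return True


def roundtrip(raw: bytes, scope: str) -> bool:
    """Serialize, re-parse and verify, as a receiving CSIRT would."""
    xml_bytes = ET.tostring(build_hashdata(raw, scope))
    return verify_hashdata(ET.fromstring(xml_bytes), raw)
```

The digests are taken over the raw bytes, so a relay that rewrites line endings or re-encodes a header breaks email-hash and email-headers-hash while email-body-hash may still match; if the sender normalized the message first, the method belongs in ds:CanonicalizationMethod so the receiver can repeat it.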
4269 3.26.2. FuzzyHash Class
4271 The FuzzyHash class describes a fuzzy hash and the application used
4272 to generate it.
4274 +--------------------------+
4275 | FuzzyHash |
4276 +--------------------------+
4277 | |<>--{1..*}--[ FuzzyHashValue ]
4278 | |<>--{0..1}--[ Application ]
4279 | |<>--{0..*}--[ AdditionalData ]
4280 +--------------------------+
4282 Figure 56: The FuzzyHash Class
4284 The aggregate classes of the FuzzyHash class are:
4286 FuzzyHashValue
4287 One or more. EXTENSION. The computed fuzzy hash value.
4289 Application
4290 Zero or one. SOFTWARE. The application used to calculate the
4291 hash.
4293 AdditionalData
4294 Zero or more. EXTENSION. Mechanism by which to extend the data
4295 model.
4297 The FuzzyHash class has no attributes.
4299 3.27. SignatureData Class
4301 The SignatureData class describes different types of digital
4302 signatures on an object.
4304 +--------------------------+
4305 | SignatureData |
4306 +--------------------------+
4307 | |<>--{1..*}--[ ds:Signature ]
4308 +--------------------------+
4310 Figure 57: The SignatureData Class
4312 The aggregate class of the SignatureData class is:
4314 ds:Signature
4315 One or more. A given XML signature. See Section 4.2 of [W3C.XMLSIG].
4317 The SignatureData class has no attributes.
4319 3.28. IndicatorData Class
4321 The IndicatorData class describes indicators and meta-data associated
4322 with them.
4324 +--------------------------+
4325 | IndicatorData |
4326 +--------------------------+
4327 | |<>--{1..*}--[ Indicator ]
4328 +--------------------------+
4330 Figure 58: The IndicatorData Class
4332 The aggregate class of the IndicatorData class is:
4334 Indicator
4335 One or more. A description of an indicator. See Section 3.29.
4337 The IndicatorData class has no attributes.
4339 3.29. Indicator Class
4341 The Indicator class describes an indicator. An indicator consists of
4342 observable features and phenomena that aid in the forensic or
4343 proactive detection of malicious activity, and associated meta-data.
4344 An indicator can be described outright; by referencing or composing
4345 previously defined indicators; or by referencing observables
4346 described in the incident report found in this document.
4348 +------------------------+
4349 | Indicator |
4350 +------------------------+
4351 | ENUM restriction |<>----------[ IndicatorID ]
4352 | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
4353 | |<>--{0..*}--[ Description ]
4354 | |<>--{0..1}--[ StartTime ]
4355 | |<>--{0..1}--[ EndTime ]
4356 | |<>--{0..1}--[ Confidence ]
4357 | |<>--{0..*}--[ Contact ]
4358 | |<>--{0..1}--[ Observable ]
4359 | |<>--{0..1}--[ ObservableReference ]
4360 | |<>--{0..1}--[ IndicatorExpression ]
4361 | |<>--{0..1}--[ IndicatorReference ]
4362 | |<>--{0..*}--[ NodeRole ]
4363 | |<>--{0..*}--[ AttackPhase ]
4364 | |<>--{0..*}--[ Reference ]
4365 | |<>--{0..*}--[ AdditionalData ]
4366 +------------------------+
4368 Figure 59: The Indicator Class
4370 The aggregate classes of the Indicator class are:
4372 IndicatorID
4373 One. An identifier for this indicator. See Section 3.29.1
4375 AlternativeIndicatorID
4376 Zero or more. An alternative identifier for this indicator. See
4377 Section 3.29.2
4379 Description
4380 Zero or more. ML_STRING. A free-form text description of the
4381 indicator.
4383 StartTime
4384 Zero or one. DATETIME. A timestamp of the start of the time
4385 period during which this indicator is valid.
4387 EndTime
4388 Zero or one. DATETIME. A timestamp of the end of the time period
4389 during which this indicator is valid.
4391 Confidence
4392 Zero or one. An estimate of the confidence in the quality of the
4393 indicator. See Section 3.12.5.
4395 Contact
4396 Zero or more. Contact information for this indicator. See
4397 Section 3.9.
4399 Observable
4400 Zero or one. An observable feature or phenomenon of this
4401 indicator. See Section 3.29.3.
4403 ObservableReference
4404 Zero or one. A reference to an observable feature or phenomenon
4405 defined elsewhere in the document. See Section 3.29.6.
4407 IndicatorExpression
4408 Zero or one. A composition of observables. See Section 3.29.4.
4410 IndicatorReference
4411 Zero or one. A reference to an indicator. See Section 3.29.7.
4413 NodeRole
4414 Zero or more. The role of the system in the attack should this
4415 indicator be matched to it. See Section 3.18.2.
4417 AttackPhase
4418 Zero or more. The phase in an attack lifecycle during which this
4419 indicator might be seen. See Section 3.29.8.
4421 Reference
4422 Zero or more. A reference to additional information relevant to
4423 this indicator. See Section 3.11.1.
4425 AdditionalData
4426 Zero or more. EXTENSION. Mechanism by which to extend the data
4427 model.
4429 The Indicator class MUST have exactly one instance of an Observable,
4430 IndicatorExpression, ObservableReference, or IndicatorReference
4431 class.
4433 The StartTime and EndTime classes can be used to define an interval
4434 during which the indicator is valid. If both classes are present,
4435 the indicator is considered valid only during the described interval.
4436 If neither class is provided, the indicator is considered valid
4437 during any time interval. If only a StartTime is provided, the
4438 indicator is valid anytime after this timestamp. If only an EndTime
4439 is provided, the indicator is valid anytime prior to this timestamp.
4441 The attributes of the Indicator class are:
4443 restriction
4444 Optional. ENUM. See Section 3.3.1.
4446 ext-restriction
4447 Optional. STRING. A means by which to extend the restriction
4448 attribute. See Section 5.1.1.
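The following Python example is added here and is not part of the draft. It checks the constraints on an Indicator that an XML schema alone does not express well: exactly one of Observable, IndicatorExpression, ObservableReference or IndicatorReference; exactly one child class inside an Observable; a required IndicatorID with name and version; and a StartTime not later than EndTime. It then applies the validity-interval rule from the paragraph above (both, either or neither bound present). The IODEF namespace URI, the CSIRT name and the indicator identifiers in the samples are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import List

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed IODEF v2 namespace


def q(name: str) -> str:
    """Qualify an IODEF element name for ElementTree lookups."""
    return f"{{{IODEF_NS}}}{name}"


# Exactly one of these MUST appear in an Indicator.
INDICATOR_CONTENT = ("Observable", "IndicatorExpression", "ObservableReference", "IndicatorReference")


def parse_dt(text: str) -> datetime:
    """DATETIME values carry a zone offset; reject naive timestamps so comparisons stay sound."""
    dt = datetime.fromisoformat((text or "").strip())
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {text!r} has no zone offset")
    return dt


def load_indicator(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text.strip())


def check_indicator(ind: ET.Element) -> List[str]:
    """Return the MUST-level problems found in an Indicator element (empty list if clean)."""
    problems: List[str] = []
    iid = ind.find(q("IndicatorID"))
    if iid is None:
        problems.append("IndicatorID is required")
    else:
        for attr in ("name", "version"):
            if not iid.get(attr):
                problems.append(f"IndicatorID@{attr} is required")
        if not (iid.text or "").strip():
            problems.append("IndicatorID content is empty")
    present = [c for c in INDICATOR_CONTENT if ind.find(q(c)) is not None]
    if len(present) != 1:
        problems.append(f"exactly one of {'/'.join(INDICATOR_CONTENT)} required, found {present}")
    obs = ind.find(q("Observable"))
    if obs is not None:
        # AdditionalData is an extension slot and does not count as the observable itself.
        kids = [k for k in obs if k.tag != q("AdditionalData")]
        if len(kids) != 1:
            problems.append(f"Observable must have exactly one child class, found {len(kids)}")
    start, end = ind.find(q("StartTime")), ind.find(q("EndTime"))
    try:
        if start is not None and end is not None and parse_dt(start.text) > parse_dt(end.text):
            problems.append("StartTime is later than EndTime")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def indicator_valid_at(ind: ET.Element, when: datetime) -> bool:
    """Apply the StartTime/EndTime interval rule: missing bounds are open-ended."""
    start, end = ind.find(q("StartTime")), ind.find(q("EndTime"))
    if start is not None and when < parse_dt(start.text):
        return False
    if end is not None and when > parse_dt(end.text):
        return False
    return True


# Constructed examples (not from the draft); CSIRT name and ID values are made up.
GOOD_INDICATOR = f"""
<Indicator xmlns="{IODEF_NS}">
  <IndicatorID name="csirt.example.com" version="1">ind-2015-0042</IndicatorID>
  <StartTime>2015-06-11T00:00:00-06:00</StartTime>
  <EndTime>2015-07-11T00:00:00-06:00</EndTime>
  <Observable>
    <Address category="ipv4-addr">192.0.2.1</Address>
  </Observable>
</Indicator>
"""

# Two content classes, an Observable with two children, and StartTime after EndTime.
BAD_INDICATOR = f"""
<Indicator xmlns="{IODEF_NS}">
  <IndicatorID name="csirt.example.com" version="1">ind-2015-0043</IndicatorID>
  <StartTime>2015-07-11T00:00:00-06:00</StartTime>
  <EndTime>2015-06-11T00:00:00-06:00</EndTime>
  <Observable>
    <Address category="ipv4-addr">192.0.2.1</Address>
    <Address category="ipv4-addr">192.0.2.2</Address>
  </Observable>
  <ObservableReference/>
</Indicator>
"""
```

Run check_indicator before loading an indicator into a detection pipeline; an Indicator that carries both an Observable and a reference is ambiguous about what should actually be matched, and a reversed interval silently never fires.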
4450 3.29.1. IndicatorID Class
4452 The IndicatorID class identifies an indicator with a globally unique
4453 identifier. The combination of the name and version attributes, and
4454 the element content form this identifier. Indicators generated by a
4455 given CSIRT MUST NOT reuse the same value unless they are referencing
4456 the same indicator.
4458 +------------------+
4459 | IndicatorID |
4460 +------------------+
4461 | ID |
4462 | |
4463 | STRING name |
4464 | STRING version |
4465 +------------------+
4467 Figure 60: The IndicatorID Class
4469 The content of the class is of type ID and specifies an identifier
4470 for an indicator.
4472 The attributes of the IndicatorID class are:
4474 name
4475 Required. STRING. An identifier describing the CSIRT that
4476 created the indicator. In order to have a globally unique CSIRT
4477 name, the fully qualified domain name associated with the CSIRT
4478 MUST be used. This format is identical to the IncidentID@name
4479 attribute in Section 3.4.
4481 version
4482 Required. STRING. A version number of an indicator.
4484 3.29.2. AlternativeIndicatorID Class
4486 The AlternativeIndicatorID class lists alternative identifiers for an
4487 indicator.
4489 +-------------------------+
4490 | AlternativeIndicatorID |
4491 +-------------------------+
4492 | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
4493 | STRING ext-restriction |
4494 +-------------------------+
4496 Figure 61: The AlternativeIndicatorID Class
4498 The aggregate class of the AlternativeIndicatorID class is:
4500 IndicatorReference
4501 One or more. A reference to an indicator. See Section 3.29.7
4503 The attributes of the AlternativeIndicatorID class are:
4505 restriction
4506 Optional. ENUM. See Section 3.3.1.
4508 ext-restriction
4509 Optional. STRING. A means by which to extend the restriction
4510 attribute. See Section 5.1.1.
4512 3.29.3. Observable Class
4514 The Observable class describes a feature and phenomenon that can be
4515 observed or measured for the purposes of detecting malicious
4516 behavior.
4518 +------------------------+
4519 | Observable |
4520 +------------------------+
4521 | ENUM restriction |<>--{0..1}--[ System ]
4522 | STRING ext-restriction |<>--{0..1}--[ Address ]
4523 | |<>--{0..1}--[ DomainData ]
4524 | |<>--{0..1}--[ Service ]
4525 | |<>--{0..1}--[ EmailData ]
4526 | |<>--{0..1}--[ WindowsRegistryKeysModified ]
4527 | |<>--{0..1}--[ FileData ]
4528 | |<>--{0..1}--[ CertificateData ]
4529 | |<>--{0..1}--[ RegistryHandle ]
4530 | |<>--{0..1}--[ RecordData ]
4531 | |<>--{0..1}--[ EventData ]
4532 | |<>--{0..1}--[ Incident ]
4533 | |<>--{0..1}--[ Expectation ]
4534 | |<>--{0..1}--[ Reference ]
4535 | |<>--{0..1}--[ Assessment ]
4536 | |<>--{0..1}--[ DetectionPattern ]
4537 | |<>--{0..1}--[ HistoryItem ]
4538 | |<>--{0..1}--[ BulkObservable ]
4539 | |<>--{0..*}--[ AdditionalData ]
4540 +------------------------+
4542 Figure 62: The Observable Class
4544 The aggregate classes of the Observable class are:
4546 System
4547 Zero or one. A System observable. See Section 3.17.
4549 Address
4550 Zero or one. An Address observable. See Section 3.18.1.
4552 DomainData
4553 Zero or one. A DomainData observable. See Section 3.19.
4555 Service
4556 Zero or one. A Service observable. See Section 3.20.
4558 EmailData
4559 Zero or one. An EmailData observable. See Section 3.21.
4561 WindowsRegistryKeysModified
4562 Zero or one. A WindowsRegistryKeysModified observable. See
4563 Section 3.23.
4565 FileData
4566 Zero or one. A FileData observable. See Section 3.25.
4568 CertificateData
4569 Zero or one. A CertificateData observable. See Section 3.24.
4571 RegistryHandle
4572 Zero or one. A RegistryHandle observable. See Section 3.9.1.
4574 RecordData
4575 Zero or one. A RecordData observable. See Section 3.22.1.
4577 EventData
4578 Zero or one. An EventData observable. See Section 3.14.
4580 Incident
4581 Zero or one. An Incident observable. See Section 3.2.
4583 Expectation
4584 Zero or one. An Expectation observable. See Section 3.15.
4586 Reference
4587 Zero or one. A Reference observable. See Section 3.11.1.
4589 Assessment
4590 Zero or one. An Assessment observable. See Section 3.12.
4592 DetectionPattern
4593 Zero or one. A DetectionPattern observable. See Section 3.10.1.
4595 HistoryItem
4596 Zero or one. A HistoryItem observable. See Section 3.13.1.
4598 BulkObservable
4599 Zero or one. A bulk list of observables. See Section 3.29.3.1.
4601 AdditionalData
4602 Zero or more. EXTENSION. Mechanism by which to extend the data
4603 model.
4605 The Observable class MUST have exactly one of the possible child
4606 classes.
4608 The attributes of the Observable class are:
4610 restriction
4611 Optional. ENUM. See Section 3.3.1.
4613 ext-restriction
4614 Optional. STRING. A means by which to extend the restriction
4615 attribute. See Section 5.1.1.
4617 3.29.3.1. BulkObservable Class
4619 The BulkObservable class allows the enumeration of a single type of
4620 observables without requiring each one to be encoded individually in
4621 multiple instances of the same class.
4623 The type attribute describes the type of observable listed in the
4624 child BulkObservableList class. The BulkObservableFormat class
4625 optionally provides additional meta-data.
4627 +---------------------------+
4628 | BulkObservable |
4629 +---------------------------+
4630 | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
4631 | STRING ext-type |<>----------[ BulkObservableList ]
4632 | |<>--{0..*}--[ AdditionalData ]
4633 +---------------------------+
4635 Figure 63: The BulkObservable Class
4637 The aggregate classes of the BulkObservable class are:
4639 BulkObservableFormat
4640 Zero or one. Provides additional meta-data about the observables
4641 enumerated in the BulkObservableList class. See
4642 Section 3.29.3.1.1.
4644 BulkObservableList
4645 One. STRING. A list of observables, one per line. Each line is
4646 separated with either a LF character or CR-and-LF characters. The
4647 type attribute specifies which observables will be listed.
4649 AdditionalData
4650 Zero or more. EXTENSION. Mechanism by which to extend the data
4651 model.
4653 The attributes of the BulkObservable class are:
4655 type
4656 Optional. ENUM. The type of the observable listed in the child
4657 BulkObservableList class. These values are maintained in the
4658 "BulkObservable-type" IANA registry per Section 10.2.
4660 1. asn. Autonomous System Number (per the Address@category
4661 attribute).
4663 2. atm. Asynchronous Transfer Mode (ATM) address (per the
4664 Address@category attribute).
4666 3. e-mail. Email address (per the Address@category attribute).
4668 4. ipv4-addr. IPv4 host address in dotted-decimal notation
4669 (e.g., 192.0.2.1) (per the Address@category attribute).
4671 5. ipv4-net. IPv4 network address in dotted-decimal notation,
4672 slash, significant bits (e.g., 192.0.2.0/24) (per the
4673 Address@category attribute).
4675 6. ipv4-net-mask. IPv4 network address in dotted-decimal
4676 notation, slash, network mask in dotted-decimal notation
4677 (e.g., 192.0.2.0/255.255.255.0) (per the Address@category
4678 attribute).
4680 7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
4681 Address@category attribute).
4683 8. ipv6-net. IPv6 network address, slash, significant bits
4684 (e.g., 2001:DB8::/32) (per the Address@category attribute).
4686 9. ipv6-net-mask. IPv6 network address, slash, network mask
4687 (per the Address@category attribute).
4689 10. mac. Media Access Control (MAC) address (e.g., a:b:c:d:e:f)
4690 (per the Address@category attribute).
4692 11. site-uri. A URL or URI for a resource (per the
4693 Address@category attribute).
4695 12. domain-name. A fully qualified domain name or part of a
4696 name (e.g., fqdn.example.com, example.com).
4698 13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
4699 a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").
4701 14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
4702 a comma separated list (e.g., "fqdn.example.com,
4703 2001:DB8::3").
4705 15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
4706 timestamp (in the DATETIME format) of the resolution (e.g.,
4707 "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
4709 16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
4710 timestamp (in the DATETIME format) of the resolution (e.g.,
4711 "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
4713 17. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
4714 192.0.2.1, 80, tcp). The protocol name corresponds to the
4715 "Keyword" column in the [IANA.Protocols] registry.
4717 18. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
4718 2001:DB8::3, 80, tcp). The protocol name corresponds to the
4719 "Keyword" column in the [IANA.Protocols] registry.
4721 19. windows-reg-key. A Microsoft Windows Registry key.
4723 20. file-hash. A file hash. The format of this hash is
4724 described in the Hash class that MUST be present in a sibling
4725 BulkObservableFormat class.
4727 21. email-x-mailer. An X-Mailer field from an email.
4729 22. email-subject. An email subject line.
4731 23. http-user-agent. A User Agent field from an HTTP request
4732 header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
4733 Gecko/20100101 Firefox/38.0").
4735 24. http-request-uri. The Request URI from an HTTP request
4736 header.
4738 25. mutex. The name of a system mutex.
4740 26. file-path. A file path (e.g., "/tmp/local/file",
4741 "c:\windows\system32\file.sys")
4743 27. user-name. A username.
4745 28. ext-value. A value used to indicate that this attribute is
4746 extended and the actual value is provided using the
4747 corresponding ext-* attribute. See Section 5.1.1.
4749 ext-type
4750 Optional. STRING. A means by which to extend the type attribute.
4751 See Section 5.1.1.
3.29.3.1.1. BulkObservableFormat Class

The BulkObservableFormat class specifies meta-data about the format of
an observable enumerated in a sibling BulkObservableList class.

+---------------------------+
|   BulkObservableFormat    |
+---------------------------+
|                           |<>--{0..1}--[ Hash ]
|                           |<>--{0..*}--[ AdditionalData ]
+---------------------------+

Figure 64: The BulkObservableFormat Class

The aggregate classes of the BulkObservableFormat class are:

Hash
Zero or one. Describes the format of a hash. See Section 3.26.1.

AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data
model.

The BulkObservableFormat class has no attributes.

Either Hash or AdditionalData MUST be present.
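As an added example that is not code from the draft, the following Python checks BulkObservableList entries against the declared BulkObservable@type and enforces the Hash requirement for file-hash above. It assumes one entry per line in BulkObservableList, the nesting Observable/BulkObservable/BulkObservableList, and a small stand-in set for the [IANA.Protocols] keywords.

```python
"""Check the entries of an IODEF BulkObservable against its declared type.

Added example, not code from the draft. Assumed: the nesting
Observable > BulkObservable > BulkObservableList | BulkObservableFormat,
one entry per line in BulkObservableList, and a small stand-in for the
[IANA.Protocols] "Keyword" column. The sample document is constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}
PROTOCOL_KEYWORDS = {"tcp", "udp", "icmp", "sctp"}  # assumed subset of the registry
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$")

def _is_addr(s, version):
    try:
        return ipaddress.ip_address(s).version == version
    except ValueError:
        return False

def _is_net(s, version):
    # For IPv4, ipaddress accepts "/24" as well as "/255.255.255.0", which
    # covers both the ipv4-net and the ipv4-net-mask forms.
    try:
        return "/" in s and ipaddress.ip_network(s, strict=False).version == version
    except ValueError:
        return False

def _is_datetime(s):
    try:
        datetime.fromisoformat(s)  # DATETIME with a numeric UTC offset
        return True
    except ValueError:
        return False

def valid_entry(kind, entry):
    """True if one BulkObservableList entry has the syntax of type `kind`."""
    kind = kind or ""
    parts = [p.strip() for p in entry.split(",")]
    if kind in ("ipv4-addr", "ipv6-addr"):
        return _is_addr(entry, 4 if kind == "ipv4-addr" else 6)
    if kind in ("ipv4-net", "ipv4-net-mask", "ipv6-net"):
        return _is_net(entry, 6 if kind == "ipv6-net" else 4)
    if kind == "ipv6-net-mask":  # ipaddress has no IPv6 netmask notation
        halves = entry.split("/")
        return len(halves) == 2 and all(_is_addr(h, 6) for h in halves)
    if kind == "domain-name":
        return bool(DOMAIN_RE.match(entry))
    if kind.startswith("domain-to-ipv"):
        version = 4 if "ipv4" in kind else 6
        want = 3 if kind.endswith("-timestamp") else 2
        return (len(parts) == want and bool(DOMAIN_RE.match(parts[0]))
                and _is_addr(parts[1], version)
                and (want == 2 or _is_datetime(parts[2])))
    if kind in ("ipv4-port", "ipv6-port"):
        return (len(parts) == 3 and _is_addr(parts[0], 4 if kind == "ipv4-port" else 6)
                and parts[1].isdigit() and int(parts[1]) <= 65535
                and parts[2].lower() in PROTOCOL_KEYWORDS)
    return bool(entry)  # free-form types (file-hash, mutex, ...): non-empty only

def check_bulk_observable(bulk):
    """Return the problems found in one BulkObservable element."""
    kind, problems = bulk.get("type"), []
    if (kind == "ext-value") != (bulk.get("ext-type") is not None):
        problems.append("type/ext-type mismatch")  # Section 5.1.1 pairing rule
    fmt = bulk.find("iodef:BulkObservableFormat", NS)
    has_hash = fmt is not None and fmt.find("iodef:Hash", NS) is not None
    if fmt is not None and not has_hash and fmt.find("iodef:AdditionalData", NS) is None:
        problems.append("BulkObservableFormat without Hash or AdditionalData")
    if kind == "file-hash" and not has_hash:  # hash format would be unknown
        problems.append("file-hash without BulkObservableFormat/Hash")
    lst = bulk.find("iodef:BulkObservableList", NS)
    for line in ((lst.text if lst is not None else None) or "").splitlines():
        entry = line.strip()
        if entry and kind != "ext-value" and not valid_entry(kind, entry):
            problems.append(f"entry does not match {kind}: {entry}")
    return problems

def check_document(xml_text):
    """Map each BulkObservable@type in the document to its list of problems."""
    root = ET.fromstring(xml_text)
    return {b.get("type"): check_bulk_observable(b)
            for b in root.iter("{%s}BulkObservable" % NS["iodef"])}

# Constructed sample: one malformed domain entry, one file-hash without Hash.
SAMPLE = """<IndicatorExpression xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Observable>
    <BulkObservable type="domain-to-ipv4-timestamp">
      <BulkObservableList>
        fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00
        bad host, 192.0.2.2, 2015-06-11T00:38:31-06:00
      </BulkObservableList>
    </BulkObservable>
  </Observable>
  <Observable>
    <BulkObservable type="file-hash">
      <BulkObservableList>placeholder-hash-value</BulkObservableList>
    </BulkObservable>
  </Observable>
</IndicatorExpression>"""
```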
3.29.4. IndicatorExpression Class

The IndicatorExpression describes an expression composed of observed
phenomena or features, or indicators. Elements of the expression
can be described directly, reference relevant data from other parts
of a given IODEF document, or reference previously defined
indicators.

All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is
determined by the operator attribute.

+--------------------------+
|   IndicatorExpression    |
+--------------------------+
| ENUM operator            |<>--{0..*}--[ IndicatorExpression ]
| STRING ext-operator      |<>--{0..*}--[ Observable ]
|                          |<>--{0..*}--[ ObservableReference ]
|                          |<>--{0..*}--[ IndicatorReference ]
|                          |<>--{0..1}--[ Confidence ]
|                          |<>--{0..*}--[ AdditionalData ]
+--------------------------+

Figure 65: The IndicatorExpression Class

The aggregate classes of the IndicatorExpression class are:

IndicatorExpression
Zero or more. An expression composed of other observables or
indicators. See Section 3.29.4.

Observable
Zero or more. A description of an observable. See
Section 3.29.3.

ObservableReference
Zero or more. A reference to an observable. See Section 3.29.6.

IndicatorReference
Zero or more. A reference to an indicator. See Section 3.29.7.

Confidence
Zero or one. An estimate of the confidence in the quality of the
terms expressed in the expression. See Section 3.12.5.

AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data
model.

The attributes of the IndicatorExpression class are:

operator
Optional. ENUM. The operator to be applied between the child
elements. See Section 3.29.5 for parsing guidance. The default
value is "and". These values are maintained in the
"IndicatorExpression-operator" IANA registry per Section 10.2.

1. not. Negation operator.

2. and. Conjunction operator.

3. or. Disjunction operator.

4. xor. Exclusive disjunction operator.

ext-operator
Optional. STRING. A means by which to extend the operator
attribute. See Section 5.1.1.
3.29.5. Expressions with IndicatorExpression

Boolean algebraic expressions can be used to specify relationships
between observables and indicators. These expressions are
constructed through the use of the operator attribute and
parent-child relationships in IndicatorExpressions. These
expressions should be parsed as follows:

1. The operator specified by the operator attribute is applied
between each of the child elements of the immediate parent
IndicatorExpression element. If no operator attribute is
specified, it should be assumed to be the conjunction operator
(i.e., operator="and").

2. A nested IndicatorExpression element with a parent
IndicatorExpression is the equivalent of parentheses in the
expression.

The examples in Figure 66 through Figure 70 illustrate these parsing
rules:

<IndicatorExpression>
  <Observable>[O1]</Observable>
  <Observable>[O2]</Observable>
</IndicatorExpression>

Equivalent expression: (O1 AND O2)

Figure 66: Nested elements in an IndicatorExpression without an
operator attribute specified

<IndicatorExpression operator="or">
  <Observable>[O1]</Observable>
  <Observable>[O2]</Observable>
</IndicatorExpression>

Equivalent expression: (O1 OR O2)

Figure 67: Nested elements in an IndicatorExpression with an operator
attribute specified

<IndicatorExpression operator="or">
  <IndicatorExpression operator="or">
    <Observable>[O1]</Observable>
    <Observable>[O2]</Observable>
  </IndicatorExpression>
  <Observable>[O3]</Observable>
</IndicatorExpression>

Equivalent expression: ((O1 OR O2) OR O3)

Figure 68: Nested elements with a recursive IndicatorExpression with
an operator attribute specified

<IndicatorExpression operator="not">
  <IndicatorExpression>
    <Observable>[O1]</Observable>
    <Observable>[O2]</Observable>
  </IndicatorExpression>
</IndicatorExpression>

Equivalent expression: (NOT (O1 AND O2))

Figure 69: A recursive IndicatorExpression with an operator attribute
specified

<IndicatorExpression operator="or">
  <IndicatorExpression>
    <Observable>[O1 with low confidence]</Observable>
    <Confidence rating="low"/>
  </IndicatorExpression>
  <IndicatorExpression>
    <Observable>[O2 with high confidence]</Observable>
    <Confidence rating="high"/>
  </IndicatorExpression>
</IndicatorExpression>

Equivalent expression: ((O1) OR (O2))

Figure 70: Varying confidence on particular Observables

Invalid algebraic expressions, while valid XML, MUST NOT be specified.
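The parsing rules above, as an added example that is not part of the draft: a Python evaluator that applies the default "and", treats nesting as parentheses, and rejects a "not" given more than one operand (valid XML, but not an expression). Observables are stood in for by the placeholder names used in the figures; matching real Observable content is assumed to happen elsewhere.

```python
"""Evaluate IODEF IndicatorExpression trees by the rules of Section 3.29.5.

Added example, not code from the draft. Observables are stood in for by
placeholder names in their text, as [O1] and [O2] are in Figures 66 to 70;
a real implementation would match the Observable's content against
observed data. The fragments below are constructed for this example.
"""
import xml.etree.ElementTree as ET

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"
OPERANDS = ("IndicatorExpression", "Observable", "ObservableReference", "IndicatorReference")

def _tag(elem):
    return elem.tag.rsplit("}", 1)[-1]

def _operator(expr):
    op = expr.get("operator", "and")  # rule 1: an absent operator means "and"
    if op == "ext-value":
        raise ValueError(f"private operator {expr.get('ext-operator')!r} not understood")
    if op not in ("and", "or", "xor", "not"):
        raise ValueError(f"unknown operator {op!r}")
    return op

def _operands(expr):
    # Confidence and AdditionalData are metadata, not terms of the expression.
    return [c for c in expr if _tag(c) in OPERANDS]

def _name(term):
    if _tag(term) == "Observable":
        return (term.get("observable-id") or term.text or "").strip().strip("[]")
    return term.get("uid-ref") or term.get("euid-ref") or "?"

def _fold(expr, leaf, combine):
    """Shared walk: nested IndicatorExpressions are folded first (rule 2:
    nesting is parenthesis); `leaf` maps any other operand to a value."""
    op, terms = _operator(expr), _operands(expr)
    if not terms:
        raise ValueError("IndicatorExpression without operands")
    vals = [_fold(t, leaf, combine) if _tag(t) == "IndicatorExpression" else leaf(t)
            for t in terms]
    if op == "not" and len(vals) != 1:  # valid XML, but not a boolean expression
        raise ValueError("'not' takes exactly one operand")
    return combine(op, vals)

def to_infix(expr):
    """Render the tree like the figures' 'Equivalent expression' lines."""
    def combine(op, vals):
        return f"(NOT {vals[0]})" if op == "not" else "(" + f" {op.upper()} ".join(vals) + ")"
    return _fold(expr, _name, combine)

def evaluate(expr, truth):
    """Evaluate against a mapping from observable name (or uid-ref) to bool."""
    def combine(op, vals):
        if op == "not":
            return not vals[0]
        if op == "and":
            return all(vals)
        if op == "or":
            return any(vals)
        return sum(vals) % 2 == 1  # xor
    return _fold(expr, lambda t: truth[_name(t)], combine)

def parse(xml_text):
    root = ET.fromstring(xml_text)
    if _tag(root) != "IndicatorExpression":
        raise ValueError("root must be an IndicatorExpression")
    return root

def is_valid_expression(xml_text):
    """False for the 'valid XML, invalid expression' case the section forbids."""
    try:
        to_infix(parse(xml_text))
        return True
    except ValueError:
        return False

# Figure 69: (NOT (O1 AND O2)); the inner expression carries no operator.
FIG69 = f"""<IndicatorExpression xmlns="{IODEF}" operator="not">
  <IndicatorExpression>
    <Observable>[O1]</Observable><Observable>[O2]</Observable>
  </IndicatorExpression>
</IndicatorExpression>"""

# Figure 70: ((O1) OR (O2)) with a Confidence attached to each operand.
FIG70 = f"""<IndicatorExpression xmlns="{IODEF}" operator="or">
  <IndicatorExpression><Observable>[O1]</Observable><Confidence rating="low"/></IndicatorExpression>
  <IndicatorExpression><Observable>[O2]</Observable><Confidence rating="high"/></IndicatorExpression>
</IndicatorExpression>"""

# Valid XML but not a boolean expression: "not" applied between two children.
BAD = f"""<IndicatorExpression xmlns="{IODEF}" operator="not">
  <Observable>[O1]</Observable><Observable>[O2]</Observable>
</IndicatorExpression>"""
```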
3.29.6. ObservableReference Class

The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document.

The ObservableReference class has no content.

+-------------------------+
|   ObservableReference   |
+-------------------------+
| IDREF uid-ref           |
+-------------------------+

Figure 71: The ObservableReference Class

The attribute of the ObservableReference class is:

uid-ref
Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this
identifier set in its observable-id attribute.
3.29.7. IndicatorReference Class

The IndicatorReference describes a reference to an indicator. This
reference may be to an indicator described in this IODEF document or
in a previously exchanged IODEF document.

The IndicatorReference class has no content.

+--------------------------+
|    IndicatorReference    |
+--------------------------+
| IDREF uid-ref            |
| STRING euid-ref          |
| STRING version           |
+--------------------------+

Figure 72: The IndicatorReference Class

The attributes of the IndicatorReference class are:

uid-ref
Optional. IDREF. An identifier that references an Indicator
class in the IODEF document. The referenced Indicator class will
have this identifier set in its IndicatorID class.

euid-ref
Optional. STRING. An identifier that references an IndicatorID
not in this IODEF document.

version
Optional. STRING. A version number of an indicator.

Either the uid-ref or the euid-ref attribute MUST be set.
3.29.8. AttackPhase Class

The AttackPhase class describes a particular phase of an attack
lifecycle.

+------------------------+
|      AttackPhase       |
+------------------------+
|                        |<>--{0..*}--[ AttackPhaseID ]
|                        |<>--{0..*}--[ URL ]
|                        |<>--{0..*}--[ Description ]
|                        |<>--{0..*}--[ AdditionalData ]
+------------------------+

Figure 73: AttackPhase Class

The aggregate classes of the AttackPhase class are:

AttackPhaseID
Zero or more. STRING. An identifier for the phase of the attack.

URL
Zero or more. URL. A URL to a resource describing this phase of
the attack.

Description
Zero or more. ML_STRING. A free-form text description of this
phase of the attack.

AdditionalData
Zero or more. EXTENSION. A mechanism by which to extend the data
model.

AttackPhase MUST have at least one instance of a child class.

The AttackPhase class has no attributes.
4. Processing Considerations

This section provides additional requirements and guidance on
creating and processing IODEF documents.

4.1. Encoding

Every IODEF document MUST begin with an XML declaration and MUST
specify the XML version used. The character encoding MUST also be
explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
[RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
NOT be used. The IODEF conforms to all XML data encoding conventions
and constraints.

The XML declaration with UTF-8 character encoding will read as
follows:

<?xml version="1.0" encoding="UTF-8"?>

Certain characters have special meaning in XML and MUST NOT appear in
literal form. Per Section 2.4 of [W3C.XML], these characters MUST be
escaped with a numeric character or entity reference.
4.2. IODEF Namespace

The IODEF schema declares a namespace of
"urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
Each IODEF document MUST include a valid reference to the IODEF
schema using the "xsi:schemaLocation" attribute. An example of such
a declaration would look as follows:

<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
  https://www.iana.org/assignments/xml-registry/schema/iodef-2.0.xsd">
4.3. Validation

IODEF documents MUST be well-formed XML. It is RECOMMENDED that
recipients validate the document against the schema described in
Section 8. However, mere conformance to this schema is not
sufficient for a semantically valid IODEF document. The text of
Section 3 describes further formatting and constraints, some of
which cannot be conveniently encoded in the schema. These MUST also
be considered by an IODEF implementation. Furthermore, the
enumerated values present in this document are a static list that
will be incomplete over time, as select attributes can be extended by
a corresponding IANA registry per Section 10.2. Therefore, IODEF
implementations MUST periodically update their schema and MAY need to
update their parsing algorithms to incorporate newly registered
values.
4.4. Incompatibilities with v1

The IODEF data model in this document makes a number of changes to
[RFC5070]. These changes were largely additive -- classes and
enumerated values were added. However, some incompatibilities
between [RFC5070] and this new specification were introduced. These
incompatibilities are as follows:

o The IODEF-Document@version attribute is set to "2.0".

o Attributes with enumerated values can now also be extended with
IANA registries.

o All iodef:MLStringType classes use xml:lang. IODEF-Document also
uses xml:lang.

o The Service@ip_protocol attribute was renamed to @ip-protocol.

o The Node/NodeName class was removed in favor of representing
domain names with the Node/DomainData/Name class. The Node/DateTime
class was also removed so that the Node/DomainData/
DateDomainWasChecked class can represent the time at which the
name-to-address resolution occurred.

o The Node/NodeRole class was moved to System/NodeRole.

o The Reference class is now defined by [RFC7495].

o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has
been removed.

o The semantics of Counter@type are now represented in Counter@unit.

o The IODEF-Document@formatid attribute has been renamed to
@format-id.

o Incident/ReportTime is no longer mandatory. However,
GenerationTime is.

o The Fax class was removed and is now represented by a generic
Telephone class.

o The Telephone, Email and PostalAddress classes were redefined for
improved internationalization.

o The "ipv6-net-mask" value was removed from the category attribute
of Address.
5. Extending the IODEF

In order to support the dynamic nature of security operations, the
IODEF data model will need to continue to evolve. This section
discusses how new data elements can be incorporated into the IODEF.
There is support to add additional enumerated values and new classes.
Adding additional attributes to existing classes is not supported.

These extension mechanisms are designed so that adding new data
elements is possible without requiring modifications to this
document. Extensions can be implemented publicly or privately. With
proven value, well-documented extensions can be incorporated into
future versions of the specification.

5.1. Extending the Enumerated Values of Attributes

Additional enumerated values can be added to select attributes either
through the use of specially marked attributes with the "ext-" prefix
or through a set of corresponding IANA registries. The former
approach allows for the extension to remain private. The latter
approach is public.
5.1.1. Private Extension of Enumerated Values

The data model supports adding new enumerated values to an attribute
without public registration. For each attribute that supports this
extension technique, there is a corresponding attribute in the same
element whose name is identical but with a prefix of "ext-". This
special attribute is referred to as the extension attribute. The
attribute being extended is referred to as an extensible attribute.
For example, an extensible attribute named "foo" will have a
corresponding extension attribute named "ext-foo". An element may
have many extensible attributes.

In addition to a corresponding extension attribute, each extensible
attribute has "ext-value" as one of its possible enumerated values.
Selection of this particular value in an extensible attribute signals
that the extension attribute contains data. Otherwise, this
"ext-value" value has no meaning.

In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute.
For example, extending the type attribute of the SystemImpact class
would look as follows:

<SystemImpact type="ext-value" ext-type="new-attack-type">

A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value".
5.1.2. Public Extension of Enumerated Values

The data model also supports publicly extending select enumerated
attributes. A new entry can be added by registering a new entry in
the appropriate IANA registry. Section 10.2 provides a mapping
between the extensible attributes and their corresponding registry.
Section 4.3 discusses the XML Validation implications of this type of
extension. All extensible attributes that support private extensions
also support public extensions.
5.2. Extending Classes

Classes of the EXTENSION (iodef:ExtensionType) type can extend the
data model. They provide the ability to have new atomic or
XML-encoded data elements in all of the top-level classes of the
Incident class and a few of the complex subordinate classes. As
there are multiple instances of the extensible classes in the data
model, there is discretion on where to add a new data element. It is
RECOMMENDED that the extension be placed in the class most closely
related to the new information.

Extensions using the atomic data types (i.e., all values of the dtype
attribute other than "xml") MUST:

1. Set the element content to the desired value, and

2. Set the dtype attribute to correspond to the data type of the
element content.

The following guidelines exist for extensions using XML (i.e.,
dtype="xml"):

1. The element content of the extensible class MUST be set to the
desired value and the dtype attribute MUST be set to "xml".

2. The extension schema MUST declare a separate namespace. It is
RECOMMENDED that these extensions have the prefix "iodef-". This
recommendation makes the document easier to read by allowing the
reader to infer which namespaces relate to IODEF by inspection.

3. It is RECOMMENDED that extension schemas follow the naming
convention of the IODEF data model. This too improves the
readability of extended IODEF documents. The names of all
elements SHOULD be capitalized. For elements with composed
names, a capital letter SHOULD be used for each word. Attribute
names SHOULD be in lower case. Attributes with composed names
SHOULD be separated by a hyphen.

4. Implementations that encounter an unrecognized element, attribute
or attribute value in a supported namespace SHOULD reject the
document as a syntax error.

5. There are security and performance implications in requiring
implementations to dynamically download schemas at run time.
Therefore, implementations MUST NOT download schemas at runtime
unless the appropriate precautions are taken. Implementations
also need to contend with the potential of significant network
and processing issues.

6. Some adopters of the IODEF may have private schema definitions
that are not publicly available. Thus, implementations may
encounter IODEF documents with references to private schemas that
may not be resolvable. Hence, IODEF document recipients MUST be
prepared for a schema definition in an IODEF document never to
resolve.

The following schema and XML document excerpt provide a template for
an extension schema and its use in the IODEF document.

This example schema defines a namespace of "iodef-extension1" and a
single element named "newdata".

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  targetNamespace="urn:ietf:params:xml:schema:iodef-extension1"
  xmlns:iodef-extension1="urn:ietf:params:xml:schema:iodef-extension1"
  attributeFormDefault="unqualified"
  elementFormDefault="qualified">

  <xs:element name="newdata" type="xs:string"/>

</xs:schema>

The following XML excerpt demonstrates the use of the above schema as
an extension to the IODEF.

<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:iodef-extension1="urn:ietf:params:xml:schema:iodef-extension1"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
  https://www.iana.org/assignments/xml-registry/schema/iodef-2.0.xsd
  urn:ietf:params:xml:schema:iodef-extension1 iodef-extension1.xsd">
  <Incident purpose="reporting">
    ...
    <AdditionalData dtype="xml">
      <iodef-extension1:newdata>
        Field that could not be represented elsewhere
      </iodef-extension1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>

If an unrecognized private extension is encountered in processing,
the recipient MAY reject the entire document as a syntax error.
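An added example (not the draft's code) that applies the rules of Section 5.1.1 (every "ext-foo" attribute paired with foo="ext-value" and vice versa) and of this section (atomic versus dtype="xml" content, a separate namespace, and unrecognized private extensions reported so the caller can reject) to a constructed document. The extension namespace EXT1, the private namespace and the element values in the sample are assumptions.

```python
"""Consistency checks for IODEF extension points (Sections 5.1.1 and 5.2).

Added example, not code from the draft. Checked: every "ext-foo" attribute
is paired with foo="ext-value" and vice versa; AdditionalData carries
either atomic content with a matching dtype or, for dtype="xml", child
elements in a separate, recognized namespace. Unrecognized private
namespaces are reported so the caller can reject the document (which
Section 5.2 says it MAY do). The sample document is constructed.
"""
import xml.etree.ElementTree as ET

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"
EXT1 = "urn:ietf:params:xml:schema:iodef-extension1"  # assumed extension namespace

def _split(tag):
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def _check_ext_pairs(elem):
    attrs, local, out = elem.attrib, _split(elem.tag)[1], []
    for name, value in attrs.items():
        if name.startswith("ext-") and attrs.get(name[4:]) != "ext-value":
            out.append(f"{local}: {name} set but {name[4:]} is not 'ext-value'")
        if value == "ext-value" and f"ext-{name}" not in attrs:
            out.append(f"{local}: {name}='ext-value' without ext-{name}")
    return out

def _check_extension_class(elem, supported):
    dtype, children, out = elem.get("dtype"), list(elem), []
    if dtype is None:
        return ["AdditionalData without dtype"]
    if dtype == "ext-value":  # privately extended type; pairing checked above
        return out
    if dtype != "xml":  # atomic type: value in the element content, no child XML
        if children:
            out.append(f"AdditionalData dtype={dtype!r} but content is XML")
        elif not (elem.text or "").strip():
            out.append(f"AdditionalData dtype={dtype!r} without content")
        return out
    if not children:
        return ["AdditionalData dtype='xml' without child element"]
    for child in children:
        ns = _split(child.tag)[0]
        if ns == IODEF:  # item 2: an extension MUST declare a separate namespace
            out.append("extension element in the IODEF namespace itself")
        elif ns not in supported:  # reported; the recipient MAY reject the document
            out.append(f"unrecognized private extension namespace {ns!r}")
    return out

def check_extensions(xml_text, supported=frozenset({IODEF, EXT1})):
    """Return the list of extension problems in document order."""
    # xml.etree never downloads schemas or DTDs; schema validation stays
    # offline against locally stored copies (Section 5.2, items 5 and 6).
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        problems += _check_ext_pairs(elem)
        if _split(elem.tag) == (IODEF, "AdditionalData"):
            problems += _check_extension_class(elem, supported)
    return problems

# Constructed sample: one good private extension (SystemImpact), one
# ext-operator without ext-value, one ext-value without ext-type, and one
# AdditionalData in a namespace the recipient does not know.
SAMPLE = f"""<IODEF-Document version="2.0" xml:lang="en" xmlns="{IODEF}"
    xmlns:iodef-extension1="{EXT1}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">constructed-1</IncidentID>
    <Assessment>
      <SystemImpact type="ext-value" ext-type="new-attack-type"/>
    </Assessment>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">i-1</IndicatorID>
        <IndicatorExpression operator="and" ext-operator="nand">
          <Observable>
            <BulkObservable type="ext-value">
              <BulkObservableList>x</BulkObservableList>
            </BulkObservable>
          </Observable>
        </IndicatorExpression>
      </Indicator>
    </IndicatorData>
    <AdditionalData dtype="xml">
      <iodef-extension1:newdata>Field that could not be represented
      elsewhere</iodef-extension1:newdata>
    </AdditionalData>
    <AdditionalData dtype="integer">42</AdditionalData>
    <AdditionalData dtype="xml">
      <p:Note xmlns:p="urn:example:private-schema">1</p:Note>
    </AdditionalData>
  </Incident>
</IODEF-Document>"""
```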
6. Internationalization Issues

Internationalization and localization are of specific concern to the
IODEF, as it facilitates operational coordination with a diverse set
of partners. The IODEF implements internationalization by relying on
XML constructs and through explicit design choices in the data model.

Since the IODEF is implemented as an XML Schema, it supports the
different character encodings, such as UTF-8 and UTF-16, possible
with XML. Additionally, each IODEF document MUST specify the
language in which its content is encoded. The language can be
specified with the attribute "xml:lang" (per Section 2.12 of
[W3C.XML]) in the top-level element (i.e., IODEF-Document), letting
all other elements inherit that definition. All IODEF classes with a
free-form text definition (i.e., all those defined with type
iodef:MLStringType) can also specify a language different from the
rest of the document.

The data model supports multiple translations of free-form text. All
ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
to their parent. This allows the identical text translated into
different languages to be encoded in different instances of the same
class with a common parent. This design also enables the creation of
a single document containing all the translations. The IODEF
implementation SHOULD extract the appropriate language relevant to
the recipient.

Related instances of a given iodef:MLStringType class that are
translations of each other are identified by a common identifier set
in the translation-id attribute. The example below shows three
instances of a Description class expressed in three different
languages. The relationship between these three instances of the
Description class is conveyed by the common value of "1" in the
translation-id attribute.

<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  ...
  <Description translation-id="1">English</Description>
  <Description translation-id="1" xml:lang="de">Englisch</Description>
  <Description translation-id="1" xml:lang="fr">Anglais</Description>

The IODEF balances internationalization support with the need for
interoperability. While the IODEF supports different languages, the
data model also relies heavily on standardized enumerated attributes
that can crudely approximate the contents of the document. With this
approach, a CSIRT should be able to make some sense of an IODEF
document it receives even if the free-form text data elements are
written in a language unfamiliar to the recipient.
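As an added example that is not part of the draft, the following Python resolves the inherited xml:lang of each Description, groups instances by translation-id, and selects the recipient's language with a fallback to the document language. The sample document is constructed around the three Description instances above; language tags are compared exactly, which is a simplification.

```python
"""Pick the translation of an ML_STRING class that suits the recipient.

Added example, not code from the draft. It applies Section 6: xml:lang is
inherited from the enclosing element (ultimately IODEF-Document), and
instances of one class that share a translation-id are translations of
each other. Language tags are compared exactly here (no "de-DE" vs "de"
fallback). The document is constructed around the three Description
instances shown in Section 6.
"""
import xml.etree.ElementTree as ET

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

SAMPLE = f"""<IODEF-Document version="2.0" xml:lang="en" xmlns="{IODEF}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <Description translation-id="1">English</Description>
    <Description translation-id="1" xml:lang="de">Englisch</Description>
    <Description translation-id="1" xml:lang="fr">Anglais</Description>
    <Description>Constructed note without translations</Description>
  </Incident>
</IODEF-Document>"""

def ml_strings(root, local_name):
    """Yield (effective xml:lang, text, translation-id) for each instance of
    the ML_STRING class `local_name`, resolving xml:lang by inheritance."""
    def walk(elem, inherited):
        lang = elem.get(XML_LANG, inherited)
        if elem.tag == f"{{{IODEF}}}{local_name}":
            yield lang, (elem.text or "").strip(), elem.get("translation-id")
        for child in elem:
            yield from walk(child, lang)
    yield from walk(root, None)

def effective_languages(xml_text, local_name="Description"):
    """The inherited-or-explicit xml:lang of each instance, in document order."""
    return [lang for lang, _, _ in ml_strings(ET.fromstring(xml_text), local_name)]

def select_texts(xml_text, preferred, local_name="Description"):
    """One text per translation group: the preferred language if present,
    else the document's default language, else the first instance."""
    root = ET.fromstring(xml_text)
    default = root.get(XML_LANG)
    if default is None:
        raise ValueError("IODEF-Document MUST carry xml:lang")
    groups = {}  # translation-id -> [(lang, text)]; untagged instances stand alone
    for i, (lang, text, tid) in enumerate(ml_strings(root, local_name)):
        key = tid if tid is not None else ("single", i)
        groups.setdefault(key, []).append((lang, text))
    chosen = []
    for items in groups.values():
        by_lang = dict(items)
        chosen.append(by_lang.get(preferred, by_lang.get(default, items[0][1])))
    return chosen
```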
7. Examples

This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the only
way to encode particular information.

7.1. Minimal Example

A document containing only the mandatory elements and attributes.

<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
  https://www.iana.org/assignments/xml-registry/schema/iodef-2.0.xsd">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <Contact type="organization" role="creator">
      <Email>
        <EmailTo>contact@csirt.example.com</EmailTo>
      </Email>
    </Contact>
  </Incident>
</IODEF-Document>

7.2. Indicators from a Campaign

An example of C2 domains from a given campaign.

<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
  https://www.iana.org/assignments/xml-registry/schema/iodef-2.0.xsd">
  <Incident purpose="watch" restriction="green">
    <IncidentID name="csirt.example.com">897923</IncidentID>
    <RelatedActivity>
      <ThreatActor>
        <ThreatActorID>
          TA-12-AGGRESSIVE-BUTTERFLY
        </ThreatActorID>
        <Description>Aggressive Butterfly</Description>
      </ThreatActor>
      <Campaign>
        <CampaignID>C-2015-59405</CampaignID>
        <Description>Orange Giraffe</Description>
      </Campaign>
    </RelatedActivity>
    <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
    <Description>Summarizes the Indicators of Compromise
      for the Orange Giraffe campaign of the Aggressive
      Butterfly crime gang.
    </Description>
    <Assessment>
      <BusinessImpact type="breach-proprietary"/>
    </Assessment>
    <Contact type="organization" role="creator">
      <ContactName>CSIRT for example.com</ContactName>
      <Email>
        <EmailTo>contact@csirt.example.com</EmailTo>
      </Email>
    </Contact>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">
          G90823490
        </IndicatorID>
        <Description>C2 domains</Description>
        <StartTime>2014-12-02T11:18:00-05:00</StartTime>
        <Observable>
          <BulkObservable type="domain-name">
            <BulkObservableList>
              kj290023j09r34.example.com
              09ijk23jfj0k8.example.net
              klknjwfjiowjefr923.example.org
              oimireik79msd.example.org
            </BulkObservableList>
          </BulkObservable>
        </Observable>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>
8. The IODEF Data Model (XML Schema)
7358 9. Security Considerations
7360 The IODEF data model does not directly introduce security or privacy
7361 issues. However, as the data encoded by the IODEF might be
7362 considered sensitive by the parties exchanging it or by those
7363 described by it, care needs to be taken to ensure appropriate
7364 handling during the document construction, exchange, processing,
7365 archiving, subsequent retrieval and analysis.
7367 9.1. Security
7369 The underlying messaging format and protocol used to exchange
7370 instances of the IODEF MUST provide appropriate guarantees of
7371 confidentiality, integrity, and authenticity. The use of a
7372 standardized security protocol is encouraged. The Real-time Inter-
7373 network Defense (RID) protocol [RFC6545] and its associated transport
7374 binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.
7376 An IODEF implementation may act on the data in the document. These
7377 actions might be explicitly requested in the document or the result
7378 of analytical logic that triggered on data in the document. For this
7379 reason, care must be taken by IODEF implementations to properly
7380 authenticate the sender and receiver of the document. The sender
7381 needs confidence that sensitive information and timely requests for
7382 action are sent to the correct recipient. The recipient may
7383 interpret the contents of the document differently based on who sent
7384 it, or vary its actions based on the sender. While the sender of the
7385 document may explicitly convey confidence in the data in a granular
7386 way using the Confidence class, the recipient is free to ignore or
7387 refine this information to make its own assessment.
7389 Certain classes may require out-of-band coordination to agree upon
7390 their semantics (e.g., Confidence@rating="low" or DefinedCOA). This
7391 coordination MUST occur prior to operational data exchange to prevent
7392 the incorrect interpretation of these select data elements. When
7393 parsing these data elements, implementations should validate, when
7394 possible, that they conform to the agreed upon semantics. These
7395 semantics may need to be periodically reevaluated.
7397 Executable content of various forms could be embedded into the IODEF
7398 document directly or through an extension. Implementations MUST
7399 handle this content with care to prevent unintentional automated
7400 execution. The following classes are explicitly intended to
7401 represent content that might be executable:
7403 o All classes of type iodef:ExtensionType and the RecordPattern
7404 class can represent arbitrary binary strings such as legitimate
7405 software programs or malware.
7407 o The EmailMessage and EmailBody classes can represent email
7408 attachments that can contain arbitrary content.
7410 o The DetectionPattern class could specify a machine-readable
7411 configuration that directs the execution of the corresponding
7412 tool.
7414 Per Section 4.3, IODEF implementations will need to periodically
7415 consult the IANA registries specified in Section 10.2 to discover
7416 newly registered enumerated attribute values. These implementations
7417 MUST communicate with IANA in a way that ensures the integrity of the
7418 values and the authenticity of the source. HTTPS over TLS
7419 [RFC2818][RFC5246] provides such security.
7421 9.2. Privacy
7423 The IODEF contains numerous fields that are identifiers which could
7424 be linked to an individual or organization. IODEF documents may
7425 contain sensitive information about these identified parties, and
7426 repeated document exchanges about the same and related parties may
7427 enable the correlation of data about them. Likewise, a party may
7428 report on another to a third party without their knowledge.
7430 When creating an IODEF document, careful consideration must be given
7431 to what information is shared. Personal identifiers and attributable
7432 sensitive information should only be shared when necessary.
7434 When exchanging documents, transport security MUST provide document-
7435 level confidentiality. XML element-level confidentiality can also be
7436 provided by using [W3C.XMLENC].
7438 In order to suggest data processing and handling guidelines of the
7439 encoded information, the IODEF allows a document sender to convey a
7440 privacy policy using the restriction attribute. The various
7441 instances of this attribute allow different data elements of the
7442 document to be covered by dissimilar policies. While flexible, it
7443 must be stressed that this approach only serves as a guideline from
7444 the sender, as the recipient is free to ignore it.
7446 Although outside of the scope of an IODEF implementation, the
7447 contents of IODEF documents and any derived analysis should be
7448 archived with appropriate confidentiality controls. Likewise,
7449 access to retrieve and analyze this data should be restricted to
7450 authorized users.
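A defensive pre-processing pass that applies the points of Sections 9.1 and 9.2 to an IODEF 2.0 document, as an added example (not code from the draft or from any IODEF implementation): it quarantines the classes listed above as possible carriers of executable content instead of acting on them, checks Confidence@rating against the set agreed out of band, and collects restriction markings for handling policy. It assumes the element names AdditionalData (taken to be an ExtensionType class), RecordPattern, EmailBody and DetectionPattern under the Section 10.1 namespace, and uses a constructed sample document.

```python
"""Defensive pre-processing of an IODEF 2.0 document before any automated
action is taken on it.  Added example, not code from the draft.
Assumed (not stated on this page): the element names below, that
AdditionalData is an ExtensionType class, and that the agreed Confidence
ratings are whatever the parties settled out of band and are passed in."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # namespace from Section 10.1

# Classes Section 9.1 names as possible carriers of executable content.
EXECUTABLE_BEARING = {"RecordPattern", "EmailBody", "DetectionPattern",
                      "AdditionalData"}  # AdditionalData: assumed ExtensionType


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def triage(xml_text, agreed_ratings):
    """Walk the document and report, without acting on anything:
    quarantine   - (class, dtype) of elements whose content may be executable,
    bad_ratings  - Confidence@rating values outside the agreed set,
    restrictions - restriction markings seen, for the handling policy."""
    # Treat the input as untrusted: ElementTree's expat parser does not fetch
    # external entities, and nothing below decodes or executes the content.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
        raise ValueError("not an IODEF 2.0 document")
    report = {"quarantine": [], "bad_ratings": [], "restrictions": set()}
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in EXECUTABLE_BEARING:
            report["quarantine"].append((name, elem.get("dtype", "string")))
        if name == "Confidence" and elem.get("rating") not in agreed_ratings:
            report["bad_ratings"].append(elem.get("rating"))
        if "restriction" in elem.attrib:
            report["restrictions"].add(elem.attrib["restriction"])
    return report


# Constructed sample document (not from the draft); the base64 is a dummy.
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <Assessment><Confidence rating="unverified"/></Assessment>
    <AdditionalData dtype="bytes">UExBQ0VIT0xERVI=</AdditionalData>
    <RecordPattern type="regex">^GET /cgi-bin/</RecordPattern>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    # Ratings assumed to have been agreed out of band for this demonstration.
    print(triage(SAMPLE, agreed_ratings=("low", "medium", "high")))
```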
7452 10. IANA Considerations
7454 This document registers a namespace, an XML schema, and a number of
7455 registries that map to enumerated values defined in the data model.
7456 It also defines an expert review process for IODEF-related XML
7457 registry entries.
7459 10.1. Namespace and Schema
7461 This document uses URNs to describe an XML namespace and schema
7462 conforming to a registry mechanism described in [RFC3688].
7464 Registration for the IODEF namespace:
7466 o URI: urn:ietf:params:xml:ns:iodef-2.0
7468 o Registrant Contact: See the first author of the "Author's Address"
7469 section of this document.
7471 o XML: None. Namespace URIs do not represent an XML specification.
7473 Registration for the IODEF XML schema:
7475 o URI: urn:ietf:params:xml:schema:iodef-2.0
7476 o Registrant Contact: See the first author of the "Author's Address"
7477 section of this document.
7479 o XML: See Section 8 of this document.
7481 10.2. Enumerated Value Registries
7483 This document creates 34 identically structured registries to be
7484 managed by IANA:
7486 o Name of the parent registry: "Incident Object Description Exchange
7487 Format v2 (IODEF)"
7489 o URL of the registry: http://www.iana.org/assignments/iodef2
7491 o Namespace format: A registry entry consists of:
7493 * Value. A value for a given IODEF attribute. It MUST conform
7494 to the formatting specified by the IODEF ENUM data type which
7495 is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of
7496 [W3C.SCHEMA.DTYPES]. The value SHOULD conform to the
7497 convention specified in Section 5.2.
7499 * Description. A short description of the enumerated value.
7501 * Reference. An optional list of URIs to further describe the
7502 value.
7504 o Allocation policy: Expert Review per [RFC5226]. This reviewer
7505 will ensure that the requested registry entry conforms to the
7506 prescribed formatting. The reviewer will also ensure that the
7507 entry is an appropriate value for the attribute per the
7508 information model (Section 3).
7510 The registries to be created are named in the "Registry Name" column
7511 of Table 1. Each registry is initially populated with values and
7512 descriptions that come from an attribute specified in the IODEF
7513 schema (Section 8) whose description is found in a sub-section of the
7514 information model (Section 3). The initial values for the Value and
7515 Description fields of a given registry are listed in the "IV (Value)"
7516 and "IV (Description)" columns respectively. The "IV (Value)" points
7517 to a given schema type per Section 8. Each enumerated value in the
7518 schema gets a corresponding entry in a given registry. The "IV
7519 (Description)" points to a section in the text of this document that
7520 describes each enumerated value. The initial value of the Reference
7521 field of every registry entry described below should be this
7522 document.
7524 +-----------------------+---------------------------+---------------+
7525 | Registry Name | IV (Value) | IV |
7526 | | | (Description) |
7527 +-----------------------+---------------------------+---------------+
7528 | Restriction | iodef-restriction-type | Section 3.3.1 |
7529 | | | |
7530 | Incident-purpose | incident-purpose-type | Section 3.2 |
7531 | | | |
7532 | Incident-status | incident-status-type | Section 3.2 |
7533 | | | |
7534 | Contact-role | contact-role-type | Section 3.9 |
7535 | | | |
7536 | Contact-type | contact-type-type | Section 3.9 |
7537 | | | |
7538 | RegistryHandle- | registryhandle-registry- | Section 3.9.1 |
7539 | registry | type | |
7540 | | | |
7541 | PostalAddress-type | postaladdress-type-type | Section 3.9.2 |
7542 | | | |
7543 | Telephone-type | telephone-type-type | Section 3.9.4 |
7544 | | | |
7545 | Email-type | email-type-type | Section 3.9.3 |
7546 | | | |
7547 | Expectation-action | action-type | Section 3.15 |
7548 | | | |
7549 | Discovery-source | discovery-source-type | Section 3.10 |
7550 | | | |
7551 | SystemImpact-type | systemimpact-type-type | Section |
7552 | | | 3.12.1 |
7553 | | | |
7554 | BusinessImpact- | businessimpact-severity- | Section |
7555 | severity | type | 3.12.2 |
7556 | | | |
7557 | BusinessImpact-type | businessimpact-type-type | Section |
7558 | | | 3.12.2 |
7559 | | | |
7560 | TimeImpact-metric | timeimpact-metric-type | Section |
7561 | | | 3.12.3 |
7562 | | | |
7563 | TimeImpact-duration | duration-type | Section |
7564 | | | 3.12.3 |
7565 | | | |
7566 | Confidence-rating | confidence-rating-type | Section |
7567 | | | 3.12.5 |
7568 | | | |
7569 | NodeRole-category | noderole-category-type | Section |
7570 | | | 3.18.2 |
7571 | | | |
7572 | System-category | system-category-type | Section 3.17 |
7573 | | | |
7574 | System-ownership | system-ownership-type | Section 3.17 |
7575 | | | |
7576 | Address-category | address-category-type | Section |
7577 | | | 3.18.1 |
7578 | | | |
7579 | Counter-type | counter-type-type | Section |
7580 | | | 3.18.3 |
7581 | | | |
7582 | Counter-unit | counter-unit-type | Section |
7583 | | | 3.18.3 |
7584 | | | |
7585 | DomainData-system- | domaindata-system-status- | Section 3.19 |
7586 | status | type | |
7587 | | | |
7588 | DomainData-domain- | domaindata-domain-status- | Section 3.19 |
7589 | status | type | |
7590 | | | |
7591 | RecordPattern-type | recordpattern-type-type | Section |
7592 | | | 3.22.2 |
7593 | | | |
7594 | RecordPattern- | recordpattern-offsetunit- | Section |
7595 | offsetunit | type | 3.22.2 |
7596 | | | |
7597 | Key-registryaction | key-registryaction-type | Section |
7598 | | | 3.23.1 |
7599 | | | |
7600 | HashData-scope | hashdata-scope-type | Section 3.26 |
7601 | | | |
7602 | BulkObservable-type | bulkobservable-type-type | Section |
7603 | | | 3.29.3.1 |
7604 | | | |
7605 | IndicatorExpression- | indicatorexpression- | Section |
7606 | operator | operator-type | 3.29.4 |
7607 | | | |
7608 | ExtensionType-dtype | dtype-type | Section 2.16 |
7609 | | | |
7610 | SoftwareReference- | softwarereference-spec- | Section |
7611 | spec-id | id-type | 2.15.1 |
7612 | | | |
7613 | SoftwareReference- | softwarereference-dtype- | Section |
7614 | dtype | type | 2.15.1 |
7615 +-----------------------+---------------------------+---------------+
7617 Table 1: IANA Enumerated Value Registries
7619 10.3. Expert Review of IODEF-Related XML Registry Entries
7621 IODEF class extensions, per Section 5.2, could register their
7622 namespaces and schemas with the IANA XML Namespace ("ns",
7623 http://www.iana.org/assignments/xml-registry/xml-registry.xhtml#ns)
7624 and Schema registries ("schema",
7625 http://www.iana.org/assignments/xml-registry/xml-registry.xhtml#schema) described in [RFC3688]. In
7626 addition to any reviews required by IANA, changes to the XML Schema
7627 registry for schema names beginning with
7628 "urn:ietf:params:xml:schema:iodef" are subject to an additional IODEF
7629 Expert Review [RFC5226] to ensure compatibility with IODEF and other
7630 existing IODEF extensions.
7632 The IODEF expert(s) for these reviews will be designated by the IETF
7633 Security Area Directors.
7635 This document obsoletes [RFC6685].
7637 11. Acknowledgments
7639 Thanks to Paul Stockler for his editorial leadership in the
7640 transition of RFC5070bis to this document.
7642 Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi
7643 Takahashi, David Waltermire and Sean Turner as the MILE working group
7644 chairs, secretary or area directors for providing feedback and
7645 coordination of this document.
7647 Thanks to the following individuals (listed alphabetically) who
7648 provided feedback during the meetings, on the mailing list or through
7649 implementation experience: Jerome Athias, David Black, Eric Burger,
7650 Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
7651 Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
7652 Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
7653 Suzuki and Nik Teague.
7655 12. References
7657 12.1. Normative References
7659 [W3C.XML] World Wide Web Consortium, "Extensible Markup Language
7660 (XML) 1.0 (Fifth Edition)", W3C Recommendation, November
7661 2008.
7663 [W3C.SCHEMA]
7664 World Wide Web Consortium, "XML Schema Part 1:
7665 Structures Second Edition", W3C Recommendation, October
7666 2004.
7668 [W3C.SCHEMA.DTYPES]
7669 World Wide Web Consortium, "XML Schema Part 2: Datatypes
7670 Second Edition", W3C Recommendation, October 2004.
7673 [W3C.XMLNS]
7674 World Wide Web Consortium, "Namespaces in XML 1.0 (Third
7675 Edition)", W3C Recommendation, December 2009.
7678 [W3C.XPATH]
7679 World Wide Web Consortium, "XML Path Language (XPath)
7680 3.1", W3C Candidate Recommendation, December 2015.
7683 [W3C.XMLSIG]
7684 World Wide Web Consortium, "XML Signature Syntax and
7685 Processing 2.0", W3C Recommendation, June 2008.
7688 [IEEE.POSIX]
7689 Institute of Electrical and Electronics Engineers,
7690 "Information Technology - Portable Operating System
7691 Interface (POSIX) - Part 1: Base Definitions",
7692 IEEE 1003.1, June 2001.
7694 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
7695 Requirement Levels", RFC 2119, March 1997.
7697 [RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
7698 Languages", RFC 5646, September 2009.
7700 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
7701 Resource Identifiers (URI): Generic Syntax", RFC 3986,
7702 January 2005.
7704 [RFC4519] Sciberras, A., "Schema for User Applications", RFC 4519,
7705 June 2006.
7707 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October
7708 2008.
7710 [RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
7711 Email", RFC 6531, February 2012.
7713 [RFC7495] Montville, A. and D. Black, "IODEF Enumeration Reference
7714 Format", RFC 7495, January 2015.
7716 [RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
7717 Incident Object Description Exchange Format (IODEF)
7718 Extension for Structured Cybersecurity Information",
7719 RFC 7203, April 2014.
7721 [ISO4217] International Organization for Standardization,
7722 "International Standard: Codes for the representation of
7723 currencies and funds, ISO 4217:2001", ISO 4217:2001,
7724 August 2001.
7726 [RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January
7727 2004.
7729 [IANA.Ports]
7730 Internet Assigned Numbers Authority, "Service Name and
7731 Transport Protocol Port Number Registry", January 2014.
7735 [IANA.Protocols]
7736 Internet Assigned Numbers Authority, "Assigned Internet
7737 Protocol Numbers", January 2014.
7741 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
7742 10646", RFC 3629, November 2003.
7744 [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
7745 10646", RFC 2781, February 2000.
7747 [IANA.Media]
7748 Internet Assigned Numbers Authority, "Media Types", March
7749 2015.
7752 [NIST.CPE]
7753 The National Institute of Standards and Technology,
7754 "Common Platform Enumeration", 2014.
7757 [ISO19770]
7758 International Organization for Standardization,
7759 "Information technology -- Software asset management --
7760 Part 2: Software identification tag, ISO/IEC
7761 19770-2:2015", ISO 19770-2:2015, October 2015.
7763 [E.164] ITU Telecommunication Standardization Sector, "The
7764 International Public Telecommunication Numbering Plan",
7765 ITU-T Recommendation E.164 (02/05), February 2005.
7767 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
7768 Address Text Representation", RFC 5952, August 2010.
7770 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
7771 Architecture", RFC 4291, February 2006.
7773 12.2. Informative References
7775 [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
7776 Object Description Exchange Format", RFC 5070, December
7777 2007.
7779 [RFC6685] Trammell, B., "Expert Review for Incident Object
7780 Description Exchange Format (IODEF) Extensions in IANA XML
7781 Registry", RFC 6685, July 2012.
7783 [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
7784 RFC 6545, April 2012.
7786 [RFC6546] Trammell, B., "Transport of Real-time Inter-network
7787 Defense (RID) Messages over HTTP/TLS", RFC 6546, April
7788 2012.
7790 [RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
7791 Class for Reporting Phishing", RFC 5901, July 2010.
7793 [NIST800.61rev2]
7794 Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
7795 "NIST Special Publication 800-61 Revision 2: Computer
7796 Security Incident Handling Guide", January 2012.
7800 [RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
7801 Type for the Internet Registry Information Service
7802 (IRIS)", RFC 3982, January 2005.
7804 [KB310516]
7805 Microsoft Corporation, "How to add, modify, or delete
7806 registry subkeys and values by using a registration
7807 entries (.reg) file", December 2007.
7809 [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
7810 Separated Values (CSV) File", RFC 4180, October 2005.
7812 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
7813 IANA Considerations Section in RFCs", RFC 5226, May 2008.
7815 [W3C.XMLENC]
7816 World Wide Web Consortium, "XML Encryption Syntax and
7817 Processing Version 1.1", W3C Recommendation, April 2013.
7820 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
7822 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
7823 (TLS) Protocol Version 1.2", RFC 5246, August 2008.
7825 Author's Address
7827 Roman Danyliw
7828 CERT - Carnegie Mellon University
7829 4500 Fifth Avenue
7830 Pittsburgh, PA
7831 USA
7833 EMail: rdd@cert.org