idnits 2.17.1
draft-ietf-mile-rfc5070-bis-26.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
in the document. If these are example addresses, they should be changed.
-- The draft header indicates that this document obsoletes RFC6685, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document obsoletes RFC5070, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
mean).
Found 'MUST not' in this paragraph:
Certain characters have special meaning in XML and MUST not appear
in literal form. Per Section 2.4 of [W3C.XML], these characters MUST be
escaped with a numeric character or entity reference.
== The document seems to contain a disclaimer for pre-RFC5378 work, but was
first submitted on or after 10 November 2008. The disclaimer is usually
necessary only for documents that revise or obsolete older RFCs, and that
take significant amounts of text from those RFCs. If you can contact all
authors of the source material and they are willing to grant the BCP78
rights to the IETF Trust, you can and should remove the disclaimer.
Otherwise, the disclaimer is needed and you can ignore this comment.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (October 5, 2016) is 2731 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: '0-9' is mentioned on line 7192, but not defined
== Missing Reference: '0-4' is mentioned on line 7192, but not defined
== Missing Reference: '0-5' is mentioned on line 7192, but not defined
== Missing Reference: 'O1' is mentioned on line 4904, but not defined
== Missing Reference: 'O2' is mentioned on line 4905, but not defined
== Missing Reference: 'O3' is mentioned on line 4894, but not defined
-- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'
** Downref: Normative reference to an Informational RFC: RFC 2781
-- Possible downref: Non-RFC (?) normative reference: ref. 'ISO19770'
-- Obsolete informational reference (is this intentional?): RFC 5070
(Obsoleted by RFC 7970)
-- Obsolete informational reference (is this intentional?): RFC 6685
(Obsoleted by RFC 7970)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
-- Obsolete informational reference (is this intentional?): RFC 2818
(Obsoleted by RFC 9110)
-- Obsolete informational reference (is this intentional?): RFC 5246
(Obsoleted by RFC 8446)
Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 11 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 MILE Working Group R. Danyliw
3 Internet-Draft CERT
4 Obsoletes: 5070, 6685 (if approved) October 5, 2016
5 Intended status: Standards Track
6 Expires: April 8, 2017
8 The Incident Object Description Exchange Format v2
9 draft-ietf-mile-rfc5070-bis-26
11 Abstract
13 The Incident Object Description Exchange Format (IODEF) defines a
14 data representation for security incident reports and indicators
15 commonly exchanged by operational security teams for mitigation and
16 watch and warning. This document describes an updated information
17 model for the IODEF and provides an associated data model specified
18 with XML Schema. This new information and data model obsoletes
19 Requests for Comments (RFCs) 5070 and 6685.
21 Status of This Memo
23 This Internet-Draft is submitted in full conformance with the
24 provisions of BCP 78 and BCP 79.
26 Internet-Drafts are working documents of the Internet Engineering
27 Task Force (IETF). Note that other groups may also distribute
28 working documents as Internet-Drafts. The list of current Internet-
29 Drafts is at http://datatracker.ietf.org/drafts/current/.
31 Internet-Drafts are draft documents valid for a maximum of six months
32 and may be updated, replaced, or obsoleted by other documents at any
33 time. It is inappropriate to use Internet-Drafts as reference
34 material or to cite them other than as "work in progress."
36 This Internet-Draft will expire on April 8, 2017.
38 Copyright Notice
40 Copyright (c) 2016 IETF Trust and the persons identified as the
41 document authors. All rights reserved.
43 This document is subject to BCP 78 and the IETF Trust's Legal
44 Provisions Relating to IETF Documents
45 (http://trustee.ietf.org/license-info) in effect on the date of
46 publication of this document. Please review these documents
47 carefully, as they describe your rights and restrictions with respect
48 to this document. Code Components extracted from this document must
49 include Simplified BSD License text as described in Section 4.e of
50 the Trust Legal Provisions and are provided without warranty as
51 described in the Simplified BSD License.
53 This document may contain material from IETF Documents or IETF
54 Contributions published or made publicly available before November
55 10, 2008. The person(s) controlling the copyright in some of this
56 material may not have granted the IETF Trust the right to allow
57 modifications of such material outside the IETF Standards Process.
58 Without obtaining an adequate license from the person(s) controlling
59 the copyright in such materials, this document may not be modified
60 outside the IETF Standards Process, and derivative works of it may
61 not be created outside the IETF Standards Process, except to format
62 it for publication as an RFC or to translate it into languages other
63 than English.
65 Table of Contents
67 1. Introduction
68 1.1. Terminology
69 1.2. Notations
70 1.3. About the IODEF Data Model
71 1.4. Changelog
72 2. IODEF Data Types
73 2.1. Integers
74 2.2. Real Numbers
75 2.3. Characters and Strings
76 2.4. Multilingual Strings
77 2.5. Binary Strings
78 2.5.1. Base64 Bytes
79 2.5.2. Hexadecimal Bytes
80 2.6. Enumerated Types
81 2.7. Date-Time String
82 2.8. Timezone String
83 2.9. Port Lists
84 2.10. Postal Address
85 2.11. Telephone Number
86 2.12. Email String
87 2.13. Uniform Resource Locator strings
88 2.14. Identifiers and Identifier References
89 2.15. Software
90 2.15.1. SoftwareReference Class
91 2.16. Extension
92 3. The IODEF Information Model
93 3.1. IODEF-Document Class
94 3.2. Incident Class
95 3.3. Common Attributes
96 3.3.1. restriction Attribute
97 3.3.2. observable-id Attribute
98 3.4. IncidentID Class
99 3.5. AlternativeID Class
100 3.6. RelatedActivity Class
101 3.7. ThreatActor Class
102 3.8. Campaign Class
103 3.9. Contact Class
104 3.9.1. RegistryHandle Class
105 3.9.2. PostalAddress Class
106 3.9.3. Email Class
107 3.9.4. Telephone Class
108 3.10. Discovery Class
109 3.10.1. DetectionPattern Class
110 3.11. Method Class
111 3.11.1. Reference Class
112 3.12. Assessment Class
113 3.12.1. SystemImpact Class
114 3.12.2. BusinessImpact Class
115 3.12.3. TimeImpact Class
116 3.12.4. MonetaryImpact Class
117 3.12.5. Confidence Class
118 3.13. History Class
119 3.13.1. HistoryItem Class
120 3.14. EventData Class
121 3.14.1. Relating the Incident and EventData Classes
122 3.14.2. Recursive Definition of EventData
123 3.15. Expectation Class
124 3.16. Flow Class
125 3.17. System Class
126 3.18. Node Class
127 3.18.1. Address Class
128 3.18.2. NodeRole Class
129 3.18.3. Counter Class
130 3.19. DomainData Class
131 3.19.1. Nameservers Class
132 3.19.2. DomainContacts Class
133 3.20. Service Class
134 3.20.1. ServiceName Class
135 3.20.2. ApplicationHeader Class
136 3.21. EmailData Class
137 3.22. Record Class
138 3.22.1. RecordData Class
139 3.22.2. RecordPattern Class
140 3.23. WindowsRegistryKeysModified Class
141 3.23.1. Key Class
142 3.24. CertificateData Class
143 3.24.1. Certificate Class
144 3.25. FileData Class
145 3.25.1. File Class
146 3.26. HashData Class
147 3.26.1. Hash Class
148 3.26.2. FuzzyHash Class
149 3.27. SignatureData Class
150 3.28. IndicatorData Class
151 3.29. Indicator Class
152 3.29.1. IndicatorID Class
153 3.29.2. AlternativeIndicatorID Class
154 3.29.3. Observable Class
155 3.29.4. IndicatorExpression Class
156 3.29.5. Expressions with IndicatorExpression
157 3.29.6. ObservableReference Class
158 3.29.7. IndicatorReference Class
159 3.29.8. AttackPhase Class
160 4. Processing Considerations
161 4.1. Encoding
162 4.2. IODEF Namespace
163 4.3. Validation
164 4.4. Incompatibilities with v1
165 5. Extending the IODEF
166 5.1. Extending the Enumerated Values of Attributes
167 5.1.1. Private Extension of Enumerated Values
168 5.1.2. Public Extension of Enumerated Values
169 5.2. Extending Classes
170 5.3. Deconflicting Private Extensions
171 6. Internationalization Issues
172 7. Examples
173 7.1. Minimal Example
174 7.2. Indicators from a Campaign
175 8. The IODEF Data Model (XML Schema)
176 9. Security Considerations
177 9.1. Security
178 9.2. Privacy
179 10. IANA Considerations
180 10.1. Namespace and Schema
181 10.2. Enumerated Value Registries
182 10.3. Expert Review of IODEF-Related XML Registry Entries
183 11. Acknowledgments
184 12. References
185 12.1. Normative References
186 12.2. Informative References
187 Author's Address
189 1. Introduction
191 Organizations require help from other parties to mitigate malicious
192 activity targeting their network and to gain insight into potential
193 threats. This coordination might entail working with an ISP to
194 filter attack traffic, contacting a remote site to take down a
195 botnet, or sharing watch-lists of known malicious indicators in a
196 consortium.
198 The Incident Object Description Exchange Format (IODEF) is a format
199 for representing computer security information commonly exchanged
200 between Computer Security Incident Response Teams (CSIRTs) or other
201 operational security teams. It provides an XML representation for
202 conveying:
204 o indicators to characterize a threat;
206 o security incident reports to document attacks against an
207 organization;
209 o response activity taken or that could be taken in response to an
210 incident; and
212 o meta-data so that these various classes of information can be
213 exchanged among parties.
215 The purpose of the IODEF is to enhance the operational capabilities
216 of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT
217 to resolve security incidents; understand threats; and coordinate
218 response activities and proactive mitigations by simplifying
219 collaboration and data sharing with its partners. This structured
220 format provided by the IODEF allows for:
222 o machine-to-machine exchange of incident and indicator data;
224 o automated processing of this data, thereby allowing more rapid
225 execution of appropriate courses of action; and
227 o the development of an ecosystem of interoperable tools enabling
228 security operations.
230 Sharing and coordinating with other organizations is not strictly a
231 technical problem. There are numerous procedural, cultural, legal
232 and trust-related barriers to overcome. The IODEF does not attempt
233 to address them directly. However, operational implementations of
234 the IODEF will need to consider these challenges.
236 Section 1 provides the background for the IODEF. Sections 3 and 8
237 specify the IODEF information and data model respectively. The data
238 types used in this document are described in Section 2. Processing
239 considerations, extending the specification, internationalization and
240 security issues are covered in Sections 4, 5, 6 and 9 respectively.
241 Examples are listed in Section 7.
243 1.1. Terminology
245 The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
246 "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
247 document are to be interpreted as described in [RFC2119].
249 1.2. Notations
251 The IODEF is specified as an Extensible Markup Language (XML)
252 [W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is
253 found in the XML schema in Section 8. To aid in the understanding of
254 the data elements, Section 3 also depicts the underlying information
255 model using Unified Modeling Language (UML). This abstract
256 presentation of the IODEF is not normative.
258 For clarity in this document, the term "XML document" will be used
259 when referring generically to any instance of an XML document. The
260 term "IODEF document" will be used to refer to an XML document
261 conforming to the IODEF specification. The term "schema" will be
262 used to refer to Section 8 of this document. The terms "data model"
263 and "schema" will be used interchangeably. The terms "class" and
264 "element" will be used to reference either the corresponding data
265 element in the UML-based information or XML Schema-based data models,
266 respectively.
268 1.3. About the IODEF Data Model
270 A number of considerations were made in the design of the IODEF data
271 model.
273 o The data model found in this document is an evolution of the one
274 previously specified in [RFC5070]. New fields were added to
275 represent additional information. [RFC5070] was developed
276 primarily to represent incident reports. This document builds
277 upon it by adding support for indicators and revising it to
278 reflect the current challenges faced by CSIRTs. An attempt was
279 made to preserve backward compatibility but this was not possible
280 in all cases. See Section 4.4. This document obsoletes
281 [RFC5070].
283 o The IODEF is a transport format. Therefore, the data model may
284 not be the optimal archival or in-memory processing format.
286 o The IODEF is intended to be a framework to convey only commonly
287 exchanged information. It ensures that there are mechanisms for
288 extensibility to support organization-specific information and
289 techniques to reference information kept outside of the data
290 model.
292 o Not all commonly exchanged information has a well-defined format
293 or taxonomy. The IODEF attempts to strike a balance between
294 enforcing sufficient structure to allow automated processing and
295 supporting free-form content that enables maximum flexibility.
297 o The IODEF fits into a broader ecosystem of standards and
298 conventions. An attempt was made to harmonize the data model with
299 this context.
301 1.4. Changelog
303 A detailed list of additions made to the [RFC5070] data model is
304 enumerated in this section. See Section 4.4 for a list of
305 incompatible changes.
307 o Updated the data types (Section 2) to improve
308 internationalization, clarify ambiguity, and ensure consistency in
309 extensions.
311 o Added the observable-id attribute (Section 3.3.2) and the
312 IndicatorData class (Section 3.28) to represent
313 indicators.
315 o Added the private-enum-name and -id attributes to the IODEF-
316 Document class (Section 3.1) to disambiguate private extensions.
318 o Updated the Incident class (Section 3.2) to represent additional
319 timing and workflow information.
321 o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8)
322 classes to represent attack attribution information.
324 o Updated the Contact class (Section 3.9) and its children to
325 improve internationalization and represent additional information
326 about an entity.
328 o Updated the Method class (Section 3.11) to improve extensibility
329 through externally referenced resources.
331 o Added the Discovery class (Section 3.10) to describe how an
332 incident was discovered.
334 o Updated the Assessment class (Section 3.12) to enable more
335 descriptive characterizations of the impact of an incident.
337 o Updated the HistoryItem (Section 3.13.1) and Expectation
338 (Section 3.15) classes to support a reference to a course of
339 action.
341 o Updated the EventData class (Section 3.14) with additional meta-
342 data added to the Incident class.
344 o Updated the System (Section 3.17) class with additional meta-data.
346 o Updated the Counter class (Section 3.18.3) to support additional
347 rate metrics.
349 o Added the DomainData (Section 3.19), EmailData (Section 3.21),
350 WindowsRegistryKeysModified (Section 3.23), CertificateData
351 (Section 3.24) and FileData (Section 3.25) to improve the
352 description of an incident and support this data as indicators.
354 o Added the SignatureData (Section 3.27) and HashData classes
355 (Section 3.26) to represent digital signatures and hashes.
357 o Added support for public enumerated attribute extensions using
358 IANA registries (Section 5.1.2).
360 o Updated numerous enumerated attributes for completeness.
362 2. IODEF Data Types
364 The IODEF uses a number of simple and complex types. This section
365 describes these data types.
367 2.1. Integers
369 An integer is represented in the information model by the INTEGER
370 data type. Integer data MUST be encoded in Base 10.
372 The INTEGER data type is implemented in the data model as a
373 "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].
375 2.2. Real Numbers
377 A real (floating-point) number is represented in the information
378 model by the REAL data type. Real data MUST be encoded in Base 10.
380 The REAL data type is implemented in the data model as a "xs:float"
381 type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].
383 2.3. Characters and Strings
385 A single character is represented in the information model by the
386 CHARACTER data type. A string is represented by the STRING data
387 type. Special characters MUST be encoded using entity references.
388 See Section 4.1.
390 The CHARACTER and STRING data types are implemented in the data model
391 as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
393 2.4. Multilingual Strings
395 A string that needs to be represented in a human-readable language
396 different than the default encoding of the document is represented in
397 the information model by the ML_STRING data type.
399 The ML_STRING data type is implemented in the data model as the
400 "iodef:MLStringType" type. This type extends the "xs:string" to
401 include two attributes.
403 +------------------------+
404 | iodef:MLStringType |
405 +------------------------+
406 | xs:string |
407 | |
408 | ENUM xml:lang |
409 | STRING translation-id |
410 +------------------------+
412 Figure 1: The iodef:MLStringType Type
414 The content of the class is a character string of type "xs:string"
415 whose language MAY be specified by the xml:lang attribute.
417 The attributes of the iodef:MLStringType type are:
419 xml:lang
420 Optional. ENUM. A language identifier per Section 2.12 of
421 [W3C.XML] whose values and format are described in [RFC5646]. The
422 interpretation of this code is described in Section 6.
424 translation-id
425 Optional. STRING. An identifier to relate other instances of
426 this class with the same parent as translations of this text. The
427 scope of this identifier is limited to all of the direct, peer
428 child classes of a given parent class.
430 Using this class enables representing translations of the same text
431 in multiple languages. Each translation is a distinct instance of
432 this class with a common parent. A group of classes each with a
433 translated instance of text is related by setting a common identifier
434 in the translation-id attribute. The language of a given class is
435 set by the xml:lang attribute. See Section 6 for more details on
436 representing translations of free-form text.
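An added example, not part of the draft, of how a consumer can apply the translation-id scoping rule above: direct peer children of one parent are grouped by translation-id, each group is a set of translations of one text, and the consumer picks the language it wants with a fallback. Assumptions: the namespace URI urn:ietf:params:xml:ns:iodef-2.0 is taken from the published RFC 7970 (Section 4.2), which is outside this excerpt; the Incident and Description elements and their text are constructed sample data; the default language for children without xml:lang is passed in rather than assumed; and the "same language twice in one group" check is a sanity check added here, not a rule of the draft.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI (RFC 7970, Section 4.2); not stated in this excerpt.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
# ElementTree exposes xml:lang under the fixed XML namespace.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: three Description children of one Incident.  The
# first two are translations of one text (same translation-id); the third
# is an unrelated note that happens to sit beside them.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Description xml:lang="en" translation-id="d1">Phishing campaign against finance staff</Description>
  <Description xml:lang="de" translation-id="d1">Phishing-Kampagne gegen Finanzmitarbeiter</Description>
  <Description xml:lang="en">Attachments were submitted to the sandbox</Description>
</Incident>"""


def group_translations(parent, tag, default_lang):
    """Group the direct children named `tag` into translation sets.

    Returns {group-key: {lang: text}}.  Section 2.4 scopes translation-id
    to the direct peer children of one parent, so only `parent`'s own
    children are examined, never grandchildren.  A child without
    translation-id is its own group, keyed by its position so it can never
    merge with another.  Children without xml:lang get `default_lang`; how
    the document-level language is determined is left to the caller.
    """
    groups = {}
    for index, child in enumerate(parent):
        if child.tag != f"{{{IODEF_NS}}}{tag}":
            continue
        key = child.get("translation-id") or f"#{index}"
        lang = child.get(XML_LANG, default_lang)
        texts = groups.setdefault(key, {})
        if lang in texts:
            # Sanity check added here (not a draft rule): two texts in the
            # same language under one translation-id are ambiguous.
            raise ValueError(f"two {tag} texts in {lang!r} share translation-id {key!r}")
        texts[lang] = (child.text or "").strip()
    return groups


def group_from_xml(xml_text, tag, default_lang="en"):
    """Parse a document and group the root's children named `tag`."""
    return group_translations(ET.fromstring(xml_text), tag, default_lang)


def pick(texts, preferred):
    """Choose one text from a translation set, trying languages in order."""
    for lang in preferred:
        if lang in texts:
            return texts[lang]
    return next(iter(texts.values()))  # nothing preferred present: first seen


def descriptions(xml_text, preferred=("en",), default_lang="en"):
    """All distinct Description texts under the root, each in the best language."""
    groups = group_from_xml(xml_text, "Description", default_lang)
    return [pick(texts, preferred) for texts in groups.values()]


if __name__ == "__main__":
    print(descriptions(SAMPLE, preferred=("de", "en")))
```

With preferred=("de", "en") the call returns the German text for the translated group and the English-only note unchanged; a preference list that matches nothing falls back to the first translation seen, so a consumer that must not show an unexpected language should check the group's keys itself.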
438 2.5. Binary Strings
440 Binary octets can be represented with two encodings.
442 2.5.1. Base64 Bytes
444 A binary octet encoded with Base64 is represented in the information
445 model by the BYTE data type. A sequence of these octets is of the
446 BYTE[] data type.
448 The BYTE and BYTE[] data types are implemented in the data model as a
449 "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].
451 2.5.2. Hexadecimal Bytes
453 A binary octet encoded as a character tuple consisting of two
454 hexadecimal digits is represented in the information model by the
455 HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
456 type.
458 The HEXBIN and HEXBIN[] data types are implemented in the data model
459 as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].
461 2.6. Enumerated Types
463 An enumerated type is represented in the information model by the
464 ENUM data type. It is an ordered list of acceptable string values.
465 Each value has a representative keyword. Within the data model, the
466 enumerated type keywords are used as attribute values.
468 The ENUM data type is implemented in the data model as values of a
469 "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].
471 2.7. Date-Time String
473 A date-time string that describes a particular instant in time is
474 represented in the information model by the DATETIME data type.
475 Ranges are not supported.
477 The DATETIME data type is implemented in the data model as a
478 "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].
480 2.8. Timezone String
482 A timezone offset from UTC is represented in the information model by
483 the TIMEZONE data type. It is formatted according to the following
484 regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
486 The TIMEZONE data type is implemented in the data model as an
487 "iodef:TimezoneType" type.
489 2.9. Port Lists
491 A list of network ports is represented in the information model by
492 the PORTLIST data type. A PORTLIST consists of a comma-separated
493 list of numbers and ranges (N-M means ports N through M, inclusive).
494 It is formatted according to the following regular expression:
495 "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
496 "2,5-15,30,32,40-50,55-60".
498 The PORTLIST data type is implemented in the data model as an
499 "iodef:PortlistType" type.
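An added example, not part of the draft, that checks the TIMEZONE and PORTLIST types of Sections 2.8 and 2.9 in Python. The two regular expressions are copied verbatim from those sections. The PORTLIST pattern only fixes the shape of the string: "70000" and "20-10" both match it, so a consumer that turns a port list into firewall rules or scan targets needs the bound and ordering checks shown here. The 65535 upper bound is the TCP/UDP port maximum and an assumption of this checker, not something the draft states; re.ASCII is used because Python's "\d" otherwise matches any Unicode digit, which int() would accept.

```python
import re

# Patterns copied verbatim from Sections 2.8 and 2.9 of the draft.
# re.ASCII keeps "\d" to 0-9; without it "\d" also matches other Unicode
# digits, and int() would convert them just the same.
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]", re.ASCII)
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*", re.ASCII)

MAX_PORT = 65535  # TCP/UDP maximum; an assumption of this checker, not of the draft


def is_timezone(value: str) -> bool:
    """True if value is exactly one TIMEZONE string (xs:pattern semantics)."""
    return TIMEZONE_RE.fullmatch(value) is not None


def parse_portlist(value: str) -> set[int]:
    """Expand a PORTLIST into the set of port numbers it denotes.

    The draft's pattern only constrains the shape of the string; "70000"
    and "20-10" both match it.  Bounds and range direction are checked
    here before the list is used for anything.
    """
    if PORTLIST_RE.fullmatch(value) is None:
        raise ValueError(f"not a PORTLIST: {value!r}")
    ports: set[int] = set()
    for item in value.split(","):
        lo, _, hi = item.partition("-")      # "5-15" -> ("5", "-", "15"); "2" -> ("2", "", "")
        start = int(lo)
        end = int(hi) if hi else start
        if end > MAX_PORT:
            raise ValueError(f"port above {MAX_PORT}: {item}")
        if start > end:
            raise ValueError(f"descending range: {item}")
        ports.update(range(start, end + 1))
    return ports


def portlist_is_valid(value: str) -> bool:
    """Shape plus semantic checks, without raising."""
    try:
        parse_portlist(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(sorted(parse_portlist("2,5-15,30,32,40-50,55-60")))
    for s in ("Z", "+05:30", "-14:00", "+15:00", "70000", "20-10"):
        print(s, is_timezone(s), portlist_is_valid(s))
```

Schema validation against the xs:pattern stops at the regular expression; the semantic checks belong in the application that consumes the document.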
501 2.10. Postal Address
503 A postal address is represented in the information model by the
504 POSTAL data type. The format of the POSTAL data type is documented
505 in Section 2.23 of [RFC4519] as a free-form multi-line string whose
506 lines are separated by the "$" character.
508 The POSTAL data type is implemented in the data model as an
509 "iodef:MLStringType" type.
511 2.11. Telephone Number
513 A telephone number is represented in the information model by the
514 PHONE data type. The format of the PHONE data type is documented in
515 [E.164].
517 The PHONE data type is implemented in the data model as a "xs:string"
518 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
520 2.12. Email String
522 An email address is represented in the information model by the EMAIL
523 data type. The format of the EMAIL data type is documented in
524 Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531].
526 The EMAIL data type is implemented in the data model as a "xs:string"
527 type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
529 2.13. Uniform Resource Locator strings
531 A uniform resource locator (URL) is represented in the information
532 model by the URL data type. The format of the URL data type is
533 documented in [RFC3986].
535 The URL data type is implemented as a "xs:anyURI" type per
536 Section 3.2.17 of [W3C.SCHEMA.DTYPES].
538 2.14. Identifiers and Identifier References
540 An identifier unique to the IODEF document is represented in the
541 information model by the ID data type. A reference to this
542 identifier is represented by the IDREF data type.
544 The ID and IDREF data types are implemented in the model as "xs:ID"
545 and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
546 [W3C.SCHEMA.DTYPES].
548 2.15. Software
550 A particular version of software is represented in the information
551 model by the SOFTWARE data type. The software can be described by a
552 reference, a URL, or free-form text.
554 The SOFTWARE data type is implemented in the data model as the
555 "iodef:SoftwareType" type.
557 +--------------------+
558 | iodef:SoftwareType |
559 +--------------------+
560 | |<>--{0..1}--[ SoftwareReference ]
561 | |<>--{0..*}--[ URL ]
562 | |<>--{0..*}--[ Description ]
563 +--------------------+
565 Figure 2: The SoftwareType Type
567 The aggregate classes of the SoftwareType type are:
569 SoftwareReference
570 Zero or one. Reference to a software application. See
571 Section 2.15.1.
573 URL
574 Zero or more. URL. A URL to a resource describing the software.
576 Description
577 Zero or more. ML_STRING. A free-form text description of the
578 software.
580 At least one of these classes MUST be present.
582 The iodef:SoftwareType type has no attributes.
584 2.15.1. SoftwareReference Class
586 The SoftwareReference class is a reference to a particular version of
587 software.
589 +----------------------+
590 | SoftwareReference |
591 +----------------------+
592 | xs:any |
593 | |
594 | ENUM spec-name |
595 | STRING ext-spec-name |
596 | ENUM dtype |
597 | STRING ext-dtype |
598 +----------------------+
600 Figure 3: The SoftwareReference Class
602 The element content varies according to the value of the spec-name
603 attribute. It is defined in the data model as "xs:any" per
604 [W3C.SCHEMA].
606 The attributes of the SoftwareReference class are:
608 spec-name
609 Required. ENUM. Identifies the format and semantics of the
610 element body of this class. Formal standards and specifications
611 can be referenced as well as a free-form text description with a
612 user-provided data type. These values are maintained in the
613 "SoftwareReference-spec-id" IANA registry per Section 10.2.
614 1. custom. The element content is free-form and of the data type
615 specified by the dtype attribute. If this value is selected,
616 then the dtype attribute MUST be set.
618 2. cpe. The element content describes a Common Platform
619 Enumeration (CPE) entry per [NIST.CPE].
621 3. swid. The element content describes a software identification
622 (SWID) tag per [ISO19770].
624 4. ext-value. A value used to indicate that this attribute is
625 extended and the actual value is provided using the
626 corresponding ext-* attribute. See Section 5.1.1.
628 ext-spec-name
629 Optional. STRING. A means by which to extend the spec-name
630 attribute. See Section 5.1.1.
632 dtype
633 Optional. ENUM. The data type of the element content. The
634 permitted values for this attribute are shown below. The default
635 value is "string". These values are maintained in the
636 "SoftwareReference-dtype" IANA registry per Section 10.2.
638 1. bytes. The element content is of type HEXBIN.
640 2. integer. The element content is of type INTEGER.
642 3. real. The element content is of type REAL.
644 4. string. The element content is of type STRING.
646 5. xml. The element content is XML. See Section 5.2.
648 6. ext-value. A value used to indicate that this attribute is
649 extended and the actual value is provided using the
650 corresponding ext-* attribute. See Section 5.1.1.
652 ext-dtype
653 Optional. STRING. A means by which to extend the dtype
654 attribute. See Section 5.1.1.
656 2.16. Extension
658 Information not otherwise represented in the IODEF can be added using
659 the EXTENSION data type. This data type is a generic extension
660 mechanism.
662 The EXTENSION data type is implemented in the data model as the
663 "iodef:ExtensionType" type.
665 The data type of an EXTENSION is described by the dtype attribute.
666 For simple information, atomic data types (e.g., integers, strings)
667 are supported. Their semantics are further described by the meaning
668 and formatid attributes. Encapsulating XML documents conforming to
669 another schema is also supported. A detailed discussion of extending
670 the schema can be found in Section 5. Additional coordination may be
671 required to ensure that a recipient of a document using this type can
672 parse and process it.
674 +------------------------+
675 | iodef:ExtensionType |
676 +------------------------+
677 | xs:any |
678 | |
679 | STRING name |
680 | ENUM dtype |
681 | STRING ext-dtype |
682 | STRING meaning |
683 | STRING formatid |
684 | ENUM restriction |
685 | STRING ext-restriction |
686 | ID observable-id |
687 +------------------------+
689 Figure 4: The iodef:ExtensionType Type
691 The element content of this type is the extension being added to the
692 data model. This content is defined in the data model as "xs:any"
693 per [W3C.SCHEMA].
695 The attributes of the iodef:ExtensionType type are:
697 name
698 Optional. STRING. A free-form name of the field or data element.
700 dtype
701 Required. ENUM. The data type of the element content. The
702 default value is "string". These values are maintained in the
703 "ExtensionType-dtype" IANA registry per Section 10.2.
705 1. boolean. The element content is of type BOOLEAN.
707 2. byte. The element content is of type BYTE.
709 3. bytes. The element content is of type HEXBIN.
711 4. character. The element content is of type CHARACTER.
713 5. date-time. The element content is of type DATETIME.
715 6. ntpstamp. Same as date-time.
717 7. integer. The element content is of type INTEGER.
719 8. portlist. The element content is of type PORTLIST.
721 9. real. The element content is of type REAL.
723 10. string. The element content is of type STRING.
725 11. file. The element content is a base64 encoded binary file
726 encoded as a BYTE[] type.
728 12. path. The element content is a file-system path encoded as a
729 STRING type.
731 13. frame. The element content is a layer-2 frame encoded as a
732 HEXBIN type.
734 14. packet. The element content is a layer-3 packet encoded as a
735 HEXBIN type.
737 15. ipv4-packet. The element content is an IPv4 packet encoded
738 as a HEXBIN type.
740 16. ipv6-packet. The element content is an IPv6 packet encoded
741 as a HEXBIN type.
743 17. url. The element content is of type URL.
745 18. csv. The element content is a common separated value (CSV)
746 list per Section 2 of [RFC4180] encoded as a STRING type.
748 19. winreg. The element content is a Windows registry key
749 encoded as a STRING type.
751 20. xml. The element content is XML. See Section 5.
753 21. ext-value. A value used to indicate that this attribute is
754 extended and the actual value is provided using the
755 corresponding ext-* attribute. See Section 5.1.1.
757 ext-dtype
758 Optional. STRING. A means by which to extend the dtype
759 attribute. See Section 5.1.1.
761 meaning
762 Optional. STRING. A free-form text description of the element
763 content.
765 formatid
766 Optional. STRING. An identifier referencing the format or
767 semantics of the element content.
769 restriction
770 Optional. ENUM. See Section 3.3.1.
772 ext-restriction
773 Optional. STRING. A means by which to extend the restriction
774 attribute. See Section 5.1.1.
776 observable-id
777 Optional. ID. See Section 3.3.2.
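The following added example (not part of the draft) shows how a consumer can interpret the element content of an ExtensionType instance (such as AdditionalData) according to its dtype attribute, treating the content as untrusted and rejecting values that do not match the declared type; the PORTLIST syntax is assumed from the draft's data-type section, which lies outside this excerpt, and all sample elements are constructed.

```python
import base64
import csv
import io
import xml.etree.ElementTree as ET

# Assumed PORTLIST syntax: comma-separated ports and "low-high" ranges.
def parse_portlist(text):
    """Return the sorted list of individual ports named by a PORTLIST."""
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)

# dtype values whose content is HEXBIN (values 3 and 13-16 in Section 2.16).
HEXBIN_TYPES = {"bytes", "frame", "packet", "ipv4-packet", "ipv6-packet"}
# dtype values kept as text after whitespace trimming.
TEXT_TYPES = {"string", "byte", "character", "date-time", "ntpstamp",
              "url", "path", "winreg"}

def decode_extension(elem):
    """Return (kind, value) for one ExtensionType element, interpreting
    its content per the dtype attribute; raise ValueError on mismatch."""
    dtype = elem.get("dtype", "string")          # default per Section 2.16
    if dtype == "ext-value":
        ext = elem.get("ext-dtype")              # Section 5.1.1 extension
        if not ext:
            raise ValueError("dtype=ext-value requires ext-dtype")
        return ("ext:" + ext, elem.text or "")   # semantics negotiated out-of-band
    if dtype == "xml":
        children = list(elem)                    # the embedded XML document
        if len(children) != 1:
            raise ValueError("dtype=xml expects exactly one embedded element")
        return ("xml", children[0])
    if len(elem):
        raise ValueError(f"dtype={dtype} must not contain child elements")
    text = (elem.text or "").strip()
    if dtype in HEXBIN_TYPES:
        return (dtype, bytes.fromhex(text))      # rejects non-hex content
    if dtype == "file":
        return ("file", base64.b64decode(text, validate=True))
    if dtype == "integer":
        return ("integer", int(text))
    if dtype == "real":
        return ("real", float(text))
    if dtype == "boolean":
        if text not in ("true", "false", "1", "0"):
            raise ValueError(f"bad boolean: {text!r}")
        return ("boolean", text in ("true", "1"))
    if dtype == "portlist":
        return ("portlist", parse_portlist(text))
    if dtype == "csv":                           # rows per RFC 4180
        return ("csv", list(csv.reader(io.StringIO(text))))
    if dtype in TEXT_TYPES:
        return (dtype, text)
    raise ValueError(f"unknown dtype {dtype!r}")

def decode_text(xml_text):
    """Parse one element from a string and decode it; a malformed value
    yields ("error", message) instead of an exception."""
    try:
        return decode_extension(ET.fromstring(xml_text))
    except (ValueError, ET.ParseError) as exc:
        return ("error", str(exc))

# Constructed samples: the IPv4 header uses documentation addresses
# (192.0.2.1 -> 192.0.2.199); its checksum field was not recomputed.
SAMPLES = [
    '<AdditionalData dtype="ipv4-packet" meaning="captured probe">'
    '4500003c1c4640004006b1e6c0000201c00002c7</AdditionalData>',
    '<AdditionalData name="count" dtype="integer">42</AdditionalData>',
    '<AdditionalData dtype="portlist">22,80,443-445</AdditionalData>',
    '<AdditionalData dtype="ext-value">unlabelled</AdditionalData>',  # error
    '<AdditionalData dtype="bytes">zz</AdditionalData>',              # error
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_text(sample))
```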
779 3. The IODEF Information Model
781 The specifics of the IODEF information model are discussed in this
782 section. Each class and its relationships with the other classes are
783 described. When necessary, clarifications are made about translating
784 this information model to the schema in Section 8.
786 3.1. IODEF-Document Class
788 The IODEF-Document class is the top level class in the IODEF data
789 model. All IODEF documents are an instance of this class.
791 +--------------------------+
792 | IODEF-Document |
793 +--------------------------+
794 | STRING version |<>--{1..*}--[ Incident ]
795 | ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
796 | STRING format-id |
797 | STRING private-enum-name |
798 | STRING private-enum-id |
799 +--------------------------+
801 Figure 5: IODEF-Document Class
803 The aggregate classes of the IODEF-Document class are:
805 Incident
806 One or more. The information related to a single incident. See
807 Section 3.2.
809 AdditionalData
810 Zero or more. EXTENSION. Mechanism by which to extend the data
811 model.
813 The attributes of the IODEF-Document class are:
815 version
816 Required. STRING. The IODEF specification version number to
817 which this IODEF document conforms. The value of this attribute
818 MUST be "2.00".
820 xml:lang
821 Optional. ENUM. A language identifier per Section 2.12 of
822 [W3C.XML] whose values and form are described in [RFC5646]. The
823 interpretation of this code is described in Section 6.
825 format-id
826 Optional. STRING. A free-form string to convey processing
827 instructions to the recipient of the document. Its semantics must
828 be negotiated out-of-band.
830 private-enum-name
831 Optional. STRING. A globally unique identifier for the CSIRT
832 generating the document to deconflict private extensions used in
833 the document. The fully qualified domain name associated with the
834 CSIRT MUST be used as the identifier. See Section 5.3.
836 private-enum-id
837 Optional. STRING. An organizationally unique identifier for an
838 extension used in the document. If this attribute is set, the
839 private-enum-name MUST also be set. See Section 5.3.
841 3.2. Incident Class
843 The Incident class describes commonly exchanged information when
844 reporting or sharing derived analysis from security incidents.
846 +-------------------------+
847 | Incident |
848 +-------------------------+
849 | ENUM purpose |<>----------[ IncidentID ]
850 | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
851 | ENUM status |<>--{0..*}--[ RelatedActivity ]
852 | STRING ext-status |<>--{0..1}--[ DetectTime ]
853 | ENUM xml:lang |<>--{0..1}--[ StartTime ]
854 | ENUM restriction |<>--{0..1}--[ EndTime ]
855 | STRING ext-restriction |<>--{0..1}--[ RecoveryTime ]
856 | ID observable-id |<>--{0..1}--[ ReportTime ]
857 | |<>----------[ GenerationTime ]
858 | |<>--{0..*}--[ Description ]
859 | |<>--{0..*}--[ Discovery ]
860 | |<>--{0..*}--[ Assessment ]
861 | |<>--{0..*}--[ Method ]
862 | |<>--{1..*}--[ Contact ]
863 | |<>--{0..*}--[ EventData ]
864 | |<>--{0..1}--[ IndicatorData ]
865 | |<>--{0..1}--[ History ]
866 | |<>--{0..*}--[ AdditionalData ]
867 +-------------------------+
869 Figure 6: The Incident Class
871 The aggregate classes of the Incident class are:
873 IncidentID
874 One. An incident tracking number assigned to this incident by the
875 CSIRT that generated the IODEF document. See Section 3.4.
877 AlternativeID
878 Zero or one. The incident tracking numbers used by other CSIRTs
879 to refer to the incident described in the document. See
880 Section 3.5.
882 RelatedActivity
883 Zero or more. Related activity and attribution of this activity.
884 See Section 3.6.
886 DetectTime
887 Zero or one. DATETIME. The time the incident was first detected.
889 StartTime
890 Zero or one. DATETIME. The time the incident started.
892 EndTime
893 Zero or one. DATETIME. The time the incident ended.
895 RecoveryTime
896 Zero or one. DATETIME. The time the site recovered from the
897 incident.
899 ReportTime
900 Zero or one. DATETIME. The time the incident was reported.
902 GenerationTime
903 One. DATETIME. The time the content in this Incident class was
904 generated.
906 Description
907 Zero or more. ML_STRING. A free-form text description of the
908 incident.
910 Discovery
911 Zero or more. The means by which this incident was detected. See
912 Section 3.10.
914 Assessment
915 Zero or more. A characterization of the impact of the incident.
916 See Section 3.12.
918 Method
919 Zero or more. The techniques used by the threat actor in the
920 incident. See Section 3.11.
922 Contact
923 One or more. Contact information for the parties involved in the
924 incident. See Section 3.9.
926 EventData
927 Zero or more. Description of the events comprising the incident.
928 See Section 3.14.
930 IndicatorData
931 Zero or one. Indicators from the analysis of an incident. See
932 Section 3.28.
934 History
935 Zero or one. A log of significant events or actions that occurred
936 during the course of handling the incident. See Section 3.13.
938 AdditionalData
939 Zero or more. EXTENSION. Mechanism by which to extend the data
940 model.
942 The attributes of the Incident class are:
944 purpose
945 Required. ENUM. The purpose attribute describes the rationale
946 for documenting the information in this class. It is
947 closely related to the Expectation class (Section 3.15). These
948 values are maintained in the "Incident-purpose" IANA registry per
949 Section 10.2. This attribute is defined as an enumerated list:
951 1. traceback. The Incident was sent for trace-back purposes.
953 2. mitigation. The Incident was sent to request aid in
954 mitigating the described activity.
956 3. reporting. The Incident was sent to comply with reporting
957 requirements.
959 4. watch. The Incident was sent to convey indicators that should
960 be monitored.
962 5. other. The Incident was sent for purposes specified in the
963 Expectation class.
965 6. ext-value. A value used to indicate that this attribute is
966 extended and the actual value is provided using the
967 corresponding ext-* attribute. See Section 5.1.1.
969 ext-purpose
970 Optional. STRING. A means by which to extend the purpose
971 attribute. See Section 5.1.1.
973 status
974 Optional. ENUM. The status attribute conveys the state in a
975 workflow where the incident is currently found. These values are
976 maintained in the "Incident-status" IANA registry per
977 Section 10.2. This attribute is defined as an enumerated list:
979 1. new. The Incident is newly reported and has not been
980 actioned.
982 2. in-progress. The contents of this Incident are under
983 investigation.
985 3. forwarded. The Incident has been forwarded to another party
986 for handling.
988 4. resolved. The investigation into the activity in this
989 Incident has concluded.
991 5. future. The described activity has not yet been detected.
993 6. ext-value. A value used to indicate that this attribute is
994 extended and the actual value is provided using the
995 corresponding ext-* attribute. See Section 5.1.1.
997 ext-status
998 Optional. STRING. A means by which to extend the status
999 attribute. See Section 5.1.1.
1001 xml:lang
1002 Optional. ENUM. A language identifier per Section 2.12 of
1003 [W3C.XML] whose values and form are described in [RFC5646]. The
1004 interpretation of this code is described in Section 6.
1006 restriction
1007 Optional. ENUM. See Section 3.3.1. The default value is
1008 "private".
1010 ext-restriction
1011 Optional. STRING. A means by which to extend the restriction
1012 attribute. See Section 5.1.1.
1014 observable-id
1015 Optional. ID. See Section 3.3.2.
1017 3.3. Common Attributes
1019 There are a number of recurring attributes used in the information
1020 model. They are documented in this section.
1022 3.3.1. restriction Attribute
1024 The restriction attribute indicates the disclosure guidelines to
1025 which the sender expects the recipient to adhere for the information
1026 represented in this class and its children. This guideline provides
1027 no security since there are no technical means to ensure that the
1028 recipient of the document handles the information as the sender
1029 requested.
1031 The value of this attribute is logically inherited by the children of
1032 this class. That is to say, the disclosure rules applied to this
1033 class, also apply to its children.
1035 It is possible to set a granular disclosure policy, since all of the
1036 high-level classes (i.e., children of the Incident class) have a
1037 restriction attribute. Therefore, a child can override the
1038 guidelines of a parent class, be it to restrict or relax the
1039 disclosure rules (e.g., a child has a weaker policy than an ancestor;
1040 or an ancestor has a weak policy, and the children selectively apply
1041 more rigid controls). The implicit value of the restriction
1042 attribute for a class that did not specify one can be found in the
1043 closest ancestor that did specify a value.
1045 This attribute is defined as an enumerated value with a default value
1046 of "private". Note that the default value of the restriction
1047 attribute is only defined in the context of the Incident class. In
1048 other classes where this attribute is used, no default is specified.
1050 These values are maintained in the "Restriction" IANA registry per
1051 Section 10.2.
1053 1. public. The information can be freely distributed without
1054 restriction.
1056 2. partner. The information may be shared within a closed
1057 community of peers, partners, or affected parties, but cannot be
1058 openly published.
1060 3. need-to-know. The information may be shared only within the
1061 organization with individuals that have a need to know.
1063 4. private. The information may not be shared.
1065 5. default. The information can be shared according to an
1066 information disclosure policy pre-arranged by the communicating
1067 parties.
1069 6. white. Same as 'public'.
1071 7. green. Same as 'partner'.
1073 8. amber. Same as 'need-to-know'.
1075 9. red. Same as 'private'.
1077 10. ext-value. A value used to indicate that this attribute is
1078 extended and the actual value is provided using the
1079 corresponding ext-* attribute. See Section 5.1.1.
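Added example, not code from the draft: resolving the effective restriction of every element in a document by walking to the closest ancestor that sets one, applying the "private" default only at the Incident class, folding the colour aliases onto their base values, and deciding whether a given piece of information may go to a given audience. The IODEF v2 namespace URI is assumed and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace; the sample document below is constructed.
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Registry values 6-9 of Section 3.3.1 are aliases of the four base levels.
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}

# Base levels ordered from least to most restrictive.
LEVELS = ["public", "partner", "need-to-know", "private"]

def normalize(value):
    """Map a colour alias onto its base level; pass other values through."""
    return ALIASES.get(value, value)

def effective_restriction(path):
    """path: elements from the document root down to the element of
    interest. Walk upward to the closest ancestor that sets a value.
    The "private" default applies only at the Incident class; outside
    an Incident (e.g. the IODEF-Document element) nothing is implied."""
    for elem in reversed(path):
        value = elem.get("restriction")
        if value == "ext-value":
            value = elem.get("ext-restriction")   # Section 5.1.1
        if value is not None:
            return normalize(value)
        if elem.tag == f"{{{NS}}}Incident":
            return "private"
    return None

def walk(elem, path=()):
    """Depth-first traversal yielding the root-to-element path of each element."""
    path = path + (elem,)
    yield path
    for child in elem:
        yield from walk(child, path)

def restrictions(xml_text):
    """List of (tag path, effective restriction) for every element, in
    document order."""
    root = ET.fromstring(xml_text)
    out = []
    for path in walk(root):
        names = "/".join(e.tag.split("}")[-1] for e in path)
        out.append((names, effective_restriction(list(path))))
    return out

def shareable_with(restriction, audience):
    """True if data marked `restriction` may go to a channel cleared for
    `audience` (one of LEVELS). "default" depends on the pre-arranged
    policy, an ext-* value has no standard meaning, and an unset value
    carries no guideline: all three are reported as None (undecided)."""
    if restriction not in LEVELS:
        return None
    return LEVELS.index(restriction) <= LEVELS.index(audience)

# Constructed document: the first Incident is marked amber, one of its
# Contacts relaxes that to public and a nested Contact tightens it to red;
# the second Incident sets nothing and so falls back to "private".
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{NS}">
  <Incident purpose="reporting" restriction="amber">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <Contact type="organization" role="creator" restriction="public">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <Contact type="person" role="tech">
      <ContactName>Example Tech Contact</ContactName>
      <Contact type="person" role="admin" restriction="red">
        <ContactName>Example Admin Contact</ContactName>
      </Contact>
    </Contact>
  </Incident>
  <Incident purpose="watch">
    <IncidentID name="csirt.example.com">189494</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <Contact type="organization" role="creator">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for names, level in restrictions(SAMPLE):
        print(f"{names:55} {level}  partner-shareable={shareable_with(level, 'partner')}")
```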
1081 3.3.2. observable-id Attribute
1083 The observable-id attribute tags information in the document as an
1084 observable so that it can be referenced later in the description of
1085 an indicator. The value of this attribute is a unique identifier in
1086 the scope of the document. It is used by the ObservableReference
1087 class to enumerate observables when defining an indicator with the
1088 IndicatorData class.
1090 3.4. IncidentID Class
1092 The IncidentID class represents a tracking number that is unique in
1093 the context of the CSIRT. It serves as an identifier for an incident
1094 or a document identifier when sharing indicators. This identifier
1095 would serve as an index into a CSIRT's incident handling or knowledge
1096 management system.
1098 The combination of the name attribute and the string in the element
1099 content MUST be a globally unique identifier describing the activity.
1100 Documents generated by a given CSIRT MUST NOT reuse the same value
1101 unless they are referencing the same incident.
1103 +------------------------+
1104 | IncidentID |
1105 +------------------------+
1106 | STRING |
1107 | |
1108 | STRING name |
1109 | STRING instance |
1110 | ENUM restriction |
1111 | STRING ext-restriction |
1112 +------------------------+
1114 Figure 7: The IncidentID Class
1116 The content of the class is an incident identifier of type STRING.
1118 The attributes of the IncidentID class are:
1120 name
1121 Required. STRING. An identifier describing the CSIRT that
1122 created the document. In order to have a globally unique CSIRT
1123 name, the fully qualified domain name associated with the CSIRT
1124 MUST be used.
1126 instance
1127 Optional. STRING. An identifier referencing a subset of the
1128 named incident.
1130 restriction
1131 Optional. ENUM. See Section 3.3.1.
1133 ext-restriction
1134 Optional. STRING. A means by which to extend the restriction
1135 attribute. See Section 5.1.1.
1137 3.5. AlternativeID Class
1139 The AlternativeID class lists the tracking numbers used by CSIRTs,
1140 other than the one generating the document, to refer to the identical
1141 activity described in the IODEF document. A tracking number listed
1142 as an AlternativeID references the same incident detected by another
1143 CSIRT. The tracking numbers of the CSIRT that generated the IODEF
1144 document must never be considered an AlternativeID.
1146 +------------------------+
1147 | AlternativeID |
1148 +------------------------+
1149 | ENUM restriction |<>--{1..*}--[ IncidentID ]
1150 | STRING ext-restriction |
1151 +------------------------+
1153 Figure 8: The AlternativeID Class
1155 The aggregate class of the AlternativeID class is:
1157 IncidentID
1158 One or more. The tracking number of another CSIRT. See
1159 Section 3.4.
1161 The attributes of the AlternativeID class are:
1163 restriction
1164 Optional. ENUM. See Section 3.3.1.
1166 ext-restriction
1167 Optional. STRING. A means by which to extend the restriction
1168 attribute. See Section 5.1.1.
1170 3.6. RelatedActivity Class
1172 The RelatedActivity class relates the information described in the
1173 rest of the document to previously observed incidents or activity,
1174 and allows attribution to a specific actor or campaign.
1176 +------------------------+
1177 | RelatedActivity |
1178 +------------------------+
1179 | ENUM restriction |<>--{0..*}--[ IncidentID ]
1180 | STRING ext-restriction |<>--{0..*}--[ URL ]
1181 | |<>--{0..*}--[ ThreatActor ]
1182 | |<>--{0..*}--[ Campaign ]
1183 | |<>--{0..*}--[ IndicatorID ]
1184 | |<>--{0..1}--[ Confidence ]
1185 | |<>--{0..*}--[ Description ]
1186 | |<>--{0..*}--[ AdditionalData ]
1187 +------------------------+
1189 Figure 9: RelatedActivity Class
1191 The aggregate classes of the RelatedActivity class are:
1193 IncidentID
1194 Zero or more. The tracking number of a related incident. See
1195 Section 3.4.
1197 URL
1198 Zero or more. URL. A URL to activity related to this incident.
1200 ThreatActor
1201 Zero or more. The threat actor to whom the incident activity is
1202 attributed. See Section 3.7.
1204 Campaign
1205 Zero or more. The campaign of a given threat actor to whom the
1206 described activity is attributed. See Section 3.8.
1208 IndicatorID
1209 Zero or more. A reference to a related indicator. See
1210 Section 3.4.
1212 Confidence
1213 Zero or one. An estimate of the confidence in attributing this
1214 RelatedActivity to the events described in the document. See
1215 Section 3.12.5.
1217 Description
1218 Zero or more. ML_STRING. A description of how these
1219 relationships were derived.
1221 AdditionalData
1222 Zero or more. EXTENSION. A mechanism by which to extend the data
1223 model.
1225 The RelatedActivity class MUST have at least one instance of any of
1226 the following child classes: IncidentID, URL, ThreatActor, Campaign,
1227 Description or AdditionalData.
1229 The attributes of the RelatedActivity class are:
1231 restriction
1232 Optional. ENUM. See Section 3.3.1.
1234 ext-restriction
1235 Optional. STRING. A means by which to extend the restriction
1236 attribute. See Section 5.1.1.
1238 3.7. ThreatActor Class
1240 The ThreatActor class describes a threat actor.
1242 +------------------------+
1243 | ThreatActor |
1244 +------------------------+
1245 | ENUM restriction |<>--{0..*}--[ ThreatActorID ]
1246 | STRING ext-restriction |<>--{0..*}--[ URL ]
1247 | |<>--{0..*}--[ Description ]
1248 | |<>--{0..*}--[ AdditionalData ]
1249 +------------------------+
1251 Figure 10: ThreatActor Class
1253 The aggregate classes of the ThreatActor class are:
1255 ThreatActorID
1256 Zero or more. STRING. An identifier for the threat actor.
1258 URL
1259 Zero or more. URL. A URL to a reference describing the threat
1260 actor.
1262 Description
1263 Zero or more. ML_STRING. A description of the threat actor.
1265 AdditionalData
1266 Zero or more. EXTENSION. A mechanism by which to extend the data
1267 model.
1269 The ThreatActor class MUST have at least one instance of a child
1270 class.
1272 The attributes of the ThreatActor class are:
1274 restriction
1275 Optional. ENUM. See Section 3.3.1.
1277 ext-restriction
1278 Optional. STRING. A means by which to extend the restriction
1279 attribute. See Section 5.1.1.
1281 3.8. Campaign Class
1283 The Campaign class describes a campaign of attacks by a threat actor.
1285 +------------------------+
1286 | Campaign |
1287 +------------------------+
1288 | ENUM restriction |<>--{0..*}--[ CampaignID ]
1289 | STRING ext-restriction |<>--{0..*}--[ URL ]
1290 | |<>--{0..*}--[ Description ]
1291 | |<>--{0..*}--[ AdditionalData ]
1292 +------------------------+
1294 Figure 11: Campaign Class
1296 The aggregate classes of the Campaign class are:
1298 CampaignID
1299 Zero or more. STRING. An identifier for the campaign.
1301 URL
1302 Zero or more. URL. A URL to a reference describing the campaign.
1304 Description
1305 Zero or more. ML_STRING. A description of the campaign.
1307 AdditionalData
1308 Zero or more. EXTENSION. A mechanism by which to extend the data
1309 model.
1311 The Campaign class MUST have at least one instance of a child class.
1313 The attributes of the Campaign class are:
1315 restriction
1316 Optional. ENUM. See Section 3.3.1.
1318 ext-restriction
1319 Optional. STRING. A means by which to extend the restriction
1320 attribute. See Section 5.1.1.
1322 3.9. Contact Class
1324 The Contact class describes contact information for organizations and
1325 personnel involved in the incident. This class allows for the naming
1326 of the involved party, specifying contact information for them, and
1327 identifying their role in the incident.
1329 People and organizations are treated interchangeably as contacts; one
1330 can be associated with the other using the recursive definition of
1331 the class (the Contact class is aggregated into the Contact class).
1332 The 'type' attribute disambiguates the type of contact information
1333 being provided.
1335 The recursive definition of Contact provides a way to relate
1336 information without requiring the explicit use of identifiers or
1337 duplication of data. A complete point of contact is derived by a
1338 particular traversal from the root Contact class to the leaf Contact
1339 class. Each child Contact class logically inherits contact
1340 information from its ancestors.
1342 +------------------------+
1343 | Contact |
1344 +------------------------+
1345 | ENUM role |<>--{0..*}--[ ContactName ]
1346 | STRING ext-role |<>--{0..*}--[ ContactTitle ]
1347 | ENUM type |<>--{0..*}--[ Description ]
1348 | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
1349 | ENUM restriction |<>--{0..*}--[ PostalAddress ]
1350 | STRING ext-restriction |<>--{0..*}--[ Email ]
1351 | |<>--{0..*}--[ Telephone ]
1352 | |<>--{0..1}--[ Timezone ]
1353 | |<>--{0..*}--[ Contact ]
1354 | |<>--{0..*}--[ AdditionalData ]
1355 +------------------------+
1357 Figure 12: The Contact Class
1359 The aggregate classes of the Contact class are:
1361 ContactName
1362 Zero or more. ML_STRING. The name of the contact. The contact
1363 may either be an organization or a person. The type attribute
1364 disambiguates the semantics.
1366 ContactTitle
1367 Zero or more. ML_STRING. The title for the individual named in
1368 the ContactName.
1370 Description
1371 Zero or more. ML_STRING. A free-form text description of the
1372 contact.
1374 RegistryHandle
1375 Zero or more. A handle name into the registry of the contact.
1376 See Section 3.9.1.
1378 PostalAddress
1379 Zero or more. The postal address of the contact. See
1380 Section 3.9.2.
1382 Email
1383 Zero or more. The email address of the contact. See
1384 Section 3.9.3.
1386 Telephone
1387 Zero or more. The telephone number of the contact. See
1388 Section 3.9.4.
1390 Timezone
1391 Zero or one. TIMEZONE. The timezone in which the contact
1392 resides.
1394 Contact
1395 Zero or more. A recursive definition of the Contact class. This
1396 definition can be used to group common data pertaining to multiple
1397 points of contact and is especially useful when listing multiple
1398 contacts at the same organization.
1400 AdditionalData
1401 Zero or more. EXTENSION. A mechanism by which to extend the data
1402 model.
1404 At least one of the aggregate classes MUST be present in an instance
1405 of the Contact class.
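Added example (not the draft's own code): deriving complete points of contact from a recursively nested Contact, with each leaf Contact inheriting the data of every ancestor on its root-to-leaf path. The IODEF v2 namespace URI is assumed and the sample Contact is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace; the sample Contact below is constructed.
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Child classes of Contact (Figure 12) that wrap their value in a further
# element, mapped to the element holding the value ...
VALUE_ELEMENT = {"Email": "EmailTo", "Telephone": "TelephoneNumber",
                 "PostalAddress": "PAddress"}
# ... and those whose value is their own text content.
SIMPLE = ("ContactName", "ContactTitle", "RegistryHandle", "Timezone")

def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.split("}")[-1]

def own_fields(contact):
    """Contact data attached directly to one Contact element, as
    {class name: [values]}; nested Contact elements are skipped here."""
    data = {}
    for child in contact:
        name = local(child.tag)
        if name in VALUE_ELEMENT:
            value = child.findtext(f"{{{NS}}}{VALUE_ELEMENT[name]}")
        elif name in SIMPLE:
            value = (child.text or "").strip()
        else:
            continue
        data.setdefault(name, []).append(value)
    return data

def points_of_contact(contact, inherited=None):
    """Yield one flattened record per leaf Contact. Each record holds the
    data of every Contact on the path from the root to the leaf, ancestor
    values first (so the leaf-most value of a field is last), plus the
    leaf's own role and type attributes."""
    merged = {k: list(v) for k, v in (inherited or {}).items()}
    for name, values in own_fields(contact).items():
        merged.setdefault(name, []).extend(values)
    children = contact.findall(f"{{{NS}}}Contact")
    if not children:
        yield dict(merged, role=contact.get("role"), type=contact.get("type"))
    for child in children:
        yield from points_of_contact(child, merged)

def flatten(xml_text):
    """All complete points of contact reachable from the root Contact."""
    return list(points_of_contact(ET.fromstring(xml_text)))

# Constructed sample: an organization with two people; both inherit the
# organization's address and timezone, and one overrides the timezone.
SAMPLE = f"""<Contact xmlns="{NS}" type="organization" role="creator">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress><PAddress>1 Example Way, Anytown</PAddress></PostalAddress>
  <Timezone>+00:00</Timezone>
  <Contact type="person" role="tech">
    <ContactName>Alice Analyst</ContactName>
    <Email><EmailTo>alice@csirt.example.com</EmailTo></Email>
  </Contact>
  <Contact type="person" role="irt">
    <ContactName>Bob Responder</ContactName>
    <Telephone><TelephoneNumber>+1-555-0100</TelephoneNumber></Telephone>
    <Timezone>-05:00</Timezone>
  </Contact>
</Contact>"""

if __name__ == "__main__":
    for record in flatten(SAMPLE):
        print(record)
```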
1407 The attributes of the Contact class are:
1409 role
1410 Required. ENUM. Indicates the role the contact fulfills. These
1411 values are maintained in the "Contact-role" IANA registry per
1412 Section 10.2.
1414 1. creator. The entity that generated the document.
1416 2. reporter. The entity that reported the information.
1418 3. admin. An administrative contact or business owner for an
1419 asset or organization.
1421 4. tech. An entity responsible for the day-to-day management of
1422 technical issues for an asset or organization.
1424 5. provider. An external hosting provider for an asset.
1426 6. user. An end-user of an asset or part of an organization.
1428 7. billing. An entity responsible for billing issues for an
1429 asset or organization.
1431 8. legal. An entity responsible for legal issues related to an
1432 asset or organization.
1434 9. irt. An entity responsible for handling security issues for
1435 an asset or organization.
1437 10. abuse. An entity responsible for handling abuse originating
1438 from an asset or organization.
1440 11. cc. An entity that is to be kept informed about the events
1441 related to an asset or organization.
1443 12. cc-irt. A CSIRT or information sharing organization
1444 coordinating activity related to an asset or organization.
1446 13. leo. A law enforcement organization supporting the
1447 investigation of activity affecting an asset or organization.
1449 14. vendor. The vendor that produces an asset.
1451 15. vendor-support. A vendor that provides services.
1453 16. victim. A victim in the incident.
1455 17. victim-notified. A victim in the incident who has been
1456 notified.
1458 18. ext-value. A value used to indicate that this attribute is
1459 extended and the actual value is provided using the
1460 corresponding ext-* attribute. See Section 5.1.1.
1462 ext-role
1463 Optional. STRING. A means by which to extend the role attribute.
1464 See Section 5.1.1.
1466 type
1467 Required. ENUM. Indicates the type of contact being described.
1468 This attribute is defined as an enumerated list. These values are
1469 maintained in the "Contact-type" IANA registry per Section 10.2.
1471 1. person. The information for this contact references an
1472 individual.
1474 2. organization. The information for this contact references an
1475 organization.
1477 3. ext-value. A value used to indicate that this attribute is
1478 extended and the actual value is provided using the
1479 corresponding ext-* attribute. See Section 5.1.1.
1481 ext-type
1482 Optional. STRING. A means by which to extend the type attribute.
1483 See Section 5.1.1.
1485 restriction
1486 Optional. ENUM. See Section 3.3.1.
1488 ext-restriction
1489 Optional. STRING. A means by which to extend the restriction
1490 attribute. See Section 5.1.1.
1492 3.9.1. RegistryHandle Class
1494 The RegistryHandle class represents a handle into an Internet
1495 registry or community-specific database.
1497 +---------------------+
1498 | RegistryHandle |
1499 +---------------------+
1500 | STRING |
1501 | |
1502 | ENUM registry |
1503 | STRING ext-registry |
1504 +---------------------+
1506 Figure 13: The RegistryHandle Class
1508 The content of the class is a handle into a registry of type STRING.
1510 The attributes of the RegistryHandle class are:
1512 registry
1513 Required. ENUM. The database to which the handle belongs. These
1514 values are maintained in the "RegistryHandle-registry" IANA
1515 registry per Section 10.2. The possible values are:
1517 1. internic. Internet Network Information Center
1519 2. apnic. Asia Pacific Network Information Center
1521 3. arin. American Registry for Internet Numbers
1523 4. lacnic. Latin-American and Caribbean IP Address Registry
1525 5. ripe. Reseaux IP Europeens
1527 6. afrinic. African Internet Numbers Registry
1529 7. local. A database local to the CSIRT
1531 8. ext-value. A value used to indicate that this attribute is
1532 extended and the actual value is provided using the
1533 corresponding ext-* attribute. See Section 5.1.1.
1535 ext-registry
1536 Optional. STRING. A means by which to extend the registry
1537 attribute. See Section 5.1.1.
1539 3.9.2. PostalAddress Class
1541 The PostalAddress class specifies a postal address and associated
1542 annotation.
1544 +--------------------+
1545 | PostalAddress |
1546 +--------------------+
1547 | ENUM type |<>----------[ PAddress ]
1548 | STRING ext-type |<>--{0..*}--[ Description ]
1549 +--------------------+
1551 Figure 14: The PostalAddress Class
1553 The aggregate classes of the PostalAddress class are:
1555 PAddress
1556 One. POSTAL. A postal address.
1558 Description
1559 Zero or more. ML_STRING. A free-form text description of the
1560 address.
1562 The attributes of the PostalAddress class are:
1564 type
1565 Optional. ENUM. Categorizes the type of address described in the
1566 PAddress class. These values are maintained in the
1567 "PostalAddress-type" IANA registry per Section 10.2.
1569 1. street. An address describing a physical location.
1571 2. mailing. An address to which correspondence should be sent.
1573 3. ext-value. A value used to indicate that this attribute is
1574 extended and the actual value is provided using the
1575 corresponding ext-* attribute. See Section 5.1.1.
1577 ext-type
1578 Optional. STRING. A means by which to extend the type attribute.
1579 See Section 5.1.1.
1581 3.9.3. Email Class
1583 The Email class specifies an email address and associated annotation.
1585 +--------------------+
1586 | Email |
1587 +--------------------+
1588 | ENUM type |<>----------[ EmailTo ]
1589 | STRING ext-type |<>--{0..*}--[ Description ]
1590 +--------------------+
1592 Figure 15: The Email Class
1594 The aggregate classes of the Email class are:
1596 EmailTo
1597 One. EMAIL. An email address.
1599 Description
1600 Zero or more. ML_STRING. A free-form text description of the
1601 email address.
1603 The attributes of the Email class are:
1605 type
1606 Optional. ENUM. Categorizes the type of email address described
1607 in the EmailTo class. These values are maintained in the "Email-
1608 type" IANA registry per Section 10.2.
1610 1. direct. An email address of an individual.
1612 2. hotline. An email address regularly monitored for operational
1613 purposes.
1615 3. ext-value. A value used to indicate that this attribute is
1616 extended and the actual value is provided using the
1617 corresponding ext-* attribute. See Section 5.1.1.
1619 ext-type
1620 Optional. STRING. A means by which to extend the type attribute.
1621 See Section 5.1.1.
1623 3.9.4. Telephone Class
1625 The Telephone class describes a telephone number and associated
1626 annotation.
1628 +--------------------+
1629 | Telephone |
1630 +--------------------+
1631 | ENUM type |<>----------[ TelephoneNumber ]
1632 | STRING ext-type |<>--{0..*}--[ Description ]
1633 +--------------------+
1635 Figure 16: The Telephone Class
1637 The aggregate classes of the Telephone class are:
1639 TelephoneNumber
1640 One. PHONE. A telephone number.
1642 Description
1643 Zero or more. ML_STRING. A free-form text description of the
1644 phone number.
1646 The attributes of the Telephone class are:
1648 type
1649 Optional. ENUM. Categorizes the type of telephone number
1650 described in the TelephoneNumber class. These values are
1651 maintained in the "Telephone-type" IANA registry per Section 10.2.
1653 1. wired. A number of a wire-line (land-line) phone.
1655 2. mobile. A number of a mobile phone.
1657 3. fax. A number to a fax machine.
1659 4. hotline. A number to a regularly monitored operational
1660 hotline.
1662 5. ext-value. A value used to indicate that this attribute is
1663 extended and the actual value is provided using the
1664 corresponding ext-* attribute. See Section 5.1.1.
1666 ext-type
1667 Optional. STRING. A means by which to extend the type attribute.
1668 See Section 5.1.1.
1670 3.10. Discovery Class
1672 The Discovery class describes how an incident was detected.
1674 +------------------------+
1675 | Discovery |
1676 +------------------------+
1677 | ENUM source |<>--{0..*}--[ Description ]
1678 | STRING ext-source |<>--{0..*}--[ Contact ]
1679 | ENUM restriction |<>--{0..*}--[ DetectionPattern ]
1680 | STRING ext-restriction |
1681 +------------------------+
1683 Figure 17: The Discovery Class
1685 The aggregate classes of the Discovery class are:
1687 Description
1688 Zero or more. ML_STRING. A free-form text description of how
1689 this incident was detected.
1691 Contact
1692 Zero or more. Contact information for the party that discovered
1693 the incident. See Section 3.9.
1695 DetectionPattern
1696 Zero or more. Describes an application-specific configuration
1697 that detected the incident. See Section 3.10.1.
1699 The attributes of the Discovery class are:
1701 source
1702 Optional. ENUM. Categorizes the techniques used to discover the
1703 incident. These values are partially derived from Table 3-1 of
1704 [NIST800.61rev2]. These values are maintained in the "Discovery-
1705 source" IANA registry per Section 10.2.
1707 1. nidps. Network Intrusion Detection or Prevention system.
1709 2. hips. Host-based Intrusion Prevention system.
1711 3. siem. Security Information and Event Management System.
1713 4. av. Antivirus or antispam software.
1715 5. third-party-monitoring. Contracted third-party monitoring
1716 service.
1718 6. incident. The activity was discovered while investigating an
1719 unrelated incident.
1721 7. os-log. Operating system logs.
1723 8. application-log. Application logs.
1725 9. device-log. Network device logs.
1727 10. network-flow. Network flow analysis.
1729 11. passive-dns. Passive DNS analysis.
1731 12. investigation. Manual investigation initiated based on
1732 notification of a new vulnerability or exploit.
1734 13. audit. Security audit.
1736 14. internal-notification. A party within the organization
1737 reported the activity.
1739 15. external-notification. A party outside of the organization
1740 reported the activity.
1742 16. leo. A law enforcement organization notified the victim
1743 organization.
1745 17. partner. A customer or business partner reported the
1746 activity to the victim organization.
1748 18. actor. The threat actor directly or indirectly reported this
1749 activity to the victim organization.
1751 19. unknown. Unknown detection approach.
1753 20. ext-value. A value used to indicate that this attribute is
1754 extended and the actual value is provided using the
1755 corresponding ext-* attribute. See Section 5.1.1.
1757 ext-source
1758 Optional. STRING. A means by which to extend the source
1759 attribute. See Section 5.1.1.
1761 restriction
1762 Optional. ENUM. See Section 3.3.1.
1764 ext-restriction
1765 Optional. STRING. A means by which to extend the restriction
1766 attribute. See Section 5.1.1.
1768 3.10.1. DetectionPattern Class
1770 The DetectionPattern class describes a configuration or signature
1771 that can be used by an IDS/IPS, SIEM, anti-virus, end-point
1772 protection, network analysis, malware analysis, or host forensics
1773 tool to identify a particular phenomenon. This class requires the
1774 identification of the target application and allows the configuration
1775 to be described in either free-form or machine readable form.
1777 +------------------------+
1778 | DetectionPattern |
1779 +------------------------+
1780 | ENUM restriction |<>----------[ Application ]
1781 | STRING ext-restriction |<>--{0..*}--[ Description ]
1782 | ID observable-id |<>--{0..*}--[ DetectionConfiguration ]
1783 +------------------------+
1785 Figure 18: The DetectionPattern Class
1787 The aggregate classes of the DetectionPattern class are:
1789 Application
1790 One. SOFTWARE. The application for which the
1791 DetectionConfiguration or Description is being provided.
1793 Description
1794 Zero or more. ML_STRING. A free-form text description of how to
1795 use the Application or provided DetectionConfiguration.
1797 DetectionConfiguration
1798 Zero or more. STRING. A machine consumable configuration to find
1799 a pattern of activity.
1801 Either an instance of the Description or DetectionConfiguration class
1802 MUST be present.
1804 The attributes of the DetectionPattern class are:
1806 restriction
1807 Optional. ENUM. See Section 3.3.1.
1809 ext-restriction
1810 Optional. STRING. A means by which to extend the restriction
1811 attribute. See Section 5.1.1.
1813 observable-id
1814 Optional. ID. See Section 3.3.2.
1816 3.11. Method Class
1818 The Method class describes the tactics, techniques, procedures or
1819 weakness used by the threat actor in an incident. This class
1820 consists of both a list of references describing the attack methods
1821 and weaknesses and a free-form text description.
1823 +------------------------+
1824 | Method |
1825 +------------------------+
1826 | ENUM restriction |<>--{0..*}--[ Reference ]
1827 | STRING ext-restriction |<>--{0..*}--[ Description ]
1828 | |<>--{0..*}--[ sci:AttackPattern ]
1829 | |<>--{0..*}--[ sci:Vulnerability ]
1830 | |<>--{0..*}--[ sci:Weakness ]
1831 | |<>--{0..*}--[ AdditionalData ]
1832 +------------------------+
1834 Figure 19: The Method Class
1836 The aggregate classes of the Method class are:
1838 Reference
1839 Zero or more. A reference to a vulnerability, malware sample,
1840 advisory, or analysis of an attack technique. See Section 3.11.1.
1842 Description
1843 Zero or more. ML_STRING. A free-form text description of
1844 techniques, tactics, or procedures used by the threat actor.
1846 sci:AttackPattern
1847 Zero or more. A reference to a pattern of attack or exploitation
1848 per [RFC7203].
1850 sci:Vulnerability
1851 Zero or more. A reference to a vulnerability per [RFC7203].
1853 sci:Weakness
1854 Zero or more. A reference to the exploited weakness per [RFC7203].
1856 AdditionalData
1857 Zero or more. EXTENSION. A mechanism by which to extend the data
1858 model.
1860 An instance of at least one of these child classes MUST be present.
1862 The attributes of the Method class are:
1864 restriction
1865 Optional. ENUM. See Section 3.3.1.
1867 ext-restriction
1868 Optional. STRING. A means by which to extend the restriction
1869 attribute. See Section 5.1.1.
1871 3.11.1. Reference Class
1873 The Reference class is an external reference to relevant information
1874 such as a vulnerability, IDS alert, malware sample, advisory, or attack
1875 technique.
1877 +-------------------------+
1878 | Reference |
1879 +-------------------------+
1880 | ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
1881 | |<>--{0..*}--[ URL ]
1882 | |<>--{0..*}--[ Description ]
1883 +-------------------------+
1885 Figure 20: The Reference Class
1887 The aggregate classes of the Reference class are:
1889 enum:ReferenceName
1890 Zero or one. Reference identifier per [RFC7495].
1892 URL
1893 Zero or more. URL. A URL to a reference.
1895 Description
1896 Zero or more. ML_STRING. A free-form text description of this
1897 reference.
1899 At least one of these classes MUST be present.
1901 The attribute of the Reference class is:
1903 observable-id
1904 Optional. ID. See Section 3.3.2.
1906 3.12. Assessment Class
1908 The Assessment class describes the repercussions of the incident to
1909 the victim.
1911 +-------------------------+
1912 | Assessment |
1913 +-------------------------+
1914 | ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
1915 | ENUM restriction |<>--{0..*}--[ SystemImpact ]
1916 | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
1917 | ID observable-id |<>--{0..*}--[ TimeImpact ]
1918 | |<>--{0..*}--[ MonetaryImpact ]
1919 | |<>--{0..*}--[ IntendedImpact ]
1920 | |<>--{0..*}--[ Counter ]
1921 | |<>--{0..*}--[ MitigatingFactor ]
1922 | |<>--{0..*}--[ Cause ]
1923 | |<>--{0..1}--[ Confidence ]
1924 | |<>--{0..*}--[ AdditionalData ]
1925 +-------------------------+
1927 Figure 21: Assessment Class
1929 The aggregate classes of the Assessment class are:
1931 IncidentCategory
1932 Zero or more. ML_STRING. A free-form text description
1933 categorizing the type of Incident.
1935 SystemImpact
1936 Zero or more. A technical characterization of the impact of the
1937 incident activity on the victim's enterprise. See Section 3.12.1.
1939 BusinessImpact
1940 Zero or more. Impact of the incident activity on the business
1941 functions of the victim organization. See Section 3.12.2.
1943 TimeImpact
1944 Zero or more. A characterization of the victim organization due
1945 to the incident activity as a function of time. See
1946 Section 3.12.3.
1948 MonetaryImpact
1949 Zero or more. The financial loss due to the incident activity.
1950 See Section 3.12.4.
1952 IntendedImpact
1953 Zero or more. The intended outcome to the victim sought by the
1954 threat actor. Defined identically to the BusinessImpact defined
1955 in Section 3.12.2, but describes intent rather than the realized
1956 impact.
1958 Counter
1959 Zero or more. A counter with which to summarize the magnitude of
1960 the activity. See Section 3.18.3.
1962 MitigatingFactor
1963 Zero or more. ML_STRING. A description of a mitigating factor
1964 relative to the impact on the victim organization.
1966 Cause
1967 Zero or more. ML_STRING. A description of an underlying cause of
1968 the impact.
1970 Confidence
1971 Zero or one. An estimate of confidence in the impact assessment.
1972 See Section 3.12.5.
1974 AdditionalData
1975 Zero or more. EXTENSION. A mechanism by which to extend the data
1976 model.
1978 At least one instance of the possible five impact classes (i.e.,
1979 SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or
1980 IntendedImpact) MUST be present.
1982 The attributes of the Assessment class are:
1984 occurrence
1985 Optional. ENUM. Specifies whether the assessment is describing
1986 actual or potential outcomes.
1988 1. actual. This assessment describes activity that has occurred.
1990 2. potential. This assessment describes potential activity that
1991 might occur.
1993 restriction
1994 Optional. ENUM. See Section 3.3.1.
1996 ext-restriction
1997 Optional. STRING. A means by which to extend the restriction
1998 attribute. See Section 5.1.1.
2000 observable-id
2001 Optional. ID. See Section 3.3.2.
2003 3.12.1. SystemImpact Class
2005 The SystemImpact class describes the technical impact of the incident
2006 to the systems on the network.
2008 +-----------------------+
2009 | SystemImpact |
2010 +-----------------------+
2011 | ENUM severity |<>--{0..*}--[ Description ]
2012 | ENUM completion |
2013 | ENUM type |
2014 | STRING ext-type |
2015 +-----------------------+
2017 Figure 22: SystemImpact Class
2019 The aggregate class of the SystemImpact class is:
2021 Description
2022 Zero or more. ML_STRING. A free-form text description of the
2023 impact to the system.
2025 The attributes of the SystemImpact class are:
2027 severity
2028 Optional. ENUM. An estimate of the relative severity of the
2029 activity. The permitted values are shown below. There is no
2030 default value.
2032 1. low. Low severity
2034 2. medium. Medium severity
2036 3. high. High severity
2038 completion
2039 Optional. ENUM. An indication whether the described activity was
2040 successful. The permitted values are shown below. There is no
2041 default value.
2043 1. failed. The attempted activity was not successful.
2045 2. succeeded. The attempted activity succeeded.
2047 type
2048 Required. ENUM. Classifies the impact. The permitted values are
2049 shown below. The default value is "unknown". These values are
2050 maintained in the "SystemImpact-type" IANA registry per
2051 Section 10.2.
2053 1. takeover-account. Control was taken of a given account.
2055 2. takeover-service. Control was taken of a given service.
2057 3. takeover-system. Control was taken of a given system.
2059 4. cps-manipulation. A cyber-physical system was manipulated.
2061 5. cps-damage. A cyber-physical system was damaged.
2063 6. availability-data. Access to particular data was degraded or
2064 denied.
2066 7. availability-account. Access to an account was degraded or
2067 denied.
2069 8. availability-service. Access to a service was degraded or
2070 denied.
2072 9. availability-system. Access to a system was degraded or
2073 denied.
2075 10. damaged-system. Hardware on a system was irreparably
2076 damaged.
2078 11. damaged-data. Data on a system was deleted.
2080 12. breach-proprietary. Sensitive or proprietary information was
2081 accessed or exfiltrated.
2083 13. breach-privacy. Personally identifiable information was
2084 accessed or exfiltrated.
2086 14. breach-credential. Credential information was accessed or
2087 exfiltrated.
2089 15. breach-configuration. System configuration or data inventory
2090 was accessed or exfiltrated.
2092 16. integrity-data. Data on the system was modified.
2094 17. integrity-configuration. Application or system configuration
2095 was modified.
2097 18. integrity-hardware. Firmware of a hardware component was
2098 modified.
2100 19. traffic-redirection. Network traffic on the system was
2101 redirected.
2103 20. monitoring-traffic. Network traffic emerging from a host or
2104 enclave was monitored.
2106 21. monitoring-host. System activity (e.g., running processes,
2107 keystrokes) was monitored.
2109 22. policy. Activity violated the system owner's acceptable use
2110 policy.
2112 23. unknown. The impact is unknown.
2114 24. ext-value. A value used to indicate that this attribute is
2115 extended and the actual value is provided using the
2116 corresponding ext-* attribute. See Section 5.1.1.
2118 ext-type
2119 Optional. STRING. A means by which to extend the type attribute.
2120 See Section 5.1.1.
2122 3.12.2. BusinessImpact Class
2124 The BusinessImpact class describes and characterizes the degree to
2125 which the function of the organization was impacted by the Incident.
2127 +-------------------------+
2128 | BusinessImpact |
2129 +-------------------------+
2130 | ENUM severity |<>--{0..*}--[ Description ]
2131 | STRING ext-severity |
2132 | ENUM type |
2133 | STRING ext-type |
2134 +-------------------------+
2136 Figure 23: BusinessImpact Class
2138 The aggregate class of the BusinessImpact class is:
2140 Description
2141 Zero or more. ML_STRING. A free-form text description of the
2142 impact to the organization.
2144 The attributes of the BusinessImpact class are:
2146 severity
2147 Optional. ENUM. Characterizes the severity of the incident on
2148 business functions. The permitted values are shown below. They
2149 were derived from Table 3-2 of [NIST800.61rev2]. The default
2150 value is "unknown". These values are maintained in the
2151 "BusinessImpact-severity" IANA registry per Section 10.2.
2153 1. none. No effect to the organization's ability to provide all
2154 services to all users.
2156 2. low. Minimal effect as the organization can still provide all
2157 critical services to all users but has lost efficiency.
2159 3. medium. The organization has lost the ability to provide a
2160 critical service to a subset of system users.
2162 4. high. The organization is no longer able to provide some
2163 critical services to any users.
2165 5. unknown. The impact is not known.
2167 6. ext-value. A value used to indicate that this attribute is
2168 extended and the actual value is provided using the
2169 corresponding ext-* attribute. See Section 5.1.1.
2171 ext-severity
2172 Optional. STRING. A means by which to extend the severity
2173 attribute. See Section 5.1.1.
2175 type
2176 Required. ENUM. Characterizes the effect this incident had on
2177 the business. The permitted values are shown below. The default
2178 value is "unknown". These values are maintained in the
2179 "BusinessImpact-type" IANA registry per Section 10.2.
2181 1. breach-proprietary. Sensitive or proprietary information was
2182 accessed or exfiltrated.
2184 2. breach-privacy. Personally identifiable information was
2185 accessed or exfiltrated.
2187 3. breach-credential. Credential information was accessed or
2188 exfiltrated.
2190 4. loss-of-integrity. Sensitive or proprietary information was
2191 changed or deleted.
2193 5. loss-of-service. Service delivery was disrupted.
2195 6. theft-financial. Money was stolen.
2197 7. theft-service. Services were misappropriated.
2199 8. degraded-reputation. The reputation of the organization's
2200 brand was diminished.
2202 9. asset-damage. A cyber-physical system was damaged.
2204 10. asset-manipulation. A cyber-physical system was manipulated.
2206 11. legal. The incident resulted in legal or regulatory action.
2208 12. extortion. The incident resulted in actors extorting the
2209 victim organization.
2211 13. unknown. The impact is unknown.
2213 14. ext-value. A value used to indicate that this attribute is
2214 extended and the actual value is provided using the
2215 corresponding ext-* attribute. See Section 5.1.1.
2217 ext-type
2218 Optional. STRING. A means by which to extend the type attribute.
2219 See Section 5.1.1.
2221 3.12.3. TimeImpact Class
2223 The TimeImpact class describes the impact of the incident on an
2224 organization as a function of time. It provides a way to convey
2225 downtime and recovery time.
2227 +---------------------+
2228 | TimeImpact |
2229 +---------------------+
2230 | REAL |
2231 | |
2232 | ENUM severity |
2233 | ENUM metric |
2234 | STRING ext-metric |
2235 | ENUM duration |
2236 | STRING ext-duration |
2237 +---------------------+
2239 Figure 24: TimeImpact Class
2241 The content of the class is of type REAL and specifies an amount of
2242 time. The duration attribute provides units for this content; and
2243 the metric attribute explains what this content is measuring.
2245 The attributes of the TimeImpact class are:
2247 severity
2248 Optional. ENUM. An estimate of the relative severity of the
2249 activity. The permitted values are shown below. There is no
2250 default value.
2252 1. low. Low severity
2254 2. medium. Medium severity
2256 3. high. High severity
2258 metric
2259 Required. ENUM. Defines the meaning of the value in the element
2260 content. These values are maintained in the "TimeImpact-metric"
2261 IANA registry per Section 10.2.
2263 1. labor. Total staff-time to recover from the activity (e.g.,
2264 2 employees working 4 hours each would be 8 hours).
2266 2. elapsed. Elapsed time from the beginning of the recovery to
2267 its completion (i.e., wall-clock time).
2269 3. downtime. Duration of time for which some provided service(s)
2270 was not available.
2272 4. ext-value. A value used to indicate that this attribute is
2273 extended and the actual value is provided using the
2274 corresponding ext-* attribute. See Section 5.1.1.
2276 ext-metric
2277 Optional. STRING. A means by which to extend the metric
2278 attribute. See Section 5.1.1.
2280 duration
2281 Optional. ENUM. Defines the unit of time for the value in the
2282 element content. The default value is "hour". These values are
2283 maintained in the "TimeImpact-duration" IANA registry per
2284 Section 10.2.
2286 1. second. The unit of the element content is seconds.
2288 2. minute. The unit of the element content is minutes.
2290 3. hour. The unit of the element content is hours.
2292 4. day. The unit of the element content is days.
2294 5. month. The unit of the element content is months.
2296 6. quarter. The unit of the element content is quarters.
2298 7. year. The unit of the element content is years.
2300 8. ext-value. A value used to indicate that this attribute is
2301 extended and the actual value is provided using the
2302 corresponding ext-* attribute. See Section 5.1.1.
2304 ext-duration
2305 Optional. STRING. A means by which to extend the duration
2306 attribute. See Section 5.1.1.
2308 3.12.4. MonetaryImpact Class
2310 The MonetaryImpact class describes the financial impact of the
2311 activity on an organization. For example, this impact may consider
2312 losses due to the cost of the investigation or recovery, diminished
2313 productivity of the staff, or a tarnished reputation that will affect
2314 future opportunities.
2316 +------------------+
2317 | MonetaryImpact |
2318 +------------------+
2319 | REAL |
2320 | |
2321 | ENUM severity |
2322 | STRING currency |
2323 +------------------+
2325 Figure 25: MonetaryImpact Class
2327 The content of the class is of type REAL and specifies a quantity of
2328 money. The currency attribute defines the currency of this value.
2330 The attributes of the MonetaryImpact class are:
2332 severity
2333 Optional. ENUM. An estimate of the relative severity of the
2334 activity. The permitted values are shown below. There is no
2335 default value.
2337 1. low. Low severity
2339 2. medium. Medium severity
2341 3. high. High severity
2343 currency
2344 Optional. STRING. Defines the currency in which the value in the
2345 element content is expressed. The permitted values are defined in
2346 "Codes for the representation of currencies and funds" of
2347 [ISO4217]. There is no default value.
2349 3.12.5. Confidence Class
2351 The Confidence class represents an estimate of the validity and
2352 accuracy of data expressed in the document. This estimate can be
2353 expressed as a category or a numeric calculation.
2355 +-------------------+
2356 | Confidence |
2357 +-------------------+
2358 | REAL |
2359 | |
2360 | ENUM rating |
2361 | STRING ext-rating |
2362 +-------------------+
2364 Figure 26: Confidence Class
2366 The content of the class is of type REAL and specifies a numerical
2367 assessment in the confidence of the data when the value of the rating
2368 attribute is "numeric". Otherwise, this element MUST be empty.
2370 The attributes of the Confidence class are:
2372 rating
2373 Required. ENUM. A qualitative assessment of confidence. These
2374 values are maintained in the "Confidence-rating" IANA registry per
2375 Section 10.2.
2377 1. low. Low confidence.
2379 2. medium. Medium confidence.
2381 3. high. High confidence.
2383 4. numeric. The element content contains a number that conveys
2384 the confidence of the data. The semantics of this number are
2385 outside the scope of this specification.
2387 5. unknown. The confidence rating value is not known.
2389 6. ext-value. A value used to indicate that this attribute is
2390 extended and the actual value is provided using the
2391 corresponding ext-* attribute. See Section 5.1.1.
2393 ext-rating
2394 Optional. STRING. A means by which to extend the rating
2395 attribute. See Section 5.1.1.
2397 3.13. History Class
2399 The History class is a log of the significant events or actions
2400 performed by the involved parties during the course of handling the
2401 incident.
2403 The level of detail maintained in this log is left up to the
2404 discretion of those handling the incident.
2406 +------------------------+
2407 | History |
2408 +------------------------+
2409 | ENUM restriction |<>--{1..*}--[ HistoryItem ]
2410 | STRING ext-restriction |
2411 +------------------------+
2413 Figure 27: The History Class
2415 The aggregate classes of the History class are:
2417 HistoryItem
2418 One or more. An entry in the history log of significant events or
2419 actions performed by the involved parties. See Section 3.13.1.
2421 The attributes of the History class are:
2423 restriction
2424 Optional. ENUM. See Section 3.3.1.
2426 ext-restriction
2427 Optional. STRING. A means by which to extend the restriction
2428 attribute. See Section 5.1.1.
2430 3.13.1. HistoryItem Class
2432 The HistoryItem class is an entry in the History (Section 3.13) log
2433 that documents a particular action or event that occurred in the
2434 course of handling the incident. The details of the entry are a
2435 free-form text description, but each can be categorized with the type
2436 attribute.
2438 +-------------------------+
2439 | HistoryItem |
2440 +-------------------------+
2441 | ENUM action |<>----------[ DateTime ]
2442 | STRING ext-action |<>--{0..1}--[ IncidentID ]
2443 | ENUM restriction |<>--{0..1}--[ Contact ]
2444 | STRING ext-restriction |<>--{0..*}--[ Description ]
2445 | ID observable-id |<>--{0..*}--[ DefinedCOA ]
2446 | |<>--{0..*}--[ AdditionalData ]
2447 +-------------------------+
2449 Figure 28: HistoryItem Class
2451 The aggregate classes of the HistoryItem class are:
2453 DateTime
2454 One. DATETIME. A timestamp of this entry in the history log.
2456 IncidentID
2457 Zero or one. In a history log created by multiple parties, the
2458 IncidentID provides a mechanism to specify which CSIRT created a
2459 particular entry and references this organization's tracking
2460 number. When a single organization is maintaining the log, this
2461 class can be ignored. See Section 3.4.
2463 Contact
2464 Zero or one. Provides contact information for the entity that
2465 performed the action documented in this class. See Section 3.9.
2467 Description
2468 Zero or more. ML_STRING. A free-form text description of the
2469 action or event.
2471 DefinedCOA
2472 Zero or more. STRING. An identifier meaningful to the sender and
2473 recipient of this document that references a course of action
2474 (COA). This class MUST be present if the action attribute is set
2475 to "defined-coa".
2477 AdditionalData
2478 Zero or more. EXTENSION. A mechanism by which to extend the data
2479 model.
2481 The attributes of the HistoryItem class are:
2483 action
2484 Required. ENUM. Classifies a performed action or occurrence
2485 documented in this history log entry. As activity will likely
2486 have been instigated either through a previously conveyed
2487 expectation or an internal investigation, this attribute is
2488 identical to the action attribute of the Expectation class. The
2489 difference is only one of tense. When an action is in this class,
2490 it has been completed. See Section 3.15.
2492 ext-action
2493 Optional. STRING. A means by which to extend the action
2494 attribute. See Section 5.1.1.
2496 restriction
2497 Optional. ENUM. See Section 3.3.1.
2499 ext-restriction
2500 Optional. STRING. A means by which to extend the restriction
2501 attribute. See Section 5.1.1.
2503 observable-id
2504 Optional. ID. See Section 3.3.2.
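Several of the classes above carry co-occurrence rules that an XML schema alone does not express: DetectionPattern needs a Description or a DetectionConfiguration, Method and Reference each need at least one child, Assessment needs one of the five impact classes, Confidence MUST be empty unless its rating is "numeric", HistoryItem needs a DefinedCOA when its action is "defined-coa", and any ENUM set to "ext-value" needs its matching ext-* attribute (Section 5.1.1). The following Python checker is an added example, not code from the draft or from any IODEF implementation, that enforces exactly those rules over a parsed document. It assumes the IODEF v2 namespace urn:ietf:params:xml:ns:iodef-2.0, which this excerpt does not state; both sample documents are constructed, and the Incident root of the second one stands in for the enclosing Incident whose other children are omitted.

```python
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace; it is not stated in this excerpt of the draft.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

IMPACT_CLASSES = {"SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact"}


def local_name(tag):
    """'{namespace}Name' -> 'Name'; also strips the enum: and sci: namespaces."""
    return tag.rsplit("}", 1)[-1]


def check_element(elem):
    """Return the MUST-rule violations of one element as a list of strings.

    Rules covered, all taken from the class descriptions in the draft:
    DetectionPattern, Method, Reference, Assessment, Confidence and
    HistoryItem, plus the generic rule that an ENUM set to "ext-value"
    needs its matching ext-* attribute (Section 5.1.1).
    """
    name = local_name(elem.tag)
    kids = {local_name(child.tag) for child in elem}
    text = (elem.text or "").strip()
    errors = []

    if name == "DetectionPattern":
        if "Application" not in kids:
            errors.append("Application is required")
        if not kids & {"Description", "DetectionConfiguration"}:
            errors.append("either Description or DetectionConfiguration MUST be present")
    elif name == "Method" and not kids:
        errors.append("at least one child class MUST be present")
    elif name == "Reference" and not kids:
        errors.append("at least one of ReferenceName, URL or Description MUST be present")
    elif name == "Assessment" and not kids & IMPACT_CLASSES:
        errors.append("at least one of the five impact classes MUST be present")
    elif name == "Confidence":
        rating = elem.get("rating")
        if rating is None:
            errors.append("rating attribute is required")
        elif rating == "numeric" and not text:
            errors.append("rating='numeric' requires numeric element content")
        elif rating != "numeric" and text:
            errors.append("element content MUST be empty unless rating='numeric'")
    elif name == "HistoryItem":
        if "DateTime" not in kids:
            errors.append("DateTime is required")
        if elem.get("action") == "defined-coa" and "DefinedCOA" not in kids:
            errors.append("action='defined-coa' requires a DefinedCOA child")

    # The ext-value convention applies to every ENUM attribute in the model.
    for attr, value in elem.attrib.items():
        if value == "ext-value" and not elem.get("ext-" + attr):
            errors.append(f"{attr}='ext-value' without a matching ext-{attr}")

    return [f"{name}: {msg}" for msg in errors]


def validate(xml_text):
    """Run check_element over every element of a document, in document order."""
    root = ET.fromstring(xml_text)
    return [msg for elem in root.iter() for msg in check_element(elem)]


# Constructed sample that satisfies every rule above.  The Application content
# (type SOFTWARE) is defined elsewhere in the draft and is left empty here.
GOOD_SAMPLE = f"""
<EventData xmlns="{IODEF_NS}">
  <Discovery source="siem">
    <DetectionPattern>
      <Application/>
      <DetectionConfiguration>constructed correlation rule text</DetectionConfiguration>
    </DetectionPattern>
  </Discovery>
  <Method>
    <Reference><URL>https://example.com/advisory/constructed</URL></Reference>
  </Method>
  <Assessment>
    <BusinessImpact type="loss-of-service"/>
    <Confidence rating="high"/>
  </Assessment>
</EventData>
"""

# Constructed sample with three deliberate violations.
BAD_SAMPLE = f"""
<Incident xmlns="{IODEF_NS}">
  <Assessment>
    <Confidence rating="low">0.5</Confidence>
  </Assessment>
  <History>
    <HistoryItem action="defined-coa">
      <DateTime>2017-01-01T00:00:00Z</DateTime>
    </HistoryItem>
  </History>
</Incident>
"""

if __name__ == "__main__":
    print(validate(GOOD_SAMPLE))   # []
    for problem in validate(BAD_SAMPLE):
        print(problem)
```

Running the checker on BAD_SAMPLE reports the missing impact class on Assessment, the non-empty Confidence with a non-numeric rating, and the HistoryItem whose action is "defined-coa" without a DefinedCOA. A receiving CSIRT that rejects or quarantines such documents at ingest avoids acting on an expectation or assessment whose meaning the sender left ambiguous.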
2506 3.14. EventData Class
2508 The EventData class is a container class to organize data about
2509 events that occurred during an incident.
2511 +-------------------------+
2512 | EventData |
2513 +-------------------------+
2514 | ENUM restriction |<>--{0..*}--[ Description ]
2515 | STRING ext-restriction |<>--{0..1}--[ DetectTime ]
2516 | ID observable-id |<>--{0..1}--[ StartTime ]
2517 | |<>--{0..1}--[ EndTime ]
2518 | |<>--{0..1}--[ RecoveryTime ]
2519 | |<>--{0..1}--[ ReportTime ]
2520 | |<>--{0..*}--[ Contact ]
2521 | |<>--{0..*}--[ Discovery ]
2522 | |<>--{0..1}--[ Assessment ]
2523 | |<>--{0..*}--[ Method ]
2524 | |<>--{0..*}--[ Flow ]
2525 | |<>--{0..*}--[ Expectation ]
2526 | |<>--{0..1}--[ Record ]
2527 | |<>--{0..*}--[ EventData ]
2528 | |<>--{0..*}--[ AdditionalData ]
2529 +-------------------------+
2531 Figure 29: The EventData Class
2533 The aggregate classes of the EventData class are:
2535 Description
2536 Zero or more. ML_STRING. A free-form text description of the
2537 event.
2539 DetectTime
2540 Zero or one. DATETIME. The time the event was detected.
2542 StartTime
2543 Zero or one. DATETIME. The time the event started.
2545 EndTime
2546 Zero or one. DATETIME. The time the event ended.
2548 RecoveryTime
2549 Zero or one. DATETIME. The time the site recovered from the
2550 event.
2552 ReportTime
2553 Zero or one. DATETIME. The time the event was reported.
2555 Contact
2556 Zero or more. Contact information for the parties involved in the
2557 event. See Section 3.9.
2559 Discovery
2560 Zero or more. The means by which the event was detected. See
2561 Section 3.10.
2563 Assessment
2564 Zero or one. The impact of the event on the victim and the
2565 actions taken. See Section 3.12.
2567 Method
2568 Zero or more. The technique used by the threat actor in the
2569 event. See Section 3.11.
2571 Flow
2572 Zero or more. A description of the systems or networks involved.
2573 See Section 3.16.
2575 Expectation
2576 Zero or more. The expected action to be performed by the
2577 recipient for the described event. See Section 3.15.
2579 Record
2580 Zero or one. Supportive data (e.g., log files) that provides
2581 additional information about the event. See Section 3.22.
2583 EventData
2584 Zero or more. A recursive definition of the EventData class. See
2585 Section 3.14.2 for an explanation on using this class.
2587 AdditionalData
2588 Zero or more. EXTENSION. An extension mechanism for data not
2589 explicitly represented in the data model.
2591 At least one of the aggregate classes MUST be present in an instance
2592 of the EventData class.
2594 The attributes of the EventData class are:
2596 restriction
2597 Optional. ENUM. See Section 3.3.1. The default value is
2598 "default".
2600 ext-restriction
2601 Optional. STRING. A means by which to extend the restriction
2602 attribute. See Section 5.1.1.
2604 observable-id
2605 Optional. ID. See Section 3.3.2.
2607 3.14.1. Relating the Incident and EventData Classes
2609 There is substantial overlap in the child classes aggregated in the
2610 Incident and EventData classes. Nevertheless, the semantics of these
2611 classes are quite different. The Incident class provides summary
2612 information about the entire incident, while the EventData class
2613 provides information about the individual events comprising the
2614 incident. In the common case, the EventData class will provide more
2615 specific information for the general description provided in the
2616 Incident class. However, in the case where the summarized
2617 information in the Incident class conflicts with the detailed
2618 information in an EventData class, the more specific EventData class
2619 MUST supersede the more generic information provided in the Incident
2620 class.
2621 3.14.2. Recursive Definition of EventData
2623 The EventData class is a container for the properties of an event in an
2624 incident. These properties include: the hosts involved, impact of
2625 the incident activity on the hosts, forensic logs, etc. The
2626 recursive definition of EventData allows for the grouping of related
2627 information with common properties. This approach eliminates the
2628 need for explicit identifiers to relate information or duplicate it.
2629 Instead, the relative depth (nesting) of a class is used to group
2630 (relate) information.
2632 For example, consider a case where two hosts experience different
2633 impacts during an incident but share common contact
2634 information. A depiction of how this situation would be
2635 represented can be found in Figure 30. EventData (2) and (3) group
2636 each of the two hosts with their unique impact. EventData (1)
2637 describes the common Contact class these two hosts share.
2639 +------------------+
2640 | EventData (1)    |
2641 +------------------+
2642 |                  |<>----[ Contact ]
2643 |                  |
2644 |                  |<>----[ EventData (2) ]<>----[ Flow ]
2645 |                  |      [               ]<>----[ Assessment ]
2646 |                  |
2647 |                  |<>----[ EventData (3) ]<>----[ Flow ]
2648 |                  |      [               ]<>----[ Assessment ]
2649 +------------------+
2651 Figure 30: Recursion in the EventData Class
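The grouping rule can be made concrete in code. The following is an added example, not part of the draft: it builds the Figure 30 structure with Python's ElementTree and then resolves, for each host, the Contact that is in effect by walking the nesting rather than following any identifier. The namespace URN and the ContactName and SystemImpact child classes (inside Contact and Assessment) are assumed from the IODEF v2 specification; this section does not define them.

```python
"""Added example (not part of the draft): build the Figure 30 EventData
tree and resolve the Contact in effect for each host by nesting depth."""
import xml.etree.ElementTree as ET

# The namespace URN and the ContactName and SystemImpact child classes are
# assumed from the IODEF v2 specification; this section does not define them.
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    """Tag name qualified with the IODEF namespace."""
    return "{%s}%s" % (NS, name)


def build_figure_30():
    """EventData (1) carries the shared Contact; EventData (2) and (3) each
    group one host (Flow/System/Node/Address) with its own Assessment.
    Addresses (RFC 5737 test range), names and severities are constructed."""
    outer = ET.Element(q("EventData"))
    contact = ET.SubElement(outer, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = "Example CSIRT"

    for addr, severity in [("192.0.2.10", "high"), ("192.0.2.20", "low")]:
        inner = ET.SubElement(outer, q("EventData"))
        flow = ET.SubElement(inner, q("Flow"))
        system = ET.SubElement(flow, q("System"), category="target")
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), category="ipv4-addr").text = addr
        assessment = ET.SubElement(inner, q("Assessment"))
        ET.SubElement(assessment, q("SystemImpact"), type="unknown", severity=severity)
    return outer


def resolve_hosts(event, inherited=()):
    """Return [(address, severity, [contact names in effect])] for every host
    at this EventData or below. A Contact applies to the EventData that holds
    it and to every EventData nested inside, so the names accumulate as the
    walk descends: the depth relates Contact to host, not an identifier."""
    own = [c.findtext(q("ContactName")) for c in event.findall(q("Contact"))]
    in_effect = list(inherited) + own
    impact = event.find("./%s/%s" % (q("Assessment"), q("SystemImpact")))
    severity = impact.get("severity") if impact is not None else None
    rows = []
    host_path = "./%s/%s/%s/%s" % (q("Flow"), q("System"), q("Node"), q("Address"))
    for addr in event.iterfind(host_path):
        rows.append((addr.text, severity, in_effect))
    for child in event.findall(q("EventData")):
        rows.extend(resolve_hosts(child, in_effect))
    return rows


def to_xml(event):
    """Serialize with the IODEF namespace as the default namespace."""
    ET.register_namespace("", NS)
    return ET.tostring(event, encoding="unicode")


if __name__ == "__main__":
    tree = build_figure_30()
    print(to_xml(tree))
    for row in resolve_hosts(tree):
        print(row)
```

Running `resolve_hosts` on one of the inner EventData elements alone yields an empty contact list, which is the point: the Contact belongs to the enclosing level and is inherited only through the nesting.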
2653 3.15. Expectation Class
2655 The Expectation class conveys to the recipient of the IODEF document
2656 the actions the sender is requesting.
2658 +-------------------------+
2659 | Expectation             |
2660 +-------------------------+
2661 | ENUM action             |<>--{0..*}--[ Description ]
2662 | STRING ext-action       |<>--{0..*}--[ DefinedCOA ]
2663 | ENUM severity           |<>--{0..1}--[ StartTime ]
2664 | ENUM restriction        |<>--{0..1}--[ EndTime ]
2665 | STRING ext-restriction  |<>--{0..1}--[ Contact ]
2666 | ID observable-id        |
2667 +-------------------------+
2669 Figure 31: The Expectation Class
2671 The aggregate classes of the Expectation class are:
2673 Description
2674 Zero or more. ML_STRING. A free-form text description of the
2675 desired action(s).
2677 DefinedCOA
2678 Zero or more. STRING. A unique identifier meaningful to the
2679 sender and recipient of this document that references a course of
2680 action. This class MUST be present if the action attribute is set
2681 to "defined-coa".
2683 StartTime
2684 Zero or one. DATETIME. The time at which the sender would like
2685 the action performed. A timestamp that is earlier than the
2686 ReportTime specified in the Incident class denotes that the sender
2687 would like the action performed as soon as possible. The absence
2688 of this element indicates no expectations of when the recipient
2689 would like the action performed.
2691 EndTime
2692 Zero or one. DATETIME. The time by which the sender expects the
2693 recipient to complete the action. If the recipient cannot
2694 complete the action before EndTime, the recipient MUST NOT carry
2695 out the action. Because of transit delays and clock drift, the
2696 sender MUST be prepared for the recipient to have carried out the
2697 action, even if it completes past EndTime.
2699 Contact
2700 Zero or one. The entity expected to perform the action. See
2701 Section 3.9.
2703 The attributes of the Expectation class are:
2705 action
2706 Optional. ENUM. Classifies the type of action requested. The
2707 default value is "other". These values are maintained in the
2708 "Expectation-action" IANA registry per Section 10.2.
2710 1. nothing. No action is requested. Do nothing with the
2711 information.
2713 2. contact-source-site. Contact the site(s) identified as the
2714 source of the activity.
2716 3. contact-target-site. Contact the site(s) identified as the
2717 target of the activity.
2719 4. contact-sender. Contact the originator of the document.
2721 5. investigate. Investigate the system(s) listed in the event.
2723 6. block-host. Block traffic from the machine(s) listed as
2724 sources in the event.
2726 7. block-network. Block traffic from the network(s) listed as
2727 sources in the event.
2729 8. block-port. Block the port(s) listed as sources in the event.
2731 9. rate-limit-host. Rate-limit the traffic from the machine(s)
2732 listed as sources in the event.
2734 10. rate-limit-network. Rate-limit the traffic from the
2735 network(s) listed as sources in the event.
2737 11. rate-limit-port. Rate-limit the port(s) listed as sources in
2738 the event.
2740 12. redirect-traffic. Redirect traffic from the intended
2741 recipient for further analysis.
2743 13. honeypot. Redirect traffic from systems listed in the event
2744 to a honeypot for further analysis.
2746 14. upgrade-software. Upgrade or patch the software or firmware
2747 on an asset listed in the event.
2749 15. rebuild-asset. Reinstall the operating system or
2750 applications on an asset listed in the event.
2752 16. harden-asset. Change the configuration an asset listed in
2753 the event to reduce the attack surface.
2755 17. remediate-other. Remediate the activity in a way other than
2756 by rate limiting or blocking.
2758 18. status-triage. Confirm receipt and begin triaging the
2759 incident.
2761 19. status-new-info. Notify the sender when new information is
2762 received for this incident.
2764 20. watch-and-report. Watch for the described activity or
2765 indicators, and notify the sender when seen.
2767 21. training. Train users to identify or mitigate the described
2768 threat.
2770 22. defined-coa. Perform a predefined course of action (COA).
2771 The COA is named in the DefinedCOA class.
2773 23. other. Perform a custom action described in the Description
2774 class.
2776 24. ext-value. A value used to indicate that this attribute is
2777 extended and the actual value is provided using the
2778 corresponding ext-* attribute. See Section 5.1.1.
2780 ext-action
2781 Optional. STRING. A means by which to extend the action
2782 attribute. See Section 5.1.1.
2784 severity
2785 Optional. ENUM. Indicates the desired priority of the action.
2786 This attribute is an enumerated list with no default value, and
2787 the semantics of these relative measures are context dependent.
2789 1. low. Low priority
2791 2. medium. Medium priority
2793 3. high. High priority
2795 restriction
2796 Optional. ENUM. See Section 3.3.1. The default value is
2797 "default".
2799 ext-restriction
2800 Optional. STRING. A means by which to extend the restriction
2801 attribute. See Section 5.1.1.
2803 observable-id
2804 Optional. ID. See Section 3.3.2.
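The timing rules above (StartTime before ReportTime means "as soon as possible"; an action that cannot finish before EndTime MUST NOT be carried out) and the DefinedCOA requirement are the checks a recipient applies before acting. The following is an added example, not part of the draft, showing that recipient-side logic in Python; the namespace URN is assumed from the IODEF v2 specification, and the Expectation instance is constructed sample data.

```python
"""Added example (not part of the draft): recipient-side handling of the
Expectation class timing rules and the DefinedCOA requirement (Section 3.15)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed from the IODEF v2 specification


def q(name):
    return "{%s}%s" % (NS, name)


def parse_dt(text):
    """DATETIME values are ISO 8601 timestamps; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def load_expectation(xml_text):
    return ET.fromstring(xml_text)


def validate_expectation(exp):
    """MUST-level problems in one Expectation element, as a list of strings."""
    problems = []
    if exp.get("action", "other") == "defined-coa" and exp.find(q("DefinedCOA")) is None:
        problems.append("action='defined-coa' but no DefinedCOA class")
    start, end = exp.findtext(q("StartTime")), exp.findtext(q("EndTime"))
    if start and end and parse_dt(start) > parse_dt(end):
        problems.append("StartTime is later than EndTime")
    return problems


def schedule_action(exp, report_time, now, expected_seconds):
    """Decide when the recipient should act; returns (decision, when).
      'asap'            StartTime precedes the Incident's ReportTime
      'at'              act at StartTime (or now, if StartTime has passed)
      'no-expectation'  no StartTime was given
      'skip'            the action could not finish before EndTime, so the
                        recipient MUST NOT carry it out
    Late completion caused by transit delay or clock drift is something the
    sender has to tolerate; it is not decided here."""
    start, end = exp.findtext(q("StartTime")), exp.findtext(q("EndTime"))
    if start is None:
        decision, planned = "no-expectation", now
    elif parse_dt(start) < report_time:
        decision, planned = "asap", now
    else:
        decision, planned = "at", max(parse_dt(start), now)
    if end is not None:
        deadline = parse_dt(end)
        if planned + timedelta(seconds=expected_seconds) > deadline:
            return "skip", deadline
    return decision, planned


# Constructed sample: a request to block a host, wanted immediately.
SAMPLE = """<Expectation xmlns="%s" action="block-host" severity="high">
  <Description>Block the listed source host at the border.</Description>
  <StartTime>2024-01-10T08:00:00Z</StartTime>
  <EndTime>2024-01-10T20:00:00Z</EndTime>
</Expectation>""" % NS

if __name__ == "__main__":
    exp = load_expectation(SAMPLE)
    report = parse_dt("2024-01-10T09:00:00Z")
    now = parse_dt("2024-01-10T09:30:00Z")
    print(validate_expectation(exp))
    print(schedule_action(exp, report, now, 3600))       # asap
    print(schedule_action(exp, report, now, 12 * 3600))  # skip: would end after EndTime
```

The `expected_seconds` argument is the recipient's own estimate of how long the action takes; the decision compares the planned start plus that estimate against EndTime, which is the test the text asks the recipient to make.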
2806 3.16. Flow Class
2808 The Flow class describes the systems and networks involved in the
2809 incident and the relationships between them.
2811 +------------------+
2812 | Flow             |
2813 +------------------+
2814 |                  |<>--{1..*}--[ System ]
2815 +------------------+
2817 Figure 32: The Flow Class
2819 The aggregate class of the Flow class is:
2821 System
2822 One or more. A host or network involved in an event. See
2823 Section 3.17.
2825 The Flow class has no attributes.
2827 3.17. System Class
2829 The System class describes a system or network involved in an event.
2831 +------------------------+
2832 | System                 |
2833 +------------------------+
2834 | ENUM category          |<>----------[ Node ]
2835 | STRING ext-category    |<>--{0..*}--[ NodeRole ]
2836 | STRING interface       |<>--{0..*}--[ Service ]
2837 | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
2838 | ENUM virtual           |<>--{0..*}--[ Counter ]
2839 | ENUM ownership         |<>--{0..*}--[ AssetID ]
2840 | STRING ext-ownership   |<>--{0..*}--[ Description ]
2841 | ENUM restriction       |<>--{0..*}--[ AdditionalData ]
2842 | STRING ext-restriction |
2843 | ID observable-id       |
2844 +------------------------+
2846 Figure 33: The System Class
2848 The aggregate classes of the System class are:
2850 Node
2851 One. A host or network involved in the incident. See
2852 Section 3.18.
2854 NodeRole
2855 Zero or more. The intended purpose of the system. See
2856 Section 3.18.2.
2858 Service
2859 Zero or more. A network service running on the system. See
2860 Section 3.20.
2862 OperatingSystem
2863 Zero or more. SOFTWARE. The operating system running on the
2864 system.
2866 Counter
2867 Zero or more. A counter with which to summarize properties of
2868 this host or network. See Section 3.18.3.
2870 AssetID
2871 Zero or more. STRING. An asset identifier for the System.
2873 Description
2874 Zero or more. ML_STRING. A free-form text description of the
2875 System.
2877 AdditionalData
2878 Zero or more. EXTENSION. A mechanism by which to extend the data
2879 model.
2881 The attributes of the System class are:
2883 category
2884 Optional. ENUM. Classifies the role the host or network played
2885 in the incident. These values are maintained in the "System-
2886 category" IANA registry per Section 10.2.
2888 1. source. The System was the source of the event.
2890 2. target. The System was the target of the event.
2892 3. intermediate. The System was an intermediary in the event.
2894 4. sensor. The System was a sensor monitoring the event.
2896 5. infrastructure. The System was an infrastructure node of
2897 IODEF document exchange.
2899 6. ext-value. A value used to indicate that this attribute is
2900 extended and the actual value is provided using the
2901 corresponding ext-* attribute. See Section 5.1.1.
2903 ext-category
2904 Optional. STRING. A means by which to extend the category
2905 attribute. See Section 5.1.1.
2907 interface
2908 Optional. STRING. Specifies the interface on which the event(s)
2909 on this System originated. If the Node class specifies a network
2910 rather than a host, this attribute has no meaning.
2912 spoofed
2913 Optional. ENUM. An indication of confidence in whether this
2914 System was the true target or attacking host. The permitted
2915 values for this attribute are shown below. The default value is
2916 "unknown".
2918 1. unknown. The accuracy of the category attribute value is
2919 unknown.
2921 2. yes. The category attribute value is likely incorrect. In
2922 the case of a source, the System is likely a decoy; with a
2923 target, the System was likely not the intended victim.
2925 3. no. The category attribute value is believed to be correct.
2927 virtual
2928 Optional. ENUM. Indicates whether this System is a virtual or
2929 physical device. The default value is "unknown".
2931 1. yes. The System is a virtual device.
2933 2. no. The System is a physical device.
2935 3. unknown. It is not known if the System is virtual.
2937 ownership
2938 Optional. ENUM. Describes the ownership of this System relative
2939 to the victim in the incident. These values are maintained in the
2940 "System-ownership" IANA registry per Section 10.2.
2942 1. organization. Corporate or enterprise-owned.
2944 2. personal. Personally-owned by an employee or affiliate of the
2945 corporation or enterprise.
2947 3. partner. Owned by a partner of the corporation or enterprise.
2949 4. customer. Owned by a customer of the corporation or
2950 enterprise.
2952 5. no-relationship. Owned by an entity that has no known
2953 relationship with the victim organization.
2955 6. unknown. Ownership is unknown.
2957 7. ext-value. A value used to indicate that this attribute is
2958 extended and the actual value is provided using the
2959 corresponding ext-* attribute. See Section 5.1.1.
2961 ext-ownership
2962 Optional. STRING. A means by which to extend the ownership
2963 attribute. See Section 5.1.1.
2965 restriction
2966 Optional. ENUM. See Section 3.3.1.
2968 ext-restriction
2969 Optional. STRING. A means by which to extend the restriction
2970 attribute. See Section 5.1.1.
2972 observable-id
2973 Optional. ID. See Section 3.3.2.
2975 3.18. Node Class
2977 The Node class identifies a system, asset, or network and its
2978 location.
2980 +---------------+
2981 | Node          |
2982 +---------------+
2983 |               |<>--{0..*}--[ DomainData ]
2984 |               |<>--{0..*}--[ Address ]
2985 |               |<>--{0..1}--[ PostalAddress ]
2986 |               |<>--{0..*}--[ Location ]
2987 |               |<>--{0..*}--[ Counter ]
2988 +---------------+
2990 Figure 34: The Node Class
2992 The aggregate classes of the Node class are:
2994 DomainData
2995 Zero or more. The domain (DNS) information associated with this
2996 Node. If an Address is not provided, at least one DomainData MUST
2997 be specified. See Section 3.19.
2999 Address
3000 Zero or more. The hardware, network, or application address of
3001 the Node. If a DomainData is not provided, at least one Address
3002 MUST be specified. See Section 3.18.1.
3004 PostalAddress
3005 Zero or one. POSTAL. The postal address of the node.
3007 Location
3008 Zero or more. ML_STRING. A free-form text description of the
3009 physical location of the Node. This description may provide a
3010 more detailed description of where in the PostalAddress this Node
3011 is found (e.g., room number, rack number, slot number in a
3012 chassis).
3014 Counter
3015 Zero or more. A counter with which to summarize properties of
3016 this host or network. See Section 3.18.3.
3018 The Node class has no attributes.
3020 3.18.1. Address Class
3022 The Address class represents a hardware (layer-2), network (layer-3),
3023 or application (layer-7) address.
3025 +-------------------------+
3026 | Address                 |
3027 +-------------------------+
3028 | STRING                  |
3029 |                         |
3030 | ENUM category           |
3031 | STRING ext-category     |
3032 | STRING vlan-name        |
3033 | INTEGER vlan-num        |
3034 | ID observable-id        |
3035 +-------------------------+
3037 Figure 35: The Address Class
3039 The content of the class is an address of type STRING whose semantics
3040 are determined by the category attribute.
3042 The attributes of the Address class are:
3044 category
3045 Required. ENUM. The type of address represented. The default
3046 value is "ipv6-addr". These values are maintained in the
3047 "Address-category" IANA registry per Section 10.2.
3049 1. asn. Autonomous System Number.
3051 2. atm. Asynchronous Transfer Mode (ATM) address.
3053 3. e-mail. Email address, per the EMAIL data type.
3055 4. ipv4-addr. IPv4 host address in dotted-decimal notation
3056 (a.b.c.d).
3058 5. ipv4-net. IPv4 network address in dotted-decimal notation,
3059 slash, significant bits (i.e., a.b.c.d/nn).
3061 6. ipv4-net-masked. A sanitized IPv4 address with significant
3062 bits per "ipv4-net" but with the character 'x' replacing any
3063 digit(s) in the address or prefix.
3065 7. ipv4-net-mask. IPv4 network address in dotted-decimal
3066 notation, slash, network mask in dotted-decimal notation
3067 (i.e., a.b.c.d/w.x.y.z).
3069 8. ipv6-addr. IPv6 host address per Section 4 of [RFC5952].
3071 9. ipv6-net. IPv6 network address, slash, prefix per
3072 Section 2.3 of [RFC4291].
3074 10. ipv6-net-masked. A sanitized IPv6 address and prefix per
3075 "ipv6-net" but with the character 'x' replacing any
3076 hexadecimal digit(s) in the address or digit(s) in the
3077 prefix.
3079 11. mac. Media Access Control (MAC) address (i.e.,
3080 aa:bb:cc:dd:ee:ff).
3082 12. site-uri. A URL or URI for a resource, per the URL data
3083 type.
3085 13. ext-value. A value used to indicate that this attribute is
3086 extended and the actual value is provided using the
3087 corresponding ext-* attribute. See Section 5.1.1.
3089 ext-category
3090 Optional. STRING. A means by which to extend the category
3091 attribute. See Section 5.1.1.
3093 vlan-name
3094 Optional. STRING. The name of the Virtual LAN to which the
3095 address belongs.
3097 vlan-num
3098 Optional. INTEGER. The number of the Virtual LAN to which the
3099 address belongs.
3101 observable-id
3102 Optional. ID. See Section 3.3.2.
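Because the meaning of the element content depends entirely on the category attribute, a consumer should check that the value is well-formed for the category it claims before using it in a block list or a lookup. The following is an added example, not part of the draft: a Python validator with one check per enumerated category, taking the default of "ipv6-addr" when the attribute is absent. The `atm` check and the EMAIL simplification are this example's own; the draft gives no syntax for those in this section.

```python
"""Added example (not part of the draft): check that the content of an
Address class is well-formed for its category attribute (Section 3.18.1)."""
import ipaddress
import re
from urllib.parse import urlparse

DEFAULT_CATEGORY = "ipv6-addr"              # default stated for the category attribute
_V4 = r"\d{1,3}(?:\.\d{1,3}){3}"            # a.b.c.d
_V4X = r"[0-9x]{1,3}(?:\.[0-9x]{1,3}){3}"   # a.b.c.d with 'x' replacing digits


def _accepts(ctor, value):
    """True if the ipaddress constructor accepts the value."""
    try:
        ctor(value)
        return True
    except ValueError:
        return False


def _ipv6_addr(v):
    """RFC 5952 Section 4 text form: lowercase, no leading zeros, longest
    zero run compressed. str() of IPv6Address emits exactly that form, so a
    conforming value must round-trip unchanged."""
    return _accepts(ipaddress.IPv6Address, v) and str(ipaddress.IPv6Address(v)) == v


def _ipv6_net(v):
    return (re.fullmatch(r"[0-9A-Fa-f:.]+/\d{1,3}", v) is not None
            and _accepts(lambda s: ipaddress.IPv6Network(s, strict=False), v))


# One check per enumerated category. 'atm' has no syntax in the draft and
# the EMAIL data type is simplified here to local@domain.
VALIDATORS = {
    "asn": lambda v: v.isdigit() and int(v) <= 0xFFFFFFFF,
    "atm": lambda v: bool(v),
    "e-mail": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+", v) is not None,
    "ipv4-addr": lambda v: _accepts(ipaddress.IPv4Address, v),
    "ipv4-net": lambda v: (re.fullmatch(_V4 + r"/\d{1,2}", v) is not None
                           and _accepts(lambda s: ipaddress.IPv4Network(s, strict=False), v)),
    "ipv4-net-masked": lambda v: re.fullmatch(_V4X + r"/[0-9x]{1,2}", v) is not None,
    "ipv4-net-mask": lambda v: (re.fullmatch(_V4 + "/" + _V4, v) is not None
                                and _accepts(lambda s: ipaddress.IPv4Network(s, strict=False), v)),
    "ipv6-addr": _ipv6_addr,
    "ipv6-net": _ipv6_net,
    # Sanitized prefix: every 'x' stands for a hex digit, so substituting
    # '0' must give a parseable prefix.
    "ipv6-net-masked": lambda v: (re.fullmatch(r"[0-9a-fx:]+/[0-9x]{1,3}", v) is not None
                                  and _ipv6_net(v.replace("x", "0"))),
    "mac": lambda v: re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", v) is not None,
    "site-uri": lambda v: bool(urlparse(v).scheme),
}


def validate_address(value, category=None, ext_category=None):
    """True if the content fits the (possibly defaulted) category. For
    'ext-value' the syntax lives in the extension, so only the presence of
    ext-category (Section 5.1.1) is checked."""
    cat = category or DEFAULT_CATEGORY
    if cat == "ext-value":
        return bool(ext_category)
    check = VALIDATORS.get(cat)
    return check is not None and bool(check(value.strip()))


def validate_address_element(elem):
    """Same check on a parsed Address element (any object exposing .text/.get)."""
    return validate_address(elem.text or "", elem.get("category"), elem.get("ext-category"))


if __name__ == "__main__":
    for cat, val in [("ipv4-addr", "192.0.2.1"), ("ipv6-addr", "2001:DB8::1"),
                     ("ipv4-net-masked", "192.0.2.x/24"), ("mac", "00:11:22:33:44:55")]:
        print("%-16s %-20s %s" % (cat, val, validate_address(val, cat)))
```

Note that "2001:DB8::1" is rejected for `ipv6-addr`: RFC 5952 requires lowercase hexadecimal, and an uncompressed form such as "2001:db8:0:0:0:0:0:1" is rejected for the same reason. The `ipv4-net` check also refuses a dotted-decimal mask, which belongs under `ipv4-net-mask`.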
3104 3.18.2. NodeRole Class
3106 The NodeRole class describes the function performed by or role of a
3107 particular system, asset or network.
3109 +-----------------------+
3110 | NodeRole              |
3111 +-----------------------+
3112 | ENUM category         |<>--{0..*}--[ Description ]
3113 | STRING ext-category   |
3114 +-----------------------+
3116 Figure 36: The NodeRole Class
3118 The aggregate class of the NodeRole class is:
3120 Description
3121 Zero or more. ML_STRING. A free-form text description of the
3122 role of the system.
3124 The attributes of the NodeRole class are:
3126 category
3127 Required. ENUM. Function or role of a node. These values are
3128 maintained in the "NodeRole-category" IANA registry per
3129 Section 10.2.
3131 1. client. Client computer.
3133 2. client-enterprise. Client computer on the enterprise
3134 network.
3136 3. client-partner. Client computer on network of a partner.
3138 4. client-remote. Client computer remotely connected to the
3139 enterprise network.
3141 5. client-kiosk. Client computer serving as a kiosk.
3143 6. client-mobile. Mobile device.
3145 7. server-internal. Server with internal services.
3147 8. server-public. Server with public services.
3149 9. www. WWW server.
3151 10. mail. Mail server.
3153 11. webmail. Web mail server.
3155 12. messaging. Messaging server (e.g., NNTP, IRC, IM).
3157 13. streaming. Streaming-media server.
3159 14. voice. Voice server (e.g., SIP, H.323).
3161 15. file. File server.
3163 16. ftp. FTP server.
3165 17. p2p. Peer-to-peer node.
3167 18. name. Name server (e.g., DNS, WINS).
3169 19. directory. Directory server (e.g., LDAP, finger, whois).
3171 20. credential. Credential server (e.g., domain controller,
3172 Kerberos).
3174 21. print. Print server.
3176 22. application. Application server.
3178 23. database. Database server.
3180 24. backup. Backup server.
3182 25. dhcp. DHCP server.
3184 26. assessment. Assessment server (e.g., vulnerability scanner,
3185 end-point assessment).
3187 27. source-control. Source code control server.
3189 28. config-management. Configuration management server.
3191 29. monitoring. Security monitoring server (e.g., IDS).
3193 30. infra. Infrastructure server (e.g., router, firewall, DHCP).
3195 31. infra-firewall. Firewall.
3197 32. infra-router. Router.
3199 33. infra-switch. Switch.
3201 34. camera. Camera and video system.
3203 35. proxy. Proxy server.
3205 36. remote-access. Remote access server.
3207 37. log. Log server (e.g., syslog).
3209 38. virtualization. Server running virtual machines.
3211 39. pos. Point-of-sale device.
3213 40. scada. Supervisory control and data acquisition (SCADA)
3214 system.
3216 41. scada-supervisory. Supervisory system for a SCADA.
3218 42. sinkhole. Traffic sinkhole destination.
3220 43. honeypot. Honeypot server.
3222 44. anonymization. Anonymization server (e.g., Tor node).
3224 45. c2-server. Malicious command and control server.
3226 46. malware-distribution. Server that distributes malware.
3228 47. drop-server. Server to which exfiltrated content is
3229 uploaded.
3231 48. hop-point. Intermediary server used to get to a victim.
3233 49. reflector. A system used in a reflector attack.
3235 50. phishing-site. Site hosting phishing content.
3237 51. spear-phishing-site. Site hosting spear-phishing content.
3239 52. recruiting-site. Site to recruit.
3241 53. fraudulent-site. Fraudulent site.
3243 54. ext-value. A value used to indicate that this attribute is
3244 extended and the actual value is provided using the
3245 corresponding ext-* attribute. See Section 5.1.1.
3247 ext-category
3248 Optional. STRING. A means by which to extend the category
3249 attribute. See Section 5.1.1.
3251 3.18.3. Counter Class
3253 The Counter class summarizes multiple occurrences of an event or
3254 conveys counts or rates of various features.
3256 The complete semantics of this class are context dependent based on
3257 the class in which it is aggregated.
3259 +---------------------+
3260 | Counter             |
3261 +---------------------+
3262 | REAL                |
3263 |                     |
3264 | ENUM type           |
3265 | STRING ext-type     |
3266 | ENUM unit           |
3267 | STRING ext-unit     |
3268 | STRING meaning      |
3269 | ENUM duration       |
3270 | STRING ext-duration |
3271 +---------------------+
3273 Figure 37: The Counter Class
3275 The content of the class is a value of type REAL whose meaning and
3276 units are determined by the type and duration attributes,
3277 respectively. If the duration attribute is present, the element
3278 content is a rate. Otherwise, it is a simple counter.
3280 The attributes of the Counter class are:
3282 type
3283 Required. ENUM. Specifies the type of counter specified in the
3284 element content. These values are maintained in the "Counter-
3285 type" IANA registry per Section 10.2.
3287 1. count. The Counter class value is a counter.
3289 2. peak. The Counter class value is a peak value.
3291 3. average. The Counter class value is an average.
3293 4. ext-value. A value used to indicate that this attribute is
3294 extended and the actual value is provided using the
3295 corresponding ext-* attribute. See Section 5.1.1.
3297 ext-type
3298 Optional. STRING. A means by which to extend the type attribute.
3299 See Section 5.1.1.
3301 unit
3302 Required. ENUM. Specifies the units of the element content.
3303 These values are maintained in the "Counter-unit" IANA registry
3304 per Section 10.2.
3306 1. byte. Bytes transferred.
3308 2. mbit. Megabits (Mbits) transferred.
3310 3. packet. Packets.
3312 4. flow. Network flow records.
3314 5. session. Sessions.
3316 6. alert. Notifications generated by another system (e.g., IDS
3317 or SIM).
3319 7. message. Messages (e.g., mail messages).
3321 8. event. Events.
3323 9. host. Hosts.
3325 10. site. Site.
3327 11. organization. Organizations.
3329 12. ext-value. A value used to indicate that this attribute is
3330 extended and the actual value is provided using the
3331 corresponding ext-* attribute. See Section 5.1.1.
3333 ext-unit
3334 Optional. STRING. A means by which to extend the unit attribute.
3335 See Section 5.1.1.
3337 meaning
3338 Optional. STRING. A free-form text description of the metric
3339 represented by the Counter.
3341 duration
3342 Optional. ENUM. If present, the Counter class represents a rate.
3343 This attribute specifies the unit of time over which the rate whose
3344 units are specified in the unit attribute is being conveyed. This
3345 attribute is the denominator of the rate (where the unit
3346 attribute specifies the numerator). The possible values of this
3347 attribute are defined in the duration attribute of Section 3.12.3.
3349 ext-duration
3350 Optional. STRING. A means by which to extend the duration
3351 attribute. See Section 5.1.1.
3353 3.19. DomainData Class
3355 The DomainData class describes a domain name and meta-data associated
3356 with this domain.
3358 +--------------------------+
3359 | DomainData               |
3360 +--------------------------+
3361 | ENUM system-status       |<>----------[ Name ]
3362 | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
3363 | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
3364 | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
3365 | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
3366 |                          |<>--{0..*}--[ Nameservers ]
3367 |                          |<>--{0..1}--[ DomainContacts ]
3368 +--------------------------+
3370 Figure 38: The DomainData Class
3372 The aggregate classes of the DomainData class are:
3374 Name
3375 One. STRING. The domain name of a system.
3377 DateDomainWasChecked
3378 Zero or one. DATETIME. A timestamp of when the domain listed in
3379 the Name class was resolved.
3381 RegistrationDate
3382 Zero or one. DATETIME. A timestamp of when the domain listed in the
3383 Name class was registered.
3385 ExpirationDate
3386 Zero or one. DATETIME. A timestamp of when the domain listed in the
3387 Name class is set to expire.
3389 RelatedDNS
3390 Zero or more. EXTENSION. Additional DNS records associated with
3391 this domain.
3393 Nameservers
3394 Zero or more. The name servers identified for the domain listed
3395 in the Name class. See Section 3.19.1.
3397 DomainContacts
3398 Zero or one. Contact information for the domain listed in the Name
3399 class, supplied by the registrar or through a whois query.
3401 The attributes of the DomainData class are:
3403 system-status
3404 Required. ENUM. Assesses the domain's involvement in the event.
3405 These values are maintained in the "DomainData-system-status" IANA
3406 registry per Section 10.2.
3408 1. spoofed. This domain was spoofed.
3410 2. fraudulent. This domain was operated with fraudulent
3411 intentions.
3413 3. innocent-hacked. This domain was compromised by a third
3414 party.
3416 4. innocent-hijacked. This domain was deliberately hijacked.
3418 5. unknown. No categorization for this domain known.
3420 6. ext-value. A value used to indicate that this attribute is
3421 extended and the actual value is provided using the
3422 corresponding ext-* attribute. See Section 5.1.1.
3424 ext-system-status
3425 Optional. STRING. A means by which to extend the system-status
3426 attribute. See Section 5.1.1.
3428 domain-status
3429 Required. ENUM. Categorizes the registry status of the domain at
3430 the time the document was generated. These values and their
3431 associated descriptions are derived from Section 3.2.2 of
3432 [RFC3982]. These values are maintained in the "DomainData-domain-
3433 status" IANA registry per Section 10.2.
3435 1. reservedDelegation. The domain is permanently inactive.
3437 2. assignedAndActive. The domain is in a normal state.
3439 3. assignedAndInactive. The domain has an assigned registration
3440 but the delegation is inactive.
3442 4. assignedAndOnHold. The domain is in dispute.
3444 5. revoked. The domain is in the process of being purged from
3445 the database.
3447 6. transferPending. The domain is pending a change in
3448 authority.
3450 7. registryLock. The domain is on hold by the registry.
3452 8. registrarLock. Same as "registryLock".
3454 9. other. The domain has a known status but it is not one of
3455 the predefined enumerated values.
3457 10. unknown. The domain has an unknown status.
3459 11. ext-value. A value used to indicate that this attribute is
3460 extended and the actual value is provided using the
3461 corresponding ext-* attribute. See Section 5.1.1.
3463 ext-domain-status
3464 Optional. STRING. A means by which to extend the domain-status
3465 attribute. See Section 5.1.1.
3467 observable-id
3468 Optional. ID. See Section 3.3.2.
3470 3.19.1. Nameservers Class
3472 The Nameservers class describes the name servers associated with a
3473 given domain.
3475 +--------------------+
3476 | Nameservers        |
3477 +--------------------+
3478 |                    |<>----------[ Server ]
3479 |                    |<>--{1..*}--[ Address ]
3480 +--------------------+
3482 Figure 39: The Nameservers Class
3484 The aggregate classes of the Nameservers class are:
3486 Server
3487 One. STRING. The domain name of the name server.
3489 Address
3490 One or more. The address of the name server. The value of the
3491 category attribute MUST be either "ipv4-addr" or "ipv6-addr". See
3492 Section 3.18.1.
3494 The Nameservers class has no attributes.
3496 3.19.2. DomainContacts Class
3498 The DomainContacts class describes the contact information for a
3499 given domain provided either by the registrar or through a whois
3500 query.
3502 This contact information can be explicitly described through a
3503 Contact class, or a reference can be provided to a domain with
3504 identical contact information. Either a single SameDomainContact
3505 or one or more Contact classes MUST be present.
3507 +--------------------+
3508 | DomainContacts     |
3509 +--------------------+
3510 |                    |<>--{0..1}--[ SameDomainContact ]
3511 |                    |<>--{1..*}--[ Contact ]
3512 +--------------------+
3514 Figure 40: The DomainContacts Class
3516 The aggregate classes of the DomainContacts class are:
3518 SameDomainContact
3519 Zero or one. STRING. A domain name already cited in this
3520 document or through a previous exchange that contains the identical
3521 contact information as the domain name in question. The domain
3522 contact information associated with this domain should be used
3523 instead of an explicit definition with the Contact class.
3525 Contact
3526 One or more. Contact information for the domain. See
3527 Section 3.9.
3529 The DomainContacts class has no attributes.
3531 3.20. Service Class
3533 The Service class describes a network service. The service is
3534 described by protocol, port, protocol header field, and the
3535 application providing or using the service.
3537 +-------------------------+
3538 | Service                 |
3539 +-------------------------+
3540 | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName ]
3541 | ID observable-id        |<>--{0..1}--[ Port ]
3542 |                         |<>--{0..1}--[ Portlist ]
3543 |                         |<>--{0..1}--[ ProtoCode ]
3544 |                         |<>--{0..1}--[ ProtoType ]
3545 |                         |<>--{0..1}--[ ProtoField ]
3546 |                         |<>--{0..1}--[ ApplicationHeader ]
3547 |                         |<>--{0..1}--[ EmailData ]
3548 |                         |<>--{0..1}--[ Application ]
3549 +-------------------------+
3551 Figure 41: The Service Class
3553 The aggregate classes of the Service class are:
3555 ServiceName
3556 Zero or one. A protocol name.
3558 Port
3559 Zero or one. INTEGER. A port number.
3561 Portlist
3562 Zero or one. PORTLIST. A list of port numbers.
3564 ProtoCode
3565 Zero or one. INTEGER. A transport layer (layer 4) protocol-
3566 specific code field (e.g., ICMP code field).
3568 ProtoType
3569 Zero or one. INTEGER. A transport layer (layer 4)
3570 protocol-specific type field (e.g., ICMP type field).
3572 ProtoField
3573 Zero or one. INTEGER. A transport layer (layer 4)
3574 protocol-specific flag field (e.g., TCP flag field).
3576 ApplicationHeader
3577 Zero or one. A protocol header. See Section 3.20.2.
3579 EmailData
3580 Zero or one. Headers associated with an email message. See
3581 Section 3.21.
3583 Application
3584 Zero or one. SOFTWARE. The application acting as either the
3585 client or server for the service.
3587 At least one of these classes MUST be present.
3589 When a System class with category="source" and another with
3590 category="target" are aggregated into a single Flow class, and each
3591 of these System classes has a Service and Portlist class, an implicit
3592 relationship between these Portlists exists. If N ports are listed
3593 for a System@category="source", and M ports are listed for
3594 System@category="target", the number of ports N must be equal to
3595 M. Likewise, the ports MUST be listed in an identical sequence such
3596 that the n-th port in the source corresponds to the n-th port of the
3597 target. If N is greater than 1, a given instance of a Flow class
3598 MUST only have a single instance of a System@category="source" and
3599 System@category="target".
3601 The attributes of the Service class are:
3603 ip-protocol
3604 Optional. INTEGER. The IANA-assigned IP protocol number per
3605 [IANA.Protocols]. This attribute MUST be set if a Port, Portlist,
3606 ProtoCode, ProtoType, or ProtoField class is present.
3608 observable-id
3609 Optional. ID. See Section 3.3.2.
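The implicit Portlist relationship and the ip-protocol requirement are easy to get wrong when generating documents and worth checking when consuming them, since a mismatched pairing would put the wrong ports into a block rule. The following is an added example, not part of the draft: a Python checker that applies the three constraints (equal N and M, single source and target when N is greater than 1, ip-protocol present whenever a port or protocol-field class is) and then derives the (source port, target port) pairs. The namespace URN is assumed from the IODEF v2 specification, the PORTLIST syntax (comma-separated ports and low-high ranges) is assumed from the PORTLIST data type definition, and the Flow instance is constructed sample data.

```python
"""Added example (not part of the draft): apply the Service MUSTs and the
implicit source/target Portlist pairing of Section 3.20 to a Flow, and
derive the (source port, target port) pairs a defender would act on."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed from the IODEF v2 specification
PROTO_DEPENDENT = ("Port", "Portlist", "ProtoCode", "ProtoType", "ProtoField")
SERVICE_CHILDREN = ("ServiceName",) + PROTO_DEPENDENT + ("ApplicationHeader", "EmailData", "Application")


def q(name):
    return "{%s}%s" % (NS, name)


def load_flow(xml_text):
    return ET.fromstring(xml_text)


def expand_portlist(text):
    """Expand a PORTLIST value into an ordered list of ports. The syntax
    (comma-separated ports and low-high ranges, e.g. '22,80,6667-6669') is
    assumed from the PORTLIST data type; order is kept because the n-th
    source port pairs with the n-th target port."""
    ports = []
    for item in text.split(","):
        lo, _, hi = item.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ports.extend(range(lo, hi + 1))
    return ports


def check_service(service):
    """Problems against the two MUSTs stated for the Service class."""
    problems = []
    present = [n for n in SERVICE_CHILDREN if service.find(q(n)) is not None]
    if not present:
        problems.append("Service has none of its aggregate classes")
    if any(n in PROTO_DEPENDENT for n in present) and service.get("ip-protocol") is None:
        problems.append("ip-protocol missing while %s present" % ", ".join(present))
    return problems


def _portlists(system):
    path = "./%s/%s" % (q("Service"), q("Portlist"))
    return [expand_portlist(pl.text) for pl in system.iterfind(path)]


def _by_category(flow, category):
    return [s for s in flow.findall(q("System")) if s.get("category") == category]


def check_flow(flow):
    """Problems against the implicit Portlist relationship within one Flow."""
    problems = []
    for service in flow.iterfind("./%s/%s" % (q("System"), q("Service"))):
        problems += check_service(service)
    sources, targets = _by_category(flow, "source"), _by_category(flow, "target")
    src = [pl for s in sources for pl in _portlists(s)]
    tgt = [pl for t in targets for pl in _portlists(t)]
    for a in src:
        for b in tgt:
            if len(a) != len(b):
                problems.append("source lists %d ports but target lists %d" % (len(a), len(b)))
    longest = max((len(pl) for pl in src + tgt), default=0)
    if longest > 1 and (len(sources) != 1 or len(targets) != 1):
        problems.append("N > 1 requires exactly one source and one target System")
    return problems


def port_pairs(flow):
    """(source port, target port) tuples implied by a single-source,
    single-target Flow; raises ValueError if check_flow found problems."""
    problems = check_flow(flow)
    sources, targets = _by_category(flow, "source"), _by_category(flow, "target")
    if len(sources) != 1 or len(targets) != 1:
        problems.append("pairing needs exactly one source and one target System")
    if problems:
        raise ValueError("; ".join(problems))
    src = [p for pl in _portlists(sources[0]) for p in pl]
    tgt = [p for pl in _portlists(targets[0]) for p in pl]
    return list(zip(src, tgt))


# Constructed sample: three source ports mapped one-to-one onto three
# target ports over TCP (ip-protocol 6); RFC 5737 addresses.
SAMPLE_FLOW = """<Flow xmlns="%s">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>40000-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.5</Address></Node>
    <Service ip-protocol="6"><Portlist>80,443,8080</Portlist></Service>
  </System>
</Flow>""" % NS

if __name__ == "__main__":
    flow = load_flow(SAMPLE_FLOW)
    print(check_flow(flow))
    print(port_pairs(flow))
```

`port_pairs` refuses to pair anything once `check_flow` has reported a problem; a consumer that silently zipped unequal lists would drop ports or misalign them.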
3611 3.20.1. ServiceName Class
3613 The ServiceName class identifies an application protocol. It can be
3614 described by referencing an IANA-registered protocol, a URL, or with
3615 free-form text.
3617 +--------------------+
3618 | ServiceName        |
3619 +--------------------+
3620 |                    |<>--{0..1}--[ IANAService ]
3621 |                    |<>--{0..*}--[ URL ]
3622 |                    |<>--{0..*}--[ Description ]
3623 +--------------------+
3625 Figure 42: The ServiceName Class
3627 The aggregate classes of the ServiceName class are:
3629 IANAService
3630 Zero or one. STRING. The name of the service per the "Service
3631 Name" field of the [IANA.Ports] registry.
3633 URL
3634 Zero or more. URL. A URL to a resource describing the service.
3636 Description
3637 Zero or more. ML_STRING. A free-form text description of the
3638 service.
3640 At least one of these classes MUST be present.
3642 The ServiceName class has no attributes.
3644 3.20.2. ApplicationHeader Class
3646 The ApplicationHeader class describes arbitrary fields from a
3647 protocol header and their corresponding values.
3649 +--------------------------+
3650 | ApplicationHeader        |
3651 +--------------------------+
3652 |                          |<>--{1..*}--[ ApplicationHeaderField ]
3653 +--------------------------+
3655 Figure 43: The ApplicationHeader Class
3657 The aggregate class of the ApplicationHeader class is:
3659 ApplicationHeaderField
3660 One or more. EXTENSION. A field name and value in a protocol
3661 header. The 'name' attribute MUST be set to the field name. The
3662 field value MUST be set in the element content.
3664 The ApplicationHeader class has no attributes.
3666 3.21. EmailData Class
3668 The EmailData class describes headers from an email message and
3669 the cryptographic hashes and signatures applied to it.
3671 +-------------------------+
3672 | EmailData               |
3673 +-------------------------+
3674 | ID observable-id        |<>--{0..*}--[ EmailTo ]
3675 |                         |<>--{0..1}--[ EmailFrom ]
3676 |                         |<>--{0..1}--[ EmailSubject ]
3677 |                         |<>--{0..1}--[ EmailX-Mailer ]
3678 |                         |<>--{0..*}--[ EmailHeaderField ]
3679 |                         |<>--{0..1}--[ EmailHeaders ]
3680 |                         |<>--{0..1}--[ EmailBody ]
3681 |                         |<>--{0..1}--[ EmailMessage ]
3682 |                         |<>--{0..*}--[ HashData ]
3683 |                         |<>--{0..*}--[ SignatureData ]
3684 +-------------------------+
3686 Figure 44: EmailData Class
3688 The aggregate classes of the EmailData class are:
3690 EmailTo
3691 Zero or more. EMAIL. The value of the "To:" header field
3692 (Section 3.6.3 of [RFC5322]) in an email.
3694 EmailFrom
3695 Zero or one. EMAIL. The value of the "From:" header field
3696 (Section 3.6.2 of [RFC5322]) in an email.
3698 EmailSubject
3699 Zero or one. STRING. The value of the "Subject:" header field in
3700 an email. See Section 3.6.4 of [RFC5322].
3702 EmailX-Mailer
3703 Zero or one. STRING. The value of the "X-Mailer:" header field
3704 in an email.
3706 EmailHeaderField
3707 Zero or more. EXTENSION. The header name and value of an
3708 arbitrary header field of the email message. The 'name' attribute
3709 MUST be set to the header name. The header value MUST be set in the
3710 element body. The dtype attribute MUST be set to "string".
3712 EmailHeaders
3713 Zero or one. STRING. The headers of an email message.
3715 EmailBody
3716 Zero or one. STRING. The body of an email message.
3718 EmailMessage
3719 Zero or one. STRING. The headers and body of an email message.
3721 HashData
3722 Zero or more. Hash(es) associated with this email message. See
3723 Section 3.26.
3725 SignatureData
3726 Zero or more. Signature(s) associated with this email message.
3727 See Section 3.27.
3729 The attribute of the EmailData class is:
3731 observable-id
3732 Optional. ID. See Section 3.3.2.
3734 3.22. Record Class
3736 The Record class is a container class for log and audit data that
3737 provides supportive information about the events in an incident. The
3738 source of this data will often be the output of monitoring tools.
3739 These logs substantiate the activity described in the document.
3741 +------------------------+
3742 | Record |
3743 +------------------------+
3744 | ENUM restriction |<>--{1..*}--[ RecordData ]
3745 | STRING ext-restriction |
3746 +------------------------+
3748 Figure 45: Record Class
3750 The aggregate classes of the Record class are:
3752 RecordData
3753 One or more. Log or audit data generated by a particular tool.
3754 Separate instances of the RecordData class SHOULD be used for each
3755 type of log. See Section 3.22.1.
3757 The attributes of the Record class are:
3759 restriction
3760 Optional. ENUM. See Section 3.3.1.
3762 ext-restriction
3763 Optional. STRING. A means by which to extend the restriction
3764 attribute. See Section 5.1.1.
3766 3.22.1. RecordData Class
3768 The RecordData class describes or references log or audit data from a
3769 given type of tool and provides a means to annotate the output.
3771 +------------------------+
3772 | RecordData |
3773 +------------------------+
3774 | ENUM restriction |<>--{0..1}--[ DateTime ]
3775 | STRING ext-restriction |<>--{0..*}--[ Description ]
3776 | ID observable-id |<>--{0..1}--[ Application ]
3777 | |<>--{0..*}--[ RecordPattern ]
3778 | |<>--{0..*}--[ RecordItem ]
3779 | |<>--{0..*}--[ URL ]
3780 | |<>--{0..*}--[ FileData ]
3781 | |<>--{0..*}--
3782 | | [ WindowsRegistryKeysModified ]
3783 | |<>--{0..*}--[ CertificateData ]
3784 | |<>--{0..*}--[ AdditionalData ]
3785 +------------------------+
3787 Figure 46: The RecordData Class
3789 The aggregate classes of the RecordData class are:
3791 DateTime
3792 Zero or one. DATETIME. A timestamp of the data found in the
3793 RecordItem or URL classes.
3795 Description
3796 Zero or more. ML_STRING. A free-form text description of the
3797 data provided in the RecordItem or URL classes.
3799 Application
3800 Zero or one. SOFTWARE. Identifies the tool used to generate the
3801 data in the RecordItem or URL classes.
3803 RecordPattern
3804 Zero or more. A search string to precisely find the relevant data
3805 in the RecordItem or URL classes. See Section 3.22.2.
3807 RecordItem
3808 Zero or more. EXTENSION. Log, audit, or forensic data to support
3809 the conclusions made during the course of analyzing the incident.
3811 URL
3812 Zero or more. URL. A URL reference to a log or audit data.
3814 FileData
3815 Zero or one. The files involved in the incident. See
3816 Section 3.25.
3818 WindowsRegistryKeysModified
3819 Zero or more. The registry keys that were involved in the
3820 incident. See Section 3.23.
3822 CertificateData
3823 Zero or more. The certificates that were involved in the
3824 incident. See Section 3.24.
3826 AdditionalData
3827 Zero or more. EXTENSION. An extension mechanism for data not
3828 explicitly represented in the data model.
3830 At least one of the following classes MUST be present: RecordItem,
3831 URL, FileData, WindowsRegistryKeysModified, CertificateData or
3832 AdditionalData.
3834 The attributes of the RecordData class are:
3836 restriction
3837 Optional. ENUM. See Section 3.3.1.
3839 ext-restriction
3840 Optional. STRING. A means by which to extend the restriction
3841 attribute. See Section 5.1.1.
3843 observable-id
3844 Optional. ID. See Section 3.3.2.
3846 3.22.2. RecordPattern Class
3848 The RecordPattern class describes where in the log data provided or
3849 referenced in the RecordData class relevant information can be found. It
3850 provides a way to reference subsets of information, identified by a
3851 pattern, in a large log file, audit trail, or forensic data.
3853 +-----------------------+
3854 | RecordPattern |
3855 +-----------------------+
3856 | STRING |
3857 | |
3858 | ENUM type |
3859 | STRING ext-type |
3860 | INTEGER offset |
3861 | ENUM offsetunit |
3862 | STRING ext-offsetunit |
3863 | INTEGER instance |
3864 +-----------------------+
3866 Figure 47: The RecordPattern Class
3868 The content of the class is of type STRING and specifies a search
3869 pattern.
3871 The attributes of the RecordPattern class are:
3873 type
3874 Required. ENUM. Describes the type of pattern being specified in
3875 the element content. The default is "regex". These values are
3876 maintained in the "RecordPattern-type" IANA registry per
3877 Section 10.2.
3879 1. regex. Regular expression as defined by POSIX Extended
3880 Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
3882 2. binary. Binhex encoded binary pattern, per the HEXBIN data
3883 type.
3885 3. xpath. XML Path (XPath) [W3C.XPATH].
3887 4. ext-value. A value used to indicate that this attribute is
3888 extended and the actual value is provided using the
3889 corresponding ext-* attribute. See Section 5.1.1.
3891 ext-type
3892 Optional. STRING. A means by which to extend the type attribute.
3893 See Section 5.1.1.
3895 offset
3896 Optional. INTEGER. Amount of units (determined by the offsetunit
3897 attribute) to seek into the RecordItem data before matching the
3898 pattern.
3900 offsetunit
3901 Optional. ENUM. Describes the units of the offset attribute.
3902 The default is "line". These values are maintained in the
3903 "RecordPattern-offsetunit" IANA registry per Section 10.2.
3905 1. line. Offset is a count of lines.
3907 2. byte. Offset is a count of bytes.
3909 3. ext-value. A value used to indicate that this attribute is
3910 extended and the actual value is provided using the
3911 corresponding ext-* attribute. See Section 5.1.1.
3913 ext-offsetunit
3914 Optional. STRING. A means by which to extend the offsetunit
3915 attribute. See Section 5.1.1.
3917 instance
3918 Optional. INTEGER. Number of times to apply the specified
3919 pattern.
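An added example (not from the draft) of evaluating a RecordPattern against RecordItem data: the offset and offsetunit attributes seek into the data, the element content is applied as a regex or HEXBIN binary pattern, and instance caps the number of hits. The log lines are constructed; Python's re module is assumed to stand in for POSIX ERE for the simple patterns used.

```python
import re
from binascii import unhexlify
from typing import Optional

# Constructed RecordItem content (not from the draft): a few SSH auth-log lines.
SAMPLE_LOG = (
    b"Jun 11 00:38:01 host sshd[101]: Accepted publickey for alice from 192.0.2.10\n"
    b"Jun 11 00:38:05 host sshd[102]: Failed password for invalid user admin from 192.0.2.55\n"
    b"Jun 11 00:38:07 host sshd[103]: Failed password for root from 192.0.2.55\n"
    b"Jun 11 00:38:31 host sshd[104]: Accepted password for bob from 192.0.2.20\n"
    b"Jun 11 00:39:02 host sshd[105]: Failed password for root from 198.51.100.7\n"
)


def seek_offset(data: bytes, offset: int = 0, offsetunit: str = "line") -> bytes:
    """Apply the offset/offsetunit attributes: skip that many lines or bytes."""
    if offset < 0:
        raise ValueError("offset must be a non-negative INTEGER")
    if offsetunit == "byte":
        return data[offset:]
    if offsetunit == "line":
        # Lines end in LF; a preceding CR stays with its line.
        return b"".join(data.splitlines(keepends=True)[offset:])
    # "ext-value" would need the ext-offsetunit attribute; not handled here.
    raise ValueError(f"unsupported offsetunit {offsetunit!r}")


def apply_record_pattern(data: bytes, pattern: str, ptype: str = "regex",
                         offset: int = 0, offsetunit: str = "line",
                         instance: Optional[int] = None) -> list:
    """Evaluate one RecordPattern (element content plus attributes) over RecordItem data.

    regex  -> list of matching lines (bytes)
    binary -> list of absolute byte offsets where the HEXBIN pattern occurs
    xpath  -> not handled in this example
    """
    region = seek_offset(data, offset, offsetunit)
    skipped = len(data) - len(region)          # bytes removed by the seek
    if ptype == "regex":
        # Assumption: Python's re module stands in for POSIX ERE; the patterns
        # used here lie in the common subset. Matching is done per line so
        # every hit maps back to exactly one log record.
        rx = re.compile(pattern.encode())
        hits = [ln for ln in region.splitlines() if rx.search(ln)]
    elif ptype == "binary":
        needle = unhexlify(pattern)             # HEXBIN: hex-encoded bytes
        hits, pos = [], region.find(needle)
        while pos != -1:
            hits.append(skipped + pos)          # report offsets relative to the full data
            pos = region.find(needle, pos + 1)
    else:
        raise ValueError(f"pattern type {ptype!r} not handled here")
    # instance: number of times to apply the pattern, i.e. keep only the first N hits.
    return hits if instance is None else hits[:instance]


if __name__ == "__main__":
    # Skip two lines, then match failed logins and report only the first hit.
    print(apply_record_pattern(SAMPLE_LOG, "Failed password", offset=2, instance=1))
```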
3921 3.23. WindowsRegistryKeysModified Class
3923 The WindowsRegistryKeysModified class describes Windows operating
3924 system registry keys and the operations that were performed on them.
3925 This class was derived from [RFC5901].
3927 +-----------------------------+
3928 | WindowsRegistryKeysModified |
3929 +-----------------------------+
3930 | ID observable-id |<>--{1..*}--[ Key ]
3931 +-----------------------------+
3933 Figure 48: The WindowsRegistryKeysModified Class
3935 The aggregate classes of the WindowsRegistryKeysModified class are:
3937 Key
3938 One or more. The Windows registry key. See Section 3.23.1.
3940 The attribute of the WindowsRegistryKeysModified class is:
3942 observable-id
3943 Optional. ID. See Section 3.3.2.
3945 3.23.1. Key Class
3947 The Key class describes a Windows operating system registry key name
3948 and value pair, and the operation performed on it.
3950 +---------------------------+
3951 | Key |
3952 +---------------------------+
3953 | ENUM registryaction |<>----------[ KeyName ]
3954 | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
3955 | ID observable-id |
3956 +---------------------------+
3958 Figure 49: The Key Class
3960 The aggregate classes of the Key class are:
3962 KeyName
3963 One. STRING. The name of a Windows operating system registry key
3964 (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
3966 KeyValue
3967 Zero or one. STRING. The value of the registry key identified in
3968 the KeyName class encoded per the .reg file format [KB310516].
3970 The attributes of the Key class are:
3972 registryaction
3973 Optional. ENUM. The type of action taken on the registry key.
3974 These values are maintained in the "Key-registryaction" IANA
3975 registry per Section 10.2.
3977 1. add-key. Registry key added.
3979 2. add-value. Value added to a registry key.
3981 3. delete-key. Registry key deleted.
3983 4. delete-value. Value deleted from a registry key.
3985 5. modify-key. Registry key modified.
3987 6. modify-value. Value modified in a registry key.
3989 7. ext-value. A value used to indicate that this attribute is
3990 extended and the actual value is provided using the
3991 corresponding ext-* attribute. See Section 5.1.1.
3993 ext-registryaction
3994 Optional. STRING. A means by which to extend the registryaction
3995 attribute. See Section 5.1.1.
3997 observable-id
3998 Optional. ID. See Section 3.3.2.
4000 3.24. CertificateData Class
4002 The CertificateData class describes X.509 certificates.
4004 +------------------------+
4005 | CertificateData |
4006 +------------------------+
4007 | ENUM restriction |<>--{1..*}--[ Certificate ]
4008 | STRING ext-restriction |
4009 | ID observable-id |
4010 +------------------------+
4012 Figure 50: The CertificateData Class
4014 The aggregate classes of the CertificateData class are:
4016 Certificate
4017 One or more. A description of an X.509 certificate or certificate
4018 chain. See Section 3.24.1.
4020 The attributes of the CertificateData class are:
4022 restriction
4023 Optional. ENUM. See Section 3.3.1.
4025 ext-restriction
4026 Optional. STRING. A means by which to extend the restriction
4027 attribute. See Section 5.1.1.
4029 observable-id
4030 Optional. ID. See Section 3.3.2.
4032 3.24.1. Certificate Class
4034 The Certificate class describes a given X.509 certificate or
4035 certificate chain.
4037 +--------------------------+
4038 | Certificate |
4039 +--------------------------+
4040 | ID observable-id |<>----------[ ds:X509Data ]
4041 | |<>--{0..*}--[ Description ]
4042 +--------------------------+
4044 Figure 51: The Certificate Class
4046 The aggregate classes of the Certificate class are:
4048 ds:X509Data
4049 One. A given X.509 certificate or chain. See Section 4.4.4 of
4050 [W3C.XMLSIG].
4052 Description
4053 Zero or more. ML_STRING. A free-form text description explaining
4054 the context of this certificate.
4056 The attributes of the Certificate class are:
4058 observable-id
4059 Optional. ID. See Section 3.3.2.
4061 3.25. FileData Class
4063 The FileData class describes a file or set of files.
4065 +------------------------+
4066 | FileData |
4067 +------------------------+
4068 | ENUM restriction |<>--{1..*}--[ File ]
4069 | STRING ext-restriction |
4070 | ID observable-id |
4071 +------------------------+
4073 Figure 52: The FileData Class
4075 The aggregate classes of the FileData class are:
4077 File
4078 One or more. A description of a file. See Section 3.25.1.
4080 The attributes of the FileData class are:
4082 restriction
4083 Optional. ENUM. See Section 3.3.1.
4085 ext-restriction
4086 Optional. STRING. A means by which to extend the restriction
4087 attribute. See Section 5.1.1.
4089 observable-id
4090 Optional. ID. See Section 3.3.2.
4092 3.25.1. File Class
4094 The File class describes a file; its associated meta data; and
4095 cryptographic hashes and signatures applied to it.
4097 +-----------------------+
4098 | File |
4099 +-----------------------+
4100 | ID observable-id |<>--{0..1}--[ FileName ]
4101 | |<>--{0..1}--[ FileSize ]
4102 | |<>--{0..1}--[ FileType ]
4103 | |<>--{0..*}--[ URL ]
4104 | |<>--{0..1}--[ HashData ]
4105 | |<>--{0..1}--[ SignatureData ]
4106 | |<>--{0..1}--[ AssociatedSoftware ]
4107 | |<>--{0..*}--[ FileProperties ]
4108 +-----------------------+
4110 Figure 53: The File Class
4112 The aggregate classes of the File class are:
4114 FileName
4115 Zero or One. STRING. The name of the file.
4117 FileSize
4118 Zero or One. INTEGER. The size of the file in bytes.
4120 FileType
4121 Zero or One. STRING. The type of file per the IANA Media Types
4122 Registry [IANA.Media]. Valid values correspond to the text in the
4123 "Template" column (e.g., "application/pdf").
4125 URL
4126 Zero or more. URL. A URL reference to the file.
4128 HashData
4129 Zero or One. Hash(es) associated with this file. See
4130 Section 3.26.
4132 SignatureData
4133 Zero or One. Signature(s) associated with this file. See
4134 Section 3.27.
4136 AssociatedSoftware
4137 Zero or One. SOFTWARE. The software application or operating
4138 system to which this file belongs or by which it can be processed.
4140 FileProperties
4141 Zero or more. EXTENSION. Mechanism by which to extend the data
4142 model to describe properties of the file.
4144 The attributes of the File class are:
4146 observable-id
4147 Optional. ID. See Section 3.3.2.
4149 3.26. HashData Class
4151 The HashData class describes different types of hashes on a given
4152 object (e.g., file, part of a file, email).
4154 +--------------------------+
4155 | HashData |
4156 +--------------------------+
4157 | ENUM scope |<>--{0..1}--[ HashTargetID ]
4158 | |<>--{0..*}--[ Hash ]
4159 | |<>--{0..*}--[ FuzzyHash ]
4160 +--------------------------+
4162 Figure 54: The HashData Class
4164 The aggregate classes of the HashData class are:
4166 HashTargetID
4167 Zero or One. STRING. An identifier that references a subset of
4168 the object being hashed. The semantics of this identifier are
4169 specified by the scope attribute.
4171 Hash
4172 Zero or more. The hash of an object. See Section 3.26.1.
4174 FuzzyHash
4175 Zero or more. The fuzzy hash of an object. See Section 3.26.2.
4177 At least one instance of either Hash or FuzzyHash MUST be present.
4179 The attribute of the HashData class is:
4181 scope
4182 Required. ENUM. Describes on which part of the object the hash
4183 should be applied. These values are maintained in the "HashData-
4184 scope" IANA registry per Section 10.2.
4186 1. file-contents. A hash computed over the entire contents of a
4187 file.
4189 2. file-pe-section. A hash computed on a given section of a
4190 Windows Portable Executable (PE) file. If set to this value,
4191 the HashTargetID class MUST identify the section being hashed.
4192 A section is identified by an ordinal number (starting at 1)
4193 corresponding to the order in which the given section
4194 header was defined in the Section Table of the PE file header.
4196 3. file-pe-iat. A hash computed on the Import Address
4197 Table (IAT) of a PE file. As IAT hashes are often tool
4198 dependent, if this value is set, the Application class of
4199 either the Hash or FuzzyHash classes MUST specify the tool
4200 used to generate the hash.
4202 4. file-pe-resource. A hash computed on a given resource in a PE
4203 file. If set to this value, the HashTargetID class MUST
4204 identify the resource being hashed. A resource is identified
4205 by an ordinal number (starting at 1) corresponding to the
4206 order in which the given resource is declared in the Resource
4207 Directory of the Data Dictionary in the PE file header.
4209 5. file-pdf-object. A hash computed on a given object in a
4210 Portable Document Format (PDF) file. If set to this value,
4211 the HashTargetID class MUST identify the object being hashed.
4212 This object is identified by its offset in the PDF file.
4214 6. email-hash. A hash computed over the headers and body of an
4215 email message.
4217 7. email-headers-hash. A hash computed over all of the headers
4218 of an email message.
4220 8. email-body-hash. A hash computed over the body of an email
4221 message.
4223 9. ext-value. A value used to indicate that this attribute is
4224 extended and the actual value is provided using the
4225 corresponding ext-* attribute. See Section 5.1.1.
4227 ext-scope
4228 Optional. STRING. A means by which to extend the scope
4229 attribute. See Section 5.1.1.
4231 3.26.1. Hash Class
4233 The Hash class describes a cryptographic hash value; the algorithm
4234 and application used to generate it; and the canonicalization method
4235 applied to the object being hashed.
4237 +----------------+
4238 | Hash |
4239 +----------------+
4240 | |<>----------[ ds:DigestMethod ]
4241 | |<>----------[ ds:DigestValue ]
4242 | |<>--{0..1}--[ ds:CanonicalizationMethod ]
4243 | |<>--{0..1}--[ Application ]
4244 +----------------+
4246 Figure 55: The Hash Class
4248 The aggregate classes of the Hash class are:
4250 ds:DigestMethod
4251 One. The hash algorithm used to generate the hash. See
4252 Section 4.3.3.5 of [W3C.XMLSIG].
4254 ds:DigestValue
4255 One. The computed hash value. See Section 4.3.3.6 of
4256 [W3C.XMLSIG].
4258 ds:CanonicalizationMethod
4259 Zero or one. The canonicalization method used on the object being
4260 hashed. See Section 4.3.1 of [W3C.XMLSIG].
4262 Application
4263 Zero or One. SOFTWARE. The application used to calculate the
4264 hash.
4266 The Hash class has no attributes.
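An added example (not from the draft) tying the EmailData class (Section 3.21) to the email-* HashData scopes and the Hash class: it splits a constructed RFC 5322 message into headers and body, computes the SHA-256 digest for each scope, emits the HashData/Hash/ds:DigestMethod/ds:DigestValue structure, and verifies a received HashData against the message. The IODEF namespace URI is assumed from the published IODEF v2 schema; the digest algorithm URI is the standard XML Signature identifier for SHA-256.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"          # assumption: IODEF v2 namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"           # XML Signature namespace
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # ds:DigestMethod Algorithm for SHA-256
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample message (not from the draft). RFC 5322 ends the header
# section with an empty line; lines end in CRLF on the wire.
SAMPLE_MESSAGE = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: Quarterly report\r\n"
    b"X-Mailer: ConstructedMailer/1.0\r\n"
    b"\r\n"
    b"Please see the attached file.\r\n"
)


def split_message(msg: bytes):
    """Return (headers, body): the first empty line ends the header section."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = msg.find(sep)
        if idx != -1:
            # Keep the line terminator of the last header line with the headers.
            return msg[: idx + len(sep) // 2], msg[idx + len(sep):]
    return msg, b""   # headers only, no body


# Which part of the message each email-* scope value covers (Section 3.26).
SCOPE_SELECTORS = {
    "email-hash": lambda m: m,
    "email-headers-hash": lambda m: split_message(m)[0],
    "email-body-hash": lambda m: split_message(m)[1],
}


def email_digests(msg: bytes) -> dict:
    """Hex SHA-256 digest of the message for every email-* scope."""
    return {scope: hashlib.sha256(sel(msg)).hexdigest()
            for scope, sel in SCOPE_SELECTORS.items()}


def build_hashdata(msg: bytes, scope: str) -> ET.Element:
    """Build <HashData scope="..."> holding one <Hash> per Section 3.26.1."""
    if scope not in SCOPE_SELECTORS:
        raise ValueError(f"scope {scope!r} is not an email scope")
    digest = hashlib.sha256(SCOPE_SELECTORS[scope](msg)).digest()
    hd = ET.Element(f"{{{IODEF_NS}}}HashData", {"scope": scope})
    h = ET.SubElement(hd, f"{{{IODEF_NS}}}Hash")
    ET.SubElement(h, f"{{{DS_NS}}}DigestMethod", {"Algorithm": SHA256_URI})
    # ds:DigestValue is base64 per XML Signature.
    ET.SubElement(h, f"{{{DS_NS}}}DigestValue").text = base64.b64encode(digest).decode()
    return hd


def verify_hashdata(msg: bytes, hd: ET.Element) -> bool:
    """Recompute the digest for the HashData's scope and compare it with ds:DigestValue."""
    scope = hd.get("scope")
    method = hd.find(f".//{{{DS_NS}}}DigestMethod")
    value = hd.find(f".//{{{DS_NS}}}DigestValue")
    if method is None or value is None or scope not in SCOPE_SELECTORS:
        return False
    if method.get("Algorithm") != SHA256_URI:
        return False                      # only SHA-256 is handled in this example
    expected = base64.b64encode(hashlib.sha256(SCOPE_SELECTORS[scope](msg)).digest()).decode()
    return value.text == expected


if __name__ == "__main__":
    for scope in SCOPE_SELECTORS:
        print(ET.tostring(build_hashdata(SAMPLE_MESSAGE, scope)).decode())
```

A body-only modification leaves the email-headers-hash valid but invalidates email-hash and email-body-hash, which is exactly the distinction the scope attribute exists to express.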
4268 3.26.2. FuzzyHash Class
4270 The FuzzyHash class describes a fuzzy hash and the application used
4271 to generate it.
4273 +--------------------------+
4274 | FuzzyHash |
4275 +--------------------------+
4276 | |<>--{1..*}--[ FuzzyHashValue ]
4277 | |<>--{0..1}--[ Application ]
4278 | |<>--{0..*}--[ AdditionalData ]
4279 +--------------------------+
4281 Figure 56: The FuzzyHash Class
4283 The aggregate classes of the FuzzyHash class are:
4285 FuzzyHashValue
4286 One or more. EXTENSION. The computed fuzzy hash value.
4288 Application
4289 Zero or one. SOFTWARE. The application used to calculate the
4290 hash.
4292 AdditionalData
4293 Zero or more. EXTENSION. Mechanism by which to extend the data
4294 model.
4296 The FuzzyHash class has no attributes.
4298 3.27. SignatureData Class
4300 The SignatureData class describes different types of digital
4301 signatures on an object.
4303 +--------------------------+
4304 | SignatureData |
4305 +--------------------------+
4306 | |<>--{1..*}--[ ds:Signature ]
4307 +--------------------------+
4309 Figure 57: The SignatureData Class
4311 The aggregate class of the SignatureData class is:
4313 ds:Signature
4314 One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
4316 The SignatureData class has no attributes.
4318 3.28. IndicatorData Class
4320 The IndicatorData class describes indicators and meta-data associated
4321 with them.
4323 +--------------------------+
4324 | IndicatorData |
4325 +--------------------------+
4326 | |<>--{1..*}--[ Indicator ]
4327 +--------------------------+
4329 Figure 58: The IndicatorData Class
4331 The aggregate class of the IndicatorData class is:
4333 Indicator
4334 One or more. A description of an indicator. See Section 3.29.
4336 The IndicatorData class has no attributes.
4338 3.29. Indicator Class
4340 The Indicator class describes an indicator. An indicator consists of
4341 observable features and phenomena that aid in the forensic or
4342 proactive detection of malicious activity, and associated meta-data.
4343 An indicator can be described outright; by referencing or composing
4344 previously defined indicators; or by referencing observables
4345 described in the incident report found in this document.
4347 +------------------------+
4348 | Indicator |
4349 +------------------------+
4350 | ENUM restriction |<>----------[ IndicatorID ]
4351 | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
4352 | |<>--{0..*}--[ Description ]
4353 | |<>--{0..1}--[ StartTime ]
4354 | |<>--{0..1}--[ EndTime ]
4355 | |<>--{0..1}--[ Confidence ]
4356 | |<>--{0..*}--[ Contact ]
4357 | |<>--{0..1}--[ Observable ]
4358 | |<>--{0..1}--[ ObservableReference ]
4359 | |<>--{0..1}--[ IndicatorExpression ]
4360 | |<>--{0..1}--[ IndicatorReference ]
4361 | |<>--{0..*}--[ NodeRole ]
4362 | |<>--{0..*}--[ AttackPhase ]
4363 | |<>--{0..*}--[ Reference ]
4364 | |<>--{0..*}--[ AdditionalData ]
4365 +------------------------+
4367 Figure 59: The Indicator Class
4369 The aggregate classes of the Indicator class are:
4371 IndicatorID
4372 One. An identifier for this indicator. See Section 3.29.1.
4374 AlternativeIndicatorID
4375 Zero or more. An alternative identifier for this indicator. See
4376 Section 3.29.2.
4378 Description
4379 Zero or more. ML_STRING. A free-form text description of the
4380 indicator.
4382 StartTime
4383 Zero or one. DATETIME. A timestamp of the start of the time
4384 period during which this indicator is valid.
4386 EndTime
4387 Zero or one. DATETIME. A timestamp of the end of the time period
4388 during which this indicator is valid.
4390 Confidence
4391 Zero or one. An estimate of the confidence in the quality of the
4392 indicator. See Section 3.12.5.
4394 Contact
4395 Zero or more. Contact information for this indicator. See
4396 Section 3.9.
4398 Observable
4399 Zero or one. An observable feature or phenomenon of this
4400 indicator. See Section 3.29.3.
4402 ObservableReference
4403 Zero or one. A reference to an observable feature or phenomenon
4404 defined elsewhere in the document. See Section 3.29.6.
4406 IndicatorExpression
4407 Zero or one. A composition of observables. See Section 3.29.4.
4409 IndicatorReference
4410 Zero or one. A reference to an indicator. See Section 3.29.7.
4412 NodeRole
4413 Zero or more. The role of the system in the attack should this
4414 indicator be matched to it. See Section 3.18.2.
4416 AttackPhase
4417 Zero or more. The phase in an attack lifecycle during which this
4418 indicator might be seen. See Section 3.29.8.
4420 Reference
4421 Zero or more. A reference to additional information relevant to
4422 this indicator. See Section 3.11.1.
4424 AdditionalData
4425 Zero or more. EXTENSION. Mechanism by which to extend the data
4426 model.
4428 The Indicator class MUST have exactly one instance of an Observable,
4429 IndicatorExpression, ObservableReference, or IndicatorReference
4430 class.
4432 The StartTime and EndTime classes can be used to define an interval
4433 during which the indicator is valid. If both classes are present,
4434 the indicator is considered valid only during the described interval.
4435 If neither class is provided, the indicator is considered valid
4436 during any time interval. If only a StartTime is provided, the
4437 indicator is valid anytime after this timestamp. If only an EndTime
4438 is provided, the indicator is valid anytime prior to this timestamp.
4440 The attributes of the Indicator class are:
4442 restriction
4443 Optional. ENUM. See Section 3.3.1.
4445 ext-restriction
4446 Optional. STRING. A means by which to extend the restriction
4447 attribute. See Section 5.1.1.
4449 3.29.1. IndicatorID Class
4451 The IndicatorID class identifies an indicator with a globally unique
4452 identifier. The combination of the name and version attributes, and
4453 the element content form this identifier. Indicators generated by
4454 a given CSIRT MUST NOT reuse the same value unless they are referencing
4455 the same indicator.
4457 +------------------+
4458 | IndicatorID |
4459 +------------------+
4460 | ID |
4461 | |
4462 | STRING name |
4463 | STRING version |
4464 +------------------+
4466 Figure 60: The IndicatorID Class
4468 The content of the class is of type ID and specifies an identifier
4469 for an indicator.
4471 The attributes of the IndicatorID class are:
4473 name
4474 Required. STRING. An identifier describing the CSIRT that
4475 created the indicator. In order to have a globally unique CSIRT
4476 name, the fully qualified domain name associated with the CSIRT
4477 MUST be used. This format is identical to the IncidentID@name
4478 attribute in Section 3.4.
4480 version
4481 Required. STRING. A version number of an indicator.
4483 3.29.2. AlternativeIndicatorID Class
4485 The AlternativeIndicatorID class lists alternative identifiers for an
4486 indicator.
4488 +-------------------------+
4489 | AlternativeIndicatorID |
4490 +-------------------------+
4491 | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
4492 | STRING ext-restriction |
4493 +-------------------------+
4495 Figure 61: The AlternativeIndicatorID Class
4497 The aggregate class of the AlternativeIndicatorID class is:
4499 IndicatorReference
4500 One or more. A reference to an indicator. See Section 3.29.7.
4502 The attributes of the AlternativeIndicatorID class are:
4504 restriction
4505 Optional. ENUM. See Section 3.3.1.
4507 ext-restriction
4508 Optional. STRING. A means by which to extend the restriction
4509 attribute. See Section 5.1.1.
4511 3.29.3. Observable Class
4513 The Observable class describes a feature and phenomenon that can be
4514 observed or measured for the purposes of detecting malicious
4515 behavior.
4517 +------------------------+
4518 | Observable |
4519 +------------------------+
4520 | ENUM restriction |<>--{0..1}--[ System ]
4521 | STRING ext-restriction |<>--{0..1}--[ Address ]
4522 | |<>--{0..1}--[ DomainData ]
4523 | |<>--{0..1}--[ Service ]
4524 | |<>--{0..1}--[ EmailData ]
4525 | |<>--{0..1}--[ WindowsRegistryKeysModified ]
4526 | |<>--{0..1}--[ FileData ]
4527 | |<>--{0..1}--[ CertificateData ]
4528 | |<>--{0..1}--[ RegistryHandle ]
4529 | |<>--{0..1}--[ RecordData ]
4530 | |<>--{0..1}--[ EventData ]
4531 | |<>--{0..1}--[ Incident ]
4532 | |<>--{0..1}--[ Expectation ]
4533 | |<>--{0..1}--[ Reference ]
4534 | |<>--{0..1}--[ Assessment ]
4535 | |<>--{0..1}--[ DetectionPattern ]
4536 | |<>--{0..1}--[ HistoryItem ]
4537 | |<>--{0..1}--[ BulkObservable ]
4538 | |<>--{0..*}--[ AdditionalData ]
4539 +------------------------+
4541 Figure 62: The Observable Class
4543 The aggregate classes of the Observable class are:
4545 System
4546 Zero or one. A System observable. See Section 3.17.
4548 Address
4549 Zero or one. An Address observable. See Section 3.18.1.
4551 DomainData
4552 Zero or one. A DomainData observable. See Section 3.19.
4554 Service
4555 Zero or one. A Service observable. See Section 3.20.
4557 EmailData
4558 Zero or one. An EmailData observable. See Section 3.21.
4560 WindowsRegistryKeysModified
4561 Zero or one. A WindowsRegistryKeysModified observable. See
4562 Section 3.23.
4564 FileData
4565 Zero or one. A FileData observable. See Section 3.25.
4567 CertificateData
4568 Zero or one. A CertificateData observable. See Section 3.24.
4570 RegistryHandle
4571 Zero or one. A RegistryHandle observable. See Section 3.9.1.
4573 RecordData
4574 Zero or one. A RecordData observable. See Section 3.22.1.
4576 EventData
4577 Zero or one. An EventData observable. See Section 3.14.
4579 Incident
4580 Zero or one. An Incident observable. See Section 3.2.
4582 Expectation
4583 Zero or one. An Expectation observable. See Section 3.15.
4585 Reference
4586 Zero or one. A Reference observable. See Section 3.11.1.
4588 Assessment
4589 Zero or one. An Assessment observable. See Section 3.12.
4591 DetectionPattern
4592 Zero or one. A DetectionPattern observable. See Section 3.12.
4594 HistoryItem
4595 Zero or one. A HistoryItem observable. See Section 3.13.1.
4597 BulkObservable
4598 Zero or one. A bulk list of observables. See Section 3.29.3.1.
4600 AdditionalData
4601 Zero or more. EXTENSION. Mechanism by which to extend the data
4602 model.
4604 The Observable class MUST have exactly one of the possible child
4605 classes.
4607 The attributes of the Observable class are:
4609 restriction
4610 Optional. ENUM. See Section 3.3.1.
4612 ext-restriction
4613 Optional. STRING. A means by which to extend the restriction
4614 attribute. See Section 5.1.1.
4616 3.29.3.1. BulkObservable Class
4618 The BulkObservable class allows the enumeration of a single type of
4619 observables without requiring each one to be encoded individually in
4620 multiple instances of the same class.
4622 The type attribute describes the type of observable listed in the
4623 child BulkObservableList class. The BulkObservableFormat class
4624 optionally provides additional meta-data.
4626 +---------------------------+
4627 | BulkObservable |
4628 +---------------------------+
4629 | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
4630 | STRING ext-type |<>----------[ BulkObservableList ]
4631 | |<>--{0..*}--[ AdditionalData ]
4632 +---------------------------+
4634 Figure 63: The BulkObservable Class
4636 The aggregate classes of the BulkObservable class are:
4638 BulkObservableFormat
4639 Zero or one. Provides additional meta-data about the observables
4640 enumerated in the BulkObservableList class. See
4641 Section 3.29.3.1.1.
4643 BulkObservableList
4644 One. STRING. A list of observables, one per line. Each line is
4645 separated with either a LF character or CR-and-LF characters. The
4646 type attribute specifies which observables will be listed.
4648 AdditionalData
4649 Zero or more. EXTENSION. Mechanism by which to extend the data
4650 model.
4652 The attributes of the BulkObservable class are:
4654 type
4655 Optional. ENUM. The type of the observable listed in the child
4656 BulkObservableList class. These values are maintained in the
4657 "BulkObservable-type" IANA registry per Section 10.2.
4659 1. asn. Autonomous System Number (per the Address@category
4660 attribute).
4662 2. atm. Asynchronous Transfer Mode (ATM) address (per the
4663 Address@category attribute).
4665 3. e-mail. Email address (per the Address@category attribute).
4667 4. ipv4-addr. IPv4 host address in dotted-decimal notation
4668 (e.g., 192.0.2.1) (per the Address@category attribute).
4670 5. ipv4-net. IPv4 network address in dotted-decimal notation,
4671 slash, significant bits (e.g., 192.0.2.0/24) (per the
4672 Address@category attribute).
4674 6. ipv4-net-mask. IPv4 network address in dotted-decimal
4675 notation, slash, network mask in dotted-decimal notation
4676 (i.e., 192.0.2.0/255.255.255.0) (per the Address@category
4677 attribute).
4679 7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
4680 Address@category attribute).
4682 8. ipv6-net. IPv6 network address, slash, significant bits
4683 (e.g., 2001:DB8::/32) (per the Address@category attribute).
4685 9. ipv6-net-mask. IPv6 network address, slash, network mask
4686 (per the Address@category attribute).
4688 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
4689 (per the Address@category attribute).
4691 11. site-uri. A URL or URI for a resource (per the
4692 Address@category attribute).
4694 12. domain-name. A fully qualified domain name or part of a
4695 name. (e.g., fqdn.example.com, example.com).
4697 13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
4698 a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").
4700 14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
4701 a comma separated list (e.g., "fqdn.example.com,
4702 2001:DB8::3").
4704 15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
4705 timestamp (in the DATETIME format) of the resolution (e.g.,
4706 "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
4708 16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
4709 timestamp (in the DATETIME format) of the resolution (e.g.,
4710 "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
4712 17. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
4713 192.0.2.1, 80, tcp). The protocol name corresponds to the
4714 "Keyword" column in the [IANA.Protocols] registry.
4716 18. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
4717 2001:DB8::3, 80, tcp). The protocol name corresponds to the
4718 "Keyword" column in the [IANA.Protocols] registry.
4720 19. windows-reg-key. A Microsoft Windows Registry key.
4722 20. file-hash. A file hash. The format of this hash is
4723 described in the Hash class that MUST be present in a sibling
4724 BulkObservableFormat class.
4726 21. email-x-mailer. An X-Mailer field from an email.
4728 22. email-subject. An email subject line.
4730 23. http-user-agent. A User Agent field from an HTTP request
4731 header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
4732 Gecko/20100101 Firefox/38.0").
4734 24. http-request-uri. The Request URI from an HTTP request
4735 header.
4737 25. mutex. The name of a system mutex.
4739 26. file-path. A file path (e.g., "/tmp/local/file",
4740 "c:\windows\system32\file.sys").
4742 27. user-name. A username.
4744 28. ext-value. A value used to indicate that this attribute is
4745 extended and the actual value is provided using the
4746 corresponding ext-* attribute. See Section 5.1.1.
4748 ext-type
4749 Optional. STRING. A means by which to extend the type attribute.
4750 See Section 5.1.1.
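As an added example (not part of the draft), a Python checker for the syntax each BulkObservable-type value implies, built from the formats the list above gives; the protocol keyword set is a constructed subset of the IANA registry's "Keyword" column, and types with free-form syntax (mutex, file-path, windows-reg-key and the like) are reported as unchecked rather than guessed at.

```python
"""Check BulkObservableList values against the declared BulkObservable-type.

Added example, not the draft's code. Only types whose syntax the list
above spells out are checked; the rest are reported as unchecked (None).
"""
import ipaddress
import re
from datetime import datetime

# Constructed subset of the "Keyword" column of the IANA protocol registry.
IANA_PROTOCOL_KEYWORDS = {"tcp", "udp", "icmp", "sctp"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$", re.IGNORECASE)
_MAC_RE = re.compile(r"^[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}$", re.IGNORECASE)


def _is_host(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _is_net(value, version, mask_notation):
    """'addr/bits' when mask_notation is False, 'addr/dotted-mask' when True."""
    if "/" not in value:
        return False
    suffix = value.split("/", 1)[1]
    if mask_notation != ("." in suffix):
        return False
    try:
        # strict=True rejects a "network" with host bits set, e.g. 192.0.2.1/24
        return ipaddress.ip_network(value, strict=True).version == version
    except ValueError:
        return False


def _is_fqdn(value):
    return len(value) <= 253 and bool(_FQDN_RE.match(value))


def _is_timestamp(value):
    # DATETIME is XML Schema dateTime; the offset form shown above parses
    # with fromisoformat on Python 3.7+.
    try:
        datetime.fromisoformat(value)
        return True
    except ValueError:
        return False


def _fields(value, count):
    """Split the comma-separated tuple; None unless exactly `count` fields."""
    fields = [f.strip() for f in value.split(",")]
    return fields if len(fields) == count else None


def _is_addr_port(value, version):
    f = _fields(value, 3)
    return bool(f) and _is_host(f[0], version) and f[1].isdigit() \
        and int(f[1]) <= 65535 and f[2].lower() in IANA_PROTOCOL_KEYWORDS


def _is_domain_to_addr(value, version, with_timestamp):
    f = _fields(value, 3 if with_timestamp else 2)
    if not f or not _is_fqdn(f[0]) or not _is_host(f[1], version):
        return False
    return _is_timestamp(f[2]) if with_timestamp else True


# BulkObservable-type -> predicate. ipv6-net-mask, mutex, file-path and
# the other free-form types are deliberately absent (unchecked).
_CHECKS = {
    "ipv4-addr": lambda v: _is_host(v, 4),
    "ipv6-addr": lambda v: _is_host(v, 6),
    "ipv4-net": lambda v: _is_net(v, 4, False),
    "ipv6-net": lambda v: _is_net(v, 6, False),
    "ipv4-net-mask": lambda v: _is_net(v, 4, True),
    "mac": lambda v: bool(_MAC_RE.match(v)),
    "domain-name": _is_fqdn,
    "domain-to-ipv4": lambda v: _is_domain_to_addr(v, 4, False),
    "domain-to-ipv6": lambda v: _is_domain_to_addr(v, 6, False),
    "domain-to-ipv4-timestamp": lambda v: _is_domain_to_addr(v, 4, True),
    "domain-to-ipv6-timestamp": lambda v: _is_domain_to_addr(v, 6, True),
    "ipv4-port": lambda v: _is_addr_port(v, 4),
    "ipv6-port": lambda v: _is_addr_port(v, 6),
}


def check_value(obs_type, value):
    """True/False for a checked type; None when obs_type is not checked here."""
    check = _CHECKS.get(obs_type)
    return None if check is None else bool(check(value))


def validate_bulk_list(obs_type, values):
    """Values that do not match the declared type (unchecked types pass)."""
    return [v for v in values if check_value(obs_type, v) is False]


if __name__ == "__main__":
    # Constructed sample shaped like the C2 domain list in Section 7.2.
    print(validate_bulk_list("domain-name",
                             ["kj290023j09r34.example.com", "not a domain!"]))
```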
4752 3.29.3.1.1. BulkObservableFormat Class
4754 The BulkObservableFormat class specifies meta-data about the format of
4755 an observable enumerated in a sibling BulkObservableList class.
4757 +---------------------------+
4758 | BulkObservableFormat |
4759 +---------------------------+
4760 | |<>--{0..1}--[ Hash ]
4761 | |<>--{0..*}--[ AdditionalData ]
4762 +---------------------------+
4764 Figure 64: The BulkObservableFormat Class
4766 The aggregate classes of the BulkObservableFormat class are:
4768 Hash
4769 Zero or one. Describes the format of a hash. See Section 3.26.1.
4771 AdditionalData
4772 Zero or more. EXTENSION. Mechanism by which to extend the data
4773 model.
4775 The BulkObservableFormat class has no attributes.
4777 Either Hash or AdditionalData MUST be present.
4779 3.29.4. IndicatorExpression Class
4781 The IndicatorExpression describes an expression composed of observed
4782 phenomena or features, or indicators. Elements of the expression
4783 can be described directly, reference relevant data from other parts
4784 of a given IODEF document, or reference previously defined
4785 indicators.
4787 All child classes of a given instance of IndicatorExpression form a
4788 boolean algebraic expression where the operator between them is
4789 determined by the operator attribute.
4791 +--------------------------+
4792 | IndicatorExpression |
4793 +--------------------------+
4794 | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
4795 | STRING ext-operator |<>--{0..*}--[ Observable ]
4796 | |<>--{0..*}--[ ObservableReference ]
4797 | |<>--{0..*}--[ IndicatorReference ]
4798 | |<>--{0..1}--[ Confidence ]
4799 | |<>--{0..*}--[ AdditionalData ]
4800 +--------------------------+
4802 Figure 65: The IndicatorExpression Class
4804 The aggregate classes of the IndicatorExpression class are:
4806 IndicatorExpression
4807 Zero or more. An expression composed of other observables or
4808 indicators. See Section 3.29.4.
4810 Observable
4811 Zero or more. A description of an observable. See
4812 Section 3.29.3.
4814 ObservableReference
4815 Zero or more. A reference to an observable. See Section 3.29.6.
4817 IndicatorReference
4818 Zero or more. A reference to an indicator. See Section 3.29.7.
4820 Confidence
4821 Zero or one. An estimate of the confidence in the quality of the
4822 terms expressed in the expression. See Section 3.12.5.
4824 AdditionalData
4825 Zero or more. EXTENSION. Mechanism by which to extend the data
4826 model.
4828 The attributes of the IndicatorExpression class are:
4830 operator
4831 Optional. ENUM. The operator to be applied between the child
4832 elements. See Section 3.29.5 for parsing guidance. The default
4833 value is "and". These values are maintained in the
4834 "IndicatorExpression-operator" IANA registry per Section 10.2.
4836 1. not. negation operator.
4838 2. and. conjunction operator.
4840 3. or. disjunction operator.
4842 4. xor. exclusive disjunction operator.
4844 ext-operator
4845 Optional. STRING. A means by which to extend the operator
4846 attribute. See Section 5.1.1.
4848 3.29.5. Expressions with IndicatorExpression
4850 Boolean algebraic expressions can be used to specify relationships
4851 between observables and indicators. These expressions are constructed
4852 through the use of the operator attribute and parent-child
4853 relationships in IndicatorExpressions. These expressions should be
4854 parsed as follows:
4856 1. The operator specified by the operator attribute is applied
4857 between each of the child elements of the immediate parent
4858 IndicatorExpression element. If no operator attribute is
4859 specified, it should be assumed to be the conjunction operator
4860 (i.e., operator="and").
4862 2. A nested IndicatorExpression element with a parent
4863 IndicatorExpression is the equivalent of parentheses in the
4864 expression.
4866 The following four examples in Figure 66 through Figure 70 illustrate
4867 these parsing rules:
4869 1 :
4870 2 [O1]: ..
4871 3 [O2]: ..
4872 4 :
4874 Equivalent expression: (O1 AND O2)
4876 Figure 66: Nested elements in an IndicatorExpression without an
4877 operator attribute specified
4879 1 :
4880 2 [O1]: ..
4881 3 [O2]: ..
4882 4 :
4884 Equivalent expression: (O1 OR O2)
4886 Figure 67: Nested elements in an IndicatorExpression with an operator
4887 attribute specified
4889 1 :
4890 2 :
4891 3 [O1]: ..
4892 4 [O2]: ..
4893 5 :
4894 6 [O3]: ..
4895 7 :
4897 Equivalent expression: ((O1 OR O2) OR O3)
4899 Figure 68: Nested elements with a recursive IndicatorExpression with
4900 an operator attribute specified
4902 1 :
4903 2 :
4904 3 [O1]: ..
4905 4 [O2]: ..
4906 5 :
4907 6 :
4909 Equivalent expression: (NOT (O1 AND O2))
4911 Figure 69: A recursive IndicatorExpression with an operator attribute
4912 specified
4914 1 :
4915 2 :
4916 3 [O1 with low confidence] : ..
4917 4 :
4918 5 :
4919 6 :
4920 7 [O2 with high confidence]: ..
4921 8 :
4922 9 :
4923 10 :
4925 Equivalent expression: ((O1) OR (O2))
4927 Figure 70: Varying confidence on particular Observables
4929 Invalid algebraic expressions, while valid XML, MUST NOT be specified.
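An added evaluator (not from the draft) that applies the two parsing rules above to an IndicatorExpression tree and renders the same "Equivalent expression" form the figures use. The sample XML is constructed after Figures 68 and 69 (with a Confidence element added to show it carries no truth value); it assumes each Observable is labelled by an observable-id attribute, and it treats "not" over more than one term as an invalid expression, which the draft leaves undefined.

```python
"""Evaluate IndicatorExpression trees by the parsing rules of Section 3.29.5.

Added example, not the draft's code. Assumptions: each Observable carries
an observable-id attribute that names it; "not" over more than one term
is treated as an invalid expression (the draft does not define it).
"""
import operator
import xml.etree.ElementTree as ET
from functools import reduce

NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    return f"{{{NS}}}{name}"


TERM_TAGS = {q("IndicatorExpression"), q("Observable"),
             q("ObservableReference"), q("IndicatorReference")}
COMBINE = {"and": operator.and_, "or": operator.or_, "xor": operator.xor}


def _operator(expr):
    op = expr.get("operator", "and")          # rule 1: default is conjunction
    if op == "ext-value":
        raise ValueError("privately extended operators are not evaluated here")
    if op not in COMBINE and op != "not":
        raise ValueError(f"unknown operator {op!r}")
    return op


def _terms(expr):
    """Child terms in document order; Confidence/AdditionalData have no truth value."""
    terms = [child for child in expr if child.tag in TERM_TAGS]
    if not terms:
        raise ValueError("an IndicatorExpression without terms is not an expression")
    return terms


def _term_name(term):
    if term.tag == q("Observable"):
        return term.get("observable-id")
    return term.get("uid-ref") or term.get("euid-ref")   # the reference classes


def to_expression(expr):
    """Render in the "(O1 AND O2)" form of the figures; by rule 2 every
    nested IndicatorExpression becomes a parenthesised sub-expression."""
    op = _operator(expr)
    parts = [to_expression(t) if t.tag == q("IndicatorExpression") else _term_name(t)
             for t in _terms(expr)]
    if op == "not":
        if len(parts) != 1:
            raise ValueError("'not' must apply to exactly one term")
        return f"(NOT {parts[0]})"
    return "(" + f" {op.upper()} ".join(parts) + ")"


def evaluate(expr, observed):
    """observed: the set of observable/indicator ids that were actually seen."""
    op = _operator(expr)
    values = [evaluate(t, observed) if t.tag == q("IndicatorExpression")
              else (_term_name(t) in observed) for t in _terms(expr)]
    if op == "not":
        if len(values) != 1:
            raise ValueError("'not' must apply to exactly one term")
        return not values[0]
    return reduce(COMBINE[op], values)        # xor over n terms is parity


def is_valid_expression(expr):
    """False for a tree that is well-formed XML but not a valid expression."""
    try:
        to_expression(expr)
        return True
    except ValueError:
        return False


def parse_indicator(xml_text):
    """Return the top-level IndicatorExpression of an Indicator fragment."""
    return ET.fromstring(xml_text).find(q("IndicatorExpression"))


# Constructed samples after Figures 68 and 69; Observable content is
# omitted because only the structure matters to the parsing rules.
SAMPLE_FIG68 = f"""<Indicator xmlns="{NS}">
  <IndicatorExpression operator="or">
    <IndicatorExpression operator="or">
      <Observable observable-id="O1"/>
      <Observable observable-id="O2"/>
    </IndicatorExpression>
    <Observable observable-id="O3"/>
  </IndicatorExpression>
</Indicator>"""

SAMPLE_FIG69 = f"""<Indicator xmlns="{NS}">
  <IndicatorExpression operator="not">
    <IndicatorExpression>
      <Observable observable-id="O1"/>
      <Observable observable-id="O2"/>
      <Confidence rating="high"/>
    </IndicatorExpression>
  </IndicatorExpression>
</Indicator>"""

if __name__ == "__main__":
    e = parse_indicator(SAMPLE_FIG68)
    print(to_expression(e), evaluate(e, {"O2"}))   # ((O1 OR O2) OR O3) True
```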
4931 3.29.6. ObservableReference Class
4933 The ObservableReference describes a reference to an observable
4934 feature or phenomenon described elsewhere in the document.
4936 The ObservableReference class has no content.
4938 +-------------------------+
4939 | ObservableReference |
4940 +-------------------------+
4941 | IDREF uid-ref |
4942 +-------------------------+
4944 Figure 71: The ObservableReference Class
4948 The attribute of the ObservableReference class is:
4950 uid-ref
4951 Required. IDREF. An identifier that serves as a reference to a
4952 class in the IODEF document. The referenced class will have this
4953 identifier set in its observable-id attribute.
4955 3.29.7. IndicatorReference Class
4957 The IndicatorReference describes a reference to an indicator. This
4958 reference may be to an indicator described in this IODEF document or
4959 in a previously exchanged IODEF document.
4961 The IndicatorReference class has no content.
4963 +--------------------------+
4964 | IndicatorReference |
4965 +--------------------------+
4966 | IDREF uid-ref |
4967 | STRING euid-ref |
4968 | STRING version |
4969 +--------------------------+
4971 Figure 72: The IndicatorReference Class
4973 The attributes of the IndicatorReference class are:
4975 uid-ref
4976 Optional. IDREF. An identifier that references an Indicator
4977 class in the IODEF document. The referenced Indicator class will
4978 have this identifier set in its IndicatorID class.
4980 euid-ref
4981 Optional. STRING. An identifier that references an IndicatorID
4982 not in this IODEF document.
4984 version
4985 Optional. STRING. A version number of an indicator.
4987 Either the uid-ref or the euid-ref attribute MUST be set.
4989 3.29.8. AttackPhase Class
4991 The AttackPhase class describes a particular phase of an attack
4992 lifecycle.
4994 +------------------------+
4995 | AttackPhase |
4996 +------------------------+
4997 | |<>--{0..*}--[ AttackPhaseID ]
4998 | |<>--{0..*}--[ URL ]
4999 | |<>--{0..*}--[ Description ]
5000 | |<>--{0..*}--[ AdditionalData ]
5001 +------------------------+
5003 Figure 73: AttackPhase Class
5005 The aggregate classes of the AttackPhase class are:
5007 AttackPhaseID
5008 Zero or more. STRING. An identifier for the phase of the attack.
5010 URL
5011 Zero or more. URL. A URL to a resource describing this phase of
5012 the attack.
5014 Description
5015 Zero or more. ML_STRING. A free-form text description of this
5016 phase of the attack.
5018 AdditionalData
5019 Zero or more. EXTENSION. A mechanism by which to extend the data
5020 model.
5022 AttackPhase MUST have at least one instance of a child class.
5024 The AttackPhase class has no attributes.
5026 4. Processing Considerations
5028 This section provides additional requirements and guidance on
5029 creating and processing IODEF documents.
5031 4.1. Encoding
5033 Every IODEF document MUST begin with an XML declaration and MUST
5034 specify the XML version used. The character encoding MUST also be
5035 explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
5036 [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
5037 NOT be used. The IODEF conforms to all XML data encoding conventions
5038 and constraints.
5040 The XML declaration with UTF-8 character encoding will read as
5041 follows:
5043
5045 Certain characters have special meaning in XML and MUST NOT appear in
5046 literal form. Per Section 2.4 of [W3C.XML], these characters MUST be
5047 escaped with a numeric character or entity reference.
5049 4.2. IODEF Namespace
5051 The IODEF schema declares a namespace of
5052 "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
5053 Each IODEF document MUST include a valid reference to the IODEF
5054 schema using the "xsi:schemaLocation" attribute. An example of such
5055 a declaration would look as follows:
5057
5062 4.3. Validation
5064 IODEF documents MUST be well-formed XML. It is RECOMMENDED that
5065 recipients validate the document against the schema described in
5066 Section 8. However, mere conformance to this schema is not
5067 sufficient for a semantically valid IODEF document. The text of
5068 Section 3 describes further formatting and constraints, some of which
5069 cannot be conveniently encoded in the schema. These MUST also be
5070 considered by an IODEF implementation. Furthermore, the enumerated
5071 values present in this document are a static list that will be
5072 incomplete over time as select attributes can be extended by a
5073 corresponding IANA registry per Section 10.2. Therefore, IODEF
5074 implementations SHOULD periodically update their schema and MAY need
5075 to update their parsing algorithms to incorporate newly registered
5076 values.
5078 4.4. Incompatibilities with v1
5080 The IODEF data model in this document makes a number of changes to
5081 [RFC5070]. These changes were largely additive -- classes and
5082 enumerated values were added. However, some incompatibilities
5083 between [RFC5070] and this new specification were introduced. These
5084 incompatibilities are as follows:
5086 o The IODEF-Document@version attribute is set to "2.0".
5088 o Attributes with enumerated values can now also be extended with
5089 IANA registries.
5091 o All iodef:MLStringType classes use xml:lang. IODEF-Document also
5092 uses xml:lang.
5094 o The Service@ip_protocol attribute was renamed to @ip-protocol.
5096 o The Node/NodeName class was removed in favor of representing
5097 domain names with Node/DomainData/Name class. The Node/DataTime
5098 class was also removed so that the Node/DomainData/
5099 DateDomainWasChecked class can represent the time at which the
5100 name to address resolution occurred.
5102 o The Node/NodeRole class was moved to System/NodeRole.
5104 o The Reference class is now defined by [RFC7495].
5106 o The data previously represented in the Impact class is now in the
5107 SystemImpact and IncidentCategory classes. The Impact class has
5108 been removed.
5110 o The semantics of Counter@type are now represented in Counter@unit.
5112 o The IODEF-Document@formatid attribute has been renamed to @format-
5113 id.
5115 o Incident/ReportTime is no longer mandatory. However,
5116 GenerationTime is.
5118 o The Fax class was removed and is now represented by a generic
5119 Telephone class.
5121 o The Telephone, Email and PostalAddress classes were redefined for
5122 improved internationalization.
5124 o The "ipv6-net-mask" value was removed from the category attribute
5125 of Address.
5127 5. Extending the IODEF
5129 In order to support the dynamic nature of security operations, the
5130 IODEF data model will need to continue to evolve. This section
5131 discusses how new data elements can be incorporated into the IODEF.
5132 There is support to add additional enumerated values and new classes.
5133 Adding additional attributes to existing classes is not supported.
5135 These extension mechanisms are designed so that adding new data
5136 elements is possible without requiring modifications to this
5137 document. Extensions can be implemented publicly or privately. With
5138 proven value, well documented extensions can be incorporated into
5139 future versions of the specification.
5141 5.1. Extending the Enumerated Values of Attributes
5143 Additional enumerated values can be added to select attributes either
5144 through the use of specially marked attributes with the "ext-" prefix
5145 or through a set of corresponding IANA registries. The former
5146 approach allows for the extension to remain private. The latter
5147 approach is public.
5149 5.1.1. Private Extension of Enumerated Values
5151 The data model supports adding new enumerated values to an attribute
5152 without public registration. For each attribute that supports this
5153 extension technique, there is a corresponding attribute in the same
5154 element whose name is identical but with a prefix of "ext-". This
5155 special attribute is referred to as the extension attribute. The
5156 attribute being extended is referred to as an extensible attribute.
5157 For example, an extensible attribute named "foo" will have a
5158 corresponding extension attribute named "ext-foo". An element may
5159 have many extensible attributes.
5161 In addition to a corresponding extension attribute, each extensible
5162 attribute has "ext-value" as one of its possible enumerated values.
5163 Selection of this particular value in an extensible attribute signals
5164 that the extension attribute contains data. Otherwise, this "ext-
5165 value" value has no meaning.
5167 In order to add a new enumerated value to an extensible attribute,
5168 the value of this attribute MUST be set to "ext-value", and the new
5169 desired value MUST be set in the corresponding extension attribute.
5170 For example, extending the type attribute of the SystemImpact class
5171 would look as follows:
5173
5175 A given extension attribute MUST NOT be set unless the corresponding
5176 extensible attribute has been set to "ext-value".
5178 5.1.2. Public Extension of Enumerated Values
5180 The data model also supports publicly extending select enumerated
5181 attributes. A new entry can be added by registering a new entry in
5182 the appropriate IANA registry. Section 10.2 provides a mapping
5183 between the extensible attributes and their corresponding registry.
5184 Section 4.3 discusses the XML Validation implications of this type of
5185 extension. All extensible attributes that support private extensions
5186 also support public extensions.
5188 5.2. Extending Classes
5190 Classes of the EXTENSION (iodef:ExtensionType) type can extend the
5191 data model. They provide the ability to have new atomic or XML-
5192 encoded data elements in all of the top-level classes of the Incident
5193 class and a few of the complex subordinate classes. As there are
5194 multiple instances of the extensible classes in the data model, there
5195 is discretion on where to add a new data element. It is RECOMMENDED
5196 that the extension be placed in the most closely related class to the
5197 new information.
5199 Extensions using the atomic data types (i.e., all values of the dtype
5200 attributes other than "xml") MUST:
5202 1. Set the element content to the desired value, and
5204 2. Set the dtype attribute to correspond to the data type of the
5205 element content.
5207 The following guidelines exist for extensions using XML (i.e.,
5208 dtype="xml"):
5210 1. The element content of the extensible class MUST be set to the
5211 desired value and the dtype attribute MUST be set to "xml".
5213 2. The extension schema MUST declare a separate namespace. It is
5214 RECOMMENDED that these extensions have the prefix "iodef-". This
5215 recommendation makes readability of the document easier by
5216 allowing the reader to infer which namespaces relate to IODEF by
5217 inspection.
5219 3. It is RECOMMENDED that extension schemas follow the naming
5220 convention of the IODEF data model. This too improves the
5221 readability of extended IODEF documents. The names of all
5222 elements SHOULD be capitalized. For elements with composed
5223 names, a capital letter SHOULD be used for each word. Attribute
5224 names SHOULD be in lower case. Attributes with composed names
5225 SHOULD be separated by a hyphen.
5227 4. Implementations that encounter an unrecognized element, attribute
5228 or attribute value in a supported namespace SHOULD reject the
5229 document as a syntax error.
5231 5. There are security and performance implications in requiring
5232 implementations to dynamically download schemas at run time.
5233 Therefore, implementations MUST NOT download schemas at runtime
5234 unless the appropriate precautions are taken. Implementations
5235 also need to contend with the potential of significant network
5236 and processing issues.
5238 6. Some adopters of the IODEF may have private schema definitions
5239 that are not publicly available. Thus implementations may
5240 encounter IODEF documents with references to private schemas that
5241 may not be resolvable. Hence, IODEF document recipients MUST be
5242 prepared for a schema definition in an IODEF document never to
5243 resolve.
5245 The following schema and XML document excerpt provide a template for
5246 an extension schema and its use in the IODEF document.
5248 This example schema defines a namespace of "iodef-extension1" and a
5249 single element named "newdata".
5251
5255 attributeFormDefault="unqualified"
5256 elementFormDefault="qualified">
5257
5261
5262
5264 The following XML excerpt demonstrates the use of the above schema as
5265 an extension to the IODEF.
5267
5274
5275 ...
5276
5277
5278 Field that could not be represented elsewhere
5279
5280
5281
5282
5309 If an unrecognized private extension is encountered in processing,
5310 the recipient MAY reject the entire document as a syntax error.
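An added checker (not the draft's code) for the constraints of Section 5.1.1 and Section 5.2 together: every "ext-" attribute must pair with its extensible attribute set to "ext-value" and vice versa, and an AdditionalData element must carry either atomic text or, for dtype="xml", exactly one child element in its own non-IODEF namespace. The two documents are constructed; the extension namespace, the ext-type value and the default dtype of "string" when the attribute is absent are assumptions.

```python
"""Check private-extension rules from Sections 5.1.1 and 5.2 (added example).

Not the draft's code. Assumptions: AdditionalData is the ExtensionType
class checked, dtype defaults to "string" when absent, and the extension
namespace and attribute values in the samples are constructed.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
EXT_VALUE = "ext-value"


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def check_ext_attributes(elem):
    """5.1.1: ext-foo is set only when foo="ext-value", and vice versa."""
    problems = []
    for name, value in elem.attrib.items():
        if name.startswith("ext-"):
            base = name[4:]
            if elem.get(base) != EXT_VALUE:
                problems.append(f"<{_local(elem.tag)}>: {name} is set but "
                                f"{base} is not {EXT_VALUE!r}")
        elif value == EXT_VALUE and not elem.get("ext-" + name):
            problems.append(f"<{_local(elem.tag)}>: {name}={EXT_VALUE!r} "
                            f"without a corresponding ext-{name}")
    return problems


def check_extension_class(elem):
    """5.2: atomic dtype -> text content only; dtype="xml" -> exactly one
    child element that declares its own (non-IODEF) namespace."""
    dtype = elem.get("dtype", "string")
    where = f"<{_local(elem.tag)} dtype={dtype!r}>"
    children = list(elem)
    if dtype == "xml":
        if len(children) != 1:
            return [f"{where}: needs exactly one child element"]
        if _namespace(children[0].tag) in ("", IODEF_NS):
            return [f"{where}: extension content must use its own namespace"]
    elif children or not (elem.text or "").strip():
        return [f"{where}: atomic dtype needs text and no child elements"]
    return []


def check_document(xml_text):
    """All violations in one document (empty list when clean). ElementTree
    never fetches external schemas, so an xsi:schemaLocation that points at
    an unresolvable private schema is harmless here."""
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        problems += check_ext_attributes(elem)
        if elem.tag == f"{{{IODEF_NS}}}AdditionalData":
            problems += check_extension_class(elem)
    return problems


# Constructed documents: GOOD_DOC follows the rules, BAD_DOC breaks four.
GOOD_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.0" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:example:iodef-extension1 iodef-extension1.xsd">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <Assessment>
      <SystemImpact type="ext-value" ext-type="new-impact-type"/>
    </Assessment>
    <AdditionalData dtype="integer">42</AdditionalData>
    <AdditionalData dtype="xml">
      <iodef-extension1:newdata
          xmlns:iodef-extension1="urn:example:iodef-extension1">
        Field that could not be represented elsewhere
      </iodef-extension1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>"""

BAD_DOC = """<IODEF-Document version="2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <Assessment>
      <SystemImpact type="unknown" ext-type="new-impact-type"/>
    </Assessment>
    <AdditionalData dtype="ext-value">42</AdditionalData>
    <AdditionalData dtype="string"><Nested/></AdditionalData>
    <AdditionalData dtype="xml"><Incident/></AdditionalData>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for problem in check_document(BAD_DOC):
        print(problem)
```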
5312 6. Internationalization Issues
5314 Internationalization and localization are of specific concern to the
5315 IODEF as it facilitates operational coordination with a diverse set
5316 of partners. The IODEF implements internationalization by relying on
5317 XML constructs and through explicit design choices in the data model.
5319 Since the IODEF is implemented as an XML Schema, it supports
5320 different character encodings, such as UTF-8 and UTF-16, possible
5321 with XML. Additionally, each IODEF document MUST specify the
5322 language in which its content is encoded. The language can be
5323 specified with the attribute "xml:lang" (per Section 2.12 of
5324 [W3C.XML]) in the top-level element (i.e., IODEF-Document) and
5325 letting all other elements inherit that definition. All IODEF
5326 classes with a free-form text definition (i.e., all those defined
5327 with type iodef:MLStringType) can also specify a language different
5328 from the rest of the document.
5330 The data model supports multiple translations of free-form text. All
5331 ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
5332 to their parent. This allows the identical text translated into
5333 different languages to be encoded in different instances of the same
5334 class with a common parent. This design also enables the creation of
5335 a single document containing all the translations. The IODEF
5336 implementation SHOULD extract the appropriate language relevant to
5337 the recipient.
5339 Related instances of a given iodef:MLStringType class that are
5340 translations of each other are identified by a common identifier set
5341 in the translation-id attribute. The example below shows three
5342 instances of a Description class expressed in three different
5343 languages. The relationship between these three instances of the
5344 Description class is conveyed by the common value of "1" in the
5345 translation-id attribute.
5347
5349 ...
5350 English
5352 Englisch
5354 Anglais
5357 The IODEF balances internationalization support with the need for
5358 interoperability. While the IODEF supports different languages, the
5359 data model also relies heavily on standardized enumerated attributes
5360 that can crudely approximate the contents of the document. With this
5361 approach, a CSIRT should be able to make some sense of an IODEF
5362 document it receives even if the free-form text data elements are
5363 written in a language unfamiliar to the recipient.
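An added example (not from the draft) of the language selection this section asks of an implementation: xml:lang is inherited from IODEF-Document, Description instances sharing a translation-id are treated as translations of one text, and the recipient's preferred language is picked with a fallback to the first instance written. The document is constructed after the Description example above; matching on the primary language subtag only is an assumption.

```python
"""Pick the recipient's language from translated ML_STRING instances
(Section 6). Added example, not the draft's code; the document below is
constructed after the draft's Description example."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def _primary(lang):
    """Compare on the primary subtag only ("en-US" matches "en")."""
    return lang.lower().split("-")[0]


def effective_lang(elem, parents):
    """xml:lang on elem, else inherited from the nearest ancestor that sets
    it (IODEF-Document at the top, which MUST carry one)."""
    while elem is not None:
        if elem.get(XML_LANG):
            return _primary(elem.get(XML_LANG))
        elem = parents.get(elem)
    return None


def collect_translations(root, class_name="Description"):
    """Map translation-id -> {language: text} for every instance of the
    class; an instance without translation-id forms a group of its own."""
    parents = {child: parent for parent in root.iter() for child in parent}
    groups = {}
    for n, elem in enumerate(root.iter(f"{{{IODEF_NS}}}{class_name}")):
        key = elem.get("translation-id") or f"untagged-{n}"
        lang = effective_lang(elem, parents)
        groups.setdefault(key, {})[lang] = " ".join((elem.text or "").split())
    return groups


def select_text(translations, preferred):
    """First preferred language present, else the first instance written
    (normally the one in the document's own language)."""
    for lang in preferred:
        if _primary(lang) in translations:
            return translations[_primary(lang)]
    return next(iter(translations.values()))


def descriptions_for(xml_text, preferred, class_name="Description"):
    """translation-id (or untagged-N) -> the text chosen for the recipient."""
    root = ET.fromstring(xml_text)
    return {key: select_text(tr, preferred)
            for key, tr in collect_translations(root, class_name).items()}


# Constructed document after the three-language Description example.
SAMPLE = """<IODEF-Document version="2.0" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <Description translation-id="1">English</Description>
    <Description translation-id="1" xml:lang="de">Englisch</Description>
    <Description translation-id="1" xml:lang="fr">Anglais</Description>
    <Description>Only provided in the document language</Description>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    print(descriptions_for(SAMPLE, ["de-DE", "en"]))
```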
5365 7. Examples
5367 This section provides examples of IODEF documents. These examples do
5368 not represent the full capabilities of the data model or the only
5369 way to encode particular information.
5371 7.1. Minimal Example
5373 A document containing only the mandatory elements and attributes.
5375
5376
5377
5383
5384 492382
5385 2015-07-18T09:00:00-05:00
5386
5387
5388 contact@csirt.example.com
5389
5390
5391
5392
5393
5395 7.2. Indicators from a Campaign
5397 An example of C2 domains from a given campaign.
5399
5400
5401
5407
5408 897923
5409
5410
5411
5412 TA-12-AGGRESSIVE-BUTTERFLY
5413
5414 Aggressive Butterfly
5415
5416
5417 C-2015-59405
5418 Orange Giraffe
5419
5420
5421 2015-10-02T11:18:00-05:00
5422 Summarizes the Indicators of Compromise
5423 for the Orange Giraffe campaign of the Aggressive
5424 Butterfly crime gang.
5425
5426
5427
5428
5429
5430 CSIRT for example.com
5431
5432 contact@csirt.example.com
5433
5434
5435
5436
5437
5438 G90823490
5439
5440 C2 domains
5441 2014-12-02T11:18:00-05:00
5442
5443
5444
5445 kj290023j09r34.example.com
5446 09ijk23jfj0k8.example.net
5447 klknjwfjiowjefr923.example.org
5448 oimireik79msd.example.org
5449
5450
5451
5452
5454
5455
5456
5458 8. The IODEF Data Model (XML Schema)
5483 Incident Object Description Exchange Format v2.0
5484
5485
5486
5491
5492
5493
5494
5495
5497
5498
5499
5500
5501
5503
5505
5506
5507
5512
5513
5514
5515
5516
5517
5519
5520
5521
5522
5523
5524
5525
5527
5529
5531
5533
5534
5536
5537
5538
5540
5541
5543
5545
5546
5548
5549
5552
5554
5555
5556
5557
5558
5559
5560
5561
5562
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
5577
5582
5583
5584
5585
5586
5587
5589
5591
5593
5594
5595
5596
5601
5602
5603
5604
5605
5606
5608
5610
5611
5612
5617
5618
5619
5620
5622
5624
5626
5628
5630
5631
5633
5635
5636
5638
5640
5641
5642
5643
5644
5645
5647
5648
5650
5652
5653
5655
5657
5658
5659
5660
5661
5662
5663
5665
5667
5669
5671
5672
5674
5676
5677
5678
5679
5684
5685
5686
5687
5689
5691
5693
5695
5697
5699
5701
5702
5704
5706
5707
5709
5711
5713
5715
5717
5719
5720
5721
5722
5723
5724
5725
5726
5727
5728
5729
5730
5731
5732
5733
5734
5735
5736
5737
5738
5739
5740
5741
5743
5744
5745
5746
5747
5748
5749
5750
5751
5752
5753
5754
5755
5756
5757
5759
5761
5762
5763
5764
5765
5766
5767
5768
5769
5770
5771
5772
5773
5774
5775
5776
5777
5778
5779
5780
5781
5783
5784
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799
5800
5801
5803
5804
5806
5807
5808
5809
5810
5811
5812
5813
5814
5815
5816
5817
5818
5819
5820
5821
5822
5823
5825
5826
5828
5829
5830
5831
5832
5833
5834
5835
5836
5837
5838
5843
5844
5845
5846
5847
5848
5849
5850
5851
5856
5857
5858
5859
5860
5861
5863
5865
5866
5867
5868
5869
5870
5871
5872
5873
5875
5877
5879
5880
5882
5884
5886
5888
5889
5890
5891
5892
5897
5898
5899
5900
5902
5904
5905
5906
5907
5908
5910
5912
5913
5915
5917
5918
5919
5920
5925
5926
5927
5928
5930
5932
5934
5935
5938
5940
5942
5944
5945
5946
5947
5948
5949
5950
5951
5952
5953
5954
5955
5956
5957
5958
5959
5960
5961
5962
5963
5964
5965
5966
5967
5968
5969
5970
5971
5972
5973
5974
5976
5979
5980
5982
5984
5985
5986
5987
5992
5993
5994
5995
5997
5999
6001
6003
6005
6007
6008
6010
6012
6013
6014
6019
6020
6021
6022
6023
6025
6027
6028
6029
6030
6031
6036
6037
6038
6039
6041
6042
6043
6044
6045
6046
6047
6048
6050
6052
6054
6055
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6068
6070
6071
6072
6073
6074
6075
6076
6077
6078
6079
6080
6081
6083
6084
6086
6089
6092
6093
6094
6095
6096
6097
6098
6099
6100
6101
6102
6103
6104
6105
6106
6107
6108
6109
6110
6111
6112
6113
6114
6115
6116
6117
6118
6119
6120
6121
6122
6123
6124
6125
6126
6128
6129
6130
6131
6132
6134
6135
6137
6139
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6179
6181
6182
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
6208
6210
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6229
6230
6231
6232
6234
6235
6236
6237
6238
6239
6241
6243
6244
6246
6248
6250
6251
6253
6255
6256
6258
6260
6261
6262
6263
6268
6269
6270
6271
6273
6274
6275
6276
6281
6282
6283
6284
6285
6287
6289
6291
6293
6296
6298
6300
6301
6302
6304
6305
6307
6310
6312
6314
6316
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327
6328
6329
6330
6331
6332
6333
6334
6335
6336
6337
6338
6339
6340
6341
6342
6343
6348
6349
6350
6351
6352
6354
6356
6357
6358
6360
6362
6363
6364
6365
6366
6367
6368
6369
6372
6374
6375
6376
6378
6379
6380
6381
6382
6383
6384
6385
6386
6387
6388
6389
6390
6391
6392
6393
6394
6395
6396
6397
6398
6399
6400
6401
6402
6403
6405
6406
6408
6410
6411
6412
6413
6414
6415
6416
6417
6418
6419
6420
6421
6422
6423
6424
6425
6426
6427
6428
6429
6430
6431
6432
6433
6434
6435
6436
6437
6438
6439
6440
6441
6442
6443
6444
6445
6446
6447
6448
6449
6450
6451
6452
6453
6454
6455
6456
6457
6458
6459
6460
6461
6462
6463
6464
6465
6466
6467
6468
6469
6470
6475
6476
6477
6478
6479
6480
6481
6482
6483
6484
6485
6486
6487
6488
6490
6491
6492
6493
6494
6495
6496
6497
6498
6499
6500
6501
6503
6504
6505
6506
6508
6509
6510
6511
6514
6516
6518
6519
6520
6521
6522
6523
6528
6529
6530
6531
6532
6534
6536
6538
6540
6542
6543
6545
6546
6547
6548
6549
6550
6551
6552
6553
6554
6555
6556
6557
6558
6559
6560
6561
6562
6563
6564
6565
6566
6567
6568
6569
6570
6571
6572
6573
6578
6579
6580
6581
6583
6584
6585
6586
6588
6589
6590
6591
6593
6595
6596
6597
6598
6599
6600
6601
6602
6603
6604
6605
6606
6607
6612
6613
6614
6615
6616
6618
6620
6622
6624
6626
6628
6629
6631
6633
6635
6637
6638
6639
6640
6641
6642
6643
6644
6645
6646
6647
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658
6659
6660
6661
6662
6663
6664
6665
6666
6667
6668
6669
6670
6671
6672
6673
6674
6675
6676
6677
6678
6679
6680
6681
6682
6683
6685
6686
6687
6688
6689
6694
6695
6696
6697
6698
6699
6701
6703
6704
6705
6706
6707
6708
6709
6711
6712
6714
6716
6718
6720
6722
6724
6726
6727
6729
6731
6732
6733
6734
6735
6736
6737
6738
6741
6743
6745
6748
6750
6752
6753
6755
6756
6757
6758
6759
6760
6761
6762
6763
6764
6765
6766
6767
6768
6769
6770
6771
6772
6773
6778
6779
6780
6781
6782
6783
6784
6785
6786
6787
6788
6789
6790
6791
6792
6794
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6817
6818
6819
6820
6822
6823
6825
6827
6828
6829
6830
6831
6832
6833
6834
6835
6836
6838
6839
6840
6841
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6857
6858
6859
6860
6861
6863
6865
6866
6868
6869
6870
6871
6872
6873
6874
6875
6876
6877
6878
6879
6880
6881
6882
6883
6884
6885
6886
6887
6888
6889
6890
6892
6893
6894
6895
6896
6897
6898
6899
6901
6902
6904
6905
6906
6907
6908
6913
6914
6915
6916
6917
6918
6919
6920
6925
6926
6927
6928
6929
6930
6932
6934
6935
6936
6937
6938
6939
6940
6941
6943
6944
6945
6946
6947
6952
6953
6954
6955
6957
6958
6959
6960
6961
6962
6963
6964
6966
6968
6969
6970
6971
6973
6974
6975
6976
6977
6978
6979
6981
6983
6985
6987
6988
6990
6992
6993
6994
6995
6996
6997
6998
6999
7001
7002
7003
7004
7005
7006
7007
7008
7009
7010
7012
7014
7015
7016
7017
7018
7019
7020
7021
7022
7023
7024
7026
7027
7028
7029
7030
7031
7032
7033
7034
7035
7036
7037
7038
7040
7041
7044
7046
7047
7048
7049
7050
7051
7052
7053
7055
7056
7058
7059
7060
7061
7062
7063
7064
7065
7066
7067
7068
7069
7070
7071
7072
7073
7074
7075
7076
7077
7078
7079
7080
7081
7082
7083
7084
7085
7086
7087
7088
7089
7090
7091
7092
7093
7094
7095
7096
7098
7099
7100
7101
7102
7103
7104
7105
7106
7107
7108
7109
7110
7111
7112
7114
7115
7118
7120
7121
7122
7123
7124
7125
7126
7127
7128
7129
7130
7131
7132
7133
7134
7135
7136
7137
7138
7139
7141
7142
7143
7144
7145
7146
7148
7149
7151
7153
7154
7155
7156
7157
7162
7163
7164
7165
7170
7171
7172
7173
7174
7175
7176
7177
7178
7180
7181
7182
7183
7184
7185
7186
7187
7188
7189
7190
7191
7193
7194
7195
7196
7197
7199
7201
7202
7204
7205
7206
7207
7209
7211
7212
7213
7214
7215
7216
7218
7220
7221
7222
7223
7224
7225
7227
7228
7231
7233
7236
7238
7239
7240
7241
7242
7243
7244
7245
7246
7247
7248
7249
7250
7251
7252
7253
7254
7255
7256
7257
7258
7263
7264
7265
7266
7267
7268
7269
7270
7271
7272
7273
7274
7275
7276
7277
7278
7279
7280
7281
7282
7283
7284
7285
7286
7287
7288
7289
7290
7291
7292
7293
7294
7295
7296
7297
7298
7299
7300
7301
7302
7303
7304
7305
7306
7307
7308
7309
7310
7311
7312
7313
7314
7315
7316
7317
7318
7319
7320
7321
7322
7323
7324
7325
7326
7327
7328
7329
7330
7331
7332
7333
7334
7335
7336
7337
7338
7339
7340
7341
7342
7343
7344
7345
7346
7347
7348
7349
7350
7351
7352
7353
7354
7355
9. Security Considerations

The IODEF data model does not directly introduce security or privacy
issues. However, as the data encoded by the IODEF might be considered
sensitive by the parties exchanging it or by those described by it,
care needs to be taken to ensure appropriate handling during document
construction, exchange, processing, archiving, and subsequent
retrieval and analysis.

9.1. Security

The underlying messaging format and protocol used to exchange
instances of the IODEF MUST provide appropriate guarantees of
confidentiality, integrity, and authenticity. The use of a
standardized security protocol is encouraged. The Real-time Inter-
network Defense (RID) protocol [RFC6545] and its associated transport
binding, IODEF/RID over HTTP/TLS [RFC6546], provide such security.

An IODEF implementation may act on the data in the document. These
actions might be explicitly requested in the document or be the result
of analytical logic that triggered on data in the document. For this
reason, care must be taken by IODEF implementations to properly
authenticate the sender and receiver of the document. The sender
needs confidence that sensitive information and timely requests for
action are sent to the correct recipient. The recipient may interpret
the contents of the document differently, or vary its actions, based
on who sent it. While the sender of the document may explicitly
convey confidence in the data in a granular way using the Confidence
class, the recipient is free to ignore or refine this information to
make its own assessment. Ambiguous Confidence elements (where it is
unclear to which of a set of other elements the Confidence element
relates) in a document MUST be ignored by the recipient.

Certain classes may require out-of-band coordination to agree upon
their semantics (e.g., Confidence@rating="low" or DefinedCOA). This
coordination MUST occur prior to operational data exchange to prevent
the incorrect interpretation of these data elements. When parsing
these data elements, implementations should validate, when possible,
that they conform to the agreed-upon semantics. These semantics may
need to be periodically reevaluated.

Executable content of various forms could be embedded into an IODEF
document directly or through an extension. Implementations MUST
handle this content with care to prevent unintentional automated
execution. The following classes are explicitly intended to
represent content that might be executable:

o All classes of type iodef:ExtensionType and the RecordPattern
  class can represent arbitrary binary strings such as legitimate
  software programs or malware.

o The EmailMessage and EmailBody classes can represent email
  attachments that can contain arbitrary content.

o The DetectionPattern class could specify a machine-readable
  configuration that directs the execution of the corresponding
  tool.
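
The handling rule above can be enforced at ingest. The following
Python is an added example, not code from this document or from any
IODEF implementation: it walks an IODEF v2 document, finds the
payload-capable classes listed above, and replaces their content with
an opaque handle while recording the class, location, attributes, byte
length and SHA-256 of what was detached, so that nothing downstream
receives the payload as data it might act on. Treating RecordItem and
AdditionalData as the classes of type iodef:ExtensionType is an
assumption of the example, and the sample document is constructed for
it.

```python
"""Detach payload-capable IODEF v2 content instead of acting on it."""
import hashlib
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Section 9.1 names RecordPattern, EmailMessage, EmailBody and
# DetectionPattern, plus every class of type iodef:ExtensionType.  Taking
# RecordItem and AdditionalData as the ExtensionType-typed classes is an
# assumption of this example, not a list from the document.
PAYLOAD_CLASSES = frozenset({
    "RecordPattern", "RecordItem", "AdditionalData",
    "EmailBody", "EmailMessage", "DetectionPattern",
})

# Constructed sample document.  The encoded command line is inert text
# and is never decoded or run by this code.
SAMPLE_DOC = """<IODEF-Document version="2.00" xml:lang="en"
                xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">2024-0001</IncidentID>
    <GenerationTime>2024-01-15T08:00:00-00:00</GenerationTime>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <EventData>
      <RecordData>
        <RecordPattern type="regex">powershell\\s+-enc</RecordPattern>
        <RecordItem dtype="string">powershell -enc SQBFAFgA...</RecordItem>
      </RecordData>
      <AdditionalData dtype="string" meaning="analyst note">Seen on three hosts</AdditionalData>
    </EventData>
  </Incident>
</IODEF-Document>
"""


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def detach_payloads(xml_text: str):
    """Return (safe_document, manifest).

    Each payload-capable element keeps its attributes but loses its
    content, which is replaced by an opaque handle.  The manifest records
    what was detached.  The content itself is only hashed: it is never
    decoded, written to disk or passed to a tool here.
    """
    root = ET.fromstring(xml_text)
    manifest = []

    def walk(elem, path):
        name = local_name(elem.tag)
        here = f"{path}/{name}" if path else name
        in_iodef_ns = elem.tag.startswith("{" + IODEF_NS + "}")
        if in_iodef_ns and name in PAYLOAD_CLASSES:
            content = "".join(elem.itertext()).encode("utf-8")
            handle = f"quarantine:{len(manifest) + 1}"
            manifest.append({
                "handle": handle,
                "class": name,
                "path": here,
                "attrs": dict(elem.attrib),
                "length": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
            })
            for child in list(elem):     # drop nested markup (e.g. dtype="xml")
                elem.remove(child)
            elem.text = handle
            return                       # nothing inside is walked further
        for child in elem:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), manifest


if __name__ == "__main__":
    safe, entries = detach_payloads(SAMPLE_DOC)
    for entry in entries:
        print(entry["handle"], entry["class"], entry["path"], entry["sha256"])
    print(safe)
```

The manifest is what an analyst or a sandbox consumes; the document
that continues through automated processing carries only the handle.
A DetectionPattern in particular is recorded and never handed to the
tool it configures.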
Per Section 4.3, IODEF implementations will need to periodically
consult the IANA registries specified in Section 10.2 to discover
newly registered enumerated attribute values. These implementations
MUST communicate with IANA in a way that ensures the integrity of the
values and the authenticity of the source. HTTP over TLS (HTTPS)
[RFC2818][RFC5246] provides such security.
9.2. Privacy

The IODEF contains numerous fields that are identifiers which could
be linked to an individual or organization. IODEF documents may
contain sensitive information about these identified parties, and
repeated document exchanges about the same and related parties may
enable the correlation of data about them. Likewise, a party may
report on another to a third party without that party's knowledge.

When creating an IODEF document, careful consideration must be given
to what information is shared. Personal identifiers and attributable
sensitive information should only be shared when necessary.

When exchanging documents, transport security MUST provide document-
level confidentiality. XML element-level confidentiality can also be
provided by using [W3C.XMLENC].

In order to suggest data processing and handling guidelines for the
encoded information, the IODEF allows a document sender to convey a
privacy policy using the restriction attribute. The various
instances of this attribute allow different data elements of the
document to be covered by dissimilar policies. While flexible, it
must be stressed that this approach only serves as a guideline from
the sender, as the recipient is free to ignore it.
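
Because the recipient may ignore the restriction attribute, the
sender's own pre-release filter is where the policy is actually
enforced. The following Python is an added example, not code from
this document or from any IODEF implementation: it removes every
element whose effective restriction exceeds the recipient's clearance
before the document is forwarded. The four values it knows and their
ordering from public to private are the example's own policy, as are
inheritance of the attribute from the enclosing element and a default
of private for an Incident that carries none; a value the policy does
not know, ext-value included, fails closed. The out-of-band agreement
that Section 9.1 calls for would replace that policy. The sample
document is constructed for the example.

```python
"""Enforce the IODEF restriction attribute before forwarding a document."""
import xml.etree.ElementTree as ET

# Restriction values ordered least to most restrictive.  This ordering is
# the example's policy (an assumption); the real mapping comes from the
# out-of-band agreement between the exchanging parties.
LEVELS = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}
# Anything the policy does not know (default, ext-value, typos) fails closed.
FAIL_CLOSED = max(LEVELS.values()) + 1

# Constructed sample document for this example.
SAMPLE_DOC = """<IODEF-Document version="2.00" xml:lang="en"
                xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="partner">
    <IncidentID name="csirt.example.com">2024-0002</IncidentID>
    <GenerationTime>2024-02-01T10:30:00-00:00</GenerationTime>
    <Description>Credential phishing campaign against example.net</Description>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <Contact role="admin" type="person" restriction="private">
      <ContactName>Victim Sysadmin</ContactName>
      <Telephone><TelephoneNumber>+1 555 0100</TelephoneNumber></Telephone>
    </Contact>
    <AdditionalData dtype="string" restriction="ext-value">internal ticket 4711</AdditionalData>
  </Incident>
</IODEF-Document>
"""


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def level_of(elem, inherited: int) -> int:
    """Effective restriction level: the element's own attribute if present,
    otherwise the enclosing element's (inheritance is assumed here)."""
    value = elem.get("restriction")
    if value is None:
        return inherited
    return LEVELS.get(value, FAIL_CLOSED)


def redact(xml_text: str, clearance: str, default: str = "private"):
    """Return (redacted document, list of removed element paths).

    Every element whose effective restriction exceeds the recipient's
    clearance is removed together with its subtree.  The root element is
    treated as a wrapper; an Incident with no restriction attribute is
    assumed to carry `default`.
    """
    if clearance not in LEVELS:
        raise ValueError(f"unknown clearance {clearance!r}")
    allowed = LEVELS[clearance]
    root = ET.fromstring(xml_text)
    removed = []

    def prune(parent, inherited, path):
        for child in list(parent):          # snapshot: parent is mutated below
            here = f"{path}/{local_name(child.tag)}"
            level = level_of(child, inherited)
            if level > allowed:
                parent.remove(child)
                removed.append(here)
            else:
                prune(child, level, here)

    prune(root, LEVELS[default], local_name(root.tag))
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for clearance in ("public", "partner", "private"):
        document, dropped = redact(SAMPLE_DOC, clearance)
        print(clearance, "->", dropped)
```

Run against the sample with a partner-level recipient, the private
Contact and the ext-value AdditionalData are removed and the rest is
forwarded; a public recipient receives an empty document because the
Incident itself is marked partner.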
Although outside of the scope of an IODEF implementation, the
contents of IODEF documents and any derived analysis should be
archived with appropriate confidentiality controls. Likewise,
access to retrieve and analyze this data should be restricted to
authorized users.
10. IANA Considerations

This document registers a namespace, an XML schema, and a number of
registries that map to enumerated values defined in the data model.
It also defines an expert review process for IODEF-related XML
registry entries.

10.1. Namespace and Schema

This document uses URNs to describe an XML namespace and schema
conforming to the registry mechanism described in [RFC3688].

Registration for the IODEF namespace:

o URI: urn:ietf:params:xml:ns:iodef-2.0

o Registrant Contact: See the first author of the "Author's Address"
  section of this document.

o XML: None. Namespace URIs do not represent an XML specification.

Registration for the IODEF XML schema:

o URI: urn:ietf:params:xml:schema:iodef-2.0

o Registrant Contact: See the first author of the "Author's Address"
  section of this document.

o XML: See Section 8 of this document.

10.2. Enumerated Value Registries

This document creates 34 identically structured registries to be
managed by IANA:

o Name of the parent registry: "Incident Object Description Exchange
  Format v2 (IODEF)"

o URL of the registry: http://www.iana.org/assignments/iodef2

o Namespace format: A registry entry consists of:

  * Value. A value for a given IODEF attribute. It MUST conform to
    the formatting specified by the IODEF ENUM data type, which is
    implemented as an "xs:NMTOKEN" type per Section 3.3.4 of
    [W3C.SCHEMA.DTYPES]. The value SHOULD conform to the convention
    specified in Section 5.2.

  * Description. A short description of the enumerated value.

  * Reference. An optional list of URIs to further describe the
    value.

o Allocation policy: Expert Review per [RFC5226]. The reviewer will
  ensure that the requested registry entry conforms to the prescribed
  formatting. The reviewer will also ensure that the entry is an
  appropriate value for the attribute per the information model
  (Section 3).
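
The formatting part of that review can be automated. The following
Python is an added example, not part of this document or of any IANA
or IODEF tooling: it tests a proposed Value against the XML 1.0
Nmtoken production, which is what xs:NMTOKEN is derived from, and
checks that a Description is present and that each Reference is an
absolute URI. The Section 5.2 naming convention is not checked, and
the set of already-registered values is constructed for the example
rather than taken from any registry.

```python
"""Formatting checks for a proposed IODEF enumerated-value registry entry."""
import re
from urllib.parse import urlsplit

# XML 1.0 (Fifth Edition), section 2.3: Nmtoken ::= (NameChar)+ .
# xs:NMTOKEN is derived from that production, so a registry Value must be
# a non-empty run of NameChar with no whitespace.  ':' is admitted because
# the XML grammar admits it; a reviewer may still reject it on namespace
# grounds.
_NAME_START_CHAR = (
    ":A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
    "\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF"
    "\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
_NAME_CHAR_EXTRA = "\\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
NMTOKEN_RE = re.compile("[" + _NAME_START_CHAR + _NAME_CHAR_EXTRA + "]+")


def is_nmtoken(value: str) -> bool:
    """True if the whole value matches the XML Nmtoken production."""
    return NMTOKEN_RE.fullmatch(value) is not None


def check_registry_entry(value, description, references=(), existing=frozenset()):
    """Return the problems a reviewer would raise first; an empty list means
    the entry passes the formatting checks.  The naming convention of
    Section 5.2 is not checked here."""
    problems = []
    if not is_nmtoken(value):
        problems.append(f"Value {value!r} is not an xs:NMTOKEN")
    elif value in existing:
        problems.append(f"Value {value!r} is already registered")
    if not description or not description.strip():
        problems.append("Description is required")
    for ref in references:
        if not urlsplit(ref).scheme:
            problems.append(f"Reference {ref!r} is not an absolute URI")
    return problems


# Constructed stand-in for the contents of one registry (example data only).
EXISTING_VALUES = frozenset({"public", "partner", "need-to-know", "private"})

if __name__ == "__main__":
    for candidate in ("tlp-amber", "tlp amber", "need-to-know"):
        print(candidate, check_registry_entry(
            candidate, "Traffic Light Protocol amber",
            ["https://example.org/tlp"], EXISTING_VALUES))
```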
The registries to be created are named in the "Registry Name" column
of Table 1. Each registry is initially populated with values and
descriptions that come from an attribute specified in the IODEF
schema (Section 8) whose description is found in a sub-section of the
information model (Section 3). The initial values for the Value and
Description fields of a given registry are listed in the "IV (Value)"
and "IV (Description)" columns, respectively. The "IV (Value)" column
names a schema type per Section 8; each enumerated value of that type
gets a corresponding entry in the registry. The "IV (Description)"
column points to the section of this document that describes each
enumerated value. The initial value of the Reference field of every
registry entry described below should be this document.
+------------------------------+-----------------------------------+------------------+
| Registry Name                | IV (Value)                        | IV (Description) |
+------------------------------+-----------------------------------+------------------+
| Restriction                  | iodef-restriction-type            | Section 3.3.1    |
| Incident-purpose             | incident-purpose-type             | Section 3.2      |
| Incident-status              | incident-status-type              | Section 3.2      |
| Contact-role                 | contact-role-type                 | Section 3.9      |
| Contact-type                 | contact-type-type                 | Section 3.9      |
| RegistryHandle-registry      | registryhandle-registry-type      | Section 3.9.1    |
| PostalAddress-type           | postaladdress-type-type           | Section 3.9.2    |
| Telephone-type               | telephone-type-type               | Section 3.9.4    |
| Email-type                   | email-type-type                   | Section 3.9.3    |
| Expectation-action           | action-type                       | Section 3.15     |
| Discovery-source             | discovery-source-type             | Section 3.10     |
| SystemImpact-type            | systemimpact-type-type            | Section 3.12.1   |
| BusinessImpact-severity      | businessimpact-severity-type      | Section 3.12.2   |
| BusinessImpact-type          | businessimpact-type-type          | Section 3.12.2   |
| TimeImpact-metric            | timeimpact-metric-type            | Section 3.12.3   |
| TimeImpact-duration          | duration-type                     | Section 3.12.3   |
| Confidence-rating            | confidence-rating-type            | Section 3.12.5   |
| NodeRole-category            | noderole-category-type            | Section 3.18.2   |
| System-category              | system-category-type              | Section 3.17     |
| System-ownership             | system-ownership-type             | Section 3.17     |
| Address-category             | address-category-type             | Section 3.18.1   |
| Counter-type                 | counter-type-type                 | Section 3.18.3   |
| Counter-unit                 | counter-unit-type                 | Section 3.18.3   |
| DomainData-system-status     | domaindata-system-status-type     | Section 3.19     |
| DomainData-domain-status     | domaindata-domain-status-type     | Section 3.19     |
| RecordPattern-type           | recordpattern-type-type           | Section 3.22.2   |
| RecordPattern-offsetunit     | recordpattern-offsetunit-type     | Section 3.22.2   |
| Key-registryaction           | key-registryaction-type           | Section 3.23.1   |
| HashData-scope               | hashdata-scope-type               | Section 3.26     |
| BulkObservable-type          | bulkobservable-type-type          | Section 3.29.3.1 |
| IndicatorExpression-operator | indicatorexpression-operator-type | Section 3.29.4   |
| ExtensionType-dtype          | dtype-type                        | Section 2.16     |
| SoftwareReference-spec-id    | softwarereference-spec-id-type    | Section 2.15.1   |
| SoftwareReference-dtype      | softwarereference-dtype-type      | Section 2.15.1   |
+------------------------------+-----------------------------------+------------------+

Table 1: IANA Enumerated Value Registries
10.3. Expert Review of IODEF-Related XML Registry Entries

IODEF class extensions, per Section 5.2, could register their
namespaces and schemas with the IANA XML Namespace ("ns",
http://www.iana.org/assignments/xml-registry/xml-registry.xhtml#ns)
and Schema ("schema",
http://www.iana.org/assignments/xml-registry/xml-registry.xhtml#schema)
registries described in [RFC3688]. In addition to any reviews
required by IANA, changes to the XML Schema registry for schema names
beginning with "urn:ietf:params:xml:schema:iodef" are subject to an
additional IODEF Expert Review [RFC5226] to ensure compatibility with
IODEF and other existing IODEF extensions.

The IODEF expert(s) for these reviews will be designated by the IETF
Security Area Directors.

This document obsoletes [RFC6685].
11. Acknowledgments

Thanks to Paul Stockler for his editorial leadership in the
transition of RFC5070bis to this document.

Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi
Takahashi, David Waltermire and Sean Turner as the MILE working group
chairs, secretary or area directors for providing feedback and
coordination of this document.

Thanks to the following individuals (listed alphabetically) who
provided feedback during the meetings, on the mailing list or through
implementation experience: Jerome Athias, David Black, Eric Burger,
Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
Suzuki and Nik Teague.
12. References

12.1. Normative References

[W3C.XML] World Wide Web Consortium, "Extensible Markup Language
          (XML) 1.0 (Fifth Edition)", W3C Recommendation, November
          2008.

[W3C.SCHEMA]
          World Wide Web Consortium, "XML Schema Part 1: Structures
          Second Edition", W3C Recommendation, October 2004.

[W3C.SCHEMA.DTYPES]
          World Wide Web Consortium, "XML Schema Part 2: Datatypes
          Second Edition", W3C Recommendation, October 2004.

[W3C.XMLNS]
          World Wide Web Consortium, "Namespaces in XML 1.0 (Third
          Edition)", W3C Recommendation, December 2009.

[W3C.XPATH]
          World Wide Web Consortium, "XML Path Language (XPath)
          3.1", W3C Candidate Recommendation, December 2015.

[W3C.XMLSIG]
          World Wide Web Consortium, "XML Signature Syntax and
          Processing 2.0", W3C Recommendation, June 2008.

[IEEE.POSIX]
          Institute of Electrical and Electronics Engineers,
          "Information Technology - Portable Operating System
          Interface (POSIX) - Part 1: Base Definitions",
          IEEE 1003.1, June 2001.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", RFC 2119, March 1997.

[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
          Languages", RFC 5646, September 2009.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
          Resource Identifiers (URI): Generic Syntax", RFC 3986,
          January 2005.

[RFC4519] Sciberras, A., "Schema for User Applications", RFC 4519,
          June 2006.

[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October
          2008.

[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized
          Email", RFC 6531, February 2012.

[RFC7495] Montville, A. and D. Black, "IODEF Enumeration Reference
          Format", RFC 7495, January 2015.

[RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
          Incident Object Description Exchange Format (IODEF)
          Extension for Structured Cybersecurity Information",
          RFC 7203, April 2014.

[ISO4217] International Organization for Standardization,
          "International Standard: Codes for the representation of
          currencies and funds, ISO 4217:2001", ISO 4217:2001,
          August 2001.

[RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January
          2004.

[IANA.Ports]
          Internet Assigned Numbers Authority, "Service Name and
          Transport Protocol Port Number Registry", January 2014.

[IANA.Protocols]
          Internet Assigned Numbers Authority, "Assigned Internet
          Protocol Numbers", January 2014.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
          10646", RFC 3629, November 2003.

[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
          10646", RFC 2781, February 2000.

[IANA.Media]
          Internet Assigned Numbers Authority, "Media Types", March
          2015.

[NIST.CPE]
          The National Institute of Standards and Technology,
          "Common Platform Enumeration", 2014.

[ISO19770]
          International Organization for Standardization,
          "Information technology -- Software asset management --
          Part 2: Software identification tag, ISO/IEC
          19770-2:2015", ISO 19770-2:2015, October 2015.

[E.164]   ITU Telecommunication Standardization Sector, "The
          International Public Telecommunication Numbering Plan",
          ITU-T Recommendation E.164 (02/05), February 2005.

[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
          Address Text Representation", RFC 5952, August 2010.

[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
          Architecture", RFC 4291, February 2006.

12.2. Informative References

[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
          Object Description Exchange Format", RFC 5070, December
          2007.

[RFC6685] Trammell, B., "Expert Review for Incident Object
          Description Exchange Format (IODEF) Extensions in IANA XML
          Registry", RFC 6685, July 2012.

[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
          RFC 6545, April 2012.

[RFC6546] Trammell, B., "Transport of Real-time Inter-network
          Defense (RID) Messages over HTTP/TLS", RFC 6546, April
          2012.

[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
          Class for Reporting Phishing", RFC 5901, July 2010.

[NIST800.61rev2]
          Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
          "NIST Special Publication 800-61 Revision 2: Computer
          Security Incident Handling Guide", January 2012.

[RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
          Type for the Internet Registry Information Service
          (IRIS)", RFC 3982, January 2005.

[KB310516]
          Microsoft Corporation, "How to add, modify, or delete
          registry subkeys and values by using a registration
          entries (.reg) file", December 2007.

[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
          Separated Values (CSV) File", RFC 4180, October 2005.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
          IANA Considerations Section in RFCs", RFC 5226, May 2008.

[W3C.XMLENC]
          World Wide Web Consortium, "XML Encryption Syntax and
          Processing Version 1.1", W3C Recommendation, April 2013.

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
          (TLS) Protocol Version 1.2", RFC 5246, August 2008.
Author's Address

Roman Danyliw
CERT - Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA
USA

EMail: rdd@cert.org