
RFC 7970

 
 
 

The Incident Object Description Exchange Format Version 2

Part 2 of 9, p. 18 to 43
3.  The IODEF Information Model

   The specifics of the IODEF information model are discussed in this
   section.  Each class and its relationships with the other classes is
   described.  When necessary, clarifications are made about translating
   this information model to the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +--------------------------+
   | IODEF-Document           |
   +--------------------------+
   | STRING version           |<>--{1..*}--[ Incident       ]
   | ENUM xml:lang            |<>--{0..*}--[ AdditionalData ]
   | STRING format-id         |
   | STRING private-enum-name |
   | STRING private-enum-id   |
   +--------------------------+

                    Figure 5: The IODEF-Document Class

   The aggregate classes of the IODEF-Document class are:

   Incident
      One or more.  The information related to a single incident.  See
      Section 3.2.

   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model.

   The attributes of the IODEF-Document class are:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   format-id
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out of band.

   private-enum-name
      Optional.  STRING.  A globally unique identifier for the CSIRT
      generating the document to deconflict private extensions used in
      the document.  The fully qualified domain name (FQDN) associated
      with the CSIRT MUST be used as the identifier.  See Section 5.3.

   private-enum-id
      Optional.  STRING.  An organizationally unique identifier for an
      extension used in the document.  If this attribute is set, the
      private-enum-name MUST also be set.  See Section 5.3.

3.2.  Incident Class

   The Incident class describes commonly exchanged information when
   reporting or sharing derived analysis from security incidents.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID      ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID   ]
   | ENUM status             |<>--{0..*}--[ RelatedActivity ]
   | STRING ext-status       |<>--{0..1}--[ DetectTime      ]
   | ENUM xml:lang           |<>--{0..1}--[ StartTime       ]
   | ENUM restriction        |<>--{0..1}--[ EndTime         ]
   | STRING ext-restriction  |<>--{0..1}--[ RecoveryTime    ]
   | ID observable-id        |<>--{0..1}--[ ReportTime      ]
   |                         |<>----------[ GenerationTime  ]
   |                         |<>--{0..*}--[ Description     ]
   |                         |<>--{0..*}--[ Discovery       ]
   |                         |<>--{0..*}--[ Assessment      ]
   |                         |<>--{0..*}--[ Method          ]
   |                         |<>--{1..*}--[ Contact         ]
   |                         |<>--{0..*}--[ EventData       ]
   |                         |<>--{0..1}--[ IndicatorData   ]
   |                         |<>--{0..1}--[ History         ]
   |                         |<>--{0..*}--[ AdditionalData  ]
   +-------------------------+

                       Figure 6: The Incident Class

   The aggregate classes of the Incident class are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.  See Section 3.4.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.  See
      Section 3.5.

   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.
      See Section 3.6.

   DetectTime
      Zero or one.  DATETIME.  The time the incident was first detected.

   StartTime
      Zero or one.  DATETIME.  The time the incident started.

   EndTime
      Zero or one.  DATETIME.  The time the incident ended.

   RecoveryTime
      Zero or one.  DATETIME.  The time the site recovered from the
      incident.

   ReportTime
      Zero or one.  DATETIME.  The time the incident was reported.

   GenerationTime
      One.  DATETIME.  The time the content in this Incident class was
      generated.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.  See
      Section 3.10.

   Assessment
      Zero or more.  A characterization of the impact of the incident.
      See Section 3.12.

   Method
      Zero or more.  The techniques used by the threat actor in the
      incident.  See Section 3.11.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.  See Section 3.9.

   EventData
      Zero or more.  Description of the events comprising the incident.
      See Section 3.14.

   IndicatorData
      Zero or one.  Indicators from the analysis of an incident.  See
      Section 3.28.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.  See Section 3.13.

   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model.

   The attributes of the Incident class are:

   purpose
      Required.  ENUM.  The purpose attribute describes the rationale
      for documenting the information in this class.  It is closely
      related to the Expectation class (Section 3.15).  These values are
      maintained in the "Incident-purpose" IANA registry per
      Section 10.2.  This attribute is defined as an enumerated list:

      1.  traceback.  The incident was sent for trace-back purposes.

      2.  mitigation.  The incident was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The incident was sent to comply with reporting
          requirements.

      4.  watch.  The incident was sent to convey indicators that should
          be monitored.

      5.  other.  The incident was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.1.

   status
      Optional.  ENUM.  The status attribute conveys the state in a
      workflow where the incident is currently found.  These values are
      maintained in the "Incident-status" IANA registry per
      Section 10.2.  This attribute is defined as an enumerated list:

      1.  new.  The incident is newly reported, and no action has been
          taken.

      2.  in-progress.  The incident is under investigation.

      3.  forwarded.  The incident has been forwarded to another party
          for handling.

      4.  resolved.  The investigation into the activity in this
          incident has concluded.

      5.  future.  The described activity has not yet been detected.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-status
      Optional.  STRING.  A means by which to extend the status
      attribute.  See Section 5.1.1.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "private".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
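   The attribute and cardinality rules of Sections 3.1 and 3.2 above, checked
   in Python with only the standard library. This is an added example, not
   code from the RFC or from any IODEF implementation; it assumes the IODEF
   2.0 namespace URI defined by the schema in Section 8, and both documents
   it parses are constructed for the example.

```python
import xml.etree.ElementTree as ET

# IODEF 2.0 namespace; assumed from the schema in Section 8 (not shown on this page).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

def q(name):
    """Namespace-qualify an IODEF element name for ElementTree lookups."""
    return f"{{{NS}}}{name}"

# Child elements of Incident with (min, max) occurrence per Figure 6; None = unbounded.
INCIDENT_CARDINALITY = {
    "IncidentID": (1, 1), "AlternativeID": (0, 1), "RelatedActivity": (0, None),
    "DetectTime": (0, 1), "StartTime": (0, 1), "EndTime": (0, 1),
    "RecoveryTime": (0, 1), "ReportTime": (0, 1), "GenerationTime": (1, 1),
    "Description": (0, None), "Discovery": (0, None), "Assessment": (0, None),
    "Method": (0, None), "Contact": (1, None), "EventData": (0, None),
    "IndicatorData": (0, 1), "History": (0, 1), "AdditionalData": (0, None),
}
# Enumerated values of the purpose and status attributes (Section 3.2).
INCIDENT_PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
INCIDENT_STATUS = {"new", "in-progress", "forwarded", "resolved", "future", "ext-value"}

def validate_document(xml_text):
    """Return a list of rule violations; an empty list means the document passes."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return [f"root element is {root.tag}, not IODEF-Document"]
    # Section 3.1: version is required and MUST be "2.00".
    if root.get("version") != "2.00":
        errors.append(f"version must be '2.00', got {root.get('version')!r}")
    # Section 3.1: private-enum-id may only be set together with private-enum-name.
    if root.get("private-enum-id") is not None and not root.get("private-enum-name"):
        errors.append("private-enum-id set without private-enum-name")
    incidents = root.findall(q("Incident"))
    if not incidents:
        errors.append("IODEF-Document needs at least one Incident")
    for i, inc in enumerate(incidents):
        errors.extend(f"Incident[{i}]: {e}" for e in validate_incident(inc))
    return errors

def validate_incident(inc):
    """Check one Incident element against the Section 3.2 attribute and child rules."""
    errors = []
    purpose = inc.get("purpose")
    if purpose not in INCIDENT_PURPOSE:
        errors.append(f"purpose missing or not in registry: {purpose!r}")
    elif purpose == "ext-value" and not inc.get("ext-purpose"):
        errors.append("purpose='ext-value' requires ext-purpose")
    status = inc.get("status")
    if status is not None and status not in INCIDENT_STATUS:
        errors.append(f"status not in registry: {status!r}")
    elif status == "ext-value" and not inc.get("ext-status"):
        errors.append("status='ext-value' requires ext-status")
    for name, (lo, hi) in INCIDENT_CARDINALITY.items():
        n = len(inc.findall(q(name)))
        if n < lo or (hi is not None and n > hi):
            errors.append(f"{name} occurs {n} time(s); allowed {lo}..{'*' if hi is None else hi}")
    return errors

# Constructed sample documents (not from the RFC): one valid, one with several violations.
GOOD_DOC = f"""<IODEF-Document version="2.00" xmlns="{NS}">
  <Incident purpose="reporting" status="new">
    <IncidentID name="csirt.example.com">INC-2024-0001</IncidentID>
    <GenerationTime>2024-01-05T10:00:00Z</GenerationTime>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""

BAD_DOC = f"""<IODEF-Document version="1.00" private-enum-id="x1" xmlns="{NS}">
  <Incident purpose="ext-value">
    <IncidentID name="csirt.example.org">INC-2</IncidentID>
    <IncidentID name="csirt.example.org">INC-3</IncidentID>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate_document(doc) or "OK")
```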

3.3.  Common Attributes

   There are a number of recurring attributes used in the information
   model.  They are documented in this section.

3.3.1.  restriction Attribute

   The restriction attribute indicates the disclosure guidelines to
   which the sender expects the recipient to adhere for the information
   represented in this class and its children.  This guideline provides
   no security since there are no technical means to ensure that the
   recipient of the document handles the information as the sender
   requested.

   The value of this attribute is logically inherited by the children of
   this class.  That is to say, the disclosure rules applied to this
   class also apply to its children.

   It is possible to set a granular disclosure policy, since all of the
   high-level classes (i.e., children of the Incident class) have a
   restriction attribute.  Therefore, a child can override the
   guidelines of a parent class, be it to restrict or relax the
   disclosure rules (e.g., a child has a weaker policy than an ancestor;
   or an ancestor has a weak policy, and the children selectively apply
   more rigid controls).  The implicit value of the restriction
   attribute for a class that did not specify one can be found in the
   closest ancestor that did specify a value.

   This attribute is defined as an enumerated value with a default value
   of "private".  Note that the default value of the restriction
   attribute is only defined in the context of the Incident class.  In
   other classes where this attribute is used, no default is specified.

   These values are maintained in the "Restriction" IANA registry per
   Section 10.2.

   1.   public.  The information can be freely distributed without
        restriction.

   2.   partner.  The information may be shared within a closed
        community of peers, partners, or affected parties, but cannot be
        openly published.

   3.   need-to-know.  The information may be shared only within the
        organization with individuals that have a need to know.

   4.   private.  The information may not be shared.

   5.   default.  The information can be shared according to an
        information disclosure policy pre-arranged by the communicating
        parties.

   6.   white.  Same as 'public'.

   7.   green.  Same as 'partner'.

   8.   amber.  Same as 'need-to-know'.

   9.   red.  Same as 'private'.

   10.  ext-value.  A value used to indicate that this attribute is
        extended and the actual value is provided using the
        corresponding ext-* attribute.  See Section 5.1.1.
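   An added example (not code from the RFC) of the inheritance rule in this
   section: it computes the effective restriction of every element from the
   closest ancestor-or-self that set one, applies the "private" default only
   at the Incident class, folds the colour aliases onto their canonical
   values, and lists each place where a child relaxed an ancestor's policy,
   which is what a sender would review before forwarding a document. The
   namespace URI (from the Section 8 schema) and the sample document are
   assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# IODEF 2.0 namespace; assumed from the schema in Section 8 (not shown on this page).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# The colour values are aliases of the four named levels (Section 3.3.1).
ALIASES = {"white": "public", "green": "partner", "amber": "need-to-know", "red": "private"}
# Least to most restrictive; "default" and "ext-value" have no fixed rank.
RANK = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}

def canonical(value):
    """Map a colour alias to its canonical value; other values pass through."""
    return ALIASES.get(value, value)

def effective_restrictions(xml_text):
    """Return (rows, relaxations).

    rows: list of (path, effective value, where it came from) for every element
          that has an effective restriction; IODEF-Document itself has none.
    relaxations: (path, inherited value, own value) wherever a child chose a
          less restrictive policy than the one it would have inherited.
    """
    root = ET.fromstring(xml_text)
    rows, relaxations = [], []

    def local(tag):
        return tag.split("}", 1)[1] if "}" in tag else tag

    def walk(elem, path, inherited, inherited_from):
        name = local(elem.tag)
        path = f"{path}/{name}"
        own = elem.get("restriction")
        if own is not None:
            eff, src = canonical(own), path
            # A child may tighten or relax its parent's policy; only relaxations are flagged.
            if inherited in RANK and eff in RANK and RANK[eff] < RANK[inherited]:
                relaxations.append((path, inherited, eff))
        elif name == "Incident" and inherited is None:
            eff, src = "private", f"{path} (default)"   # default exists only for Incident
        else:
            eff, src = inherited, inherited_from        # closest ancestor that set a value
        if eff is not None:
            rows.append((path, eff, src))
        for child in elem:
            walk(child, path, eff, src)

    walk(root, "", None, None)
    return rows, relaxations

# Constructed sample (not from the RFC): the Incident sets no restriction and so
# defaults to private; its Contact relaxes to green (partner); the nested Contact
# tightens back to red (private); EventData relaxes to need-to-know.
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">INC-7</IncidentID>
    <GenerationTime>2024-01-05T10:00:00Z</GenerationTime>
    <Contact role="creator" type="organization" restriction="green">
      <ContactName>Example CSIRT</ContactName>
      <Contact role="tech" type="person" restriction="red">
        <ContactName>Alice Analyst</ContactName>
      </Contact>
    </Contact>
    <EventData restriction="need-to-know">
      <Description>Host contacted a known command-and-control domain</Description>
    </EventData>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    rows, relaxed = effective_restrictions(SAMPLE)
    for path, value, source in rows:
        print(f"{path}: {value}  (from {source})")
    print("relaxed relative to ancestor:", relaxed)
```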

3.3.2.  observable-id Attribute

   The observable-id attribute tags information in the document as an
   observable so that it can be referenced later in the description of
   an indicator.  The value of this attribute is a unique identifier in
   the scope of the document.  It is used by the ObservableReference
   class to enumerate observables when defining an indicator with the
   IndicatorData class.

3.4.  IncidentID Class

   The IncidentID class represents a tracking number that is unique in
   the context of the CSIRT.  It serves as an identifier for an incident
   or a document identifier when sharing indicators.  This identifier
   would serve as an index into a CSIRT's incident handling or knowledge
   management system.

   The combination of the name attribute and the string in the element
   content MUST be a globally unique identifier describing the activity.
   Documents generated by a given CSIRT MUST NOT reuse the same value
   unless they are referencing the same incident.

   +------------------------+
   | IncidentID             |
   +------------------------+
   | STRING                 |
   |                        |
   | STRING name            |
   | STRING instance        |
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                      Figure 7: The IncidentID Class

   The content of the class is an incident identifier of type STRING.

   The attributes of the IncidentID class are:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the document.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.

   instance
      Optional.  STRING.  An identifier referencing a subset of the
      named incident.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.5.  AlternativeID Class

   The AlternativeID class lists the tracking numbers used by CSIRTs,
   other than the one generating the document, to refer to the identical
   activity described in the IODEF document.  A tracking number listed
   as an AlternativeID references the same incident detected by another
   CSIRT.  The tracking numbers of the CSIRT that generated the IODEF
   document must never be considered an AlternativeID.

   +------------------------+
   | AlternativeID          |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ IncidentID ]
   | STRING ext-restriction |
   +------------------------+

                     Figure 8: The AlternativeID Class

   The aggregate class of the AlternativeID class is:

   IncidentID
      One or more.  The tracking number of another CSIRT.  See
      Section 3.4.

   The attributes of the AlternativeID class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.6.  RelatedActivity Class

   The RelatedActivity class relates the information described in the
   rest of the document to previously observed incidents or activity and
   allows attribution to a specific actor or campaign.

   +------------------------+
   | RelatedActivity        |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ IncidentID     ]
   | STRING ext-restriction |<>--{0..*}--[ URL            ]
   |                        |<>--{0..*}--[ ThreatActor    ]
   |                        |<>--{0..*}--[ Campaign       ]
   |                        |<>--{0..*}--[ IndicatorID    ]
   |                        |<>--{0..1}--[ Confidence     ]
   |                        |<>--{0..*}--[ Description    ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 9: The RelatedActivity Class

   The aggregate classes of the RelatedActivity class are:

   IncidentID
      Zero or more.  The tracking number of a related incident.  See
      Section 3.4.

   URL
      Zero or more.  URL.  A URL to activity related to this incident.

   ThreatActor
      Zero or more.  The threat actor to whom the incident activity is
      attributed.  See Section 3.7.

   Campaign
      Zero or more.  The campaign of a given threat actor to whom the
      described activity is attributed.  See Section 3.8.

   IndicatorID
      Zero or more.  A reference to a related indicator.  See
      Section 3.4.

   Confidence
      Zero or one.  An estimate of the confidence in attributing this
      RelatedActivity to the events described in the document.  See
      Section 3.12.5.

   Description
      Zero or more.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The RelatedActivity class MUST have at least one instance of any of
   the following child classes: IncidentID, URL, ThreatActor, Campaign,
   Description, or AdditionalData.

   The attributes of the RelatedActivity class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.7.  ThreatActor Class

   The ThreatActor class describes a threat actor.

   +------------------------+
   | ThreatActor            |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ ThreatActorID  ]
   | STRING ext-restriction |<>--{0..*}--[ URL            ]
   |                        |<>--{0..*}--[ Description    ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                     Figure 10: The ThreatActor Class

   The aggregate classes of the ThreatActor class are:

   ThreatActorID
      Zero or more.  STRING.  An identifier for the threat actor.

   URL
      Zero or more.  URL.  A URL to a reference describing the threat
      actor.

   Description
      Zero or more.  ML_STRING.  A description of the threat actor.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The ThreatActor class MUST have at least one instance of a child
   class.

   The attributes of the ThreatActor class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.8.  Campaign Class

   The Campaign class describes a campaign of attacks by a threat actor.

   +------------------------+
   | Campaign               |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ CampaignID     ]
   | STRING ext-restriction |<>--{0..*}--[ URL            ]
   |                        |<>--{0..*}--[ Description    ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                       Figure 11: The Campaign Class

   The aggregate classes of the Campaign class are:

   CampaignID
      Zero or more.  STRING.  An identifier for the campaign.

   URL
      Zero or more.  URL.  A URL to a reference describing the campaign.

   Description
      Zero or more.  ML_STRING.  A description of the campaign.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The Campaign class MUST have at least one instance of a child class.

   The attributes of the Campaign class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.9.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The type attribute disambiguates the type of contact information
   being provided.

   The recursive definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers or
   duplication of data.  A complete point of contact is derived by a
   particular traversal from the root Contact class to the leaf Contact
   class.  Each child Contact class logically inherits contact
   information from its ancestors.

   +------------------------+
   | Contact                |
   +------------------------+
   | ENUM role              |<>--{0..*}--[ ContactName    ]
   | STRING ext-role        |<>--{0..*}--[ ContactTitle   ]
   | ENUM type              |<>--{0..*}--[ Description    ]
   | STRING ext-type        |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction       |<>--{0..*}--[ PostalAddress  ]
   | STRING ext-restriction |<>--{0..*}--[ Email          ]
   |                        |<>--{0..*}--[ Telephone      ]
   |                        |<>--{0..1}--[ Timezone       ]
   |                        |<>--{0..*}--[ Contact        ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                       Figure 12: The Contact Class

   The aggregate classes of the Contact class are:

   ContactName
      Zero or more.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or more.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      contact.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.
      See Section 3.9.1.

   PostalAddress
      Zero or more.  The postal address of the contact.  See
      Section 3.9.2.

   Email
      Zero or more.  The email address of the contact.  See
      Section 3.9.3.

   Telephone
      Zero or more.  The telephone number of the contact.  See
      Section 3.9.4.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact
      resides.

   Contact
      Zero or more.  A recursive definition of the Contact class.  This
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.

   The attributes of the Contact class are:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  These
      values are maintained in the "Contact-role" IANA registry per
      Section 10.2.

      1.   creator.  The entity that generates the document.

      2.   reporter.  The entity that reported the information.

      3.   admin.  An administrative contact or business owner for an
           asset or organization.

      4.   tech.  An entity responsible for the day-to-day management of
           technical issues for an asset or organization.

      5.   provider.  An external hosting provider for an asset.

      6.   user.  An end-user of an asset or part of an organization.

      7.   billing.  An entity responsible for billing issues for an
           asset or organization.

      8.   legal.  An entity responsible for legal issues related to an
           asset or organization.

      9.   irt.  An entity responsible for handling security issues for
           an asset or organization.

      10.  abuse.  An entity responsible for handling abuse originating
           from an asset or organization.

      11.  cc.  An entity that is to be kept informed about the events
           related to an asset or organization.

      12.  cc-irt.  A CSIRT or information-sharing organization
           coordinating activity related to an asset or organization.

      13.  leo.  A law enforcement organization supporting the
           investigation of activity affecting an asset or organization.

      14.  vendor.  The vendor that produces an asset.

      15.  vendor-support.  A vendor that provides services.

      16.  victim.  A victim in the incident.

      17.  victim-notified.  A victim in the incident who has been
           notified.

      18.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list.  These values are
      maintained in the "Contact-type" IANA registry per Section 10.2.

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
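   The root-to-leaf traversal that Section 3.9 describes for the recursive
   Contact class, as an added example (not code from the RFC): each leaf
   Contact is turned into one complete point of contact that carries its own
   data plus everything inherited from its ancestors, with multi-valued
   children accumulated and the single-valued Timezone overridden by the
   nearest value. The namespace URI (from the Section 8 schema) and the
   sample fragment are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# IODEF 2.0 namespace; assumed from the schema in Section 8 (not shown on this page).
NS = "urn:ietf:params:xml:ns:iodef-2.0"

def q(name):
    """Namespace-qualify an IODEF element name for ElementTree lookups."""
    return f"{{{NS}}}{name}"

# Multi-valued children of Contact (Figure 12) that a leaf accumulates from its ancestors.
MULTI = ("ContactName", "ContactTitle", "Description", "RegistryHandle",
         "PostalAddress", "Email", "Telephone")
# Classes whose value sits in a mandatory child element (Figures 14, 15 and 16).
WRAPPER = {"PostalAddress": "PAddress", "Email": "EmailTo", "Telephone": "TelephoneNumber"}

def _own_fields(contact):
    """Collect the values a single Contact element states directly."""
    fields = {"role": contact.get("role"), "type": contact.get("type")}
    for tag in MULTI:
        vals = []
        for el in contact.findall(q(tag)):
            inner = el.find(q(WRAPPER[tag])) if tag in WRAPPER else el
            if inner is not None and inner.text and inner.text.strip():
                vals.append(inner.text.strip())
        fields[tag] = vals
    tz = contact.find(q("Timezone"))
    fields["Timezone"] = tz.text.strip() if tz is not None and tz.text else None
    return fields

def flatten_contacts(contact, inherited=None):
    """Return one merged record per leaf Contact reached from this element."""
    own = _own_fields(contact)
    merged = {} if inherited is None else dict(inherited)
    # Record the type:role path so the reader can see which traversal produced the record.
    merged["chain"] = list(merged.get("chain", [])) + [f"{own['type']}:{own['role']}"]
    for tag in MULTI:
        merged[tag] = list(merged.get(tag, [])) + own[tag]   # new list: siblings stay independent
    if own["Timezone"] is not None or "Timezone" not in merged:
        merged["Timezone"] = own["Timezone"]                 # nearest value wins
    merged["role"], merged["type"] = own["role"], own["type"]
    children = contact.findall(q("Contact"))
    if not children:
        return [merged]
    records = []
    for child in children:
        records.extend(flatten_contacts(child, merged))
    return records

def flatten_contact_xml(xml_text):
    """Parse a Contact fragment and flatten it."""
    return flatten_contacts(ET.fromstring(xml_text))

# Constructed sample (not from the RFC): an organization with two people under it.
SAMPLE_CONTACT = f"""<Contact role="irt" type="organization" xmlns="{NS}">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress><PAddress>1 Example St, Springfield</PAddress></PostalAddress>
  <Email type="hotline"><EmailTo>irt@example.com</EmailTo></Email>
  <Timezone>+01:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice Analyst</ContactName>
    <Email type="direct"><EmailTo>alice@example.com</EmailTo></Email>
  </Contact>
  <Contact role="legal" type="person">
    <ContactName>Bob Counsel</ContactName>
    <Telephone type="wired"><TelephoneNumber>+1-555-0100</TelephoneNumber></Telephone>
    <Timezone>-05:00</Timezone>
  </Contact>
</Contact>"""

if __name__ == "__main__":
    for rec in flatten_contact_xml(SAMPLE_CONTACT):
        print(" > ".join(rec["chain"]), rec["ContactName"], rec["Email"],
              rec["Telephone"], rec["Timezone"])
```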

3.9.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                    Figure 13: The RegistryHandle Class

   The content of the class is a handle into a registry of type STRING.

   The attributes of the RegistryHandle class are:

   registry
      Required.  ENUM.  The database to which the handle belongs.  These
      values are maintained in the "RegistryHandle-registry" IANA
      registry per Section 10.2.  The possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin American and Caribbean Internet Addresses
          Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Network Information Center

      7.  local.  A database local to the CSIRT

      8.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.1.

3.9.2.  PostalAddress Class

   The PostalAddress class specifies a postal address and associated
   annotation.

   +--------------------+
   | PostalAddress      |
   +--------------------+
   | ENUM type          |<>----------[ PAddress         ]
   | STRING ext-type    |<>--{0..*}--[ Description      ]
   +--------------------+

                    Figure 14: The PostalAddress Class

   The aggregate classes of the PostalAddress class are:

   PAddress
      One.  POSTAL.  A postal address.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      address.

   The attributes of the PostalAddress class are:

   type
      Optional.  ENUM.  Categorizes the type of address described in the
      PAddress class.  These values are maintained in the
      "PostalAddress-type" IANA registry per Section 10.2.

      1.  street.  An address describing a physical location.

      2.  mailing.  An address to which correspondence should be sent.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.9.3.  Email Class

   The Email class specifies an email address and associated annotation.

   +--------------------+
   | Email              |
   +--------------------+
   | ENUM type          |<>----------[ EmailTo          ]
   | STRING ext-type    |<>--{0..*}--[ Description      ]
   +--------------------+

                        Figure 15: The Email Class

   The aggregate classes of the Email class are:

   EmailTo
      One.  EMAIL.  An email address.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      email address.

   The attributes of the Email class are:

   type
      Optional.  ENUM.  Categorizes the type of email address described
      in the EmailTo class.  These values are maintained in the
      "Email-type" IANA registry per Section 10.2.

      1.  direct.  An email address of an individual.

      2.  hotline.  An email address regularly monitored for operational
          purposes.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.9.4.  Telephone Class

   The Telephone class describes a telephone number and associated
   annotation.

   +--------------------+
   | Telephone          |
   +--------------------+
   | ENUM type          |<>----------[ TelephoneNumber  ]
   | STRING ext-type    |<>--{0..*}--[ Description      ]
   +--------------------+

                      Figure 16: The Telephone Class

   The aggregate classes of the Telephone class are:

   TelephoneNumber
      One.  PHONE.  A telephone number.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      phone number.

   The attributes of the Telephone class are:

   type
      Optional.  ENUM.  Categorizes the type of telephone number
      described in the TelephoneNumber class.  These values are
      maintained in the "Telephone-type" IANA registry per Section 10.2.

      1.  wired.  A number of a wire-line (land-line) phone.

      2.  mobile.  A number of a mobile phone.

      3.  fax.  A number to a fax machine.

      4.  hotline.  A number to a regularly monitored operational
          hotline.

      5.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

3.10.  Discovery Class

   The Discovery class describes how an incident was detected.

   +------------------------+
   | Discovery              |
   +------------------------+
   | ENUM source            |<>--{0..*}--[ Description      ]
   | STRING ext-source      |<>--{0..*}--[ Contact          ]
   | ENUM restriction       |<>--{0..*}--[ DetectionPattern ]
   | STRING ext-restriction |
   +------------------------+

                      Figure 17: The Discovery Class

   The aggregate classes of the Discovery class are:

   Description
      Zero or more.  ML_STRING.  A free-form text description of how
      this incident was detected.

   Contact
      Zero or more.  Contact information for the party that discovered
      the incident.  See Section 3.9.

   DetectionPattern
      Zero or more.  Describes an application-specific configuration
      that detected the incident.  See Section 3.10.1.

   The attributes of the Discovery class are:

   source
      Optional.  ENUM.  Categorizes the techniques used to discover the
      incident.  These values are partially derived from Table 3-1 of
      [NIST800.61rev2].  These values are maintained in the "Discovery-
      source" IANA registry per Section 10.2.

      1.   nidps.  Network Intrusion Detection or Prevention System.

      2.   hips.  Host-based Intrusion Prevention System.

      3.   siem.  Security Information and Event Management System.

      4.   av.  Antivirus or antispam software.

      5.   third-party-monitoring.  Contracted third-party monitoring
           service.

      6.   incident.  The activity was discovered while investigating an
           unrelated incident.

      7.   os-log.  Operating system logs.

      8.   application-log.  Application logs.

      9.   device-log.  Network device logs.

      10.  network-flow.  Network flow analysis.

      11.  passive-dns.  Passive DNS analysis.

      12.  investigation.  Manual investigation initiated based on
           notification of a new vulnerability or exploit.

      13.  audit.  Security audit.

      14.  internal-notification.  A party within the organization
           reported the activity.

      15.  external-notification.  A party outside of the organization
           reported the activity.

      16.  leo.  A law enforcement organization notified the victim
           organization.

      17.  partner.  A customer or business partner reported the
           activity to the victim organization.

      18.  actor.  The threat actor directly or indirectly reported this
           activity to the victim organization.

      19.  unknown.  Unknown detection approach.

      20.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-source
      Optional.  STRING.  A means by which to extend the source
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.10.1.  DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an Intrusion Detection System (IDS) / Intrusion
   Prevention System (IPS), SIEM, antivirus, endpoint protection,
   network analysis, malware analysis, or host forensics tool to
   identify a particular phenomenon.  This class requires the
   identification of the target application and allows the configuration
   to be described in either free form or machine-readable form.

   +------------------------+
   | DetectionPattern       |
   +------------------------+
   | ENUM restriction       |<>----------[ Application            ]
   | STRING ext-restriction |<>--{0..*}--[ Description            ]
   | ID observable-id       |<>--{0..*}--[ DetectionConfiguration ]
   +------------------------+

                   Figure 18: The DetectionPattern Class

   The aggregate classes of the DetectionPattern class are:

   Application
      One.  SOFTWARE.  The application for which the
      DetectionConfiguration or Description is being provided.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how to
      use the information provided in the Application or
      DetectionConfiguration classes.

   DetectionConfiguration
      Zero or more.  STRING.  A machine-consumable configuration to find
      a pattern of activity.

   An instance of either the Description or DetectionConfiguration class
   MUST be present.

   The attributes of the DetectionPattern class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
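   The following Python program is an added example and is not part of
   RFC 7970.  It assembles a Discovery element carrying a
   DetectionPattern, applies the ext-value convention of Section 5.1.1
   to the source attribute (the registry value is "ext-value" and the
   real value travels in ext-source), and checks the MUST rules stated
   above: one Application, and at least one Description or
   DetectionConfiguration.  The namespace URI is the one the RFC's
   schema section registers, the spec-name attribute on Application
   belongs to the SOFTWARE type defined elsewhere in the RFC (both are
   assumptions as far as this page shows), and the SIEM rule text and
   product names are constructed sample data.

```python
"""Build a Discovery element for an IODEF v2 document and check the MUST
rules stated for Discovery and DetectionPattern (added example, not RFC text)."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumption: IODEF v2 namespace
ET.register_namespace("iodef", IODEF_NS)


def q(name):
    """Clark-notation tag for an element in the IODEF namespace."""
    return f"{{{IODEF_NS}}}{name}"


# Discovery-source values exactly as enumerated in Section 3.10.
DISCOVERY_SOURCES = {
    "nidps", "hips", "siem", "av", "third-party-monitoring", "incident",
    "os-log", "application-log", "device-log", "network-flow", "passive-dns",
    "investigation", "audit", "internal-notification", "external-notification",
    "leo", "partner", "actor", "unknown", "ext-value",
}


def check_enum(elem, attr, allowed):
    """ext-value convention (Section 5.1.1) for one optional ENUM attribute:
    the value must come from the registry, and 'ext-value' and 'ext-<attr>'
    must appear together or not at all."""
    value = elem.get(attr)
    ext = elem.get(f"ext-{attr}")
    if value is None:
        return ext is None            # ext-* without the base attribute is meaningless
    if value not in allowed:
        return False
    return (value == "ext-value") == (ext is not None)


def build_discovery(source, description, app_name, rule, ext_source=None):
    """Discovery -> Description + DetectionPattern -> Application/DetectionConfiguration."""
    disc = ET.Element(q("Discovery"), {"source": source})
    if ext_source is not None:
        disc.set("ext-source", ext_source)
    ET.SubElement(disc, q("Description")).text = description
    dp = ET.SubElement(disc, q("DetectionPattern"))
    # Application is the one mandatory child (SOFTWARE type).  The spec-name
    # attribute is an assumption about that type; it is not defined on this page.
    ET.SubElement(dp, q("Application"), {"spec-name": "custom"}).text = app_name
    ET.SubElement(dp, q("DetectionConfiguration")).text = rule
    return disc


def check_discovery(disc):
    """Return the list of MUST violations for a Discovery element (empty == OK)."""
    problems = []
    if not check_enum(disc, "source", DISCOVERY_SOURCES):
        problems.append("Discovery/@source not in registry or ext-value mispaired")
    for dp in disc.findall(q("DetectionPattern")):
        if len(dp.findall(q("Application"))) != 1:
            problems.append("DetectionPattern needs exactly one Application")
        if not (dp.findall(q("Description")) or dp.findall(q("DetectionConfiguration"))):
            problems.append("DetectionPattern needs a Description or DetectionConfiguration")
    return problems


# Constructed sample data: a SIEM correlation rule and a honeypot as detection sources.
SAMPLE_RULE = "index=auth action=failure | stats count by src | where count > 50"
good = build_discovery("siem", "Alerted by a SIEM correlation rule.",
                       "example-siem 9.1", SAMPLE_RULE)
# Extended source: registry value ext-value, actual value in ext-source.
extended = build_discovery("ext-value", "Honeypot interaction.",
                           "example-honeypot 2.0", SAMPLE_RULE, ext_source="honeypot")
bad = ET.Element(q("Discovery"), {"source": "honeypot"})   # not a registry value
ET.SubElement(bad, q("DetectionPattern"))                  # no Application, no text child

if __name__ == "__main__":
    print(ET.tostring(good, encoding="unicode"))
    for label, elem in (("good", good), ("extended", extended), ("bad", bad)):
        print(label, check_discovery(elem) or "ok")
```

   The check_enum helper is written generically so the same pairing
   rule can be applied to the restriction/ext-restriction attributes of
   the classes on this page.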

3.11.  Method Class

   The Method class describes the tactics, techniques, procedures, or
   weakness used by the threat actor in an incident.  This class
   consists of both a list of references describing the attack methods
   and weaknesses and a free-form text description.

   +------------------------+
   | Method                 |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ Reference         ]
   | STRING ext-restriction |<>--{0..*}--[ Description       ]
   |                        |<>--{0..*}--[ sci:AttackPattern ]
   |                        |<>--{0..*}--[ sci:Vulnerability ]
   |                        |<>--{0..*}--[ sci:Weakness      ]
   |                        |<>--{0..*}--[ AdditionalData    ]
   +------------------------+

                        Figure 19: The Method Class

   The aggregate classes of the Method class are:

   Reference
      Zero or more.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.  See Section 3.11.1.

   Description
      Zero or more.  ML_STRING.  A free-form text description of
      techniques, tactics, or procedures used by the threat actor.

   sci:AttackPattern
      Zero or more.  A reference to a pattern of attack or exploitation
      per [RFC7203].

   sci:Vulnerability
      Zero or more.  A reference to a vulnerability per [RFC7203].

   sci:Weakness
      Zero or more.  A reference to the exploited weakness per
      [RFC7203].

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   An instance of one of these children MUST be present.

   The attributes of the Method class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.11.1.  Reference Class

   The Reference class is an external reference to relevant information
   such as a vulnerability, IDS alert, malware sample, advisory, or
   attack technique.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
   |                         |<>--{0..*}--[ URL                ]
   |                         |<>--{0..*}--[ Description        ]
   +-------------------------+

                      Figure 20: The Reference Class

   The aggregate classes of the Reference class are:

   enum:ReferenceName
      Zero or one.  Reference identifier per [RFC7495].

   URL
      Zero or more.  URL.  A URL to a reference.

   Description
      Zero or more.  ML_STRING.  A free-form text description of this
      reference.

   At least one of these classes MUST be present.

   The attribute of the Reference class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.
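   The following Python program is an added example, not part of
   RFC 7970, written from the consumer's side: it parses a Method
   element received in an IODEF v2 document, enforces the "one of these
   children MUST be present" rule of Section 3.11 and the "at least one
   of these classes MUST be present" rule of Section 3.11.1, and
   refuses Reference URLs whose scheme is not http or https before the
   references are handed to an analyst or a ticketing system.  The
   namespace URI is the one the RFC's schema section registers (an
   assumption as far as this page shows); enum:ReferenceName is matched
   by local name only because its contents are defined in RFC 7495,
   not here; the incident text and URLs are constructed sample data.

```python
"""Validate and extract Method/Reference data from an incoming IODEF v2
document (added example, not RFC text)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumption: IODEF v2 namespace


def q(name):
    """Clark-notation tag for an element in the IODEF namespace."""
    return f"{{{IODEF_NS}}}{name}"


def local(tag):
    """Local name of a tag, so sci:* and enum:* children match regardless of namespace."""
    return tag.rsplit("}", 1)[-1]


# Children listed for Method in Section 3.11; one of them MUST be present.
METHOD_CHILDREN = {"Reference", "Description", "AttackPattern",
                   "Vulnerability", "Weakness", "AdditionalData"}
# Children listed for Reference in Section 3.11.1; at least one MUST be present.
REFERENCE_CHILDREN = {"ReferenceName", "URL", "Description"}


def safe_url(text):
    """A Reference URL is third-party input in an incident report; accept only
    absolute http(s) URLs so javascript:, file: and friends never reach a browser."""
    parts = urlsplit(text.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def parse_method(xml_text):
    """Parse a serialized Method element."""
    return ET.fromstring(xml_text)


def check_method(method):
    """Return the list of MUST violations (and rejected URLs) for a Method element."""
    problems = []
    if not any(local(c.tag) in METHOD_CHILDREN for c in method):
        problems.append("Method has none of its permitted children")
    for ref in method.findall(q("Reference")):
        if not any(local(c.tag) in REFERENCE_CHILDREN for c in ref):
            problems.append("Reference has neither ReferenceName, URL nor Description")
        for url in ref.findall(q("URL")):
            if not safe_url(url.text or ""):
                problems.append(f"Reference URL rejected: {url.text!r}")
    return problems


def extract_references(method):
    """Collect each Reference's observable-id, URLs and descriptions for downstream use."""
    return [
        {
            "observable-id": ref.get("observable-id"),
            "urls": [u.text for u in ref.findall(q("URL"))],
            "descriptions": [d.text for d in ref.findall(q("Description"))],
        }
        for ref in method.findall(q("Reference"))
    ]


# Constructed sample fragments (not taken from the RFC).
SAMPLE = f"""<iodef:Method xmlns:iodef="{IODEF_NS}" restriction="need-to-know">
  <iodef:Description>Credential stuffing against the customer portal.</iodef:Description>
  <iodef:Reference observable-id="ref-1">
    <iodef:URL>https://vendor.example/advisories/2016-0001</iodef:URL>
    <iodef:Description>Vendor advisory for the abused login endpoint.</iodef:Description>
  </iodef:Reference>
  <iodef:Reference observable-id="ref-2">
    <iodef:URL>javascript:alert(1)</iodef:URL>
  </iodef:Reference>
</iodef:Method>"""
EMPTY_METHOD = f'<iodef:Method xmlns:iodef="{IODEF_NS}"/>'
BARE_REFERENCE = (f'<iodef:Method xmlns:iodef="{IODEF_NS}">'
                  f'<iodef:Reference observable-id="x"/></iodef:Method>')

if __name__ == "__main__":
    method = parse_method(SAMPLE)
    print(check_method(method))
    print(extract_references(method))
    print(check_method(parse_method(EMPTY_METHOD)))
    print(check_method(parse_method(BARE_REFERENCE)))
```

   Matching by local name deliberately lets a sci:Vulnerability or
   enum:ReferenceName child satisfy the presence rules without this
   code having to know those namespaces; the xml.etree parser used
   here does not resolve external entities, which is the behaviour
   wanted for documents received from other CSIRTs.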
