RFC 7970

 
 
 

The Incident Object Description Exchange Format Version 2

Part 5 of 9, p. 82 to 96

 


3.21.  EmailData Class

   The EmailData class describes headers from an email message and
   cryptographic hashes and signatures applied to it.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..*}--[ EmailTo          ]
   |                         |<>--{0..1}--[ EmailFrom        ]
   |                         |<>--{0..1}--[ EmailSubject     ]
   |                         |<>--{0..1}--[ EmailX-Mailer    ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..1}--[ EmailHeaders     ]
   |                         |<>--{0..1}--[ EmailBody        ]
   |                         |<>--{0..1}--[ EmailMessage     ]
   |                         |<>--{0..*}--[ HashData         ]
   |                         |<>--{0..*}--[ SignatureData    ]
   +-------------------------+

                        Figure 44: EmailData Class

   The aggregate classes of the EmailData class are:

   EmailTo
      Zero or more.  EMAIL.  The value of the "To:" header field
      (Section 3.6.3 of [RFC5322]) in an email.

   EmailFrom
      Zero or one.  EMAIL.  The value of the "From:" header field
      (Section 3.6.2 of [RFC5322]) in an email.

   EmailSubject
      Zero or one.  STRING.  The value of the "Subject:" header field in
      an email.  See Section 3.6.5 of [RFC5322].

   EmailX-Mailer
      Zero or one.  STRING.  The value of the "X-Mailer:" header field
      in an email.

   EmailHeaderField
      Zero or more.  EXTENSION.  The header name and value of an
      arbitrary header field of the email message.  The name attribute
      MUST be set to the header name.  The header value MUST be set in
      the element body.  The dtype attribute MUST be set to "string".

   EmailHeaders
      Zero or one.  STRING.  The headers of an email message.

   EmailBody
      Zero or one.  STRING.  The body of an email message.

   EmailMessage
      Zero or one.  STRING.  The headers and body of an email message.

   HashData
      Zero or more.  Hash(es) associated with this email message.  See
      Section 3.26.

   SignatureData
      Zero or more.  Signature(s) associated with this email message.
      See Section 3.27.

   The attribute of the EmailData class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the events in an incident.  The
   source of this data will often be the output of monitoring tools.
   These logs substantiate the activity described in the document.

   +------------------------+
   | Record                 |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ RecordData ]
   | STRING ext-restriction |
   +------------------------+

                        Figure 45: The Record Class

   The aggregate classes of the Record class are:

   RecordData
      One or more.  Log or audit data generated by a particular tool.
      Separate instances of the RecordData class SHOULD be used for each
      type of log.  See Section 3.22.1.

   The attributes of the Record class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.22.1.  RecordData Class

   The RecordData class describes or references log or audit data from a
   given type of tool and provides a means to annotate the output.

   +------------------------+
   | RecordData             |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ DateTime               ]
   | STRING ext-restriction |<>--{0..*}--[ Description            ]
   | ID observable-id       |<>--{0..1}--[ Application            ]
   |                        |<>--{0..*}--[ RecordPattern          ]
   |                        |<>--{0..*}--[ RecordItem             ]
   |                        |<>--{0..*}--[ URL                    ]
   |                        |<>--{0..*}--[ FileData               ]
   |                        |<>--{0..*}--
   |                        |       [ WindowsRegistryKeysModified ]
   |                        |<>--{0..*}--[ CertificateData        ]
   |                        |<>--{0..*}--[ AdditionalData         ]
   +------------------------+

                      Figure 46: The RecordData Class

   The aggregate classes of the RecordData class are:

   DateTime
      Zero or one.  DATETIME.  A timestamp of the data found in the
      RecordItem or URL classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      data provided in the RecordItem or URL classes.

   Application
      Zero or one.  SOFTWARE.  Identifies the tool used to generate the
      data in the RecordItem or URL classes.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant data
      in the RecordItem or URL classes.  See Section 3.22.2.

   RecordItem
      Zero or more.  EXTENSION.  Log, audit, or forensic data to support
      the conclusions made during the course of analyzing the incident.

   URL
      Zero or more.  URL.  A URL reference to log or audit data.

   FileData
      Zero or one.  The files involved in the incident.  See
      Section 3.25.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were involved in the
      incident.  See Section 3.23.

   CertificateData
      Zero or more.  The certificates that were involved in the
      incident.  See Section 3.24.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the following classes MUST be present: RecordItem,
   URL, FileData, WindowsRegistryKeysModified, CertificateData, or
   AdditionalData.

   The attributes of the RecordData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2.  RecordPattern Class

   The RecordPattern class describes where in the log data provided or
   referenced in the RecordData class relevant information can be found.
   It provides a way to reference subsets of information, identified by
   a pattern, in a large log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                    Figure 47: The RecordPattern Class

   The content of the class is of type STRING and specifies a search
   pattern.

   The attributes of the RecordPattern class are:

   type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".  These values are
      maintained in the "RecordPattern-type" IANA registry per
      Section 10.2.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex-encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".  These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Section 10.2.

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.
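   As an added illustration (not part of the RFC), the following Python
   applies a RecordPattern to RecordItem content the way the attributes
   above describe: seek "offset" units of "offsetunit" into the data, then
   apply the pattern up to "instance" times.  Assumed: Python's re module
   stands in for POSIX ERE, "instance" is read as "return the first N
   matches", and the sshd log excerpt is constructed sample data.

```python
import re

# Constructed sample RecordItem content (not from the RFC): an sshd log excerpt.
RECORD_ITEM = (
    b"Jan 10 03:12:01 host sshd[411]: Accepted publickey for ops from 10.0.0.5\n"
    b"Jan 10 03:12:09 host sshd[412]: Failed password for root from 203.0.113.9\n"
    b"Jan 10 03:12:11 host sshd[413]: Failed password for root from 203.0.113.9\n"
    b"Jan 10 03:12:14 host sshd[414]: Failed password for admin from 203.0.113.9\n"
    b"Jan 10 03:12:20 host sshd[415]: Accepted password for ops from 10.0.0.5\n"
)


def apply_record_pattern(data, pattern, ptype="regex", offset=0,
                         offsetunit="line", instance=None):
    """Return (absolute_byte_offset, matched_bytes) for each selection.

    data       - the RecordItem content as bytes.
    pattern    - element content: an ERE for ptype "regex", or a hex-encoded
                 byte string for ptype "binary" (the HEXBIN data type).
    offset     - number of `offsetunit` units to seek into data first.
    offsetunit - "line" or "byte" (the two registered values).
    instance   - number of times to apply the pattern; None means every match
                 (assumption: "first N matches" semantics).
    """
    if offsetunit == "line":
        # Skip `offset` lines; the last line may be unterminated.
        lines = data.splitlines(keepends=True)
        start = sum(len(line) for line in lines[:offset])
    elif offsetunit == "byte":
        start = offset
    else:
        raise ValueError("unsupported offsetunit: %r" % offsetunit)

    if ptype == "regex":
        # Python's re covers the common POSIX ERE constructs (assumption).
        regex = re.compile(pattern.encode("utf-8"))
    elif ptype == "binary":
        # HEXBIN content is a literal byte sequence, so escape it first.
        regex = re.compile(re.escape(bytes.fromhex(pattern)))
    else:
        raise ValueError("unsupported type: %r" % ptype)

    hits = []
    # `start` is an absolute byte position, so reported offsets stay absolute.
    for m in regex.finditer(data, start):
        hits.append((m.start(), m.group(0)))
        if instance is not None and len(hits) >= instance:
            break
    return hits
```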

3.23.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

             Figure 48: The WindowsRegistryKeysModified Class

   The aggregate classes of the WindowsRegistryKeysModified class are:

   Key
      One or more.  The Windows registry key.  See Section 3.23.1.

   The attribute of the WindowsRegistryKeysModified class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.23.1.  Key Class

   The Key class describes a Windows operating system registry key name
   and value pair, as well as the operation performed on it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName  ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                         Figure 49: The Key Class

   The aggregate classes of the Key class are:

   KeyName
      One.  STRING.  The name of a Windows operating system registry key
      (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the registry key identified in
      the KeyName class encoded per the .reg file format [KB310516].

   The attributes of the Key class are:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Section 10.2.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to a registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from a registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified in a registry key.

      7.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-registryaction
      Optional.  STRING.  A means by which to extend the registryaction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.24.  CertificateData Class

   The CertificateData class describes X.509 certificates.

   +------------------------+
   | CertificateData        |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ Certificate    ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                   Figure 50: The CertificateData Class

   The aggregate classes of the CertificateData class are:

   Certificate
      One or more.  A description of an X.509 certificate or certificate
      chain.  See Section 3.24.1.

   The attributes of the CertificateData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.24.1.  Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ID observable-id         |<>----------[ ds:X509Data    ]
   |                          |<>--{0..*}--[ Description    ]
   +--------------------------+

                     Figure 51: The Certificate Class

   The aggregate classes of the Certificate class are:

   ds:X509Data
      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
      [W3C.XMLSIG].

   Description
      Zero or more.  ML_STRING.  A free-form text description explaining
      the context of this certificate.

   The attributes of the Certificate class are:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  FileData Class

   The FileData class describes a file or set of files.

   +------------------------+
   | FileData               |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ File      ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                       Figure 52: The FileData Class

   The aggregate classes of the FileData class are:

   File
      One or more.  A description of a file.  See Section 3.25.1.

   The attributes of the FileData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.1.  File Class

   The File class describes a file; its associated metadata; and
   cryptographic hashes and signatures applied to it.

   +-----------------------+
   | File                  |
   +-----------------------+
   | ID observable-id      |<>--{0..1}--[ FileName           ]
   |                       |<>--{0..1}--[ FileSize           ]
   |                       |<>--{0..1}--[ FileType           ]
   |                       |<>--{0..*}--[ URL                ]
   |                       |<>--{0..1}--[ HashData           ]
   |                       |<>--{0..1}--[ SignatureData      ]
   |                       |<>--{0..1}--[ AssociatedSoftware ]
   |                       |<>--{0..*}--[ FileProperties     ]
   +-----------------------+

                         Figure 53: The File Class

   The aggregate classes of the File class are:

   FileName
      Zero or one.  STRING.  The name of the file.

   FileSize
      Zero or one.  INTEGER.  The size of the file in bytes.

   FileType
      Zero or one.  STRING.  The type of file per the IANA "Media Types"
      registry [IANA.Media].  Valid values correspond to the text in the
      "Template" column (e.g., "application/pdf").

   URL
      Zero or more.  URL.  A URL reference to the file.

   HashData
      Zero or one.  Hash(es) associated with this file.  See
      Section 3.26.

   SignatureData
      Zero or one.  Signature(s) associated with this file.  See
      Section 3.27.

   AssociatedSoftware
      Zero or one.  SOFTWARE.  The software application or operating
      system to which this file belongs or by which it can be processed.

   FileProperties
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model to describe properties of the file.

   The attributes of the File class are:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26.  HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTargetID ]
   |                          |<>--{0..*}--[ Hash         ]
   |                          |<>--{0..*}--[ FuzzyHash    ]
   +--------------------------+

                       Figure 54: The HashData Class

   The aggregate classes of the HashData class are:

   HashTargetID
      Zero or one.  STRING.  An identifier that references a subset of
      the object being hashed.  The semantics of this identifier are
      specified by the scope attribute.

   Hash
      Zero or more.  The hash of an object.  See Section 3.26.1.

   FuzzyHash
      Zero or more.  The fuzzy hash of an object.  See Section 3.26.2.

   At least one instance of either Hash or FuzzyHash MUST be present.

   The attribute of the HashData class is:

   scope
      Required.  ENUM.  Describes on which part of the object the hash
      should be applied.  These values are maintained in the "HashData-
      scope" IANA registry per Section 10.2.

      1.  file-contents.  A hash computed over the entire contents of a
          file.

      2.  file-pe-section.  A hash computed on a given section of a
          Windows Portable Executable (PE) file.  If set to this value,
          the HashTargetID class MUST identify the section being hashed.
          A section is identified by an ordinal number (starting at 1)
          corresponding to the order in which the given section header
          was defined in the Section Table of the PE file header.

      3.  file-pe-iat.  A hash computed on the Import Address
          Table (IAT) of a PE file.  As IAT hashes are often tool
          dependent, if this value is set, the Application class of
          either the Hash or FuzzyHash classes MUST specify the tool
          used to generate the hash.

      4.  file-pe-resource.  A hash computed on a given resource in a PE
          file.  If set to this value, the HashTargetID class MUST
          identify the resource being hashed.  A resource is identified
          by an ordinal number (starting at 1) corresponding to the
          order in which the given resource is declared in the Resource
          Directory of the Data Dictionary in the PE file header.

      5.  file-pdf-object.  A hash computed on a given object in a
          Portable Document Format (PDF) file.  If set to this value,
          the HashTargetID class MUST identify the object being hashed.
          This object is identified by its offset in the PDF file.

      6.  email-hash.  A hash computed over the headers and body of an
          email message.

      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.

      8.  email-body-hash.  A hash computed over the body of an email
          message.

      9.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-scope
      Optional.  STRING.  A means by which to extend the scope
      attribute.  See Section 5.1.1.
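   The scope values above (together with the header/body split of the
   EmailData class in Section 3.21) determine which bytes a ds:DigestValue
   covers.  The following added Python example, not from the RFC, computes
   the digest for the file-contents, file-pe-section and the three email
   scopes.  Assumptions: the header block ends at the first empty line and
   keeps its own final line terminator, SHA-256 stands in for whatever
   ds:DigestMethod names, and build_minimal_pe is a constructed test helper
   that fills only the PE header fields the section-table walk reads.

```python
import hashlib
import struct


def _pe_section_raw(data, ordinal):
    """Return the raw bytes of PE section `ordinal` (1-based, Section Table order)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    if not 1 <= ordinal <= num_sections:
        raise ValueError("section ordinal %d out of range" % ordinal)
    # 40-byte section headers follow the 20-byte COFF header and optional header.
    hdr = coff + 20 + opt_size + 40 * (ordinal - 1)
    size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
    return data[ptr_raw:ptr_raw + size_raw]


def _split_email(msg):
    """Split an RFC 5322 message into (headers, body) at the first empty line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = msg.find(sep)
        if idx != -1:
            # Headers keep their last line terminator; the blank line is dropped.
            return msg[:idx + len(sep) // 2], msg[idx + len(sep):]
    return msg, b""  # no body at all


def compute_hash(obj, scope, target_id=None, algorithm="sha256"):
    """Hash `obj` (bytes) per a HashData scope and return the hex digest.

    `target_id` carries the HashTargetID content where the scope needs it.
    """
    if scope in ("file-contents", "email-hash"):
        target = obj
    elif scope == "file-pe-section":
        if target_id is None:
            raise ValueError("file-pe-section requires a HashTargetID")
        target = _pe_section_raw(obj, int(target_id))
    elif scope == "email-headers-hash":
        target = _split_email(obj)[0]
    elif scope == "email-body-hash":
        target = _split_email(obj)[1]
    else:
        raise ValueError("scope not handled in this example: %r" % scope)
    return hashlib.new(algorithm, target).hexdigest()


def build_minimal_pe(sections):
    """Constructed fixture: a PE skeleton holding the given [(name, raw)] sections.

    Only the fields the section-table walk needs are filled; it is not runnable.
    """
    n = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # opt header size 0
    table, blobs, ptr = b"", b"", e_lfanew + 4 + 20 + 40 * n
    for name, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0, len(raw), ptr)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics
        blobs += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + blobs
```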

3.26.1.  Hash Class

   The Hash class describes a cryptographic hash value; the algorithm
   and application used to generate it; and the canonicalization method
   applied to the object being hashed.

   +----------------+
   | Hash           |
   +----------------+
   |                |<>----------[ ds:DigestMethod            ]
   |                |<>----------[ ds:DigestValue             ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod  ]
   |                |<>--{0..1}--[ Application                ]
   +----------------+

                         Figure 55: The Hash Class

   The aggregate classes of the Hash class are:

   ds:DigestMethod
      One.  The hash algorithm used to generate the hash.  See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One.  The computed hash value.  See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one.  The canonicalization method used on the object being
      hashed.  See Section 4.3.1 of [W3C.XMLSIG].

   Application
      Zero or one.  SOFTWARE.  The application used to calculate the
      hash.

   The Hash class has no attributes.

3.26.2.  FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash and the application used
   to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{1..*}--[ FuzzyHashValue ]
   |                          |<>--{0..1}--[ Application    ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                      Figure 56: The FuzzyHash Class

   The aggregate classes of the FuzzyHash class are:

   FuzzyHashValue
      One or more.  EXTENSION.  The computed fuzzy hash value.

   Application
      Zero or one.  SOFTWARE.  The application used to calculate the
      hash.

   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model.

   The FuzzyHash class has no attributes.

3.27.  SignatureData Class

   The SignatureData class describes different types of digital
   signatures on an object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

                    Figure 57: The SignatureData Class

   The aggregate class of the SignatureData class is:

   ds:Signature
      One or more.  A given signature.  See Section 4.2 of [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.28.  IndicatorData Class

   The IndicatorData class describes indicators and metadata associated
   with them.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator      ]
   +--------------------------+

                    Figure 58: The IndicatorData Class

   The aggregate class of the IndicatorData class is:

   Indicator
      One or more.  A description of an indicator.  See Section 3.29.

   The IndicatorData class has no attributes.


