
RFC 7970

The Incident Object Description Exchange Format Version 2

Pages: 172
Proposed Standard
Obsoletes: RFC 5070, RFC 6685
Part 5 of 9 – Pages 82 to 96

RFC 7970 - Page 82

3.21. EmailData Class

   The EmailData class describes headers from an email message and
   cryptographic hashes and signatures applied to it.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..*}--[ EmailTo ]
   |                         |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..1}--[ EmailHeaders ]
   |                         |<>--{0..1}--[ EmailBody ]
   |                         |<>--{0..1}--[ EmailMessage ]
   |                         |<>--{0..*}--[ HashData ]
   |                         |<>--{0..*}--[ SignatureData ]
   +-------------------------+

                       Figure 44: EmailData Class

   The aggregate classes of the EmailData class are:

   EmailTo
      Zero or more.  EMAIL.  The value of the "To:" header field
      (Section 3.6.3 of [RFC5322]) in an email.

   EmailFrom
      Zero or one.  EMAIL.  The value of the "From:" header field
      (Section 3.6.2 of [RFC5322]) in an email.

   EmailSubject
      Zero or one.  STRING.  The value of the "Subject:" header field in
      an email.  See Section 3.6.5 of [RFC5322].

   EmailX-Mailer
      Zero or one.  STRING.  The value of the "X-Mailer:" header field in
      an email.

   EmailHeaderField
      Zero or more.  EXTENSION.  The header name and value of an
      arbitrary header field of the email message.  The name attribute
      MUST be set to the header name.  The header value MUST be set in
      the element body.  The dtype attribute MUST be set to "string".

   EmailHeaders
      Zero or one.  STRING.  The headers of an email message.

   EmailBody
      Zero or one.  STRING.  The body of an email message.

   EmailMessage
      Zero or one.  STRING.  The headers and body of an email message.

   HashData
      Zero or more.  Hash(es) associated with this email message.  See
      Section 3.26.

   SignatureData
      Zero or more.  Signature(s) associated with this email message.
      See Section 3.27.

   The attribute of the EmailData class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.
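   As an added example (not part of RFC 7970 or of any IODEF
   implementation), the following Python maps a constructed RFC 5322
   message onto the EmailData structure above: one EmailTo per address,
   EmailHeaderField entries with the required name and dtype="string"
   attributes, and the three email-* HashData scopes of Section 3.26.
   The namespace URIs are those of IODEF v2 and XML Signature, and the
   SHA-256 DigestMethod identifier is the xmlenc one.  The header/body
   split used for the two partial hashes is this example's own
   convention, since the RFC does not define one.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from email import policy
from email.parser import BytesParser

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"   # ds:DigestMethod identifier for SHA-256
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample message (not from the RFC), CRLF line endings as received on the wire.
SAMPLE_MESSAGE = (
    b"Received: from mail.example.net (192.0.2.10) by mx.example.org\r\n"
    b"Message-ID: <20240101.1234@example.net>\r\n"
    b"From: Attacker <lure@example.net>\r\n"
    b"To: Alice <alice@example.org>, bob@example.org\r\n"
    b"Subject: Invoice attached\r\n"
    b"X-Mailer: Example Mailer 1.0\r\n"
    b"\r\n"
    b"Please open the attached invoice.\r\n"
)


def sha256_b64(data):
    """Base64 text of a SHA-256 digest, the encoding ds:DigestValue carries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def split_message(raw):
    """Split raw bytes at the first empty line: (headers incl. their final CRLF, body).

    This split is the example's own convention; IODEF does not define one, which is why a
    producer should record any canonicalization via ds:CanonicalizationMethod."""
    idx = raw.find(b"\r\n\r\n")
    if idx < 0:
        return raw, b""
    return raw[: idx + 2], raw[idx + 4 :]


def _sub(parent, tag, text=None, **attrs):
    el = ET.SubElement(parent, f"{{{IODEF_NS}}}{tag}", attrs)
    if text is not None:
        el.text = text
    return el


def _add_hash_data(parent, scope, data):
    """Append HashData/Hash carrying ds:DigestMethod and ds:DigestValue for `data`."""
    hash_el = _sub(_sub(parent, "HashData", scope=scope), "Hash")
    ET.SubElement(hash_el, f"{{{DS_NS}}}DigestMethod", {"Algorithm": SHA256_URI})
    ET.SubElement(hash_el, f"{{{DS_NS}}}DigestValue").text = sha256_b64(data)


def build_email_data(raw, extra_headers=("Received", "Message-ID")):
    """Map an RFC 5322 message to an iodef:EmailData element."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    headers, body = split_message(raw)
    email_data = ET.Element(f"{{{IODEF_NS}}}EmailData")

    # EmailTo is {0..*} and typed EMAIL, so emit one element per address (display names dropped).
    if msg["To"] is not None:
        for addr in msg["To"].addresses:
            _sub(email_data, "EmailTo", addr.addr_spec)
    if msg["From"] is not None and msg["From"].addresses:
        _sub(email_data, "EmailFrom", msg["From"].addresses[0].addr_spec)
    if msg["Subject"] is not None:
        _sub(email_data, "EmailSubject", str(msg["Subject"]))
    if msg["X-Mailer"] is not None:
        _sub(email_data, "EmailX-Mailer", str(msg["X-Mailer"]))

    # Arbitrary headers go in EmailHeaderField: name attribute, dtype="string", value in the body.
    for name in extra_headers:
        for value in msg.get_all(name, []):
            _sub(email_data, "EmailHeaderField", str(value), name=name, dtype="string")

    _sub(email_data, "EmailHeaders", headers.decode("utf-8", "replace"))
    _sub(email_data, "EmailBody", body.decode("utf-8", "replace"))

    # The three email-* scopes of Section 3.26; email-hash covers the whole message.
    _add_hash_data(email_data, "email-hash", raw)
    _add_hash_data(email_data, "email-headers-hash", headers)
    _add_hash_data(email_data, "email-body-hash", body)
    return email_data


def digest_values(email_data):
    """Return {scope: ds:DigestValue text} for every HashData under the element."""
    return {hd.get("scope"): hd.find(f".//{{{DS_NS}}}DigestValue").text
            for hd in email_data.findall(f"{{{IODEF_NS}}}HashData")}


if __name__ == "__main__":
    print(ET.tostring(build_email_data(SAMPLE_MESSAGE), encoding="unicode"))
```

   A consumer can only re-verify email-headers-hash and
   email-body-hash if it splits the message at the same byte boundary
   as the producer, so state that boundary (or a
   ds:CanonicalizationMethod) alongside the hash; email-hash over the
   complete raw message has no such ambiguity.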

3.22. Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the events in an incident.
   The source of this data will often be the output of monitoring
   tools.  These logs substantiate the activity described in the
   document.

   +------------------------+
   | Record                 |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ RecordData ]
   | STRING ext-restriction |
   +------------------------+

                      Figure 45: The Record Class

   The aggregate classes of the Record class are:

   RecordData
      One or more.  Log or audit data generated by a particular tool.
      Separate instances of the RecordData class SHOULD be used for each
      type of log.  See Section 3.22.1.

   The attributes of the Record class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.22.1. RecordData Class

   The RecordData class describes or references log or audit data from
   a given type of tool and provides a means to annotate the output.

   +------------------------+
   | RecordData             |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ DateTime ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..1}--[ Application ]
   |                        |<>--{0..*}--[ RecordPattern ]
   |                        |<>--{0..*}--[ RecordItem ]
   |                        |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ FileData ]
   |                        |<>--{0..*}--
   |                        |    [ WindowsRegistryKeysModified ]
   |                        |<>--{0..*}--[ CertificateData ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 46: The RecordData Class

   The aggregate classes of the RecordData class are:

   DateTime
      Zero or one.  DATETIME.  A timestamp of the data found in the
      RecordItem or URL classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      data provided in the RecordItem or URL classes.

   Application
      Zero or one.  SOFTWARE.  Identifies the tool used to generate the
      data in the RecordItem or URL classes.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant data
      in the RecordItem or URL classes.  See Section 3.22.2.

   RecordItem
      Zero or more.  EXTENSION.  Log, audit, or forensic data to support
      the conclusions made during the course of analyzing the incident.

   URL
      Zero or more.  URL.  A URL reference to log or audit data.

   FileData
      Zero or one.  The files involved in the incident.  See
      Section 3.25.  Note that Figure 46 shows this class with a
      multiplicity of {0..*}; the prose and the figure disagree.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were involved in the
      incident.  See Section 3.23.

   CertificateData
      Zero or more.  The certificates that were involved in the
      incident.  See Section 3.24.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the following classes MUST be present: RecordItem,
   URL, FileData, WindowsRegistryKeysModified, CertificateData, or
   AdditionalData.

   The attributes of the RecordData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2. RecordPattern Class

   The RecordPattern class describes where in the log data provided or
   referenced in the RecordData class relevant information can be
   found.  It provides a way to reference subsets of information,
   identified by a pattern, in a large log file, audit trail, or
   forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                    Figure 47: The RecordPattern Class

   The content of the class is of type STRING and specifies a search
   pattern.

   The attributes of the RecordPattern class are:

   type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".  These values are
      maintained in the "RecordPattern-type" IANA registry per
      Section 10.2.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex-encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".  These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Section 10.2.

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.
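   As an added example (not from the RFC), the following Python applies
   one RecordPattern to RecordItem data, honouring the type (regex or
   binary), offset, offsetunit and instance attributes.  Two readings
   are this example's own: instance is treated as an upper bound on the
   number of matches returned, and Python's re module stands in for
   POSIX ERE, so only the syntax common to both is safe in patterns.
   The xpath type is not handled, as it needs an XML RecordItem and an
   XPath engine.  The log lines are constructed.

```python
import re

# Constructed sample RecordItem content (not from the RFC): sshd-style authentication log lines.
SAMPLE_RECORD_ITEM = (
    "Jan  1 00:00:01 host sshd[100]: Accepted publickey for ops from 192.0.2.5 port 5000 ssh2\n"
    "Jan  1 00:00:02 host sshd[101]: Failed password for root from 198.51.100.7 port 5001 ssh2\n"
    "Jan  1 00:00:03 host sshd[102]: Failed password for root from 198.51.100.7 port 5002 ssh2\n"
    "Jan  1 00:00:04 host sshd[103]: Failed password for admin from 198.51.100.7 port 5003 ssh2\n"
    "Jan  1 00:00:05 host sshd[104]: Accepted password for admin from 198.51.100.7 port 5004 ssh2\n"
)


def seek_offset(data, offset, offsetunit):
    """Byte position after skipping `offset` units, as offset/offsetunit direct."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    if offsetunit == "byte":
        return min(offset, len(data))
    if offsetunit == "line":
        pos = 0
        for _ in range(offset):
            nl = data.find(b"\n", pos)
            if nl < 0:
                return len(data)
            pos = nl + 1
        return pos
    raise ValueError(f"unsupported offsetunit {offsetunit!r} (ext-value needs ext-offsetunit)")


def apply_record_pattern(record_item, pattern, ptype="regex", offset=0,
                         offsetunit="line", instance=None):
    """Apply one RecordPattern to RecordItem data.

    Returns a list of (line_number, byte_offset, matched_bytes); at most `instance`
    entries when `instance` is given (this example's reading of the attribute)."""
    data = record_item.encode("utf-8") if isinstance(record_item, str) else bytes(record_item)
    start = seek_offset(data, offset, offsetunit)

    if ptype == "regex":
        # `re` is a backtracking engine, not POSIX ERE: no leftmost-longest alternation,
        # no [[:digit:]] classes. Keep patterns to the shared subset.
        rx = re.compile(pattern.encode("utf-8"))
        matches = [(m.start(), m.group(0)) for m in rx.finditer(data, start)]
    elif ptype == "binary":
        needle = bytes.fromhex(pattern)            # HEXBIN element content
        if not needle:
            raise ValueError("empty binary pattern")
        matches, pos = [], data.find(needle, start)
        while pos >= 0:
            matches.append((pos, needle))
            pos = data.find(needle, pos + 1)
    else:
        raise ValueError(f"unsupported type {ptype!r}")

    if instance is not None:
        matches = matches[:instance]
    # Line numbers are 1-based and counted over the whole RecordItem, not from the seek point.
    return [(data.count(b"\n", 0, off) + 1, off, text) for off, text in matches]


if __name__ == "__main__":
    for hit in apply_record_pattern(SAMPLE_RECORD_ITEM, r"Failed password for \w+ from \S+",
                                    offset=1, instance=2):
        print(hit)
```

   A RecordPattern received in someone else's IODEF document is
   untrusted input: a crafted pattern can drive a backtracking regex
   engine into exponential time, so evaluate third-party patterns under
   a timeout or with a linear-time engine before pointing them at large
   RecordItem payloads.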

3.23. WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

             Figure 48: The WindowsRegistryKeysModified Class

   The aggregate classes of the WindowsRegistryKeysModified class are:

   Key
      One or more.  The Windows registry key.  See Section 3.23.1.

   The attribute of the WindowsRegistryKeysModified class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.23.1. Key Class

   The Key class describes a Windows operating system registry key name
   and value pair, as well as the operation performed on it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                       Figure 49: The Key Class

   The aggregate classes of the Key class are:

   KeyName
      One.  STRING.  The name of a Windows operating system registry key
      (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the registry key identified in
      the KeyName class encoded per the .reg file format [KB310516].

   The attributes of the Key class are:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Section 10.2.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to a registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from a registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified in a registry key.

      7.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-registryaction
      Optional.  STRING.  A means by which to extend the registryaction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
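   As an added example (not from the RFC or any IODEF tool), the
   following Python turns a constructed .reg fragment into
   WindowsRegistryKeysModified/Key elements.  It relies on the .reg
   conventions of [KB310516]: "[KEY]" creates a key if absent, "[-KEY]"
   deletes it, '"name"=data' sets a value and '"name"=-' deletes one.
   Because a .reg file cannot show whether a key or value already
   existed, the example reports add-* rather than modify-*, and it
   places the whole '"name"=data' line in KeyValue, which is one reading
   of "encoded per the .reg file format".

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
ET.register_namespace("iodef", IODEF_NS)

# Constructed .reg fragment (not from the RFC): a persistence entry, a Defender policy
# change with one value removed, and a key deletion.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"OldValue"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Telemetry]
"""


def parse_reg(text):
    """Return (registryaction, KeyName, KeyValue-or-None) triples from .reg text.

    add-* is reported rather than modify-* because the .reg text alone cannot tell
    whether the key or value existed. Multi-line hex(...) continuations and value
    names containing '=' are not handled."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if line.startswith("[-"):                     # [-KEY] deletes the key
                entries.append(("delete-key", "[" + line[2:], None))
                current = None
            else:                                         # [KEY] creates it if absent
                current = line
                entries.append(("add-key", current, None))
        elif current is not None and "=" in line:
            _name, _, data = line.partition("=")
            action = "delete-value" if data == "-" else "add-value"
            entries.append((action, current, line))
    return entries


def build_registry_keys(text):
    """Build iodef:WindowsRegistryKeysModified with one Key per .reg operation."""
    root = ET.Element(f"{{{IODEF_NS}}}WindowsRegistryKeysModified")
    for action, keyname, keyvalue in parse_reg(text):
        key = ET.SubElement(root, f"{{{IODEF_NS}}}Key", {"registryaction": action})
        ET.SubElement(key, f"{{{IODEF_NS}}}KeyName").text = keyname
        if keyvalue is not None:   # KeyValue is {0..1}: absent for key-level operations
            ET.SubElement(key, f"{{{IODEF_NS}}}KeyValue").text = keyvalue
    return root


if __name__ == "__main__":
    print(ET.tostring(build_registry_keys(SAMPLE_REG), encoding="unicode"))
```

   When the source is a live host rather than a .reg export, the
   difference between add-key and modify-key is observable and should
   be recorded; the .reg format simply does not carry it.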

3.24. CertificateData Class

   The CertificateData class describes X.509 certificates.

   +------------------------+
   | CertificateData        |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ Certificate ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                  Figure 50: The CertificateData Class

   The aggregate classes of the CertificateData class are:

   Certificate
      One or more.  A description of an X.509 certificate or certificate
      chain.  See Section 3.24.1.

   The attributes of the CertificateData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.24.1. Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ID observable-id         |<>----------[ ds:X509Data ]
   |                          |<>--{0..*}--[ Description ]
   +--------------------------+

                    Figure 51: The Certificate Class

   The aggregate classes of the Certificate class are:

   ds:X509Data
      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
      [W3C.XMLSIG].

   Description
      Zero or more.  ML_STRING.  A free-form text description explaining
      the context of this certificate.

   The attribute of the Certificate class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25. FileData Class

   The FileData class describes a file or set of files.

   +------------------------+
   | FileData               |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ File ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                     Figure 52: The FileData Class

   The aggregate classes of the FileData class are:

   File
      One or more.  A description of a file.  See Section 3.25.1.

   The attributes of the FileData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.1. File Class

   The File class describes a file; its associated metadata; and
   cryptographic hashes and signatures applied to it.

   +-----------------------+
   | File                  |
   +-----------------------+
   | ID observable-id      |<>--{0..1}--[ FileName ]
   |                       |<>--{0..1}--[ FileSize ]
   |                       |<>--{0..1}--[ FileType ]
   |                       |<>--{0..*}--[ URL ]
   |                       |<>--{0..1}--[ HashData ]
   |                       |<>--{0..1}--[ SignatureData ]
   |                       |<>--{0..1}--[ AssociatedSoftware ]
   |                       |<>--{0..*}--[ FileProperties ]
   +-----------------------+

                       Figure 53: The File Class

   The aggregate classes of the File class are:

   FileName
      Zero or one.  STRING.  The name of the file.

   FileSize
      Zero or one.  INTEGER.  The size of the file in bytes.

   FileType
      Zero or one.  STRING.  The type of file per the IANA "Media Types"
      registry [IANA.Media].  Valid values correspond to the text in the
      "Template" column (e.g., "application/pdf").

   URL
      Zero or more.  URL.  A URL reference to the file.

   HashData
      Zero or one.  Hash(es) associated with this file.  See
      Section 3.26.

   SignatureData
      Zero or one.  Signature(s) associated with this file.  See
      Section 3.27.

   AssociatedSoftware
      Zero or one.  SOFTWARE.  The software application or operating
      system to which this file belongs or by which it can be processed.

   FileProperties
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model to describe properties of the file.

   The attributes of the File class are:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26. HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTargetID ]
   |                          |<>--{0..*}--[ Hash ]
   |                          |<>--{0..*}--[ FuzzyHash ]
   +--------------------------+

                     Figure 54: The HashData Class

   The aggregate classes of the HashData class are:

   HashTargetID
      Zero or one.  STRING.  An identifier that references a subset of
      the object being hashed.  The semantics of this identifier are
      specified by the scope attribute.

   Hash
      Zero or more.  The hash of an object.  See Section 3.26.1.

   FuzzyHash
      Zero or more.  The fuzzy hash of an object.  See Section 3.26.2.

   At least one instance of either Hash or FuzzyHash MUST be present.

   The attributes of the HashData class are:

   scope
      Required.  ENUM.  Describes on which part of the object the hash
      should be applied.  These values are maintained in the "HashData-
      scope" IANA registry per Section 10.2.

      1.  file-contents.  A hash computed over the entire contents of a
          file.

      2.  file-pe-section.  A hash computed on a given section of a
          Windows Portable Executable (PE) file.  If set to this value,
          the HashTargetID class MUST identify the section being hashed.
          A section is identified by an ordinal number (starting at 1)
          corresponding to the order in which the given section header
          was defined in the Section Table of the PE file header.

      3.  file-pe-iat.  A hash computed on the Import Address
          Table (IAT) of a PE file.  As IAT hashes are often tool
          dependent, if this value is set, the Application class of
          either the Hash or FuzzyHash classes MUST specify the tool
          used to generate the hash.

      4.  file-pe-resource.  A hash computed on a given resource in a PE
          file.  If set to this value, the HashTargetID class MUST
          identify the resource being hashed.  A resource is identified
          by an ordinal number (starting at 1) corresponding to the
          order in which the given resource is declared in the Resource
          Directory of the Data Dictionary in the PE file header.

      5.  file-pdf-object.  A hash computed on a given object in a
          Portable Document Format (PDF) file.  If set to this value,
          the HashTargetID class MUST identify the object being hashed.
          This object is identified by its offset in the PDF file.

      6.  email-hash.  A hash computed over the headers and body of an
          email message.

      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.

      8.  email-body-hash.  A hash computed over the body of an email
          message.

      9.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-scope
      Optional.  STRING.  A means by which to extend the scope
      attribute.  See Section 5.1.1.
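   The scope values above carry conditional MUSTs (HashTargetID for the
   three sub-object scopes, Application for file-pe-iat) in addition to
   the rule that at least one Hash or FuzzyHash be present, and
   Section 3.22.1 imposes a similar "at least one of" rule on
   RecordData.  As an added example (not from the RFC or any IODEF
   implementation), the following Python checks a received Record
   fragment against those rules before its hashes are trusted as
   indicators.  The sample document is constructed: the digest is
   SHA-256 of empty input used as a placeholder and the fuzzy hash value
   is a dummy; requiring Application on every Hash and FuzzyHash under a
   file-pe-iat HashData is this example's reading of "either".

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

HASH_SCOPES = {"file-contents", "file-pe-section", "file-pe-iat", "file-pe-resource",
               "file-pdf-object", "email-hash", "email-headers-hash", "email-body-hash", "ext-value"}
SCOPES_NEEDING_TARGET = {"file-pe-section", "file-pe-resource", "file-pdf-object"}
RECORDDATA_PAYLOADS = ("RecordItem", "URL", "FileData", "WindowsRegistryKeysModified",
                       "CertificateData", "AdditionalData")

# Constructed Record fragment (not from the RFC). HashData #1 is well formed, #2 lacks the
# HashTargetID its scope requires, #3 names no tool for an IAT hash, and the second
# RecordData carries no payload class. The digest is SHA-256("") used as a placeholder.
SAMPLE_RECORD = """<iodef:Record xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <iodef:RecordData><iodef:FileData>
  <iodef:File><iodef:FileName>dropper.exe</iodef:FileName>
   <iodef:HashData scope="file-contents"><iodef:Hash>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</ds:DigestValue>
   </iodef:Hash></iodef:HashData></iodef:File>
  <iodef:File><iodef:FileName>dropper.exe</iodef:FileName>
   <iodef:HashData scope="file-pe-section"><iodef:Hash>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</ds:DigestValue>
   </iodef:Hash></iodef:HashData></iodef:File>
  <iodef:File><iodef:FileName>dropper.exe</iodef:FileName>
   <iodef:HashData scope="file-pe-iat"><iodef:FuzzyHash>
    <iodef:FuzzyHashValue dtype="string">3:AAAA:BBBB</iodef:FuzzyHashValue>
   </iodef:FuzzyHash></iodef:HashData></iodef:File>
 </iodef:FileData></iodef:RecordData>
 <iodef:RecordData><iodef:Description>no supporting data attached</iodef:Description></iodef:RecordData>
</iodef:Record>"""


def q(tag, ns=IODEF_NS):
    return f"{{{ns}}}{tag}"


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def check_hash_data(hd):
    """Problems found in one HashData element against the rules of Section 3.26."""
    problems = []
    scope = hd.get("scope")
    if scope is None:
        problems.append("scope attribute is required")
    elif scope not in HASH_SCOPES:
        problems.append(f"scope {scope!r} is not a registered value")
    elif scope == "ext-value" and not hd.get("ext-scope"):
        problems.append("scope=ext-value requires an ext-scope attribute")

    hashes, fuzzy = hd.findall(q("Hash")), hd.findall(q("FuzzyHash"))
    if not hashes and not fuzzy:
        problems.append("at least one Hash or FuzzyHash MUST be present")

    target = _text(hd.find(q("HashTargetID")))
    if scope in SCOPES_NEEDING_TARGET and not target:
        problems.append(f"scope {scope} requires HashTargetID")
    # PE sections and resources are addressed by a 1-based ordinal.
    if scope in ("file-pe-section", "file-pe-resource") and target and not (target.isdigit() and int(target) >= 1):
        problems.append("HashTargetID must be an ordinal starting at 1")
    # IAT hashes are tool dependent; this check expects Application on every Hash/FuzzyHash.
    if scope == "file-pe-iat" and not all(h.find(q("Application")) is not None for h in hashes + fuzzy):
        problems.append("scope file-pe-iat requires Application naming the tool")

    for h in hashes:
        method = h.find(q("DigestMethod", DS_NS))
        if method is None or not method.get("Algorithm"):
            problems.append("Hash lacks ds:DigestMethod with an Algorithm")
        if not _text(h.find(q("DigestValue", DS_NS))):
            problems.append("Hash lacks ds:DigestValue")
    for f in fuzzy:
        if f.find(q("FuzzyHashValue")) is None:
            problems.append("FuzzyHash lacks FuzzyHashValue")
    return problems


def check_record_data(rd):
    """The Section 3.22.1 rule: at least one payload class MUST be present."""
    if not any(rd.find(q(tag)) is not None for tag in RECORDDATA_PAYLOADS):
        return ["RecordData carries none of " + ", ".join(RECORDDATA_PAYLOADS)]
    return []


def check_record(xml_text):
    """Return {label: [problems]} for every RecordData and HashData in document order."""
    root = ET.fromstring(xml_text)
    report = {}
    for i, rd in enumerate(root.iter(q("RecordData"))):
        report[f"RecordData[{i}]"] = check_record_data(rd)
    for i, hd in enumerate(root.iter(q("HashData"))):
        report[f"HashData[{i}]"] = check_hash_data(hd)
    return report


if __name__ == "__main__":
    for label, problems in check_record(SAMPLE_RECORD).items():
        print(label, problems or "ok")
```

   These checks complement, rather than replace, validation against the
   XML schema of Section 8: the schema enforces element order and
   multiplicity, but conditional rules tied to attribute values (a
   HashTargetID required only for certain scopes) have to be checked in
   code.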

3.26.1. Hash Class

   The Hash class describes a cryptographic hash value; the algorithm
   and application used to generate it; and the canonicalization method
   applied to the object being hashed.

   +----------------+
   | Hash           |
   +----------------+
   |                |<>----------[ ds:DigestMethod ]
   |                |<>----------[ ds:DigestValue ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
   |                |<>--{0..1}--[ Application ]
   +----------------+

                       Figure 55: The Hash Class

   The aggregate classes of the Hash class are:

   ds:DigestMethod
      One.  The hash algorithm used to generate the hash.  See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One.  The computed hash value.  See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one.  The canonicalization method used on the object being
      hashed.  See Section 4.3.1 of [W3C.XMLSIG].

   Application
      Zero or one.  SOFTWARE.  The application used to calculate the
      hash.

   The Hash class has no attributes.

3.26.2. FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash and the application used
   to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{1..*}--[ FuzzyHashValue ]
   |                          |<>--{0..1}--[ Application ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                    Figure 56: The FuzzyHash Class

   The aggregate classes of the FuzzyHash class are:

   FuzzyHashValue
      One or more.  EXTENSION.  The computed fuzzy hash value.

   Application
      Zero or one.  SOFTWARE.  The application used to calculate the
      hash.

   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model.

   The FuzzyHash class has no attributes.

3.27. SignatureData Class

   The SignatureData class describes different types of digital
   signatures on an object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

                   Figure 57: The SignatureData Class

   The aggregate class of the SignatureData class is:

   ds:Signature
      One or more.  A given signature.  See Section 4.2 of [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.28. IndicatorData Class

   The IndicatorData class describes indicators and metadata associated
   with them.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                   Figure 58: The IndicatorData Class

   The aggregate class of the IndicatorData class is:

   Indicator
      One or more.  A description of an indicator.  See Section 3.29.

   The IndicatorData class has no attributes.

