Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7970

The Incident Object Description Exchange Format Version 2

Pages: 172
Proposed Standard
Errata
Obsoletes:  50706685
Part 2 of 9 – Pages 18 to 43
First   Prev   Next

Top   ToC   RFC7970 - Page 18   prevText

3. The IODEF Information Model

The specifics of the IODEF information model are discussed in this section. Each class and its relationships with the other classes is described. When necessary, clarifications are made about translating this information model to the schema in Section 8.

3.1. IODEF-Document Class

The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class. +--------------------------+ | IODEF-Document | +--------------------------+ | STRING version |<>--{1..*}--[ Incident ] | ENUM xml:lang |<>--{0..*}--[ AdditionalData ] | STRING format-id | | STRING private-enum-name | | STRING private-enum-id | +--------------------------+ Figure 5: The IODEF-Document Class The aggregate classes of the IODEF-Document class are: Incident One or more. The information related to a single incident. See Section 3.2. AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
Top   ToC   RFC7970 - Page 19
   The attributes of the IODEF-Document class are:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   format-id
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out of band.

   private-enum-name
      Optional.  STRING.  A globally unique identifier for the CSIRT
      generating the document to deconflict private extensions used in
      the document.  The fully qualified domain name (FQDN) associated
      with the CSIRT MUST be used as the identifier.  See Section 5.3.

   private-enum-id
      Optional.  STRING.  An organizationally unique identifier for an
      extension used in the document.  If this attribute is set, the
      private-enum-name MUST also be set.  See Section 5.3.
Top   ToC   RFC7970 - Page 20

3.2. Incident Class

The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents. +-------------------------+ | Incident | +-------------------------+ | ENUM purpose |<>----------[ IncidentID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | ENUM status |<>--{0..*}--[ RelatedActivity ] | STRING ext-status |<>--{0..1}--[ DetectTime ] | ENUM xml:lang |<>--{0..1}--[ StartTime ] | ENUM restriction |<>--{0..1}--[ EndTime ] | STRING ext-restriction |<>--{0..1}--{ RecoveryTime ] | ID observable-id |<>--{0..1}--[ ReportTime ] | |<>----------[ GenerationTime ] | |<>--{0..*}--[ Description ] | |<>--{0..*} [ Discovery ] | |<>--{0..*}--[ Assessment ] | |<>--{0..*}--[ Method ] | |<>--{1..*}--[ Contact ] | |<>--{0..*}--[ EventData ] | |<>--{0..1}--[ IndicatorData ] | |<>--{0..1}--[ History ] | |<>--{0..*}--[ AdditionalData ] +-------------------------+ Figure 6: The Incident Class The aggregate classes of the Incident class are: IncidentID One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document. See Section 3.4. AlternativeID Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document. See Section 3.5. RelatedActivity Zero or more. Related activity and attribution of this activity. See Section 3.6. DetectTime Zero or one. DATETIME. The time the incident was first detected.
Top   ToC   RFC7970 - Page 21
   StartTime
      Zero or one.  DATETIME.  The time the incident started.

   EndTime
      Zero or one.  DATETIME.  The time the incident ended.

   RecoveryTime
      Zero or one.  DATETIME.  The time the site recovered from the
      incident.

   ReportTime
      Zero or one.  DATETIME.  The time the incident was reported.

   GenerationTime
      One.  DATETIME.  The time the content in this Incident class was
      generated.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.  See
      Section 3.10.

   Assessment
      Zero or more.  A characterization of the impact of the incident.
      See Section 3.12.

   Method
      Zero or more.  The techniques used by the threat actor in the
      incident.  See Section 3.11.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.  See Section 3.9.

   EventData
      Zero or more.  Description of the events comprising the incident.
      See Section 3.14.

   IndicatorData
      Zero or one.  Indicators from the analysis of an incident.  See
      Section 3.28.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.  See Section 3.13.
Top   ToC   RFC7970 - Page 22
   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model.

   The attributes of the Incident class are:

   purpose
      Required.  ENUM.  The purpose attribute describes the rationale
      for documenting the information in this class.  It is closely
      related to the Expectation class (Section 3.15).  These values are
      maintained in the "Incident-purpose" IANA registry per
      Section 10.2.  This attribute is defined as an enumerated list:

      1.  traceback.  The incident was sent for trace-back purposes.

      2.  mitigation.  The incident was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The incident was sent to comply with reporting
          requirements.

      4.  watch.  The incident was sent to convey indicators that should
          be monitored.

      5.  other.  The incident was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.1.

   status
      Optional.  ENUM.  The status attribute conveys the state in a
      workflow where the incident is currently found.  These values are
      maintained in the "Incident-status" IANA registry per
      Section 10.2.  This attribute is defined as an enumerated list:

      1.  new.  The incident is newly reported, and no action has been
          taken.

      2.  in-progress.  The incident is under investigation.

      3.  forwarded.  The incident has been forwarded to another party
          for handling.
Top   ToC   RFC7970 - Page 23
      4.  resolved.  The investigation into the activity in this
          incident has concluded.

      5.  future.  The described activity has not yet been detected.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-status
      Optional.  STRING.  A means by which to extend the status
      attribute.  See Section 5.1.1.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "private".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.3. Common Attributes

There are a number of recurring attributes used in the information model. They are documented in this section.

3.3.1. restriction Attribute

The restriction attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no technical means to ensure that the recipient of the document handles the information as the sender requested. The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class also apply to its children.
Top   ToC   RFC7970 - Page 24
   It is possible to set a granular disclosure policy, since all of the
   high-level classes (i.e., children of the Incident class) have a
   restriction attribute.  Therefore, a child can override the
   guidelines of a parent class, be it to restrict or relax the
   disclosure rules (e.g., a child has a weaker policy than an ancestor;
   or an ancestor has a weak policy, and the children selectively apply
   more rigid controls).  The implicit value of the restriction
   attribute for a class that did not specify one can be found in the
   closest ancestor that did specify a value.

   This attribute is defined as an enumerated value with a default value
   of "private".  Note that the default value of the restriction
   attribute is only defined in the context of the Incident class.  In
   other classes where this attribute is used, no default is specified.

   These values are maintained in the "Restriction" IANA registry per
   Section 10.2.

   1.   public.  The information can be freely distributed without
        restriction.

   2.   partner.  The information may be shared within a closed
        community of peers, partners, or affected parties, but cannot be
        openly published.

   3.   need-to-know.  The information may be shared only within the
        organization with individuals that have a need to know.

   4.   private.  The information may not be shared.

   5.   default.  The information can be shared according to an
        information disclosure policy pre-arranged by the communicating
        parties.

   6.   white.  Same as 'public'.

   7.   green.  Same as 'partner'.

   8.   amber.  Same as 'need-to-know'.

   9.   red.  Same as 'private'.

   10.  ext-value.  A value used to indicate that this attribute is
        extended and the actual value is provided using the
        corresponding ext-* attribute.  See Section 5.1.1.
Top   ToC   RFC7970 - Page 25

3.3.2. observable-id Attribute

The observable-id attribute tags information in the document as an observable so that it can be referenced later in the description of an indicator. The value of this attribute is a unique identifier in the scope of the document. It is used by the ObservableReference class to enumerate observables when defining an indicator with the IndicatorData class.

3.4. IncidentID Class

The IncidentID class represents a tracking number that is unique in the context of the CSIRT. It serves as an identifier for an incident or a document identifier when sharing indicators. This identifier would serve as an index into a CSIRT's incident handling or knowledge management system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident. +------------------------+ | IncidentID | +------------------------+ | STRING | | | | STRING name | | STRING instance | | ENUM restriction | | STRING ext-restriction | +------------------------+ Figure 7: The IncidentID Class The content of the class is an incident identifier of type STRING. The attributes of the IncidentID class are: name Required. STRING. An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.
Top   ToC   RFC7970 - Page 26
   instance
      Optional.  STRING.  An identifier referencing a subset of the
      named incident.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.5. AlternativeID Class

The AlternativeID class lists the tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described in the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by another CSIRT. The tracking numbers of the CSIRT that generated the IODEF document must never be considered an AlternativeID. +------------------------+ | AlternativeID | +------------------------+ | ENUM restriction |<>--{1..*}--[ IncidentID ] | STRING ext-restriction | +------------------------+ Figure 8: The AlternativeID Class The aggregate class of the AlternativeID class is: IncidentID One or more. The tracking number of another CSIRT. See Section 3.4. The attributes of the AlternativeID class are: restriction Optional. ENUM. See Section 3.3.1. ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
Top   ToC   RFC7970 - Page 27

3.6. RelatedActivity Class

The RelatedActivity class relates the information described in the rest of the document to previously observed incidents or activity and allows attribution to a specific actor or campaign. +------------------------+ | RelatedActivity | +------------------------+ | ENUM restriction |<>--{0..*}--[ IncidentID ] | STRING ext-restriction |<>--{0..*}--[ URL ] | |<>--{0..*}--[ ThreatActor ] | |<>--{0..*}--[ Campaign ] | |<>--{0..*}--[ IndicatorID ] | |<>--{0..1}--[ Confidence ] | |<>--{0..*}--[ Description ] | |<>--{0..*}--[ AdditionalData ] +------------------------+ Figure 9: The RelatedActivity Class The aggregate classes of the RelatedActivity class are: IncidentID Zero or more. The tracking number of a related incident. See Section 3.4. URL Zero or more. URL. A URL to activity related to this incident. ThreatActor Zero or more. The threat actor to whom the incident activity is attributed. See Section 3.7. Campaign Zero or more. The campaign of a given threat actor to whom the described activity is attributed. See Section 3.8. IndicatorID Zero or more. A reference to a related indicator. See Section 3.4. Confidence Zero or one. An estimate of the confidence in attributing this RelatedActivity to the events described in the document. See Section 3.12.5.
Top   ToC   RFC7970 - Page 28
   Description
      Zero or more.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The RelatedActivity class MUST have at least one instance of any of
   the following child classes: IncidentID, URL, ThreatActor, Campaign,
   Description, or AdditionalData.

   The attributes of the RelatedActivity class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.7. ThreatActor Class

The ThreatActor class describes a threat actor. +------------------------+ | ThreatActor | +------------------------+ | ENUM restriction |<>--{0..*}--[ ThreatActorID ] | STRING ext-restriction |<>--{0..*}--[ URL ] | |<>--{0..*}--[ Description ] | |<>--{0..*}--[ AdditionalData ] +------------------------+ Figure 10: The ThreatActor Class The aggregate classes of the ThreatActor class are: ThreatActorID Zero or more. STRING. An identifier for the threat actor. URL Zero or more. URL. A URL to a reference describing the threat actor. Description Zero or more. ML_STRING. A description of the threat actor.
Top   ToC   RFC7970 - Page 29
   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The ThreatActor class MUST have at least one instance of a child
   class.

   The attributes of the ThreatActor class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.8. Campaign Class

The Campaign class describes a campaign of attacks by a threat actor. +------------------------+ | Campaign | +------------------------+ | ENUM restriction |<>--{0..*}--[ CampaignID ] | STRING ext-restriction |<>--{0..*}--[ URL ] | |<>--{0..*}--[ Description ] | |<>--{0..*}--[ AdditionalData ] +------------------------+ Figure 11: The Campaign Class The aggregate classes of the Campaign class are: CampaignID Zero or more. STRING. An identifier for the campaign. URL Zero or more. URL. A URL to a reference describing the campaign. Description Zero or more. ML_STRING. A description of the campaign. AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model. The Campaign class MUST have at least one instance of a child class.
Top   ToC   RFC7970 - Page 30
   The attributes of the Campaign class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.9. Contact Class

The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident. People and organizations are treated interchangeably as contacts; one can be associated with the other using the recursive definition of the class (the Contact class is aggregated into the Contact class). The type attribute disambiguates the type of contact information being provided. The recursive definition of Contact provides a way to relate information without requiring the explicit use of identifiers or duplication of data. A complete point of contact is derived by a particular traversal from the root Contact class to the leaf Contact class. Each child Contact class logically inherits contact information from its ancestors. +------------------------+ | Contact | +------------------------+ | ENUM role |<>--{0..*}--[ ContactName ] | STRING ext-role |<>--{0..*}--[ ContactTitle ] | ENUM type |<>--{0..*}--[ Description ] | STRING ext-type |<>--{0..*}--[ RegistryHandle ] | ENUM restriction |<>--{0..*}--[ PostalAddress ] | STRING ext-restriction |<>--{0..*}--[ Email ] | |<>--{0..*}--[ Telephone ] | |<>--{0..1}--[ Timezone ] | |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ AdditionalData ] +------------------------+ Figure 12: The Contact Class
Top   ToC   RFC7970 - Page 31
   The aggregate classes of the Contact class are:

   ContactName
      Zero or more.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or more.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      contact.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.
      See Section 3.9.1.

   PostalAddress
      Zero or more.  The postal address of the contact.  See
      Section 3.9.2.

   Email
      Zero or more.  The email address of the contact.  See
      Section 3.9.3.

   Telephone
      Zero or more.  The telephone number of the contact.  See
      Section 3.9.4.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact
      resides.

   Contact
      Zero or more.  A recursive definition of the Contact class.  This
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.
Top   ToC   RFC7970 - Page 32
   The attributes of the Contact class are:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  These
      values are maintained in the "Contact-role" IANA registry per
      Section 10.2.

      1.   creator.  The entity that generates the document.

      2.   reporter.  The entity that reported the information.

      3.   admin.  An administrative contact or business owner for an
           asset or organization.

      4.   tech.  An entity responsible for the day-to-day management of
           technical issues for an asset or organization.

      5.   provider.  An external hosting provider for an asset.

      6.   user.  An end-user of an asset or part of an organization.

      7.   billing.  An entity responsible for billing issues for an
           asset or organization.

      8.   legal.  An entity responsible for legal issues related to an
           asset or organization.

      9.   irt.  An entity responsible for handling security issues for
           an asset or organization.

      10.  abuse.  An entity responsible for handling abuse originating
           from an asset or organization.

      11.  cc.  An entity that is to be kept informed about the events
           related to an asset or organization.

      12.  cc-irt.  A CSIRT or information-sharing organization
           coordinating activity related to an asset or organization.

      13.  leo.  A law enforcement organization supporting the
           investigation of activity affecting an asset or organization.

      14.  vendor.  The vendor that produces an asset.

      15.  vendor-support.  A vendor that provides services.

      16.  victim.  A victim in the incident.
Top   ToC   RFC7970 - Page 33
      17.  victim-notified.  A victim in the incident who has been
           notified.

      18.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list.  These values are
      maintained in the "Contact-type" IANA registry per Section 10.2.

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
Top   ToC   RFC7970 - Page 34

3.9.1. RegistryHandle Class

The RegistryHandle class represents a handle into an Internet registry or community-specific database. +---------------------+ | RegistryHandle | +---------------------+ | STRING | | | | ENUM registry | | STRING ext-registry | +---------------------+ Figure 13: The RegistryHandle Class The content of the class is a handle into a registry of type STRING. The attributes of the RegistryHandle class are: registry Required. ENUM. The database to which the handle belongs. These values are maintained in the "RegistryHandle-registry" IANA registry per Section 10.2. The possible values are: 1. internic. Internet Network Information Center 2. apnic. Asia Pacific Network Information Center 3. arin. American Registry for Internet Numbers 4. lacnic. Latin American and Caribbean Internet Addresses Registry 5. ripe. Reseaux IP Europeens 6. afrinic. African Network Information Center 7. local. A database local to the CSIRT 8. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1. ext-registry Optional. STRING. A means by which to extend the registry attribute. See Section 5.1.1.
Top   ToC   RFC7970 - Page 35

3.9.2. PostalAddress Class

The PostalAddress class specifies a postal address and associated annotation. +--------------------+ | PostalAddress | +--------------------+ | ENUM type |<>----------[ PAddress ] | STRING ext-type |<>--{0..*}--[ Description ] +--------------------+ Figure 14: The PostalAddress Class The aggregate classes of the PostalAddress class are: PAddress One. POSTAL. A postal address. Description Zero or more. ML_STRING. A free-form text description of the address. The attributes of the PostalAddress class are: type Optional. ENUM. Categorizes the type of address described in the PAddress class. These values are maintained in the "PostalAddress-type" IANA registry per Section 10.2. 1. street. An address describing a physical location. 2. mailing. An address to which correspondence should be sent. 3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1. ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
Top   ToC   RFC7970 - Page 36

3.9.3. Email Class

The Email class specifies an email address and associated annotation. +--------------------+ | Email | +--------------------+ | ENUM type |<>----------[ EmailTo ] | STRING ext-type |<>--{0..*}--[ Description ] +--------------------+ Figure 15: The Email Class The aggregate classes of the Email class are: EmailTo One. EMAIL. An email address. Description Zero or more. ML_STRING. A free-form text description of the email address. The attributes of the Email class are: type Optional. ENUM. Categorizes the type of email address described in the EmailTo class. These values are maintained in the "Email- type" IANA registry per Section 10.2. 1. direct. An email address of an individual. 2. hotline. An email address regularly monitored for operational purposes. 3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1. ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
Top   ToC   RFC7970 - Page 37

3.9.4. Telephone Class

The Telephone class describes a telephone number and associated annotation. +--------------------+ | Telephone | +--------------------+ | ENUM type |<>----------[ TelephoneNumber ] | STRING ext-type |<>--{0..*}--[ Description ] +--------------------+ Figure 16: The Telephone Class The aggregate classes of the Telephone class are: TelephoneNumber One. PHONE. A telephone number. Description Zero or more. ML_STRING. A free-form text description of the phone number. The attributes of the Telephone class are: type Optional. ENUM. Categorizes the type of telephone number described in the TelephoneNumber class. These values are maintained in the "Telephone-type" IANA registry per Section 10.2. 1. wired. A number of a wire-line (land-line) phone. 2. mobile. A number of a mobile phone. 3. fax. A number to a fax machine. 4. hotline. A number to a regularly monitored operational hotline. 5. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1. ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
Top   ToC   RFC7970 - Page 38

3.10. Discovery Class

The Discovery class describes how an incident was detected. +------------------------+ | Discovery | +------------------------+ | ENUM source |<>--{0..*}--[ Description ] | STRING ext-source |<>--{0..*}--[ Contact ] | ENUM restriction |<>--{0..*}--[ DetectionPattern ] | STRING ext-restriction | +------------------------+ Figure 17: The Discovery Class The aggregate classes of the Discovery class are: Description Zero or more. ML_STRING. A free-form text description of how this incident was detected. Contact Zero or more. Contact information for the party that discovered the incident. See Section 3.9. DetectionPattern Zero or more. Describes an application-specific configuration that detected the incident. See Section 3.10.1. The attributes of the Discovery class are: source Optional. ENUM. Categorizes the techniques used to discover the incident. These values are partially derived from Table 3-1 of [NIST800.61rev2]. These values are maintained in the "Discovery- source" IANA registry per Section 10.2. 1. nidps. Network Intrusion Detection or Prevention System. 2. hips. Host-based Intrusion Prevention System. 3. siem. Security Information and Event Management System. 4. av. Antivirus or antispam software. 5. third-party-monitoring. Contracted third-party monitoring service.
Top   ToC   RFC7970 - Page 39
      6.   incident.  The activity was discovered while investigating an
           unrelated incident.

      7.   os-log.  Operating system logs.

      8.   application-log.  Application logs.

      9.   device-log.  Network device logs.

      10.  network-flow.  Network flow analysis.

      11.  passive-dns.  Passive DNS analysis.

      12.  investigation.  Manual investigation initiated based on
           notification of a new vulnerability or exploit.

      13.  audit.  Security audit.

      14.  internal-notification.  A party within the organization
           reported the activity.

      15.  external-notification.  A party outside of the organization
           reported the activity.

      16.  leo.  A law enforcement organization notified the victim
           organization.

      17.  partner.  A customer or business partner reported the
           activity to the victim organization.

      18.  actor.  The threat actor directly or indirectly reported this
           activity to the victim organization.

      19.  unknown.  Unknown detection approach.

      20.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-source
      Optional.  STRING.  A means by which to extend the source
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.
Top   ToC   RFC7970 - Page 40
   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.10.1. DetectionPattern Class

The DetectionPattern class describes a configuration or signature that can be used by an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), SIEM, antivirus, endpoint protection, network analysis, malware analysis, or host forensics tool to identify a particular phenomenon. This class requires the identification of the target application and allows the configuration to be described in either free form or machine-readable form. +------------------------+ | DetectionPattern | +------------------------+ | ENUM restriction |<>----------[ Application ] | STRING ext-restriction |<>--{0..*}--[ Description ] | ID observable-id |<>--{0..*}--[ DetectionConfiguration ] +------------------------+ Figure 18: The DetectionPattern Class The aggregate classes of the DetectionPattern class are: Application One. SOFTWARE. The application for which the DetectionConfiguration or Description is being provided. Description Zero or more. ML_STRING. A free-form text description of how to use the information provided in the Application or DetectionConfiguration classes. DetectionConfiguration Zero or more. STRING. A machine-consumable configuration to find a pattern of activity. An instance of either the Description or DetectionConfiguration class MUST be present. The attributes of the DetectionPattern class are: restriction Optional. ENUM. See Section 3.3.1.
Top   ToC   RFC7970 - Page 41
   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.11. Method Class

The Method class describes the tactics, techniques, procedures, or weakness used by the threat actor in an incident. This class consists of both a list of references describing the attack methods and weaknesses and a free-form text description. +------------------------+ | Method | +------------------------+ | ENUM restriction |<>--{0..*}--[ Reference ] | STRING ext-restriction |<>--{0..*}--[ Description ] | |<>--{0..*}--[ sci:AttackPattern ] | |<>--{0..*}--[ sci:Vulnerability ] | |<>--{0..*}--[ sci:Weakness ] | |<>--{0..*}--[ AdditionalData ] +------------------------+ Figure 19: The Method Class The aggregate classes of the Method class are: Reference Zero or more. A reference to a vulnerability, malware sample, advisory, or analysis of an attack technique. See Section 3.11.1. Description Zero or more. ML_STRING. A free-form text description of techniques, tactics, or procedures used by the threat actor. sci:AttackPattern Zero or more. A reference to a pattern of attack or exploitation per [RFC7203]. sci:Vulnerability Zero or more. A reference to a vulnerability per [RFC7203]. sci:Weakness Zero or more. A reference to the exploited weakness per [RFC7203].
Top   ToC   RFC7970 - Page 42
   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   An instance of one of these children MUST be present.

   The attributes of the Method class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.11.1. Reference Class

The Reference class is an external reference to relevant information such as a vulnerability, IDS alert, malware sample, advisory, or attack technique. +-------------------------+ | Reference | +-------------------------+ | ID observable-id |<>--{0..1}--[ enum:ReferenceName ] | |<>--{0..*}--[ URL ] | |<>--{0..*}--[ Description ] +-------------------------+ Figure 20: The Reference Class The aggregate classes of the Reference class are: enum:ReferenceName Zero or one. Reference identifier per [RFC7495]. URL Zero or more. URL. A URL to a reference. Description Zero or more. ML_STRING. A free-form text description of this reference. At least one of these classes MUST be present.
Top   ToC   RFC7970 - Page 43
   The attribute of the Reference class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.



(page 43 continued on part 3)

Next Section