3. The IODEF Information Model
The specifics of the IODEF information model are discussed in this section. Each class and its relationships with the other classes are described. When necessary, clarifications are made about translating this information model to the schema in Section 8.

3.1. IODEF-Document Class
The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class.

   +--------------------------+
   | IODEF-Document           |
   +--------------------------+
   | STRING version           |<>--{1..*}--[ Incident ]
   | ENUM xml:lang            |<>--{0..*}--[ AdditionalData ]
   | STRING format-id         |
   | STRING private-enum-name |
   | STRING private-enum-id   |
   +--------------------------+

               Figure 5: The IODEF-Document Class

The aggregate classes of the IODEF-Document class are:

Incident
   One or more. The information related to a single incident. See Section 3.2.

AdditionalData
   Zero or more. EXTENSION. Mechanism by which to extend the data model.
The attributes of the IODEF-Document class are:

version
   Required. STRING. The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be "2.00".

xml:lang
   Optional. ENUM. A language identifier per Section 2.12 of [W3C.XML] whose values and form are described in [RFC5646]. The interpretation of this code is described in Section 6.

format-id
   Optional. STRING. A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out of band.

private-enum-name
   Optional. STRING. A globally unique identifier for the CSIRT generating the document to deconflict private extensions used in the document. The fully qualified domain name (FQDN) associated with the CSIRT MUST be used as the identifier. See Section 5.3.

private-enum-id
   Optional. STRING. An organizationally unique identifier for an extension used in the document. If this attribute is set, the private-enum-name MUST also be set. See Section 5.3.
3.2. Incident Class
The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM status             |<>--{0..*}--[ RelatedActivity ]
   | STRING ext-status       |<>--{0..1}--[ DetectTime ]
   | ENUM xml:lang           |<>--{0..1}--[ StartTime ]
   | ENUM restriction        |<>--{0..1}--[ EndTime ]
   | STRING ext-restriction  |<>--{0..1}--[ RecoveryTime ]
   | ID observable-id        |<>--{0..1}--[ ReportTime ]
   |                         |<>----------[ GenerationTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..1}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                  Figure 6: The Incident Class

The aggregate classes of the Incident class are:

IncidentID
   One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document. See Section 3.4.

AlternativeID
   Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document. See Section 3.5.

RelatedActivity
   Zero or more. Related activity and attribution of this activity. See Section 3.6.

DetectTime
   Zero or one. DATETIME. The time the incident was first detected.
StartTime
   Zero or one. DATETIME. The time the incident started.

EndTime
   Zero or one. DATETIME. The time the incident ended.

RecoveryTime
   Zero or one. DATETIME. The time the site recovered from the incident.

ReportTime
   Zero or one. DATETIME. The time the incident was reported.

GenerationTime
   One. DATETIME. The time the content in this Incident class was generated.

Description
   Zero or more. ML_STRING. A free-form text description of the incident.

Discovery
   Zero or more. The means by which this incident was detected. See Section 3.10.

Assessment
   Zero or more. A characterization of the impact of the incident. See Section 3.12.

Method
   Zero or more. The techniques used by the threat actor in the incident. See Section 3.11.

Contact
   One or more. Contact information for the parties involved in the incident. See Section 3.9.

EventData
   Zero or more. Description of the events comprising the incident. See Section 3.14.

IndicatorData
   Zero or one. Indicators from the analysis of an incident. See Section 3.28.

History
   Zero or one. A log of significant events or actions that occurred during the course of handling the incident. See Section 3.13.
AdditionalData
   Zero or more. EXTENSION. Mechanism by which to extend the data model.

The attributes of the Incident class are:

purpose
   Required. ENUM. The purpose attribute describes the rationale for documenting the information in this class. It is closely related to the Expectation class (Section 3.15). These values are maintained in the "Incident-purpose" IANA registry per Section 10.2. This attribute is defined as an enumerated list:

   1. traceback. The incident was sent for trace-back purposes.
   2. mitigation. The incident was sent to request aid in mitigating the described activity.
   3. reporting. The incident was sent to comply with reporting requirements.
   4. watch. The incident was sent to convey indicators that should be monitored.
   5. other. The incident was sent for purposes specified in the Expectation class.
   6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-purpose
   Optional. STRING. A means by which to extend the purpose attribute. See Section 5.1.1.

status
   Optional. ENUM. The status attribute conveys the state in a workflow where the incident is currently found. These values are maintained in the "Incident-status" IANA registry per Section 10.2. This attribute is defined as an enumerated list:

   1. new. The incident is newly reported, and no action has been taken.
   2. in-progress. The incident is under investigation.
   3. forwarded. The incident has been forwarded to another party for handling.
   4. resolved. The investigation into the activity in this incident has concluded.
   5. future. The described activity has not yet been detected.
   6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-status
   Optional. STRING. A means by which to extend the status attribute. See Section 5.1.1.

xml:lang
   Optional. ENUM. A language identifier per Section 2.12 of [W3C.XML] whose values and form are described in [RFC5646]. The interpretation of this code is described in Section 6.

restriction
   Optional. ENUM. See Section 3.3.1. The default value is "private".

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.3. Common Attributes
There are a number of recurring attributes used in the information model. They are documented in this section.

3.3.1. restriction Attribute
The restriction attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no technical means to ensure that the recipient of the document handles the information as the sender requested. The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class also apply to its children.
It is possible to set a granular disclosure policy, since all of the high-level classes (i.e., children of the Incident class) have a restriction attribute. Therefore, a child can override the guidelines of a parent class, be it to restrict or relax the disclosure rules (e.g., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value.

This attribute is defined as an enumerated value with a default value of "private". Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute is used, no default is specified. These values are maintained in the "Restriction" IANA registry per Section 10.2.

   1. public. The information can be freely distributed without restriction.
   2. partner. The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published.
   3. need-to-know. The information may be shared only within the organization with individuals that have a need to know.
   4. private. The information may not be shared.
   5. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.
   6. white. Same as 'public'.
   7. green. Same as 'partner'.
   8. amber. Same as 'need-to-know'.
   9. red. Same as 'private'.
   10. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
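The inheritance rule above matters most at the moment a document is forwarded, because a recipient has to work out what each element's effective restriction is before deciding what to pass on. The following Python is an added example written for this edit, not code from the RFC or from any IODEF implementation. It resolves the effective restriction of every element (own attribute, else closest ancestor, with "private" as the Incident default and the TLP colours folded into their textual equivalents) and then produces a copy of the document redacted for a given audience. It assumes the IODEF v2 namespace URI `urn:ietf:params:xml:ns:iodef-2.0` registered by RFC 7970 and works on a constructed sample document; the strictness ranking public < partner < need-to-know < private and the decision to treat "default" and "ext-value" as never shareable are this example's own choices, not something the text prescribes.

```python
import copy
import xml.etree.ElementTree as ET

# IODEF v2 namespace URI as registered by RFC 7970 (assumption: not quoted on this page).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Registered values; the four TLP colours are aliases of the four textual values.
ALIASES = {"white": "public", "green": "partner", "amber": "need-to-know", "red": "private"}
KNOWN = {"public", "partner", "need-to-know", "private", "default", "ext-value"}
# Strictness ranking used when deciding what may be forwarded. "default" and
# "ext-value" have no intrinsic meaning, so they are deliberately left unranked.
ORDER = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}

# Constructed sample document (not from the RFC); names and times are placeholders.
SAMPLE_XML = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="green">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <GenerationTime>2024-01-15T10:30:00+00:00</GenerationTime>
    <Contact role="creator" type="organization">
      <ContactName>csirt.example.com</ContactName>
    </Contact>
    <Contact role="victim" type="organization" restriction="red">
      <ContactName>Victim organisation (constructed)</ContactName>
      <Contact role="tech" type="person" restriction="amber">
        <ContactName>On-call engineer (constructed)</ContactName>
      </Contact>
    </Contact>
    <Description restriction="amber">Analyst notes (constructed)</Description>
  </Incident>
</IODEF-Document>"""


def local(tag):
    """Strip the namespace part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def normalize(value):
    """Canonical form of a restriction value (TLP colour -> word); rejects unknown values."""
    value = ALIASES.get(value, value)
    if value not in KNOWN:
        raise ValueError(f"unknown restriction value {value!r}")
    return value


def effective_of(elem, inherited):
    """Effective restriction of one element: its own attribute if present,
    else "private" for an Incident (the only class with a default), else
    whatever the closest ancestor resolved to (None above Incident)."""
    own = elem.get("restriction")
    if own is not None:
        return normalize(own)
    if local(elem.tag) == "Incident":
        return "private"
    return inherited


def effective_restrictions(root):
    """Return {path: effective restriction} for root and every descendant."""
    result = {}

    def walk(elem, inherited, path):
        eff = effective_of(elem, inherited)
        result[path] = eff
        for i, child in enumerate(elem):
            walk(child, eff, f"{path}/{local(child.tag)}[{i}]")

    walk(root, None, local(root.tag))
    return result


def redact_for(root, audience):
    """Deep-copy root and drop every subtree whose effective restriction is
    stricter than `audience`. A dropped parent takes its children with it
    even when a child relaxed the policy: the child cannot be shipped
    without the element it lives in. Unranked values are never shared."""
    limit = ORDER[audience]
    out = copy.deepcopy(root)

    def prune(elem, inherited):
        for child in list(elem):
            eff = effective_of(child, inherited)
            if eff is not None and ORDER.get(eff, 99) > limit:
                elem.remove(child)
            else:
                prune(child, eff)

    prune(out, effective_of(out, None))
    return out


def parse_sample():
    return ET.fromstring(SAMPLE_XML)


if __name__ == "__main__":
    root = parse_sample()
    for path, eff in effective_restrictions(root).items():
        print(f"{str(eff):13} {path}")
    print(ET.tostring(redact_for(root, "partner"), encoding="unicode"))
```

Redaction can remove children that the model requires (an Incident still needs at least one Contact, a Contact still needs at least one aggregate child), so a redacted copy should be re-validated before it is sent. And, as the text says, the attribute is a guideline only: the sender gets no technical assurance from it, which is exactly why a recipient-side resolver like this one is the control that matters.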
3.3.2. observable-id Attribute
The observable-id attribute tags information in the document as an observable so that it can be referenced later in the description of an indicator. The value of this attribute is a unique identifier in the scope of the document. It is used by the ObservableReference class to enumerate observables when defining an indicator with the IndicatorData class.

3.4. IncidentID Class
The IncidentID class represents a tracking number that is unique in the context of the CSIRT. It serves as an identifier for an incident or a document identifier when sharing indicators. This identifier would serve as an index into a CSIRT's incident handling or knowledge management system.

The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.

   +------------------------+
   | IncidentID             |
   +------------------------+
   | STRING                 |
   |                        |
   | STRING name            |
   | STRING instance        |
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                 Figure 7: The IncidentID Class

The content of the class is an incident identifier of type STRING.

The attributes of the IncidentID class are:

name
   Required. STRING. An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.
instance
   Optional. STRING. An identifier referencing a subset of the named incident.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.5. AlternativeID Class
The AlternativeID class lists the tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described in the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by another CSIRT. The tracking numbers of the CSIRT that generated the IODEF document must never be considered an AlternativeID.

   +------------------------+
   | AlternativeID          |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ IncidentID ]
   | STRING ext-restriction |
   +------------------------+

               Figure 8: The AlternativeID Class

The aggregate class of the AlternativeID class is:

IncidentID
   One or more. The tracking number of another CSIRT. See Section 3.4.

The attributes of the AlternativeID class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
3.6. RelatedActivity Class
The RelatedActivity class relates the information described in the rest of the document to previously observed incidents or activity and allows attribution to a specific actor or campaign.

   +------------------------+
   | RelatedActivity        |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ IncidentID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ ThreatActor ]
   |                        |<>--{0..*}--[ Campaign ]
   |                        |<>--{0..*}--[ IndicatorID ]
   |                        |<>--{0..1}--[ Confidence ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

              Figure 9: The RelatedActivity Class

The aggregate classes of the RelatedActivity class are:

IncidentID
   Zero or more. The tracking number of a related incident. See Section 3.4.

URL
   Zero or more. URL. A URL to activity related to this incident.

ThreatActor
   Zero or more. The threat actor to whom the incident activity is attributed. See Section 3.7.

Campaign
   Zero or more. The campaign of a given threat actor to whom the described activity is attributed. See Section 3.8.

IndicatorID
   Zero or more. A reference to a related indicator. See Section 3.4.

Confidence
   Zero or one. An estimate of the confidence in attributing this RelatedActivity to the events described in the document. See Section 3.12.5.
Description
   Zero or more. ML_STRING. A description of how these relationships were derived.

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

The RelatedActivity class MUST have at least one instance of any of the following child classes: IncidentID, URL, ThreatActor, Campaign, Description, or AdditionalData.

The attributes of the RelatedActivity class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.7. ThreatActor Class
The ThreatActor class describes a threat actor.

   +------------------------+
   | ThreatActor            |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ ThreatActorID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                Figure 10: The ThreatActor Class

The aggregate classes of the ThreatActor class are:

ThreatActorID
   Zero or more. STRING. An identifier for the threat actor.

URL
   Zero or more. URL. A URL to a reference describing the threat actor.

Description
   Zero or more. ML_STRING. A description of the threat actor.
AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

The ThreatActor class MUST have at least one instance of a child class.

The attributes of the ThreatActor class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.8. Campaign Class
The Campaign class describes a campaign of attacks by a threat actor.

   +------------------------+
   | Campaign               |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ CampaignID ]
   | STRING ext-restriction |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                 Figure 11: The Campaign Class

The aggregate classes of the Campaign class are:

CampaignID
   Zero or more. STRING. An identifier for the campaign.

URL
   Zero or more. URL. A URL to a reference describing the campaign.

Description
   Zero or more. ML_STRING. A description of the campaign.

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

The Campaign class MUST have at least one instance of a child class.
The attributes of the Campaign class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.9. Contact Class
The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident.

People and organizations are treated interchangeably as contacts; one can be associated with the other using the recursive definition of the class (the Contact class is aggregated into the Contact class). The type attribute disambiguates the type of contact information being provided.

The recursive definition of Contact provides a way to relate information without requiring the explicit use of identifiers or duplication of data. A complete point of contact is derived by a particular traversal from the root Contact class to the leaf Contact class. Each child Contact class logically inherits contact information from its ancestors.

   +------------------------+
   | Contact                |
   +------------------------+
   | ENUM role              |<>--{0..*}--[ ContactName ]
   | STRING ext-role        |<>--{0..*}--[ ContactTitle ]
   | ENUM type              |<>--{0..*}--[ Description ]
   | STRING ext-type        |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction       |<>--{0..*}--[ PostalAddress ]
   | STRING ext-restriction |<>--{0..*}--[ Email ]
   |                        |<>--{0..*}--[ Telephone ]
   |                        |<>--{0..1}--[ Timezone ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                  Figure 12: The Contact Class
The aggregate classes of the Contact class are:

ContactName
   Zero or more. ML_STRING. The name of the contact. The contact may either be an organization or a person. The type attribute disambiguates the semantics.

ContactTitle
   Zero or more. ML_STRING. The title for the individual named in the ContactName.

Description
   Zero or more. ML_STRING. A free-form text description of the contact.

RegistryHandle
   Zero or more. A handle name into the registry of the contact. See Section 3.9.1.

PostalAddress
   Zero or more. The postal address of the contact. See Section 3.9.2.

Email
   Zero or more. The email address of the contact. See Section 3.9.3.

Telephone
   Zero or more. The telephone number of the contact. See Section 3.9.4.

Timezone
   Zero or one. TIMEZONE. The timezone in which the contact resides.

Contact
   Zero or more. A recursive definition of the Contact class. This definition can be used to group common data pertaining to multiple points of contact and is especially useful when listing multiple contacts at the same organization.

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

At least one of the aggregate classes MUST be present in an instance of the Contact class.
The attributes of the Contact class are:

role
   Required. ENUM. Indicates the role the contact fulfills. These values are maintained in the "Contact-role" IANA registry per Section 10.2.

   1. creator. The entity that generates the document.
   2. reporter. The entity that reported the information.
   3. admin. An administrative contact or business owner for an asset or organization.
   4. tech. An entity responsible for the day-to-day management of technical issues for an asset or organization.
   5. provider. An external hosting provider for an asset.
   6. user. An end-user of an asset or part of an organization.
   7. billing. An entity responsible for billing issues for an asset or organization.
   8. legal. An entity responsible for legal issues related to an asset or organization.
   9. irt. An entity responsible for handling security issues for an asset or organization.
   10. abuse. An entity responsible for handling abuse originating from an asset or organization.
   11. cc. An entity that is to be kept informed about the events related to an asset or organization.
   12. cc-irt. A CSIRT or information-sharing organization coordinating activity related to an asset or organization.
   13. leo. A law enforcement organization supporting the investigation of activity affecting an asset or organization.
   14. vendor. The vendor that produces an asset.
   15. vendor-support. A vendor that provides services.
   16. victim. A victim in the incident.
   17. victim-notified. A victim in the incident who has been notified.
   18. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-role
   Optional. STRING. A means by which to extend the role attribute. See Section 5.1.1.

type
   Required. ENUM. Indicates the type of contact being described. This attribute is defined as an enumerated list. These values are maintained in the "Contact-type" IANA registry per Section 10.2.

   1. person. The information for this contact references an individual.
   2. organization. The information for this contact references an organization.
   3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
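The recursive Contact definition puts the burden on the consumer: a complete point of contact only exists after the traversal from the root Contact to a leaf, merging what each ancestor declares. As an added example (written for this edit, not code from the RFC or any IODEF implementation), the Python below flattens a Contact tree into one record per leaf. It assumes the IODEF v2 namespace URI `urn:ietf:params:xml:ns:iodef-2.0` from RFC 7970; the sample tree and every name, handle, address and number in it are constructed. The merge rules are this example's reading of "logically inherits": list-valued fields (Email, Telephone, RegistryHandle) accumulate ancestors-first, the nearest ancestor of type organization becomes the leaf's `organization`, and the nearest Timezone on the path wins.

```python
import xml.etree.ElementTree as ET

# IODEF v2 namespace URI as registered by RFC 7970 (assumption: not quoted on this page).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Constructed sample: an IRT organization with two people under it.
# Every name, handle, address and number here is made up for the example.
SAMPLE_XML = """<Contact xmlns="urn:ietf:params:xml:ns:iodef-2.0" role="irt" type="organization">
  <ContactName>Example Corp CSIRT</ContactName>
  <RegistryHandle registry="arin">EXAMPLE-ARIN</RegistryHandle>
  <Email type="hotline"><EmailTo>irt@csirt.example.com</EmailTo></Email>
  <Telephone type="hotline"><TelephoneNumber>+1-555-0100</TelephoneNumber></Telephone>
  <Timezone>+00:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alex Analyst</ContactName>
    <Email type="direct"><EmailTo>alex@csirt.example.com</EmailTo></Email>
    <Telephone type="mobile"><TelephoneNumber>+1-555-0101</TelephoneNumber></Telephone>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>Sam Manager</ContactName>
    <Email type="direct"><EmailTo>sam@csirt.example.com</EmailTo></Email>
    <Timezone>-05:00</Timezone>
  </Contact>
</Contact>"""


def q(name):
    """Qualify a local element name with the IODEF namespace."""
    return f"{{{IODEF_NS}}}{name}"


def text_of(elem):
    """Stripped text content of an element, or None when absent."""
    return elem.text.strip() if elem is not None and elem.text else None


def own_fields(c):
    """Contact information declared directly on one Contact element."""
    return {
        "role": c.get("role"),
        "type": c.get("type"),
        "name": text_of(c.find(q("ContactName"))),
        "emails": [(e.get("type"), text_of(e.find(q("EmailTo"))))
                   for e in c.findall(q("Email"))],
        "phones": [(t.get("type"), text_of(t.find(q("TelephoneNumber"))))
                   for t in c.findall(q("Telephone"))],
        "handles": [(h.get("registry"), text_of(h))
                    for h in c.findall(q("RegistryHandle"))],
        "timezone": text_of(c.find(q("Timezone"))),
    }


def points_of_contact(contact):
    """Flatten a recursive Contact into one record per leaf Contact.
    Each record carries the leaf's own role, type and name plus what it
    inherits along the path from the root Contact (see the lead-in for
    the merge rules). A Contact with no nested Contact is its own leaf."""
    records = []

    def walk(c, inherited):
        own = own_fields(c)
        merged = {
            "role": own["role"],
            "type": own["type"],
            "name": own["name"],
            "organization": (own["name"] if own["type"] == "organization"
                             else inherited.get("organization")),
            "emails": inherited["emails"] + own["emails"],
            "phones": inherited["phones"] + own["phones"],
            "handles": inherited["handles"] + own["handles"],
            "timezone": own["timezone"] or inherited.get("timezone"),
        }
        children = c.findall(q("Contact"))
        if not children:
            records.append(merged)
        for child in children:
            walk(child, merged)

    walk(contact, {"emails": [], "phones": [], "handles": []})
    return records


def parse_sample():
    return ET.fromstring(SAMPLE_XML)


if __name__ == "__main__":
    for rec in points_of_contact(parse_sample()):
        print(rec)
```

The flattening is also where a restriction attribute on an inner Contact should be honoured: if the organization-level Contact is shareable but a nested person Contact is marked private, the flattened record for that person carries inherited organization data plus private personal data, and must be treated at the stricter level.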
3.9.1. RegistryHandle Class
The RegistryHandle class represents a handle into an Internet registry or community-specific database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

            Figure 13: The RegistryHandle Class

The content of the class is a handle into a registry of type STRING.

The attributes of the RegistryHandle class are:

registry
   Required. ENUM. The database to which the handle belongs. These values are maintained in the "RegistryHandle-registry" IANA registry per Section 10.2. The possible values are:

   1. internic. Internet Network Information Center
   2. apnic. Asia Pacific Network Information Center
   3. arin. American Registry for Internet Numbers
   4. lacnic. Latin American and Caribbean Internet Addresses Registry
   5. ripe. Reseaux IP Europeens
   6. afrinic. African Network Information Center
   7. local. A database local to the CSIRT
   8. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-registry
   Optional. STRING. A means by which to extend the registry attribute. See Section 5.1.1.
3.9.2. PostalAddress Class
The PostalAddress class specifies a postal address and associated annotation.

   +--------------------+
   | PostalAddress      |
   +--------------------+
   | ENUM type          |<>----------[ PAddress ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

             Figure 14: The PostalAddress Class

The aggregate classes of the PostalAddress class are:

PAddress
   One. POSTAL. A postal address.

Description
   Zero or more. ML_STRING. A free-form text description of the address.

The attributes of the PostalAddress class are:

type
   Optional. ENUM. Categorizes the type of address described in the PAddress class. These values are maintained in the "PostalAddress-type" IANA registry per Section 10.2.

   1. street. An address describing a physical location.
   2. mailing. An address to which correspondence should be sent.
   3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
3.9.3. Email Class
The Email class specifies an email address and associated annotation.

   +--------------------+
   | Email              |
   +--------------------+
   | ENUM type          |<>----------[ EmailTo ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

                 Figure 15: The Email Class

The aggregate classes of the Email class are:

EmailTo
   One. EMAIL. An email address.

Description
   Zero or more. ML_STRING. A free-form text description of the email address.

The attributes of the Email class are:

type
   Optional. ENUM. Categorizes the type of email address described in the EmailTo class. These values are maintained in the "Email-type" IANA registry per Section 10.2.

   1. direct. An email address of an individual.
   2. hotline. An email address regularly monitored for operational purposes.
   3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
3.9.4. Telephone Class
The Telephone class describes a telephone number and associated annotation.

   +--------------------+
   | Telephone          |
   +--------------------+
   | ENUM type          |<>----------[ TelephoneNumber ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

               Figure 16: The Telephone Class

The aggregate classes of the Telephone class are:

TelephoneNumber
   One. PHONE. A telephone number.

Description
   Zero or more. ML_STRING. A free-form text description of the phone number.

The attributes of the Telephone class are:

type
   Optional. ENUM. Categorizes the type of telephone number described in the TelephoneNumber class. These values are maintained in the "Telephone-type" IANA registry per Section 10.2.

   1. wired. A number of a wire-line (land-line) phone.
   2. mobile. A number of a mobile phone.
   3. fax. A number to a fax machine.
   4. hotline. A number to a regularly monitored operational hotline.
   5. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
3.10. Discovery Class
The Discovery class describes how an incident was detected.

   +------------------------+
   | Discovery              |
   +------------------------+
   | ENUM source            |<>--{0..*}--[ Description ]
   | STRING ext-source      |<>--{0..*}--[ Contact ]
   | ENUM restriction       |<>--{0..*}--[ DetectionPattern ]
   | STRING ext-restriction |
   +------------------------+

                Figure 17: The Discovery Class

The aggregate classes of the Discovery class are:

Description
   Zero or more. ML_STRING. A free-form text description of how this incident was detected.

Contact
   Zero or more. Contact information for the party that discovered the incident. See Section 3.9.

DetectionPattern
   Zero or more. Describes an application-specific configuration that detected the incident. See Section 3.10.1.

The attributes of the Discovery class are:

source
   Optional. ENUM. Categorizes the techniques used to discover the incident. These values are partially derived from Table 3-1 of [NIST800.61rev2]. These values are maintained in the "Discovery-source" IANA registry per Section 10.2.

   1. nidps. Network Intrusion Detection or Prevention System.
   2. hips. Host-based Intrusion Prevention System.
   3. siem. Security Information and Event Management System.
   4. av. Antivirus or antispam software.
   5. third-party-monitoring. Contracted third-party monitoring service.
   6. incident. The activity was discovered while investigating an unrelated incident.
   7. os-log. Operating system logs.
   8. application-log. Application logs.
   9. device-log. Network device logs.
   10. network-flow. Network flow analysis.
   11. passive-dns. Passive DNS analysis.
   12. investigation. Manual investigation initiated based on notification of a new vulnerability or exploit.
   13. audit. Security audit.
   14. internal-notification. A party within the organization reported the activity.
   15. external-notification. A party outside of the organization reported the activity.
   16. leo. A law enforcement organization notified the victim organization.
   17. partner. A customer or business partner reported the activity to the victim organization.
   18. actor. The threat actor directly or indirectly reported this activity to the victim organization.
   19. unknown. Unknown detection approach.
   20. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-source
   Optional. STRING. A means by which to extend the source attribute. See Section 5.1.1.

restriction
   Optional. ENUM. See Section 3.3.1.
ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.10.1. DetectionPattern Class
The DetectionPattern class describes a configuration or signature that can be used by an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), SIEM, antivirus, endpoint protection, network analysis, malware analysis, or host forensics tool to identify a particular phenomenon. This class requires the identification of the target application and allows the configuration to be described in either free form or machine-readable form.

   +------------------------+
   | DetectionPattern       |
   +------------------------+
   | ENUM restriction       |<>----------[ Application ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..*}--[ DetectionConfiguration ]
   +------------------------+

             Figure 18: The DetectionPattern Class

The aggregate classes of the DetectionPattern class are:

Application
   One. SOFTWARE. The application for which the DetectionConfiguration or Description is being provided.

Description
   Zero or more. ML_STRING. A free-form text description of how to use the information provided in the Application or DetectionConfiguration classes.

DetectionConfiguration
   Zero or more. STRING. A machine-consumable configuration to find a pattern of activity.

An instance of either the Description or DetectionConfiguration class MUST be present.

The attributes of the DetectionPattern class are:

restriction
   Optional. ENUM. See Section 3.3.1.
ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.11. Method Class
The Method class describes the tactics, techniques, procedures, or weakness used by the threat actor in an incident. This class consists of both a list of references describing the attack methods and weaknesses and a free-form text description.

   +------------------------+
   | Method                 |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ Reference ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ sci:AttackPattern ]
   |                        |<>--{0..*}--[ sci:Vulnerability ]
   |                        |<>--{0..*}--[ sci:Weakness ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                  Figure 19: The Method Class

The aggregate classes of the Method class are:

Reference
   Zero or more. A reference to a vulnerability, malware sample, advisory, or analysis of an attack technique. See Section 3.11.1.

Description
   Zero or more. ML_STRING. A free-form text description of techniques, tactics, or procedures used by the threat actor.

sci:AttackPattern
   Zero or more. A reference to a pattern of attack or exploitation per [RFC7203].

sci:Vulnerability
   Zero or more. A reference to a vulnerability per [RFC7203].

sci:Weakness
   Zero or more. A reference to the exploited weakness per [RFC7203].
AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

An instance of one of these children MUST be present.

The attributes of the Method class are:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.11.1. Reference Class
The Reference class is an external reference to relevant information such as a vulnerability, IDS alert, malware sample, advisory, or attack technique.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
   |                         |<>--{0..*}--[ URL ]
   |                         |<>--{0..*}--[ Description ]
   +-------------------------+

                 Figure 20: The Reference Class

The aggregate classes of the Reference class are:

enum:ReferenceName
   Zero or one. Reference identifier per [RFC7495].

URL
   Zero or more. URL. A URL to a reference.

Description
   Zero or more. ML_STRING. A free-form text description of this reference.

At least one of these classes MUST be present.
The attribute of the Reference class is:

observable-id
   Optional. ID. See Section 3.3.2.
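Several classes in this section carry rules that go beyond element presence: required attributes (IODEF-Document version, Incident purpose, IncidentID name, Contact role and type, RegistryHandle registry), required children (an Incident needs an IncidentID, a GenerationTime and at least one Contact; a DetectionPattern needs an Application), the "at least one of" rules on RelatedActivity, ThreatActor, Campaign, Contact, DetectionPattern, Method and Reference, and the pairing rules that an attribute set to "ext-value" needs its ext-* companion and that private-enum-id needs private-enum-name. As an added example (written for this edit, not code from RFC 7970 or any IODEF implementation), the Python below encodes those rules in a table and runs them over a constructed document that contains three deliberate violations. It assumes the IODEF v2 namespace URI `urn:ietf:params:xml:ns:iodef-2.0` and matches children by local name so that the sci: and enum: prefixed children of Method and Reference are counted whatever prefix a document uses; the `ext-purpose` value and the URL used to repair the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# IODEF v2 namespace URI as registered by RFC 7970 (assumption: not quoted on this page).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Co-occurrence rules taken from the class descriptions in this section.
# Keys and child names are local names, so sci:AttackPattern or
# enum:ReferenceName match regardless of the namespace prefix in use.
RULES = {
    "IODEF-Document": {"required_attrs": ["version"], "required_children": ["Incident"]},
    "Incident": {"required_attrs": ["purpose"],
                 "required_children": ["IncidentID", "GenerationTime", "Contact"]},
    "IncidentID": {"required_attrs": ["name"]},
    "AlternativeID": {"required_children": ["IncidentID"]},
    "RelatedActivity": {"any_of": ["IncidentID", "URL", "ThreatActor", "Campaign",
                                   "Description", "AdditionalData"]},
    "ThreatActor": {"any_of": ["ThreatActorID", "URL", "Description", "AdditionalData"]},
    "Campaign": {"any_of": ["CampaignID", "URL", "Description", "AdditionalData"]},
    "Contact": {"required_attrs": ["role", "type"],
                "any_of": ["ContactName", "ContactTitle", "Description", "RegistryHandle",
                           "PostalAddress", "Email", "Telephone", "Timezone", "Contact",
                           "AdditionalData"]},
    "RegistryHandle": {"required_attrs": ["registry"]},
    "PostalAddress": {"required_children": ["PAddress"]},
    "Email": {"required_children": ["EmailTo"]},
    "Telephone": {"required_children": ["TelephoneNumber"]},
    "DetectionPattern": {"required_children": ["Application"],
                         "any_of": ["Description", "DetectionConfiguration"]},
    "Method": {"any_of": ["Reference", "Description", "AttackPattern", "Vulnerability",
                          "Weakness", "AdditionalData"]},
    "Reference": {"any_of": ["ReferenceName", "URL", "Description"]},
}

# Constructed sample with three violations: purpose="ext-value" without
# ext-purpose, a DetectionPattern with neither Description nor
# DetectionConfiguration, and a Reference with no child at all.
SAMPLE_XML = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="ext-value">
    <IncidentID name="csirt.example.com">INC-0002</IncidentID>
    <GenerationTime>2024-01-15T10:30:00+00:00</GenerationTime>
    <Discovery source="siem">
      <DetectionPattern>
        <Application>SIEM rule engine (constructed)</Application>
      </DetectionPattern>
    </Discovery>
    <Method>
      <Reference observable-id="ref-1"/>
    </Method>
    <Contact role="creator" type="organization">
      <ContactName>csirt.example.com</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""


def q(name):
    return f"{{{IODEF_NS}}}{name}"


def local(tag):
    return tag.rsplit("}", 1)[-1]


def check(elem, path=None):
    """Recursively check elem and its descendants against RULES plus the two
    generic attribute-pairing rules. Returns a list of violation strings,
    parents before children, empty when the document passes."""
    name = local(elem.tag)
    path = name if path is None else f"{path}/{name}"
    problems = []
    rule = RULES.get(name, {})
    children = [local(c.tag) for c in elem]
    for attr in rule.get("required_attrs", []):
        if elem.get(attr) is None:
            problems.append(f"{path}: attribute {attr!r} is required")
    for child in rule.get("required_children", []):
        if child not in children:
            problems.append(f"{path}: child {child} is required")
    any_of = rule.get("any_of")
    if any_of and not any(c in any_of for c in children):
        problems.append(f"{path}: needs at least one of {', '.join(any_of)}")
    for attr, value in elem.attrib.items():
        if value == "ext-value" and elem.get(f"ext-{attr}") is None:
            problems.append(f'{path}: {attr}="ext-value" without ext-{attr}')
    if elem.get("private-enum-id") and not elem.get("private-enum-name"):
        problems.append(f"{path}: private-enum-id set without private-enum-name")
    for child in elem:
        problems.extend(check(child, path))
    return problems


def parse_sample():
    return ET.fromstring(SAMPLE_XML)


def fixed_sample():
    """The sample with its three violations repaired (placeholder values)."""
    root = parse_sample()
    root[0].set("ext-purpose", "threat-hunting")  # placeholder extension value
    dp = root.find(f".//{q('DetectionPattern')}")
    ET.SubElement(dp, q("DetectionConfiguration")).text = "rule-id 1234 (constructed)"
    ref = root.find(f".//{q('Reference')}")
    ET.SubElement(ref, q("URL")).text = "https://example.com/advisory"  # placeholder
    return root


if __name__ == "__main__":
    for problem in check(parse_sample()):
        print(problem)
    print("fixed sample problems:", check(fixed_sample()))
```

Schema validation alone does not give you this: a document can be well-formed against the IODEF schema and still violate these MUST rules, so a consumer that keys processing on, say, a Method having at least one child should run a check like this before trusting the document's structure.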