3.21. EmailData Class
   The EmailData class describes headers from an email message and
   cryptographic hashes and signatures applied to it.

   +-------------------------+
   |        EmailData        |
   +-------------------------+
   | ID observable-id        |<>--{0..*}--[ EmailTo ]
   |                         |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..1}--[ EmailHeaders ]
   |                         |<>--{0..1}--[ EmailBody ]
   |                         |<>--{0..1}--[ EmailMessage ]
   |                         |<>--{0..*}--[ HashData ]
   |                         |<>--{0..*}--[ SignatureData ]
   +-------------------------+

                      Figure 44: EmailData Class

   The aggregate classes of the EmailData class are:

   EmailTo
      Zero or more.  EMAIL.  The value of the "To:" header field
      (Section 3.6.3 of [RFC5322]) in an email.

   EmailFrom
      Zero or one.  EMAIL.  The value of the "From:" header field
      (Section 3.6.2 of [RFC5322]) in an email.

   EmailSubject
      Zero or one.  STRING.  The value of the "Subject:" header field in
      an email.  See Section 3.6.5 of [RFC5322].

   EmailX-Mailer
      Zero or one.  STRING.  The value of the "X-Mailer:" header field
      in an email.

   EmailHeaderField
      Zero or more.  EXTENSION.  The header name and value of an
      arbitrary header field of the email message.  The name attribute
      MUST be set to the header name.  The header value MUST be set in
      the element body.  The dtype attribute MUST be set to "string".

   EmailHeaders
      Zero or one.  STRING.  The headers of an email message.

   EmailBody
      Zero or one.  STRING.  The body of an email message.

   EmailMessage
      Zero or one.  STRING.  The headers and body of an email message.

   HashData
      Zero or more.  Hash(es) associated with this email message.  See
      Section 3.26.

   SignatureData
      Zero or more.  Signature(s) associated with this email message.
      See Section 3.27.

   The attribute of the EmailData class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22. Record Class
   The Record class is a container class for log and audit data that
   provides supportive information about the events in an incident.
   The source of this data will often be the output of monitoring
   tools.  These logs substantiate the activity described in the
   document.

   +------------------------+
   |         Record         |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ RecordData ]
   | STRING ext-restriction |
   +------------------------+

                     Figure 45: The Record Class

   The aggregate classes of the Record class are:

   RecordData
      One or more.  Log or audit data generated by a particular tool.
      Separate instances of the RecordData class SHOULD be used for
      each type of log.  See Section 3.22.1.

   The attributes of the Record class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.22.1. RecordData Class
   The RecordData class describes or references log or audit data from
   a given type of tool and provides a means to annotate the output.

   +------------------------+
   |       RecordData       |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ DateTime ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..1}--[ Application ]
   |                        |<>--{0..*}--[ RecordPattern ]
   |                        |<>--{0..*}--[ RecordItem ]
   |                        |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ FileData ]
   |                        |<>--{0..*}--
   |                        |  [ WindowsRegistryKeysModified ]
   |                        |<>--{0..*}--[ CertificateData ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                   Figure 46: The RecordData Class

   The aggregate classes of the RecordData class are:

   DateTime
      Zero or one.  DATETIME.  A timestamp of the data found in the
      RecordItem or URL classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      data provided in the RecordItem or URL classes.

   Application
      Zero or one.  SOFTWARE.  Identifies the tool used to generate the
      data in the RecordItem or URL classes.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant
      data in the RecordItem or URL classes.  See Section 3.22.2.

   RecordItem
      Zero or more.  EXTENSION.  Log, audit, or forensic data to
      support the conclusions made during the course of analyzing the
      incident.

   URL
      Zero or more.  URL.  A URL reference to a log or audit data.

   FileData
      Zero or one.  The files involved in the incident.  See
      Section 3.25.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were involved in the
      incident.  See Section 3.23.

   CertificateData
      Zero or more.  The certificates that were involved in the
      incident.  See Section 3.24.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the following classes MUST be present: RecordItem,
   URL, FileData, WindowsRegistryKeysModified, CertificateData, or
   AdditionalData.

   The attributes of the RecordData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2. RecordPattern Class
   The RecordPattern class describes where relevant information can be
   found in the log data provided or referenced in the RecordData
   class.  It provides a way to reference subsets of information,
   identified by a pattern, in a large log file, audit trail, or
   forensic data.
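   As an added worked example (not part of this specification), the
   following Python applies the attributes defined for RecordPattern in
   this section (type, offset, offsetunit, instance) to RecordItem data
   carried in a RecordData element.  The sample log lines and the
   RecordData fragment are constructed for the example; the namespace
   URI is the one registered for the IODEF v2 data model.  Assumptions
   made here: only type="regex" is handled, Python's re module stands
   in for a POSIX ERE engine (so patterns stay within the shared
   syntax), an absent offset means no seek, and an absent instance
   means the pattern is applied without limit.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


@dataclass
class RecordPattern:
    """Element content plus the RecordPattern attributes used here."""
    pattern: str
    type: str = "regex"              # default value of the type attribute
    offset: int = 0                  # assumption: no offset means no seek
    offsetunit: str = "line"         # default value of the offsetunit attribute
    instance: Optional[int] = None   # assumption: no instance means unlimited


def apply_record_pattern(record_item: str, rp: RecordPattern) -> list[str]:
    """Return the substrings of the RecordItem data selected by the pattern.

    Python's re module is used in place of a POSIX ERE engine (assumption),
    so patterns should stay within the syntax the two share.
    """
    if rp.type != "regex":
        raise NotImplementedError(f"pattern type {rp.type!r} not handled")

    # Seek 'offset' units into the data before matching.
    if rp.offsetunit == "line":
        data = "".join(record_item.splitlines(keepends=True)[rp.offset:])
    elif rp.offsetunit == "byte":
        data = record_item.encode("utf-8")[rp.offset:].decode("utf-8", "replace")
    else:
        raise NotImplementedError(f"offsetunit {rp.offsetunit!r} not handled")

    matches = [m.group(0) for m in re.finditer(rp.pattern, data)]
    # 'instance' bounds how many times the pattern is applied.
    if rp.instance is not None:
        matches = matches[: rp.instance]
    return matches


def parse_record_data(xml_text: str) -> tuple[str, list[RecordPattern]]:
    """Read a RecordData element: its RecordItem text and its RecordPatterns."""
    root = ET.fromstring(xml_text)
    item = root.find(f"{{{IODEF_NS}}}RecordItem")
    if item is None or item.text is None:
        raise ValueError("RecordData carries no RecordItem to search")
    patterns = []
    for el in root.findall(f"{{{IODEF_NS}}}RecordPattern"):
        inst = el.get("instance")
        patterns.append(RecordPattern(
            pattern=el.text or "",
            type=el.get("type", "regex"),
            offset=int(el.get("offset", "0")),
            offsetunit=el.get("offsetunit", "line"),
            instance=int(inst) if inst is not None else None,
        ))
    return item.text, patterns


def matches_for_record_data(xml_text: str) -> list[list[str]]:
    """Apply every RecordPattern of a RecordData element to its RecordItem."""
    item, patterns = parse_record_data(xml_text)
    return [apply_record_pattern(item, rp) for rp in patterns]


# Constructed sample log lines (not real data) as they would appear in RecordItem.
SAMPLE_LOG = (
    "2024-05-01T10:00:01Z sshd[1201]: Accepted publickey for alice from 192.0.2.10\n"
    "2024-05-01T10:00:07Z sshd[1202]: Failed password for root from 198.51.100.23\n"
    "2024-05-01T10:00:09Z sshd[1202]: Failed password for root from 198.51.100.23\n"
    "2024-05-01T10:00:12Z sshd[1203]: Failed password for admin from 198.51.100.23\n"
)

# Constructed RecordData fragment: the first pattern skips one line and keeps
# at most two matches; the second seeks 31 bytes in (past the first "sshd[1201]").
SAMPLE_RECORD_DATA = f"""<RecordData xmlns="{IODEF_NS}">
  <DateTime>2024-05-01T10:00:00Z</DateTime>
  <RecordPattern type="regex" offset="1" offsetunit="line" instance="2">Failed password for \\w+ from [0-9.]+</RecordPattern>
  <RecordPattern type="regex" offset="31" offsetunit="byte">sshd\\[\\d+\\]</RecordPattern>
  <RecordItem dtype="string">{SAMPLE_LOG}</RecordItem>
</RecordData>"""

if __name__ == "__main__":
    for selected in matches_for_record_data(SAMPLE_RECORD_DATA):
        print(selected)
```

   Running the block prints two lists: the two "Failed password" lines
   selected after skipping the first line, and the three process tags
   found after the byte offset.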
   +-----------------------+
   |     RecordPattern     |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                  Figure 47: The RecordPattern Class

   The content of the class is of type STRING and specifies a search
   pattern.

   The attributes of the RecordPattern class are:

   type
      Required.  ENUM.  Describes the type of pattern being specified
      in the element content.  The default is "regex".  These values
      are maintained in the "RecordPattern-type" IANA registry per
      Section 10.2.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex-encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type
      attribute.  See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the
      offsetunit attribute) to seek into the RecordItem data before
      matching the pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".  These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Section 10.2.

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.

3.23. WindowsRegistryKeysModified Class
   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on
   them.  This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

            Figure 48: The WindowsRegistryKeysModified Class

   The aggregate classes of the WindowsRegistryKeysModified class are:

   Key
      One or more.  The Windows registry key.  See Section 3.23.1.

   The attribute of the WindowsRegistryKeysModified class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.
3.23.1. Key Class
   The Key class describes a Windows operating system registry key name
   and value pair, as well as the operation performed on it.

   +---------------------------+
   |            Key            |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                      Figure 49: The Key Class

   The aggregate classes of the Key class are:

   KeyName
      One.  STRING.  The name of a Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the registry key identified
      in the KeyName class encoded per the .reg file format [KB310516].

   The attributes of the Key class are:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Section 10.2.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to a registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from a registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified in a registry key.

      7.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-registryaction
      Optional.  STRING.  A means by which to extend the registryaction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.24. CertificateData Class
   The CertificateData class describes X.509 certificates.

   +------------------------+
   |    CertificateData     |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ Certificate ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                 Figure 50: The CertificateData Class

   The aggregate classes of the CertificateData class are:

   Certificate
      One or more.  A description of an X.509 certificate or
      certificate chain.  See Section 3.24.1.

   The attributes of the CertificateData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
3.24.1. Certificate Class
   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   |       Certificate        |
   +--------------------------+
   | ID observable-id         |<>----------[ ds:X509Data ]
   |                          |<>--{0..*}--[ Description ]
   +--------------------------+

                   Figure 51: The Certificate Class

   The aggregate classes of the Certificate class are:

   ds:X509Data
      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
      [W3C.XMLSIG].

   Description
      Zero or more.  ML_STRING.  A free-form text description
      explaining the context of this certificate.

   The attributes of the Certificate class are:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25. FileData Class
   The FileData class describes a file or set of files.

   +------------------------+
   |        FileData        |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ File ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                    Figure 52: The FileData Class

   The aggregate classes of the FileData class are:

   File
      One or more.  A description of a file.  See Section 3.25.1.

   The attributes of the FileData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.1. File Class
   The File class describes a file; its associated metadata; and
   cryptographic hashes and signatures applied to it.

   +-----------------------+
   |         File          |
   +-----------------------+
   | ID observable-id      |<>--{0..1}--[ FileName ]
   |                       |<>--{0..1}--[ FileSize ]
   |                       |<>--{0..1}--[ FileType ]
   |                       |<>--{0..*}--[ URL ]
   |                       |<>--{0..1}--[ HashData ]
   |                       |<>--{0..1}--[ SignatureData ]
   |                       |<>--{0..1}--[ AssociatedSoftware ]
   |                       |<>--{0..*}--[ FileProperties ]
   +-----------------------+

                      Figure 53: The File Class

   The aggregate classes of the File class are:

   FileName
      Zero or one.  STRING.  The name of the file.

   FileSize
      Zero or one.  INTEGER.  The size of the file in bytes.

   FileType
      Zero or one.  STRING.  The type of file per the IANA "Media
      Types" registry [IANA.Media].  Valid values correspond to the
      text in the "Template" column (e.g., "application/pdf").

   URL
      Zero or more.  URL.  A URL reference to the file.

   HashData
      Zero or one.  Hash(es) associated with this file.  See
      Section 3.26.

   SignatureData
      Zero or one.  Signature(s) associated with this file.  See
      Section 3.27.

   AssociatedSoftware
      Zero or one.  SOFTWARE.  The software application or operating
      system to which this file belongs or by which it can be
      processed.

   FileProperties
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model to describe properties of the file.

   The attributes of the File class are:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26. HashData Class
   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   |         HashData         |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTargetID ]
   |                          |<>--{0..*}--[ Hash ]
   |                          |<>--{0..*}--[ FuzzyHash ]
   +--------------------------+

                    Figure 54: The HashData Class

   The aggregate classes of the HashData class are:

   HashTargetID
      Zero or one.  STRING.  An identifier that references a subset of
      the object being hashed.  The semantics of this identifier are
      specified by the scope attribute.

   Hash
      Zero or more.  The hash of an object.  See Section 3.26.1.

   FuzzyHash
      Zero or more.  The fuzzy hash of an object.  See Section 3.26.2.

   At least one instance of either Hash or FuzzyHash MUST be present.

   The attribute of the HashData class is:

   scope
      Required.  ENUM.  Describes on which part of the object the hash
      should be applied.  These values are maintained in the
      "HashData-scope" IANA registry per Section 10.2.

      1.  file-contents.  A hash computed over the entire contents of a
          file.

      2.  file-pe-section.  A hash computed on a given section of a
          Windows Portable Executable (PE) file.  If set to this value,
          the HashTargetID class MUST identify the section being
          hashed.  A section is identified by an ordinal number
          (starting at 1) corresponding to the order in which the given
          section header was defined in the Section Table of the PE
          file header.

      3.  file-pe-iat.  A hash computed on the Import Address Table
          (IAT) of a PE file.  As IAT hashes are often tool dependent,
          if this value is set, the Application class of either the
          Hash or FuzzyHash classes MUST specify the tool used to
          generate the hash.

      4.  file-pe-resource.  A hash computed on a given resource in a
          PE file.  If set to this value, the HashTargetID class MUST
          identify the resource being hashed.  A resource is identified
          by an ordinal number (starting at 1) corresponding to the
          order in which the given resource is declared in the Resource
          Directory of the Data Dictionary in the PE file header.

      5.  file-pdf-object.  A hash computed on a given object in a
          Portable Document Format (PDF) file.  If set to this value,
          the HashTargetID class MUST identify the object being hashed.
          This object is identified by its offset in the PDF file.

      6.  email-hash.  A hash computed over the headers and body of an
          email message.

      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.

      8.  email-body-hash.  A hash computed over the body of an email
          message.

      9.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-scope
      Optional.  STRING.  A means by which to extend the scope
      attribute.  See Section 5.1.1.

3.26.1. Hash Class
   The Hash class describes a cryptographic hash value; the algorithm
   and application used to generate it; and the canonicalization method
   applied to the object being hashed.

   +----------------+
   |      Hash      |
   +----------------+
   |                |<>----------[ ds:DigestMethod ]
   |                |<>----------[ ds:DigestValue ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
   |                |<>--{0..1}--[ Application ]
   +----------------+

                      Figure 55: The Hash Class

   The aggregate classes of the Hash class are:

   ds:DigestMethod
      One.  The hash algorithm used to generate the hash.  See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One.  The computed hash value.  See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one.  The canonicalization method used on the object
      being hashed.  See Section 4.3.1 of [W3C.XMLSIG].

   Application
      Zero or one.  SOFTWARE.  The application used to calculate the
      hash.

   The Hash class has no attributes.
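   As an added worked example (not part of this specification), the
   following Python ties together the EmailData class (Section 3.21),
   the email-* values of the HashData scope attribute, and the Hash
   class above: it builds an EmailData element from a raw message,
   mapping To/From/Subject/X-Mailer to their dedicated classes and
   every other header to an EmailHeaderField with name and
   dtype="string", and attaches one HashData per email scope whose
   Hash child carries ds:DigestMethod and a base64 ds:DigestValue.  The
   message is constructed; the IODEF v2 and XML Signature namespace
   URIs and the SHA-256 algorithm URI are the registered ones.
   Assumptions made here: SHA-256 is the chosen algorithm, the headers
   hash covers the header lines up to and including their final CRLF,
   the body hash covers everything after the empty separator line, and
   a "To:" field with several addresses yields one EmailTo per address.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from email import message_from_bytes
from email.utils import getaddresses

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm identifier for SHA-256 used in ds:DigestMethod (chosen for this example).
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample message (not real mail), CRLF line endings per RFC 5322.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\n"
    b"To: alice@example.org, bob@example.org\r\n"
    b"Subject: Invoice attached\r\n"
    b"X-Mailer: ExampleMailer 1.0\r\n"
    b"Message-ID: <constructed-0001@example.com>\r\n"
    b"\r\n"
    b"Please open the attached invoice.\r\n"
)


def split_message(raw: bytes) -> tuple[bytes, bytes]:
    """Split at the empty line ending the header section.

    Assumption: headers = up to and including the last header's CRLF;
    body = everything after the empty separator line.
    """
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no header/body separator found")
    return raw[: sep + 2], raw[sep + 4 :]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def email_hashes(raw: bytes) -> dict[str, str]:
    """Hex SHA-256 digests keyed by the three email-* scope values."""
    headers, body = split_message(raw)
    return {
        "email-hash": sha256_hex(raw),               # headers and body
        "email-headers-hash": sha256_hex(headers),   # all headers
        "email-body-hash": sha256_hex(body),         # body only
    }


def hash_data_element(scope: str, digest_hex: str) -> ET.Element:
    """<HashData scope=...> holding one Hash with ds:DigestMethod and ds:DigestValue."""
    hd = ET.Element(f"{{{IODEF_NS}}}HashData", {"scope": scope})
    h = ET.SubElement(hd, f"{{{IODEF_NS}}}Hash")
    ET.SubElement(h, f"{{{DS_NS}}}DigestMethod", {"Algorithm": SHA256_URI})
    # ds:DigestValue carries the digest base64-encoded, as in [W3C.XMLSIG].
    value = base64.b64encode(bytes.fromhex(digest_hex)).decode("ascii")
    ET.SubElement(h, f"{{{DS_NS}}}DigestValue").text = value
    return hd


def email_data_element(raw: bytes) -> ET.Element:
    """Build an EmailData element from a raw message, with per-scope HashData."""
    msg = message_from_bytes(raw)
    ed = ET.Element(f"{{{IODEF_NS}}}EmailData")
    # Assumption: one EmailTo per address found in the To: field(s).
    for _, addr in getaddresses(msg.get_all("To", [])):
        ET.SubElement(ed, f"{{{IODEF_NS}}}EmailTo").text = addr
    if msg["From"]:
        ET.SubElement(ed, f"{{{IODEF_NS}}}EmailFrom").text = getaddresses([msg["From"]])[0][1]
    if msg["Subject"]:
        ET.SubElement(ed, f"{{{IODEF_NS}}}EmailSubject").text = msg["Subject"]
    if msg["X-Mailer"]:
        ET.SubElement(ed, f"{{{IODEF_NS}}}EmailX-Mailer").text = msg["X-Mailer"]
    # Every other header becomes an EmailHeaderField: name = header name, dtype = "string".
    for name, value in msg.items():
        if name.lower() not in ("to", "from", "subject", "x-mailer"):
            ET.SubElement(ed, f"{{{IODEF_NS}}}EmailHeaderField",
                          {"name": name, "dtype": "string"}).text = value
    for scope, digest in email_hashes(raw).items():
        ed.append(hash_data_element(scope, digest))
    return ed


def email_data_xml(raw: bytes) -> str:
    """Serialize the EmailData element as an XML fragment."""
    return ET.tostring(email_data_element(raw), encoding="unicode")


if __name__ == "__main__":
    print(email_data_xml(SAMPLE_MESSAGE))
```

   The three HashData elements differ only in scope, which is what
   lets a recipient check a received copy against the headers alone
   (for example, when the body has been stripped from the report)
   without ambiguity about which bytes were hashed.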
3.26.2. FuzzyHash Class
   The FuzzyHash class describes a fuzzy hash and the application used
   to generate it.

   +--------------------------+
   |        FuzzyHash         |
   +--------------------------+
   |                          |<>--{1..*}--[ FuzzyHashValue ]
   |                          |<>--{0..1}--[ Application ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                    Figure 56: The FuzzyHash Class

   The aggregate classes of the FuzzyHash class are:

   FuzzyHashValue
      One or more.  EXTENSION.  The computed fuzzy hash value.

   Application
      Zero or one.  SOFTWARE.  The application used to calculate the
      hash.

   AdditionalData
      Zero or more.  EXTENSION.  Mechanism by which to extend the data
      model.

   The FuzzyHash class has no attributes.

3.27. SignatureData Class
   The SignatureData class describes different types of digital
   signatures on an object.

   +--------------------------+
   |      SignatureData       |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

                  Figure 57: The SignatureData Class

   The aggregate class of the SignatureData class is:

   ds:Signature
      One or more.  A given signature.  See Section 4.2 of
      [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.28. IndicatorData Class
   The IndicatorData class describes indicators and metadata associated
   with them.

   +--------------------------+
   |      IndicatorData       |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                  Figure 58: The IndicatorData Class

   The aggregate class of the IndicatorData class is:

   Indicator
      One or more.  A description of an indicator.  See Section 3.29.

   The IndicatorData class has no attributes.