2016-08-16 2016-12-01 Expert Review Roman Danyliw, Takeshi Takahashi public The information can be freely distributed without restriction. partner The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published. need-to-know The information may be shared only within the organization with individuals that have a need to know. private The information may not be shared. default The information can be shared according to an information disclosure policy pre-arranged by the communicating parties. white Same as 'public'. green Same as 'partner'. amber Same as 'need-to-know'. red Same as 'private'. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi traceback The incident was sent for trace-back purposes. mitigation The incident was sent to request aid in mitigating the described activity. reporting The incident was sent to comply with reporting requirements. watch The incident was sent to convey indicators that should be monitored. other The incident was sent for purposes specified in the Expectation class. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi new The incident is newly reported, and no action has been taken. in-progress The contents of this incident are under investigation. forwarded The incident has been forwarded to another party for handling. resolved The investigation into the activity in this incident has concluded. future The described activity has not yet been detected. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi creator The entity that generates the document. reporter The entity that reported the information. admin An administrative contact or business owner for an asset or organization. tech An entity responsible for the day-to-day management of technical issues for an asset or organization. provider An external hosting provider for an asset. user An end-user of an asset or part of an organization. billing An entity responsible for billing issues for an asset or organization. legal An entity responsible for legal issues related to an asset or organization. irt An entity responsible for handling security issues for an asset or organization. abuse An entity responsible for handling abuse originating from an asset or organization. cc An entity that is to be kept informed about the events related to an asset or organization. cc-irt A CSIRT or information-sharing organization coordinating activity related to an asset or organization. leo A law enforcement organization supporting the investigation of activity affecting an asset or organization. vendor The vendor that produces an asset. vendor-support A vendor that provides services. victim A victim in the incident. victim-notified A victim in the incident who has been notified. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi person The information for this contact references an individual. organization The information for this contact references an organization. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi internic Internet Network Information Center apnic Asia Pacific Network Information Center arin American Registry for Internet Numbers lacnic Latin-American and Caribbean Internet Addresses Registry ripe Reseaux IP Europeens afrinic African Network Information Center local A database local to the CSIRT ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi street An address describing a physical location. mailing An address to which correspondence should be sent. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi wired A number of a wire-line (land-line) phone. mobile A number of a mobile phone. fax A number to a fax machine. hotline A number to a regularly monitored operational hotline. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi direct An email address of an individual. hotline An email address regularly monitored for operational purposes. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi nothing No action is requested. Do nothing with the information. contact-source-site Contact the site(s) identified as the source of the activity. contact-target-site Contact the site(s) identified as the target of the activity. contact-sender Contact the originator of the document. investigate Investigate the system(s) listed in the event. block-host Block traffic from the machine(s) listed as sources in the event. block-network Block traffic from the network(s) lists as sources in the event. block-port Block the port listed as sources in the event. rate-limit-host Rate-limit the traffic from the machine(s) listed as sources in the event. rate-limit-network Rate-limit the traffic from the network(s) listed as sources in the event. rate-limit-port Rate-limit the port(s) listed as sources in the event. redirect-traffic Redirect traffic from the intended recipient for further analysis. honeypot Redirect traffic from systems listed in the event to a honeypot for further analysis. upgrade-software Upgrade or patch the software or firmware on an asset listed in the event. rebuild-asset Reinstall the operating system or applications on an asset listed in the event. harden-asset Change the configuration of an asset listed in the event to reduce the attack surface. remediate-other Remediate the activity in a way other than by rate limiting or blocking. status-triage Confirm receipt and begin triaging the incident. status-new-info Notify the sender when new information is received for this incident. watch-and-report Watch for the described activity or indicators, and notify the sender when seen. training Train user to identify or mitigate the described threat. defined-coa Perform a predefined course of action (COA). The COA is named in the DefinedCOA class. other Perform a custom action described in the Description class. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi nidps Network Intrusion Detection or Prevention System. hips Host-based Intrusion Prevention System. siem Security Information and Event Management System. av Antivirus or antispam software. third-party-monitoring Contracted third-party monitoring service. incident The activity was discovered while investigating an unrelated incident. os-log Operating system logs. application-log Application logs. device-log Network device logs. network-flow Network flow analysis. passive-dns Passive DNS analysis. investigation Manual investigation initiated based on notification of a new vulnerability or exploit. audit Security audit. internal-notification A party within the organization reported the activity. external-notification A party outside of the organization reported the activity. leo A law enforcement organization notified the victim organization. partner A customer or business partner reported the activity to the victim organization. actor The threat actor directly or indirectly reported this activity to the victim organization. unknown Unknown detection approach. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi takeover-account Control was taken of a given account. takeover-service Control was taken of a given service. takeover-system Control was taken of a given system. cps-manipulation A cyber-physical system was manipulated. cps-damage A cyber-physical system was damaged. availability-data Access to particular data was degraded or denied. availability-account Access to an account was degraded or denied. availability-service Access to a service was degraded or denied. availability-system Access to a system was degraded or denied. damaged-system Hardware on a system was irreparably damaged. damaged-data Data on a system was deleted. breach-propietary Sensitive or proprietary information was accessed or exfiltrated. breach-privacy Personally identifiable information was accessed or exfiltrated. breach-credential Credential information was accessed or exfiltrated. breach-configuration System configuration or data inventory was access or exfiltrated. integrity-data Data on the system was modified. integrity-configuration Application or system configuration was modified. integrity-hardware Firmware of a hardware component was modified. traffic-redirection Network traffic on the system was redirected. monitoring-traffic Network traffic emerging from a host or enclave was monitored. monitoring-host System activity (e.g., running processes, keystrokes) were monitored. policy Activity violated the system owner's acceptable use policy. unknown The impact is unknown. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi none No effect to the organization's ability to provide all services to all users. low Minimal effect as the organization can still provide all critical services to all users but has lost efficiency. medium The organization has lost the ability to provide a critical service to a subset of system users. high The organization is no longer able to provide some critical services to any users. unknown The impact is not known. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi breach-proprietary Sensitive or proprietary information was accessed or exfiltrated. breach-privacy Personally identifiable information was accessed or exfiltrated. breach-credential Credential information was accessed or exfiltrated. loss-of-integrity Sensitive or proprietary information was changed or deleted. loss-of-service Service delivery was disrupted. theft-financial Money was stolen. theft-service Services were misappropriated. degraded-reputation The reputation of the organization's brand was diminished. asset-damage A cyber-physical system was damaged. asset-manipulation A cyber-physical system was manipulated. legal The incident resulted in legal or regulatory action. extortion The incident resulted in actors extorting the victim organization. unknown The impact is unknown. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi labor Total staff time to recovery from the activity (e.g., 2 employees working 4 hours each would be 8 hours). elapsed Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time). downtime Duration of time for which some provided service(s) was not available. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi second The unit of the element content is seconds. minute The unit of the element content is minutes. hour The unit of the element content is hours. day The unit of the element content is days. month The unit of the element content is months. quarter The unit of the element content is quarters. year The unit of the element content is years. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi low Low confidence. medium Medium confidence. high High confidence. numeric The element content contains a number that conveys the confidence of the data. The semantics of this number is outside the scope of this specification. unknown The confidence rating value is not known. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi client Client computer. client-enterprise Client computer on the enterprise network. client-partner Client computer on network of a partner. client-remote Client computer remotely connected to the enterprise network. client-kiosk Client computer serving as a kiosk. client-mobile Mobile device. server-internal Server with internal services. server-public Server with public services. www WWW server. mail Mail server. webmail Web mail server. messaging Messaging server (e.g., NNTP, IRC, IM). streaming Streaming-media server. voice Voice server (e.g., SIP, H.323). file File server. ftp FTP server. p2p Peer-to-peer node. name Name server (e.g., DNS, WINS). directory Directory server (e.g., LDAP, finger, whois). credential Credential server (e.g., domain controller, Kerberos). print Print server. application Application server. database Database server. backup Backup server. dhcp DHCP server. assessment Assessment server (e.g., vulnerability scanner, endpoint assessment). source-control Source code control server. config-management Configuration management server. monitoring Security monitoring server (e.g., IDS). infra Infrastructure server (e.g., router, firewall, DHCP). infra-firewall Firewall. infra-router Router. infra-switch Switch. camera Camera and video system. proxy Proxy server. remote-access Remote access server. log Log server (e.g., syslog). virtualization Server running virtual machines. pos Point-of-sale device. scada Supervisory control and data acquisition (SCADA) system. scada-supervisory Supervisory system for a SCADA. sinkhole Traffic sinkhole destination. honeypot Honeypot server. anonymization Anonymization server (e.g., Tor node). c2-server Malicious command and control server. malware-distribution Server that distributes malware. drop-server Server to which exfiltrated content is uploaded. hop-point Intermediary server used to get to a victim. reflector A system used in a reflector attack. phishing-site Site hosting phishing content. spear-phishing-site Site hosting spear-phishing content. recruiting-site Site to recruit. fraudulent-site Fraudulent site. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi source The System was the source of the event. target The System was the target of the event. intermediate The System was an intermediary in the event. sensor The System was a sensor monitoring the event. infrastructure The System was an infrastructure node of the IODEF document exchange. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi organization Corporate or enterprise owned. personal Personally owned by an employee or affiliate of the corporation or enterprise. partner Owned by a partner of the corporation or enterprise. customer Owned by a customer of the corporation or enterprise. no-relationship Owned by an entity that has no known relationship with the victim organization. unknown Ownership is unknown. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi asn Autonomous System Number. atm Asynchronous Transfer Mode (ATM) address. e-mail Email address, per the EMAIL data type. ipv4-addr IPv4 host address in dotted-decimal notation (i.e., a.b.c.d). ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits (i.e., a.b.c.d/nn). ipv4-net-masked A sanitized IPv4 address with significant bits per "ipv4-net" but with the character 'x' replacing any digit(s) in the address or prefix. ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (i.e., a.b.c.d/w.x.y.z). ipv6-addr IPv6 host address per Section 4 of . ipv6-net IPv6 network address, slash, prefix per Section 2.3 of . ipv6-net-masked A sanitized IPv6 address and prefix per "ipv6-net" but with the character 'x' replacing any hexadecimal digit(s) in the address or digit(s) in the prefix. mac Media Access Control (MAC) address (i.e., aa:bb:cc:dd:ee:ff). site-uri A URL or URI for a resource, per the URL data type. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi count The Counter class value is a counter. peak The Counter class value is a peak value. average The Counter class value is an average. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi byte Bytes transferred. mbit Megabits (Mbits) transferred. packet Packets. flow Network flow records. session Sessions. alert Notifications generated by another system (e.g., IDS or SIEM system). message Messages (e.g., mail messages). event Events. host Hosts. site Site. organization Organizations. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi spoofed This domain was spoofed. fraudulent This domain was operated with fraudulent intentions. innocent-hacked This domain was compromised by a third party. innocent-hijacked This domain was deliberately hijacked. unknown No categorization for this domain known. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi reservedDelegation The domain is permanently inactive. assignedAndActive The domain is in a normal state. assignedAndInactive The domain has an assigned registration, but the delegation is inactive. assignedAndOnHold The domain is in dispute. revoked The domain is in the process of being purged from the database. transferPending The domain is pending a change in authority. registryLock The domain is on hold by the registry. registrarLock Same as "registryLock". other The domain has a known status, but it is not one of the redefined enumerated values. unknown The domain has an unknown status. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi regex Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of "Information Technology - Portable Operating System Interface (POSIX) - Part 1: Base Definitions", IEEE 1003.1, June 2001. binary Binhex-encoded binary pattern, per the HEXBIN data type. xpath XML Path (XPath) XML Path Language (XPath) 3.1. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi line Offset is a count of lines. byte Offset is a count of bytes. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi add-key Registry key added. add-value Value added to a registry key. delete-key Registry key deleted. delete-value Value deleted from a registry key. modify-key Registry key modified. modify-value Value modified in a registry key. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi file-contents A hash computed over the entire contents of a file. file-pe-section A hash computed on a given section of a Windows Portable Executable (PE) file. If set to this value, the HashTargetID class MUST identify the section being hashed. A section is identified by an ordinal number (starting at 1) corresponding to the order in which the given section header was defined in the Section Table of the PE file header. file-pe-iat A hash computed on the Import Address Table (IAT) of a PE file. As IAT hashes are often tool dependent, if this value is set, the Application class of either the Hash or FuzzyHash classes MUST specify the tool used to generate the hash. file-pe-resource A hash computed on a given resource in a PE file. If set to this value, the HashTargetID class MUST identify the resource being hashed. A resource is identified by an ordinal number (starting at 1) corresponding to the order in which the given resource is declared in the Resource Directory of the Data Dictionary in the PE file header. file-pdf-object A hash computed on a given object in a Portable Document Format (PDF) file. If set to this value, the HashTargetID class MUST identify the object being hashed. This object is identified by its offset in the PDF file. email-hash A hash computed over the headers and body of an email message. email-headers-hash A hash computed over all of the headers of an email message. email-body-hash A hash computed over the body of an email message. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi asn Autonomous System Number (per the Address@category attribute). atm Asynchronous Transfer Mode (ATM) address (per the Address@category attribute). e-mail Email address (per the Address@category attribute). ipv4-addr IPv4 host address in dotted-decimal notation, e.g., 192.0.2.1 (per the Address@category attribute). ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits, e.g., 192.0.2.0/24 (per the Address@category attribute). ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation, i.e., 192.0.2.0/255.255.255.0 (per the Address@category attribute). ipv6-addr IPv6 host address, e.g., 2001:DB8::3 (per the Address@category attribute). ipv6-net IPv6 network address, slash, significant bits, e.g., 2001:DB8::/32 (per the Address@category attribute). ipv6-net-mask IPv6 network address, slash, network mask (per the Address@category attribute). mac Media Access Control (MAC) address, i.e., a:b:c:d:e:f (per the Address@category attribute). site-uri A URL or URI for a resource (per the Address@category attribute). domain-name A fully qualified domain name or part of a name (e.g., fqdn.example.com, example.com). domain-to-ipv4 A mapping of FQDN to IPv4 address specified as a comma-separated list (e.g., "fqdn.example.com, 192.0.2.1"). domain-to-ipv6 A mapping of FQDN to IPv6 address specified as a comma separated list (e.g., "fqdn.example.com, 2001:DB8::3"). domain-to-ipv4-timestamp Same as domain-to-ipv4 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00"). domain-to-ipv6-timestamp Same as domain-to-ipv6 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00"). ipv4-port An IPv4 address, port, and protocol tuple (e.g., 192.0.2.1, 80, tcp). The protocol name corresponds to the "Keyword" column in the . ipv6-port An IPv6 address, port, and protocol tuple (e.g., 2001:DB8::3, 80, tcp). The protocol name corresponds to the "Keyword" column in the . windows-reg-key A Microsoft Windows registry key. file-hash A file hash. The format of this hash is described in the Hash class that MUST be present in a sibling BulkObservableFormat class. email-x-mailer An X-Mailer field from an email. email-subject An email subject line. http-user-agent A User Agent field from an HTTP request header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"). http-request-uri The Request URI from an HTTP request header. mutex The name of a system mutex (mutual exclusion lock). file-path A file path (e.g., "/tmp/local/file", "c:\windows\system32\file.sys"). user-name A username. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi not negation operator. and conjunction operator. or disjunction operator. xor exclusive disjunction operator. Expert Review Roman Danyliw, Takeshi Takahashi boolean The element content is of type BOOLEAN. byte The element content is of type BYTE. bytes The element content is of type HEXBIN. character The element content is of type CHARACTER. date-time The element content is of type DATETIME. ntp-stamp Same as date-time. integer The element content is of type INTEGER. portlist The element content is of type PORTLIST. real The element content is of type REAL. string The element content is of type STRING. file The element content is a base64-encoded binary file encoded as a BYTE[] type. path The element content is a file-system path encoded as a STRING type. frame The element content is a Layer 2 frame encoded as a HEXBIN type. packet The element content is a Layer 3 packet encoded as a HEXBIN type. ipv4-packet The element content is an IPv4 packet encoded as a HEXBIN type. ipv6-packet The element content is an IPv6 packet encoded as a HEXBIN type. url The element content is of type URL. csv The element content is a comma-separated value (CSV) list per Section 2 of encoded as a STRING type. winreg The element content is a Microsoft Windows registry key encoded as a STRING type. xml The element content is XML. See Section 5.2 of . ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi custom The element content is free-form and of the data type specified by the dtype attribute. If this value is selected, then the dtype attribute MUST be set. cpe The element content describes a Common Platform Enumeration (CPE) entry per [NIST.CPE]. swid The element content describes a software identification (SWID) tag per [ISO19770]. ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of . Expert Review Roman Danyliw, Takeshi Takahashi bytes The element content is of type HEXBIN. integer The element content is of type INTEGER. real The element content is of type REAL. string The element content is of type STRING. xml The element content is XML. See Section 5.2 of . ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of .