IODEF EventData Zoom

EventData Class

The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.

The aggregate classes that constitute EventData are:

  • Description

Zero or more. ML_STRING. A free-form textual description of the event.

  • DetectTime

Zero or one. The time the event was detected.

  • StartTime

Zero or one. The time the event started.

  • EndTime

Zero or one. The time the event ended.

  • Contact

Zero or more. Contact information for the parties involved in the event.

  • Assessment

Zero or one. The impact of the event on the target and the actions taken.

  • Method

Zero or more. The technique used by the intruder in the event.

  • Flow

Zero or more. A description of the systems or networks involved.

  • Expectation

Zero or more. The expected action to be performed by the recipient for the described event.

  • Record

Zero or one. Supportive data (e.g., log files) that provides additional information about the event.

  • EventData

Zero or more. EventData instances contained within another EventData instance inherit the values of the parent(s); this recursive definition can be used to group common data pertaining to multiple events. When EventData elements are defined recursively, only the leaf instances (those EventData instances not containing other EventData instances) represent actual events.

  • AdditionalData

Zero or more. An extension mechanism for data not explicitly represented in the data model.

At least one of the aggregate classes MUST be present in an instance of the EventData class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.

The EventData class has one attribute:

  • restriction

Optional. ENUM. This attribute is defined in Incident Class.
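The two rules above that a schema validator will not check for you are the inheritance of parent values by nested EventData (only the leaves are real events) and the requirement that every EventData carry at least one aggregate class. The following is an added example, not code from the original page or from any IODEF implementation: it parses a constructed IODEF 1.0 document with Python's standard library, expands each leaf EventData with the Flow and Expectation it inherits from its parent, and rejects an EventData with no aggregates. The namespace URI is the one registered by RFC 5070; the sample document, addresses and incident identifier are constructed for the example.

```python
"""Added example, not part of the original page or of any IODEF implementation:
walk a nested IODEF 1.0 EventData tree, expand the leaf events with the
aggregates they inherit from enclosing EventData elements, and enforce the
'at least one aggregate class' rule that the schema cannot express."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # RFC 5070 namespace URI


def q(name):
    """Namespace-qualified tag for ElementTree lookups."""
    return f"{{{IODEF_NS}}}{name}"


# Constructed sample document (documentation address ranges, not a real
# incident).  The outer EventData holds what both events share (Flow,
# Expectation); only the two inner EventData elements are actual events.
SAMPLE = f"""<IODEF-Document version="1.00" lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2015-06-24T15:42:00+00:00</ReportTime>
    <Assessment><Impact type="recon" completion="succeeded"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <EventData restriction="need-to-know">
      <Flow>
        <System category="source"><Node><Address category="ipv4-addr">192.0.2.200</Address></Node></System>
        <System category="target"><Node><Address category="ipv4-net">198.51.100.0/24</Address></Node></System>
      </Flow>
      <Expectation action="block-host" severity="medium"/>
      <EventData>
        <Description>Port scan of the web tier</Description>
        <DetectTime>2015-06-24T14:01:00+00:00</DetectTime>
      </EventData>
      <EventData>
        <Description>Brute-force attempts against SSH</Description>
        <DetectTime>2015-06-24T14:07:00+00:00</DetectTime>
      </EventData>
    </EventData>
  </Incident>
</IODEF-Document>"""


def has_aggregate(ev):
    """True if this EventData and every EventData nested in it carry at least
    one aggregate class.  The text says MUST but the schema does not enforce
    it, so a consumer has to check before trusting the document."""
    if len(ev) == 0:
        return False
    return all(has_aggregate(c) for c in ev.findall(q("EventData")))


def has_aggregate_xml(xml_text):
    """Same check on a serialized EventData element."""
    return has_aggregate(ET.fromstring(xml_text))


def leaf_events(ev, inherited=()):
    """One list of aggregate elements per leaf EventData, with the parents'
    aggregates prepended: children inherit the values of the parent(s), and
    only leaves represent actual events."""
    own = [c for c in ev if c.tag != q("EventData")]
    children = ev.findall(q("EventData"))
    if not children:
        return [list(inherited) + own]
    leaves = []
    for child in children:
        leaves.extend(leaf_events(child, list(inherited) + own))
    return leaves


def event_summary(aggregates):
    """Reduce a leaf's aggregates to the fields an analyst triages on."""
    s = {"description": None, "detect_time": None,
         "sources": [], "targets": [], "actions": []}
    for el in aggregates:
        if el.tag == q("Description"):
            s["description"] = el.text
        elif el.tag == q("DetectTime"):
            s["detect_time"] = el.text
        elif el.tag == q("Flow"):
            for system in el.findall(q("System")):
                key = "sources" if system.get("category") == "source" else "targets"
                s[key].extend(a.text for a in system.iter(q("Address")))
        elif el.tag == q("Expectation"):
            s["actions"].append(el.get("action"))
    return s


def summarize(xml_text):
    """All actual events in an IODEF document, each with inherited context."""
    root = ET.fromstring(xml_text)
    events = []
    for incident in root.findall(q("Incident")):
        for ev in incident.findall(q("EventData")):
            if not has_aggregate(ev):
                raise ValueError("EventData without any aggregate class")
            events.extend(event_summary(leaf) for leaf in leaf_events(ev))
    return events


if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(e)
```

Running it yields two events, both carrying the parent's source 192.0.2.200, target 198.51.100.0/24 and the block-host Expectation, while the Description and DetectTime differ. A recipient acting on the Expectation should do so per leaf event, not once for the grouping EventData.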

Expectation Class

The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to the purview of the EventData class in which this class is aggregated.

The aggregate classes that constitute Expectation are:

  • Description

Zero or more. ML_STRING. A free-form description of the desired action(s).

  • StartTime

Zero or one. The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient.

  • EndTime

Zero or one. The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.

  • Contact

Zero or one. The expected actor for the action.

The Expectation class has four attributes:

  • restriction

Optional. ENUM. This attribute is defined in Incident Class.

  • severity

Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.

Rank  Keyword  Description
1     low      Low priority
2     medium   Medium priority
3     high     High priority

  • action

Optional. ENUM. Classifies the type of action requested. This attribute is an enumerated list with no default value.

Rank  Keyword               Description
1     nothing               No action is requested. Do nothing with the information.
2     contact-source-site   Contact the site(s) identified as the source of the activity.
3     contact-target-site   Contact the site(s) identified as the target of the activity.
4     contact-sender        Contact the originator of the document.
5     investigate           Investigate the system(s) listed in the event.
6     block-host            Block traffic from the machine(s) listed as sources in the event.
7     block-network         Block traffic from the network(s) listed as sources in the event.
8     block-port            Block the port(s) listed as sources in the event.
9     rate-limit-host       Rate-limit the traffic from the machine(s) listed as sources in the event.
10    rate-limit-network    Rate-limit the traffic from the network(s) listed as sources in the event.
11    rate-limit-port       Rate-limit the port(s) listed as sources in the event.
12    remediate-other       Remediate the activity in a way other than by rate limiting or blocking.
13    status-triage         Conveys receipt and the triaging of an incident.
14    status-new-info       Conveys that new information was received for this incident.
15    other                 Perform some custom action described in the Description class.
16    ext-value             An escape value used to extend this attribute.

  • ext-action

Optional. STRING. A means by which to extend the action attribute.

Flow Class

The Flow class groups the related source and target hosts of an event.

The aggregate class that constitutes Flow is:

  • System

One or More. A host or network involved in an event.

The Flow class has no attributes.

Record Class

The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs should substantiate the activity described in the document.

The aggregate class that constitutes Record is:

  • RecordData

One or more. Log or audit data generated by a particular type of sensor. Separate instances of the RecordData class SHOULD be used for each sensor type.

The Record class has one attribute:

  • restriction

Optional. ENUM. This attribute has been defined in Incident Class.

RecordData Class

The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.

The aggregate classes that constitute RecordData are:

  • DateTime

Zero or one. Timestamp of the RecordItem data.

  • Description

Zero or more. ML_STRING. Free-form textual description of the provided RecordItem data. At minimum, this description should convey the significance of the provided RecordItem data.

  • Application

Zero or one. Information about the sensor used to generate the RecordItem data.

  • RecordPattern

Zero or more. A search string to precisely find the relevant data in a RecordItem.

  • RecordItem

One or more. Log, audit, or forensic data.

  • AdditionalData

Zero or one. An extension mechanism for data not explicitly represented in the data model.

The RecordData class has one attribute:

  • restriction

Optional. ENUM. This attribute has been defined in Incident Class.

RecordPattern Class

The RecordPattern class describes where in the content of the RecordItem relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.

The specific pattern to search with in the RecordItem is defined in the body of the element.

It is further annotated by six attributes:

  • type

Required. ENUM. Describes the type of pattern being specified in the element content. The default is "regex".

Rank  Keyword    Description
1     regex      Regular expression, per Appendix F of [3].
2     binary     Binhex-encoded binary pattern, per the HEXBIN data type.
3     xpath      XML Path (XPath).
4     ext-value  An escape value used to extend this attribute.

  • ext-type

Optional. STRING. A means by which to extend the type attribute.

  • offset

Optional. INTEGER. Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.

  • offsetunit

Optional. ENUM. Describes the units of the offset attribute. The default is "line".

Rank  Keyword    Description
1     line       Offset is a count of lines.
2     binary     Offset is a count of bytes.
3     ext-value  An escape value used to extend this attribute.

  • ext-offsetunit

Optional. STRING. A means by which to extend the offsetunit attribute.

  • instance

Optional. INTEGER. Number of times to apply the specified pattern.
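To make the type, offset, offsetunit and instance attributes concrete, the following is an added example, not code from the original page or from any IODEF implementation. It parses a constructed RecordData element and applies each RecordPattern to the RecordItem content: a regex pattern returns the matching log lines, a binary (HEXBIN) pattern returns byte offsets, the offset is applied in lines or bytes before matching, and instance caps how many times the pattern is applied (that reading of "number of times" is an assumption; the text does not define it further). XPath patterns are not handled here. The namespace URI is the one registered by RFC 5070; the firewall log lines are constructed.

```python
"""Added example, not part of the original page: apply IODEF 1.0 RecordPattern
elements (type/offset/offsetunit/instance) to RecordItem content."""
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # RFC 5070 namespace URI


def q(name):
    """Namespace-qualified tag for ElementTree lookups."""
    return f"{{{IODEF_NS}}}{name}"


# Constructed sample: four firewall log lines and two RecordPatterns that
# point at the relevant ones.  The RecordItem lines are flush-left on
# purpose, since indentation would change the byte offsets.
SAMPLE = f"""<RecordData xmlns="{IODEF_NS}">
  <Description>Firewall denies from the scanning host</Description>
  <RecordPattern type="regex" offset="1" offsetunit="line" instance="1">DENY .* 192\\.0\\.2\\.200</RecordPattern>
  <RecordPattern type="binary" offset="0" offsetunit="binary">44454e59</RecordPattern>
  <RecordItem dtype="string">Jun 24 14:01:00 fw1 DENY tcp 192.0.2.200:4421 -> 198.51.100.10:22
Jun 24 14:01:01 fw1 DENY tcp 192.0.2.200:4422 -> 198.51.100.11:22
Jun 24 14:01:01 fw1 ALLOW tcp 203.0.113.7:51000 -> 198.51.100.10:443
Jun 24 14:01:02 fw1 DENY tcp 192.0.2.200:4423 -> 198.51.100.12:22
</RecordItem>
</RecordData>"""


def _region(item, offset, offsetunit):
    """Seek `offset` lines or bytes into the RecordItem.  Returns the remaining
    bytes and the byte position where that region starts in the full item."""
    data = item.encode("utf-8")
    if offsetunit == "line":
        lines = item.splitlines(keepends=True)
        start = sum(len(line.encode("utf-8")) for line in lines[:offset])
    elif offsetunit == "binary":
        start = offset
    else:
        raise ValueError(f"unsupported offsetunit {offsetunit!r}")
    return data[start:], start


def regex_lines(item, pattern, offset=0, offsetunit="line", instance=None):
    """Lines of the RecordItem that a type="regex" pattern picks out, at most
    `instance` of them (assumed meaning: apply the pattern that many times)."""
    region, _ = _region(item, offset, offsetunit)
    # A byte offset may land inside a multi-byte character; do not crash on it.
    text = region.decode("utf-8", errors="replace")
    hits = []
    for m in re.finditer(pattern, text):
        line_start = text.rfind("\n", 0, m.start()) + 1
        line_end = text.find("\n", m.end())
        hits.append(text[line_start:(len(text) if line_end == -1 else line_end)].strip())
        if instance is not None and len(hits) >= instance:
            break
    return hits


def binary_offsets(item, hexpattern, offset=0, offsetunit="line", instance=None):
    """Byte offsets into the full RecordItem where a type="binary" (HEXBIN)
    pattern occurs, at most `instance` of them."""
    needle = bytes.fromhex(hexpattern)
    if not needle:
        raise ValueError("empty binary pattern")
    region, start = _region(item, offset, offsetunit)
    hits, pos = [], 0
    while (pos := region.find(needle, pos)) != -1:
        hits.append(start + pos)
        pos += 1
        if instance is not None and len(hits) >= instance:
            break
    return hits


def apply_record_patterns(xml_text):
    """Apply every RecordPattern of a RecordData element to every RecordItem,
    using the attribute defaults from the text (regex, line, offset 0)."""
    rd = ET.fromstring(xml_text)
    items = [ri.text or "" for ri in rd.findall(q("RecordItem"))]
    results = []
    for rp in rd.findall(q("RecordPattern")):
        ptype = rp.get("type", "regex")
        offset = int(rp.get("offset", "0"))
        unit = rp.get("offsetunit", "line")
        instance = rp.get("instance")
        instance = int(instance) if instance is not None else None
        pattern = (rp.text or "").strip()
        for item in items:
            if ptype == "regex":
                results.append(regex_lines(item, pattern, offset, unit, instance))
            elif ptype == "binary":
                results.append(binary_offsets(item, pattern, offset, unit, instance))
            else:
                raise ValueError(f"pattern type {ptype!r} not handled here")
    return results


if __name__ == "__main__":
    for r in apply_record_patterns(SAMPLE):
        print(r)
```

With the sample above, the regex pattern skips the first line and, because instance="1", returns only the second DENY line; the binary pattern returns the byte offsets of all three occurrences of "DENY". Patterns arriving in a document are data from a third party: compile them with a timeout or a bounded engine before running them over large RecordItems, since a hostile regex can be as costly as a hostile payload.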

RecordItem Class

The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. The class supports both the direct encapsulation of the data and primitives to reference data stored elsewhere.

This class is identical to the AdditionalData class.

Application Class

The Application class describes an application running on a System providing a Service.

The aggregate class that constitutes Application is:

  • URL

Zero or one. URL. A URL describing the application.

The Application class has seven attributes:

  • swid

Optional. STRING. An identifier that can be used to reference this software.

  • configid

Optional. STRING. An identifier that can be used to reference a particular configuration of this software.

  • vendor

Optional. STRING. Vendor name of the software.

  • family

Optional. STRING. Family of the software.

  • name

Optional. STRING. Name of the software.

  • version

Optional. STRING. Version of the software.

  • patch

Optional. STRING. Patch or service pack level of the software.

Attachment: EventData.svg, IODEF UML Diagram EventData Zoom (183 KB). Sélim Menouar, 06/24/2015 03:42 PM