Anonymous, 06/08/2015 12:14 PM

h1. IODEF EventData Zoom

[[IODEF Incident Zoom|Incident]]
* [[IODEF Contact Zoom|Contact]]
* [[IODEF Method Zoom|Method]]
* [[IODEF Assessment Zoom|Assessment]]
* *EventData*
** [[IODEF Flow Zoom|Flow]]
* [[IODEF History Zoom|History]]

----

!/attachments/download/56/EventData.svg!

----

h2. EventData Class

The EventData class describes a particular event of the incident for a given set of hosts or networks.  This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.

h4. The aggregate classes that constitute EventData are:

* Description
> Zero or more.  ML_STRING.  A free-form textual description of the event.

* DetectTime
> Zero or one.  The time the event was detected.

* StartTime
> Zero or one.  The time the event started.

* EndTime
> Zero or one.  The time the event ended.

* Contact
> Zero or more.  Contact information for the parties involved in the event.

* Assessment
> Zero or one.  The impact of the event on the target and the actions taken.

* Method
> Zero or more.  The technique used by the intruder in the event.

* Flow
> Zero or more.  A description of the systems or networks involved.

* Expectation
> Zero or more.  The expected action to be performed by the recipient for the described event.

* Record
> Zero or one.  Supportive data (e.g., log files) that provides additional information about the event.

* EventData
> Zero or more.  EventData instances contained within another EventData instance inherit the values of the parent(s); this recursive definition can be used to group common data pertaining to multiple events.  When EventData elements are defined recursively, only the leaf instances (those EventData instances not containing other EventData instances) represent actual events.

* AdditionalData
> Zero or more.  An extension mechanism for data not explicitly represented in the data model.

At least one of the aggregate classes MUST be present in an instance of the EventData class.  This is not enforced in the IODEF schema as there is no simple way to accomplish it.
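The two rules above (nested EventData instances inherit the parent's values and only leaf instances are actual events; at least one aggregate class must be present even though the schema cannot enforce it) can be checked in code.  The following Python is an added example, not part of this wiki page or of any IODEF implementation; it assumes the IODEF 1.0 namespace from RFC 5070, a constructed sample document, and that a child's own values are appended after the inherited ones (the text only says they are inherited).

```python
import xml.etree.ElementTree as ET
NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF 1.0 namespace (RFC 5070); assumed, not on the page
AGGREGATES = ("Description", "DetectTime", "StartTime", "EndTime", "Contact", "Assessment",
              "Method", "Flow", "Expectation", "Record", "EventData", "AdditionalData")

# Constructed sample: the parent EventData holds a Contact and Assessment shared by two leaf events.
SAMPLE = f"""<EventData xmlns="{NS}" restriction="need-to-know">
  <Contact role="irt" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
  <Assessment><Impact severity="medium" type="recon"/></Assessment>
  <EventData>
    <DetectTime>2015-06-01T10:00:00Z</DetectTime>
    <Flow><System category="source"><Node><Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
  </EventData>
  <EventData>
    <DetectTime>2015-06-01T10:05:00Z</DetectTime>
    <Flow><System category="source"><Node><Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
  </EventData>
</EventData>"""

def aggregates(ed: ET.Element) -> dict[str, list[ET.Element]]:
    """Group the direct children of one EventData element by aggregate class name."""
    out: dict[str, list[ET.Element]] = {}
    for child in ed:
        name = child.tag.split("}")[-1]          # strip the namespace
        if name in AGGREGATES:
            out.setdefault(name, []).append(child)
    return out

def leaf_events(ed: ET.Element, inherited=None) -> list[dict[str, list[ET.Element]]]:
    """Resolve the recursion: every leaf EventData gets the parent's values plus its own.
    Appending own values after inherited ones is an assumption; the text only says they inherit."""
    merged = {k: list(v) for k, v in (inherited or {}).items()}
    own = aggregates(ed)
    for k, v in own.items():
        if k != "EventData":
            merged.setdefault(k, []).extend(v)
    children = own.get("EventData", [])
    if not children:
        return [merged]                          # a leaf: this is an actual event
    return [ev for child in children for ev in leaf_events(child, merged)]

def event_summary(xml_text: str) -> list[dict[str, int]]:
    """One {aggregate class: count} map per actual (leaf) event."""
    return [{k: len(v) for k, v in ev.items()} for ev in leaf_events(ET.fromstring(xml_text))]

def every_eventdata_populated(xml_text: str) -> bool:
    """The 'at least one aggregate class MUST be present' rule the schema cannot express."""
    root = ET.fromstring(xml_text)
    return all(aggregates(ed) for ed in [root] + root.findall(f".//{{{NS}}}EventData"))
```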

h4. The EventData class has one attribute:

* restriction
> Optional.  ENUM.  This attribute is defined in [[IODEF_Incident_Zoom#Incident-Class| Incident Class]].

h2. Expectation Class

The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting.  The scope of the requested action is limited to the purview of the EventData class in which this class is aggregated.

h4. The aggregate classes that constitute Expectation are:

* Description
> Zero or many.  ML_STRING.  A free-form description of the desired action(s).

* StartTime
> Zero or one.  The time at which the action should be performed.  A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible.  The absence of this element leaves the execution of the expectation to the discretion of the recipient.

* EndTime
> Zero or one.  The time by which the action should be completed.  If the action is not carried out by this time, it should no longer be performed.

* Contact
> Zero or one.  The expected actor for the action.

h4. The Expectation class has four attributes:

* restriction
> Optional.  ENUM.  This attribute is defined in [[IODEF_Incident_Zoom#Incident-Class| Incident Class]].

* severity
> Optional.  ENUM.  Indicates the desired priority of the action.  This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.

>|_. Rank |_. Keyword |_. Description |
>| 1 | low | Low priority |
>| 2 | medium | Medium priority |
>| 3 | high | High priority |

* action
> Optional.  ENUM.  Classifies the type of action requested.  This attribute is an enumerated list with no default value.

>|_. Rank |_. Keyword |_. Description |
>| 1 | nothing | No action is requested.  Do nothing with the information. |
>| 2 | contact-source-site | Contact the site(s) identified as the source of the activity. |
>| 3 | contact-target-site | Contact the site(s) identified as the target of the activity. |
>| 4 | contact-sender | Contact the originator of the document. |
>| 5 | investigate | Investigate the system(s) listed in the event. |
>| 6 | block-host | Block traffic from the machine(s) listed as sources in the event. |
>| 7 | block-network | Block traffic from the network(s) listed as sources in the event. |
>| 8 | block-port | Block the port(s) listed as sources in the event. |
>| 9 | rate-limit-host | Rate-limit the traffic from the machine(s) listed as sources in the event. |
>| 10 | rate-limit-network | Rate-limit the traffic from the network(s) listed as sources in the event. |
>| 11 | rate-limit-port | Rate-limit the port(s) listed as sources in the event. |
>| 12 | remediate-other | Remediate the activity in a way other than by rate limiting or blocking. |
>| 13 | status-triage | Conveys receipt and the triaging of an incident. |
>| 14 | status-new-info | Conveys that new information was received for this incident. |
>| 15 | other | Perform some custom action described in the Description class. |
>| 16 | ext-value | An escape value used to extend this attribute. |

* ext-action
> Optional.  STRING.  A means by which to extend the action attribute.

h2. Flow Class

The Flow class groups the related source and target hosts.

h4. The aggregate class that constitutes Flow is:

* System
> One or more.  A host or network involved in an event.

h4. The Flow class has no attributes.

h2. Record Class

The Record class is a container class for log and audit data that provides supportive information about the incident.  The source of this data will often be the output of monitoring tools.  These logs should substantiate the activity described in the document.

h4. The aggregate class that constitutes Record is:

* RecordData
> One or more.  Log or audit data generated by a particular type of sensor.  Separate instances of the RecordData class SHOULD be used for each sensor type.

h4. The Record class has one attribute:

* restriction
> Optional.  ENUM.  This attribute is defined in [[IODEF_Incident_Zoom#Incident-Class| Incident Class]].

h2. RecordData Class

The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.

h4. The aggregate classes that constitute RecordData are:

* DateTime
> Zero or one.  Timestamp of the RecordItem data.

* Description
> Zero or more.  ML_STRING.  Free-form textual description of the provided RecordItem data.  At minimum, this description should convey the significance of the provided RecordItem data.

* Application
> Zero or one.  Information about the sensor used to generate the RecordItem data.

* RecordPattern
> Zero or more.  A search string to precisely find the relevant data in a RecordItem.

* RecordItem
> One or more.  Log, audit, or forensic data.

* AdditionalData
> Zero or one.  An extension mechanism for data not explicitly represented in the data model.

h4. The RecordData class has one attribute:

* restriction
> Optional.  ENUM.  This attribute is defined in [[IODEF_Incident_Zoom#Incident-Class| Incident Class]].

h2. RecordPattern Class

The RecordPattern class describes where in the content of the RecordItem relevant information can be found.  It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.

The specific pattern to search with in the RecordItem is defined in the body of the element.

h4. It is further annotated by four attributes:

* type
> Required.  ENUM.  Describes the type of pattern being specified in the element content.  The default is "regex".

>|_. Rank |_. Keyword |_. Description |
>| 1 | regex | Regular expression, per Appendix F of [3]. |
>| 2 | binary | Binhex encoded binary pattern, per the HEXBIN data type. |
>| 3 | xpath | XML Path (XPath) |
>| 4 | ext-value | An escape value used to extend this attribute. |

* ext-type
> Optional.  STRING.  A means by which to extend the type attribute.

* offset
> Optional.  INTEGER.  Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.

* offsetunit
> Optional.  ENUM.  Describes the units of the offset attribute.  The default is "line".

>|_. Rank |_. Keyword |_. Description |
>| 1 | line | Offset is a count of lines. |
>| 2 | binary | Offset is a count of bytes. |
>| 3 | ext-value | An escape value used to extend this attribute. |

* ext-offsetunit
> Optional.  STRING.  A means by which to extend the offsetunit attribute.

* instance
> Optional.  INTEGER.  Number of times to apply the specified pattern.
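The attributes above fix how a recipient locates evidence inside a RecordItem: seek offset units (lines or bytes) into the data, then apply the pattern up to instance times.  The following Python is an added example, not code from this wiki page or from any IODEF implementation; it assumes the IODEF 1.0 namespace from RFC 5070, constructed firewall log lines as the RecordItem, reads instance as the number of matches to return, and handles only type="regex".

```python
import re
import xml.etree.ElementTree as ET
NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF 1.0 namespace (RFC 5070); assumed, not on the page

# Constructed sample: offset="2" skips two lines of sensor output (including a DENY record),
# and instance="2" asks for only the first two matches. dtype comes from AdditionalData.
SAMPLE = r"""<RecordData xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Description>Firewall denies from the source host named in the Flow</Description>
  <RecordPattern type="regex" offset="2" offsetunit="line" instance="2">DENY .*SRC=192\.0\.2\.10.*</RecordPattern>
  <RecordItem dtype="string">2015-06-01T10:00:01Z sensor fw1 log start
2015-06-01T10:00:02Z DENY tcp SRC=192.0.2.10 DST=198.51.100.5 DPT=21
2015-06-01T10:00:03Z DENY tcp SRC=192.0.2.10 DST=198.51.100.5 DPT=22
2015-06-01T10:00:04Z ALLOW tcp SRC=192.0.2.99 DST=198.51.100.5 DPT=443
2015-06-01T10:00:05Z DENY tcp SRC=192.0.2.10 DST=198.51.100.5 DPT=23
2015-06-01T10:00:06Z DENY tcp SRC=192.0.2.10 DST=198.51.100.5 DPT=25</RecordItem>
</RecordData>"""

def apply_record_pattern(pattern: ET.Element, item: ET.Element) -> list[tuple[int, str]]:
    """Seek `offset` units into the RecordItem data, then return up to `instance` matches
    as (1-based line number, matched text). Only type="regex" is handled here."""
    ptype = pattern.get("type", "regex")                  # page: the default is "regex"
    if ptype != "regex":
        raise NotImplementedError(f"pattern type {ptype!r} not handled in this example")
    offset = int(pattern.get("offset", "0"))
    unit = pattern.get("offsetunit", "line")              # page: the default is "line"
    blob = (item.text or "").encode("utf-8")
    if unit == "binary":
        start = offset                                    # offset is a count of bytes
    elif unit == "line":
        start = 0
        for _ in range(offset):                           # offset is a count of lines
            nl = blob.find(b"\n", start)
            if nl < 0:
                return []                                 # offset runs past the data
            start = nl + 1
    else:
        raise ValueError(f"unknown offsetunit {unit!r}")
    regex = re.compile((pattern.text or "").strip().encode("utf-8"))
    limit = int(pattern.get("instance", "0"))             # 0 or absent: unlimited (assumption)
    hits: list[tuple[int, str]] = []
    for m in regex.finditer(blob, start):
        hits.append((blob.count(b"\n", 0, m.start()) + 1, m.group().decode("utf-8")))
        if limit and len(hits) >= limit:
            break
    return hits

def search_record_data(xml_text: str) -> list[tuple[int, str]]:
    """Run every RecordPattern of a RecordData over every RecordItem it contains."""
    rd = ET.fromstring(xml_text)
    pats, items = rd.findall(f"{{{NS}}}RecordPattern"), rd.findall(f"{{{NS}}}RecordItem")
    return [h for p in pats for i in items for h in apply_record_pattern(p, i)]
```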

h2. RecordItem Class

The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident.  The class supports both the direct encapsulation of the data and provides primitives to reference data stored elsewhere.

h4. This class is identical to the AdditionalData class.

h2. Application Class

The Application class describes an application running on a System providing a Service.

h4. The aggregate class that constitutes Application is:

* URL
> Zero or one.  URL.  A URL describing the application.

h4. The Application class has seven attributes:

* swid
> Optional.  STRING.  An identifier that can be used to reference this software.

* configid
> Optional.  STRING.  An identifier that can be used to reference a particular configuration of this software.

* vendor
> Optional.  STRING.  Vendor name of the software.

* family
> Optional.  STRING.  Family of the software.

* name
> Optional.  STRING.  Name of the software.

* version
> Optional.  STRING.  Version of the software.

* patch
> Optional.  STRING.  Patch or service pack level of the software.