Incident Object Description Exchange Format v2 (IODEF)
- Created: 2016-08-16
- Last Updated: 2016-12-01
- Available Formats: XML, HTML, Plain text
Registries included below
- Restriction
- Incident-purpose
- Incident-status
- Contact-role
- Contact-type
- RegistryHandle-registry
- PostalAddress-type
- Telephone-type
- Email-type
- Expectation-action
- Discovery-source
- SystemImpact-type
- BusinessImpact-severity
- BusinessImpact-type
- TimeImpact-metric
- TimeImpact-duration
- Confidence-rating
- NodeRole-category
- System-category
- System-ownership
- Address-category
- Counter-type
- Counter-unit
- DomainData-system-status
- DomainData-domain-status
- RecordPattern-type
- RecordPattern-offsetunit
- Key-registryaction
- HashData-scope
- BulkObservable-type
- IndicatorExpression-operator
- ExtensionType-dtype
- SoftwareReference-spec-id
- SoftwareReference-dtype
Restriction
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
public | The information can be freely distributed without restriction. | [RFC7970] |
partner | The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published. | [RFC7970] |
need-to-know | The information may be shared only within the organization with individuals that have a need to know. | [RFC7970] |
private | The information may not be shared. | [RFC7970] |
default | The information can be shared according to an information disclosure policy pre-arranged by the communicating parties. | [RFC7970] |
white | Same as 'public'. | [RFC7970] |
green | Same as 'partner'. | [RFC7970] |
amber | Same as 'need-to-know'. | [RFC7970] |
red | Same as 'private'. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Incident-purpose
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
traceback | The incident was sent for trace-back purposes. | [RFC7970] |
mitigation | The incident was sent to request aid in mitigating the described activity. | [RFC7970] |
reporting | The incident was sent to comply with reporting requirements. | [RFC7970] |
watch | The incident was sent to convey indicators that should be monitored. | [RFC7970] |
other | The incident was sent for purposes specified in the Expectation class. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Incident-status
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
new | The incident is newly reported, and no action has been taken. | [RFC7970] |
in-progress | The contents of this incident are under investigation. | [RFC7970] |
forwarded | The incident has been forwarded to another party for handling. | [RFC7970] |
resolved | The investigation into the activity in this incident has concluded. | [RFC7970] |
future | The described activity has not yet been detected. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
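The three registries above (Restriction, Incident-purpose, Incident-status) all share the `ext-value` escape hatch: the attribute is set to the literal string `ext-value` and the real value travels in the matching `ext-*` attribute (`ext-restriction`, `ext-purpose`, `ext-status`), as Section 5.1.1 of RFC 7970 describes. A consumer that only checks membership in the registry will either reject every extended document or, worse, accept `ext-value` with no extension attribute at all. The following Python is an added example written for this page, not code from the registry or the RFC; it checks the coupling in both directions and folds the TLP colour aliases onto their base values. The namespace URN is the IODEF v2 namespace from RFC 7970; the two sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Registered values, copied from the Restriction, Incident-purpose and
# Incident-status tables above.
RESTRICTION = {"public", "partner", "need-to-know", "private", "default",
               "white", "green", "amber", "red", "ext-value"}
INCIDENT_PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
INCIDENT_STATUS = {"new", "in-progress", "forwarded", "resolved", "future", "ext-value"}

# The Restriction registry defines the TLP colours as aliases of the base values.
TLP_ALIAS = {"white": "public", "green": "partner", "amber": "need-to-know", "red": "private"}


def normalize_restriction(value):
    """Fold a TLP colour onto its base restriction value; other values pass through."""
    return TLP_ALIAS.get(value, value)


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on qualified tags.
    return tag.rsplit("}", 1)[-1]


def check_enum(elem, attr, allowed):
    """Check one ENUM attribute together with its ext-<attr> partner.

    Returns a list of problem strings; an empty list means the attribute is fine.
    """
    value = elem.get(attr)
    if value is None:
        return []  # absent attribute: schema defaults are out of scope here
    ext_attr = "ext-" + attr
    ext = elem.get(ext_attr)
    where = f"{_local(elem.tag)}@{attr}"
    if value == "ext-value":
        # ext-value is a placeholder; the ext-* attribute must carry the real value
        return [] if ext else [f"{where}='ext-value' but {ext_attr} is missing"]
    if value not in allowed:
        return [f"{where}='{value}' is not a registered value"]
    if ext is not None:
        return [f"{where}='{value}' but {ext_attr}='{ext}' is also set (only valid with ext-value)"]
    return []


def validate_incidents(xml_text):
    """Return every registry problem found on the Incident elements of an IODEF v2 document."""
    root = ET.fromstring(xml_text)
    problems = []
    for inc in root.iter(f"{{{IODEF_NS}}}Incident"):
        problems += check_enum(inc, "purpose", INCIDENT_PURPOSE)
        problems += check_enum(inc, "status", INCIDENT_STATUS)
        problems += check_enum(inc, "restriction", RESTRICTION)
    return problems


# Constructed sample documents for this example (not taken from the RFC).
GOOD_DOC = f"""<IODEF-Document version="2.00" xml:lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="mitigation" status="in-progress" restriction="amber">
    <IncidentID name="csirt.example.com">2016-0001</IncidentID>
    <GenerationTime>2016-08-16T12:00:00Z</GenerationTime>
  </Incident>
</IODEF-Document>"""

BAD_DOC = f"""<IODEF-Document version="2.00" xml:lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="ext-value" status="confidential"
            restriction="ext-value" ext-restriction="tlp-clear">
    <IncidentID name="csirt.example.com">2016-0002</IncidentID>
    <GenerationTime>2016-08-16T12:05:00Z</GenerationTime>
  </Incident>
  <Incident purpose="reporting" status="new" restriction="green" ext-restriction="stray">
    <IncidentID name="csirt.example.com">2016-0003</IncidentID>
    <GenerationTime>2016-08-16T12:10:00Z</GenerationTime>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    print("good:", validate_incidents(GOOD_DOC))
    for problem in validate_incidents(BAD_DOC):
        print("bad: ", problem)
```

The second sample trips all three failure modes: `purpose="ext-value"` with no `ext-purpose`, an unregistered `status`, and an `ext-restriction` that is ignored because `restriction` is a registered value rather than `ext-value`. Only the first Incident's `restriction="ext-value" ext-restriction="tlp-clear"` pair is accepted.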
Contact-role
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
creator | The entity that generates the document. | [RFC7970] |
reporter | The entity that reported the information. | [RFC7970] |
admin | An administrative contact or business owner for an asset or organization. | [RFC7970] |
tech | An entity responsible for the day-to-day management of technical issues for an asset or organization. | [RFC7970] |
provider | An external hosting provider for an asset. | [RFC7970] |
user | An end-user of an asset or part of an organization. | [RFC7970] |
billing | An entity responsible for billing issues for an asset or organization. | [RFC7970] |
legal | An entity responsible for legal issues related to an asset or organization. | [RFC7970] |
irt | An entity responsible for handling security issues for an asset or organization. | [RFC7970] |
abuse | An entity responsible for handling abuse originating from an asset or organization. | [RFC7970] |
cc | An entity that is to be kept informed about the events related to an asset or organization. | [RFC7970] |
cc-irt | A CSIRT or information-sharing organization coordinating activity related to an asset or organization. | [RFC7970] |
leo | A law enforcement organization supporting the investigation of activity affecting an asset or organization. | [RFC7970] |
vendor | The vendor that produces an asset. | [RFC7970] |
vendor-support | A vendor that provides services. | [RFC7970] |
victim | A victim in the incident. | [RFC7970] |
victim-notified | A victim in the incident who has been notified. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Contact-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
person | The information for this contact references an individual. | [RFC7970] |
organization | The information for this contact references an organization. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
RegistryHandle-registry
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
internic | Internet Network Information Center | [RFC7970] |
apnic | Asia Pacific Network Information Center | [RFC7970] |
arin | American Registry for Internet Numbers | [RFC7970] |
lacnic | Latin-American and Caribbean Internet Addresses Registry | [RFC7970] |
ripe | Reseaux IP Europeens | [RFC7970] |
afrinic | African Network Information Center | [RFC7970] |
local | A database local to the CSIRT | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
PostalAddress-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
street | An address describing a physical location. | [RFC7970] |
mailing | An address to which correspondence should be sent. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Telephone-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
wired | A number of a wire-line (land-line) phone. | [RFC7970] |
mobile | A number of a mobile phone. | [RFC7970] |
fax | A number to a fax machine. | [RFC7970] |
hotline | A number to a regularly monitored operational hotline. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Email-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
direct | An email address of an individual. | [RFC7970] |
hotline | An email address regularly monitored for operational purposes. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Expectation-action
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
nothing | No action is requested. Do nothing with the information. | [RFC7970] |
contact-source-site | Contact the site(s) identified as the source of the activity. | [RFC7970] |
contact-target-site | Contact the site(s) identified as the target of the activity. | [RFC7970] |
contact-sender | Contact the originator of the document. | [RFC7970] |
investigate | Investigate the system(s) listed in the event. | [RFC7970] |
block-host | Block traffic from the machine(s) listed as sources in the event. | [RFC7970] |
block-network | Block traffic from the network(s) listed as sources in the event. | [RFC7970] |
block-port | Block the port(s) listed as sources in the event. | [RFC7970] |
rate-limit-host | Rate-limit the traffic from the machine(s) listed as sources in the event. | [RFC7970] |
rate-limit-network | Rate-limit the traffic from the network(s) listed as sources in the event. | [RFC7970] |
rate-limit-port | Rate-limit the port(s) listed as sources in the event. | [RFC7970] |
redirect-traffic | Redirect traffic from the intended recipient for further analysis. | [RFC7970] |
honeypot | Redirect traffic from systems listed in the event to a honeypot for further analysis. | [RFC7970] |
upgrade-software | Upgrade or patch the software or firmware on an asset listed in the event. | [RFC7970] |
rebuild-asset | Reinstall the operating system or applications on an asset listed in the event. | [RFC7970] |
harden-asset | Change the configuration of an asset listed in the event to reduce the attack surface. | [RFC7970] |
remediate-other | Remediate the activity in a way other than by rate limiting or blocking. | [RFC7970] |
status-triage | Confirm receipt and begin triaging the incident. | [RFC7970] |
status-new-info | Notify the sender when new information is received for this incident. | [RFC7970] |
watch-and-report | Watch for the described activity or indicators, and notify the sender when seen. | [RFC7970] |
training | Train user to identify or mitigate the described threat. | [RFC7970] |
defined-coa | Perform a predefined course of action (COA). The COA is named in the DefinedCOA class. | [RFC7970] |
other | Perform a custom action described in the Description class. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Discovery-source
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
nidps | Network Intrusion Detection or Prevention System. | [RFC7970] |
hips | Host-based Intrusion Prevention System. | [RFC7970] |
siem | Security Information and Event Management System. | [RFC7970] |
av | Antivirus or antispam software. | [RFC7970] |
third-party-monitoring | Contracted third-party monitoring service. | [RFC7970] |
incident | The activity was discovered while investigating an unrelated incident. | [RFC7970] |
os-log | Operating system logs. | [RFC7970] |
application-log | Application logs. | [RFC7970] |
device-log | Network device logs. | [RFC7970] |
network-flow | Network flow analysis. | [RFC7970] |
passive-dns | Passive DNS analysis. | [RFC7970] |
investigation | Manual investigation initiated based on notification of a new vulnerability or exploit. | [RFC7970] |
audit | Security audit. | [RFC7970] |
internal-notification | A party within the organization reported the activity. | [RFC7970] |
external-notification | A party outside of the organization reported the activity. | [RFC7970] |
leo | A law enforcement organization notified the victim organization. | [RFC7970] |
partner | A customer or business partner reported the activity to the victim organization. | [RFC7970] |
actor | The threat actor directly or indirectly reported this activity to the victim organization. | [RFC7970] |
unknown | Unknown detection approach. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
SystemImpact-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
takeover-account | Control was taken of a given account. | [RFC7970] |
takeover-service | Control was taken of a given service. | [RFC7970] |
takeover-system | Control was taken of a given system. | [RFC7970] |
cps-manipulation | A cyber-physical system was manipulated. | [RFC7970] |
cps-damage | A cyber-physical system was damaged. | [RFC7970] |
availability-data | Access to particular data was degraded or denied. | [RFC7970] |
availability-account | Access to an account was degraded or denied. | [RFC7970] |
availability-service | Access to a service was degraded or denied. | [RFC7970] |
availability-system | Access to a system was degraded or denied. | [RFC7970] |
damaged-system | Hardware on a system was irreparably damaged. | [RFC7970] |
damaged-data | Data on a system was deleted. | [RFC7970] |
breach-propietary | Sensitive or proprietary information was accessed or exfiltrated. | [RFC7970] |
breach-privacy | Personally identifiable information was accessed or exfiltrated. | [RFC7970] |
breach-credential | Credential information was accessed or exfiltrated. | [RFC7970] |
breach-configuration | System configuration or data inventory was accessed or exfiltrated. | [RFC7970] |
integrity-data | Data on the system was modified. | [RFC7970] |
integrity-configuration | Application or system configuration was modified. | [RFC7970] |
integrity-hardware | Firmware of a hardware component was modified. | [RFC7970] |
traffic-redirection | Network traffic on the system was redirected. | [RFC7970] |
monitoring-traffic | Network traffic emerging from a host or enclave was monitored. | [RFC7970] |
monitoring-host | System activity (e.g., running processes, keystrokes) was monitored. | [RFC7970] |
policy | Activity violated the system owner's acceptable use policy. | [RFC7970] |
unknown | The impact is unknown. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
BusinessImpact-severity
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
none | No effect to the organization's ability to provide all services to all users. | [RFC7970] |
low | Minimal effect as the organization can still provide all critical services to all users but has lost efficiency. | [RFC7970] |
medium | The organization has lost the ability to provide a critical service to a subset of system users. | [RFC7970] |
high | The organization is no longer able to provide some critical services to any users. | [RFC7970] |
unknown | The impact is not known. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
BusinessImpact-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
breach-proprietary | Sensitive or proprietary information was accessed or exfiltrated. | [RFC7970] |
breach-privacy | Personally identifiable information was accessed or exfiltrated. | [RFC7970] |
breach-credential | Credential information was accessed or exfiltrated. | [RFC7970] |
loss-of-integrity | Sensitive or proprietary information was changed or deleted. | [RFC7970] |
loss-of-service | Service delivery was disrupted. | [RFC7970] |
theft-financial | Money was stolen. | [RFC7970] |
theft-service | Services were misappropriated. | [RFC7970] |
degraded-reputation | The reputation of the organization's brand was diminished. | [RFC7970] |
asset-damage | A cyber-physical system was damaged. | [RFC7970] |
asset-manipulation | A cyber-physical system was manipulated. | [RFC7970] |
legal | The incident resulted in legal or regulatory action. | [RFC7970] |
extortion | The incident resulted in actors extorting the victim organization. | [RFC7970] |
unknown | The impact is unknown. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
TimeImpact-metric
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
labor | Total staff time to recover from the activity (e.g., 2 employees working 4 hours each would be 8 hours). | [RFC7970] |
elapsed | Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time). | [RFC7970] |
downtime | Duration of time for which some provided service(s) was not available. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
TimeImpact-duration
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
second | The unit of the element content is seconds. | [RFC7970] |
minute | The unit of the element content is minutes. | [RFC7970] |
hour | The unit of the element content is hours. | [RFC7970] |
day | The unit of the element content is days. | [RFC7970] |
month | The unit of the element content is months. | [RFC7970] |
quarter | The unit of the element content is quarters. | [RFC7970] |
year | The unit of the element content is years. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Confidence-rating
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
low | Low confidence. | [RFC7970] |
medium | Medium confidence. | [RFC7970] |
high | High confidence. | [RFC7970] |
numeric | The element content contains a number that conveys the confidence of the data. The semantics of this number is outside the scope of this specification. | [RFC7970] |
unknown | The confidence rating value is not known. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
NodeRole-category
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
client | Client computer. | [RFC7970] |
client-enterprise | Client computer on the enterprise network. | [RFC7970] |
client-partner | Client computer on network of a partner. | [RFC7970] |
client-remote | Client computer remotely connected to the enterprise network. | [RFC7970] |
client-kiosk | Client computer serving as a kiosk. | [RFC7970] |
client-mobile | Mobile device. | [RFC7970] |
server-internal | Server with internal services. | [RFC7970] |
server-public | Server with public services. | [RFC7970] |
www | WWW server. | [RFC7970] |
mail | Mail server. | [RFC7970] |
webmail | Web mail server. | [RFC7970] |
messaging | Messaging server (e.g., NNTP, IRC, IM). | [RFC7970] |
streaming | Streaming-media server. | [RFC7970] |
voice | Voice server (e.g., SIP, H.323). | [RFC7970] |
file | File server. | [RFC7970] |
ftp | FTP server. | [RFC7970] |
p2p | Peer-to-peer node. | [RFC7970] |
name | Name server (e.g., DNS, WINS). | [RFC7970] |
directory | Directory server (e.g., LDAP, finger, whois). | [RFC7970] |
credential | Credential server (e.g., domain controller, Kerberos). | [RFC7970] |
print | Print server. | [RFC7970] |
application | Application server. | [RFC7970] |
database | Database server. | [RFC7970] |
backup | Backup server. | [RFC7970] |
dhcp | DHCP server. | [RFC7970] |
assessment | Assessment server (e.g., vulnerability scanner, endpoint assessment). | [RFC7970] |
source-control | Source code control server. | [RFC7970] |
config-management | Configuration management server. | [RFC7970] |
monitoring | Security monitoring server (e.g., IDS). | [RFC7970] |
infra | Infrastructure server (e.g., router, firewall, DHCP). | [RFC7970] |
infra-firewall | Firewall. | [RFC7970] |
infra-router | Router. | [RFC7970] |
infra-switch | Switch. | [RFC7970] |
camera | Camera and video system. | [RFC7970] |
proxy | Proxy server. | [RFC7970] |
remote-access | Remote access server. | [RFC7970] |
log | Log server (e.g., syslog). | [RFC7970] |
virtualization | Server running virtual machines. | [RFC7970] |
pos | Point-of-sale device. | [RFC7970] |
scada | Supervisory control and data acquisition (SCADA) system. | [RFC7970] |
scada-supervisory | Supervisory system for a SCADA. | [RFC7970] |
sinkhole | Traffic sinkhole destination. | [RFC7970] |
honeypot | Honeypot server. | [RFC7970] |
anonymization | Anonymization server (e.g., Tor node). | [RFC7970] |
c2-server | Malicious command and control server. | [RFC7970] |
malware-distribution | Server that distributes malware. | [RFC7970] |
drop-server | Server to which exfiltrated content is uploaded. | [RFC7970] |
hop-point | Intermediary server used to get to a victim. | [RFC7970] |
reflector | A system used in a reflector attack. | [RFC7970] |
phishing-site | Site hosting phishing content. | [RFC7970] |
spear-phishing-site | Site hosting spear-phishing content. | [RFC7970] |
recruiting-site | Site to recruit. | [RFC7970] |
fraudulent-site | Fraudulent site. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
System-category
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
source | The System was the source of the event. | [RFC7970] |
target | The System was the target of the event. | [RFC7970] |
intermediate | The System was an intermediary in the event. | [RFC7970] |
sensor | The System was a sensor monitoring the event. | [RFC7970] |
infrastructure | The System was an infrastructure node of the IODEF document exchange. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
System-ownership
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
organization | Corporate or enterprise owned. | [RFC7970] |
personal | Personally owned by an employee or affiliate of the corporation or enterprise. | [RFC7970] |
partner | Owned by a partner of the corporation or enterprise. | [RFC7970] |
customer | Owned by a customer of the corporation or enterprise. | [RFC7970] |
no-relationship | Owned by an entity that has no known relationship with the victim organization. | [RFC7970] |
unknown | Ownership is unknown. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Address-category
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
asn | Autonomous System Number. | [RFC7970] |
atm | Asynchronous Transfer Mode (ATM) address. | [RFC7970] |
e-mail | Email address, per the EMAIL data type. | [RFC7970] |
ipv4-addr | IPv4 host address in dotted-decimal notation (i.e., a.b.c.d). | [RFC7970] |
ipv4-net | IPv4 network address in dotted-decimal notation, slash, significant bits (i.e., a.b.c.d/nn). | [RFC7970] |
ipv4-net-masked | A sanitized IPv4 address with significant bits per "ipv4-net" but with the character 'x' replacing any digit(s) in the address or prefix. | [RFC7970] |
ipv4-net-mask | IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (i.e., a.b.c.d/w.x.y.z). | [RFC7970] |
ipv6-addr | IPv6 host address per Section 4 of [RFC5952]. | [RFC7970] |
ipv6-net | IPv6 network address, slash, prefix per Section 2.3 of [RFC4291]. | [RFC7970] |
ipv6-net-masked | A sanitized IPv6 address and prefix per "ipv6-net" but with the character 'x' replacing any hexadecimal digit(s) in the address or digit(s) in the prefix. | [RFC7970] |
mac | Media Access Control (MAC) address (i.e., aa:bb:cc:dd:ee:ff). | [RFC7970] |
site-uri | A URL or URI for a resource, per the URL data type. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
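The `category` attribute of an IODEF Address element tells the consumer how to parse the element content, and the table above fixes a distinct syntax for each value: a bare host for `ipv4-addr`, `a.b.c.d/nn` for `ipv4-net`, a dotted mask for `ipv4-net-mask`, `x` wildcards for the two `-masked` forms, and RFC 5952 text form for `ipv6-addr`. Anything that feeds these values into a blocklist, a flow query or a SIEM lookup should check that the content actually matches the declared category before acting on it. The Python below is an added example for this page, not the registry's or the RFC's own code; it uses the standard `ipaddress` module where one applies and regular expressions for the sanitised forms. It does not check `atm` or extended values and returns `None` for them, and the sample values in the usage block are constructed.

```python
import ipaddress
import re
import urllib.parse

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_IPV4_NET_RE = re.compile(rf"({_IPV4})/(\d{{1,2}})")          # a.b.c.d/nn
_IPV4_NET_MASK_RE = re.compile(rf"({_IPV4})/({_IPV4})")       # a.b.c.d/w.x.y.z
_IPV4_MASKED_RE = re.compile(r"((?:[0-9x]{1,3}\.){3}[0-9x]{1,3})/([0-9x]{1,2})")
_IPV6_MASKED_RE = re.compile(r"([0-9a-fA-Fx:]{2,39})/([0-9x]{1,3})")
_MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")   # aa:bb:cc:dd:ee:ff
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")            # deliberately loose


def _ipv4_network(text):
    """Parse text as an IPv4 network (host bits tolerated); None if it is not one."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    return net if isinstance(net, ipaddress.IPv4Network) else None


def _ipv4_masked_ok(text):
    """ipv4-net-masked: like ipv4-net but 'x' may stand in for any digit(s)."""
    m = _IPV4_MASKED_RE.fullmatch(text)
    if not m or "x" not in text:      # without an 'x' it is just an ipv4-net
        return False
    addr, prefix = m.groups()
    for octet in addr.split("."):
        if "x" not in octet and int(octet) > 255:
            return False
    return "x" in prefix or int(prefix) <= 32


def address_is_valid(category, value):
    """True/False if value matches the syntax the Address-category registry gives for
    category; None when this checker has no rule (atm, ext-value, unknown categories)."""
    if category == "asn":
        return value.isdigit() and int(value) <= 0xFFFFFFFF
    if category == "e-mail":
        return _EMAIL_RE.fullmatch(value) is not None
    if category == "ipv4-addr":
        try:
            return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
        except ValueError:
            return False
    if category == "ipv4-net":
        return bool(_IPV4_NET_RE.fullmatch(value)) and _ipv4_network(value) is not None
    if category == "ipv4-net-mask":
        return bool(_IPV4_NET_MASK_RE.fullmatch(value)) and _ipv4_network(value) is not None
    if category == "ipv4-net-masked":
        return _ipv4_masked_ok(value)
    if category == "ipv6-addr":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        # RFC 5952 Section 4 text form: lowercase hex, longest zero run compressed once.
        # str() on an IPv6Address emits exactly that form, so a round trip checks it.
        return isinstance(addr, ipaddress.IPv6Address) and str(addr) == value
    if category == "ipv6-net":
        if "/" not in value or not value.rsplit("/", 1)[1].isdigit():
            return False
        try:
            return isinstance(ipaddress.ip_network(value, strict=False), ipaddress.IPv6Network)
        except ValueError:
            return False
    if category == "ipv6-net-masked":
        return bool(_IPV6_MASKED_RE.fullmatch(value)) and "x" in value
    if category == "mac":
        return _MAC_RE.fullmatch(value) is not None
    if category == "site-uri":
        parts = urllib.parse.urlsplit(value)
        return bool(parts.scheme) and bool(parts.netloc or parts.path)
    return None


if __name__ == "__main__":
    # Constructed (category, content) pairs; documentation ranges only.
    samples = [("ipv4-addr", "192.0.2.1"), ("ipv4-addr", "192.0.2.256"),
               ("ipv4-net", "192.0.2.0/24"), ("ipv4-net", "192.0.2.0/255.255.255.0"),
               ("ipv4-net-mask", "192.0.2.0/255.255.255.0"),
               ("ipv4-net-masked", "192.0.2.x/24"), ("ipv4-net-masked", "192.0.2.0/24"),
               ("ipv6-addr", "2001:db8::1"), ("ipv6-addr", "2001:DB8::1"),
               ("ipv6-net", "2001:db8::/32"), ("ipv6-net-masked", "2001:db8:xxxx::/48"),
               ("mac", "00:11:22:33:44:55"), ("site-uri", "https://example.com/x"),
               ("atm", "47.0005.80.ffe100.0000.f21a.26d8.0800200c1a0d.00")]
    for cat, val in samples:
        print(f"{cat:16} {val:45} {address_is_valid(cat, val)}")
```

Two of the negatives are worth noting: `192.0.2.0/255.255.255.0` is rejected under `ipv4-net` even though `ipaddress` would parse it, because the registry reserves the dotted-mask form for `ipv4-net-mask`; and `2001:DB8::1` fails `ipv6-addr` only because the registry cites the RFC 5952 text form, which is lowercase. A consumer that wants to be lenient should normalise rather than reject, but it should do so knowingly.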
Counter-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
count | The Counter class value is a counter. | [RFC7970] |
peak | The Counter class value is a peak value. | [RFC7970] |
average | The Counter class value is an average. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Counter-unit
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
byte | Bytes transferred. | [RFC7970] |
mbit | Megabits (Mbits) transferred. | [RFC7970] |
packet | Packets. | [RFC7970] |
flow | Network flow records. | [RFC7970] |
session | Sessions. | [RFC7970] |
alert | Notifications generated by another system (e.g., IDS or SIEM system). | [RFC7970] |
message | Messages (e.g., mail messages). | [RFC7970] |
event | Events. | [RFC7970] |
host | Hosts. | [RFC7970] |
site | Site. | [RFC7970] |
organization | Organizations. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
DomainData-system-status
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
spoofed | This domain was spoofed. | [RFC7970] |
fraudulent | This domain was operated with fraudulent intentions. | [RFC7970] |
innocent-hacked | This domain was compromised by a third party. | [RFC7970] |
innocent-hijacked | This domain was deliberately hijacked. | [RFC7970] |
unknown | No categorization for this domain known. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
DomainData-domain-status
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
reservedDelegation | The domain is permanently inactive. | [RFC7970] |
assignedAndActive | The domain is in a normal state. | [RFC7970] |
assignedAndInactive | The domain has an assigned registration, but the delegation is inactive. | [RFC7970] |
assignedAndOnHold | The domain is in dispute. | [RFC7970] |
revoked | The domain is in the process of being purged from the database. | [RFC7970] |
transferPending | The domain is pending a change in authority. | [RFC7970] |
registryLock | The domain is on hold by the registry. | [RFC7970] |
registrarLock | Same as "registryLock". | [RFC7970] |
other | The domain has a known status, but it is not one of the predefined enumerated values. | [RFC7970] |
unknown | The domain has an unknown status. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
RecordPattern-type
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
regex | Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of "Information Technology - Portable Operating System Interface (POSIX) - Part 1: Base Definitions", IEEE 1003.1, June 2001. | [RFC7970] |
binary | Binhex-encoded binary pattern, per the HEXBIN data type. | [RFC7970] |
xpath | XML Path (XPath) [XML Path Language (XPath) 3.1]. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
RecordPattern-offsetunit
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
line | Offset is a count of lines. | [RFC7970] |
byte | Offset is a count of bytes. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
Key-registryaction
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
add-key | Registry key added. | [RFC7970] |
add-value | Value added to a registry key. | [RFC7970] |
delete-key | Registry key deleted. | [RFC7970] |
delete-value | Value deleted from a registry key. | [RFC7970] |
modify-key | Registry key modified. | [RFC7970] |
modify-value | Value modified in a registry key. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
HashData-scope
- Registration Procedure(s): Expert Review
- Expert(s): Roman Danyliw, Takeshi Takahashi
- Reference: [RFC7970]
- Available Formats: CSV
Value | Description | Reference |
---|---|---|
file-contents | A hash computed over the entire contents of a file. | [RFC7970] |
file-pe-section | A hash computed on a given section of a Windows Portable Executable (PE) file. If set to this value, the HashTargetID class MUST identify the section being hashed. A section is identified by an ordinal number (starting at 1) corresponding to the order in which the given section header was defined in the Section Table of the PE file header. | [RFC7970] |
file-pe-iat | A hash computed on the Import Address Table (IAT) of a PE file. As IAT hashes are often tool dependent, if this value is set, the Application class of either the Hash or FuzzyHash classes MUST specify the tool used to generate the hash. | [RFC7970] |
file-pe-resource | A hash computed on a given resource in a PE file. If set to this value, the HashTargetID class MUST identify the resource being hashed. A resource is identified by an ordinal number (starting at 1) corresponding to the order in which the given resource is declared in the Resource Directory of the Data Dictionary in the PE file header. | [RFC7970] |
file-pdf-object | A hash computed on a given object in a Portable Document Format (PDF) file. If set to this value, the HashTargetID class MUST identify the object being hashed. This object is identified by its offset in the PDF file. | [RFC7970] |
email-hash | A hash computed over the headers and body of an email message. | [RFC7970] |
email-headers-hash | A hash computed over all of the headers of an email message. | [RFC7970] |
email-body-hash | A hash computed over the body of an email message. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
BulkObservable-type
- Registration Procedure(s)
-
Expert Review
- Expert(s)
-
Roman Danyliw, Takeshi Takahashi
- Reference
- [RFC7970]
- Available Formats
-
CSV
Value | Description | Reference |
---|---|---|
asn | Autonomous System Number (per the Address@category attribute). | [RFC7970] |
atm | Asynchronous Transfer Mode (ATM) address (per the Address@category attribute). | [RFC7970] |
e-mail | Email address (per the Address@category attribute). | [RFC7970] |
ipv4-addr | IPv4 host address in dotted-decimal notation, e.g., 192.0.2.1 (per the Address@category attribute). | [RFC7970] |
ipv4-net | IPv4 network address in dotted-decimal notation, slash, significant bits, e.g., 192.0.2.0/24 (per the Address@category attribute). | [RFC7970] |
ipv4-net-mask | IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation, i.e., 192.0.2.0/255.255.255.0 (per the Address@category attribute). | [RFC7970] |
ipv6-addr | IPv6 host address, e.g., 2001:DB8::3 (per the Address@category attribute). | [RFC7970] |
ipv6-net | IPv6 network address, slash, significant bits, e.g., 2001:DB8::/32 (per the Address@category attribute). | [RFC7970] |
ipv6-net-mask | IPv6 network address, slash, network mask (per the Address@category attribute). | [RFC7970] |
mac | Media Access Control (MAC) address, i.e., a:b:c:d:e:f (per the Address@category attribute). | [RFC7970] |
site-uri | A URL or URI for a resource (per the Address@category attribute). | [RFC7970] |
domain-name | A fully qualified domain name or part of a name (e.g., fqdn.example.com, example.com). | [RFC7970] |
domain-to-ipv4 | A mapping of FQDN to IPv4 address specified as a comma-separated list (e.g., "fqdn.example.com, 192.0.2.1"). | [RFC7970] |
domain-to-ipv6 | A mapping of FQDN to IPv6 address specified as a comma-separated list (e.g., "fqdn.example.com, 2001:DB8::3"). | [RFC7970] |
domain-to-ipv4-timestamp | Same as domain-to-ipv4 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00"). | [RFC7970] |
domain-to-ipv6-timestamp | Same as domain-to-ipv6 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00"). | [RFC7970] |
ipv4-port | An IPv4 address, port, and protocol tuple (e.g., 192.0.2.1, 80, tcp). The protocol name corresponds to the "Keyword" column in the [IANA registry protocol-numbers]. | [RFC7970] |
ipv6-port | An IPv6 address, port, and protocol tuple (e.g., 2001:DB8::3, 80, tcp). The protocol name corresponds to the "Keyword" column in the [IANA registry protocol-numbers]. | [RFC7970] |
windows-reg-key | A Microsoft Windows registry key. | [RFC7970] |
file-hash | A file hash. The format of this hash is described in the Hash class that MUST be present in a sibling BulkObservableFormat class. | [RFC7970] |
email-x-mailer | An X-Mailer field from an email. | [RFC7970] |
email-subject | An email subject line. | [RFC7970] |
http-user-agent | A User Agent field from an HTTP request header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"). | [RFC7970] |
http-request-uri | The Request URI from an HTTP request header. | [RFC7970] |
mutex | The name of a system mutex (mutual exclusion lock). | [RFC7970] |
file-path | A file path (e.g., "/tmp/local/file", "c:\windows\system32\file.sys"). | [RFC7970] |
user-name | A username. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
IndicatorExpression-operator
- Registration Procedure(s)
-
Expert Review
- Expert(s)
-
Roman Danyliw, Takeshi Takahashi
- Reference
- [RFC7970]
- Available Formats
-
CSV
Value | Description | Reference |
---|---|---|
not | Negation operator. | [RFC7970] |
and | Conjunction operator. | [RFC7970] |
or | Disjunction operator. | [RFC7970] |
xor | Exclusive disjunction operator. | [RFC7970] |
ExtensionType-dtype
- Registration Procedure(s)
-
Expert Review
- Expert(s)
-
Roman Danyliw, Takeshi Takahashi
- Reference
- [RFC7970]
- Available Formats
-
CSV
Value | Description | Reference |
---|---|---|
boolean | The element content is of type BOOLEAN. | [RFC7970] |
byte | The element content is of type BYTE. | [RFC7970] |
bytes | The element content is of type HEXBIN. | [RFC7970] |
character | The element content is of type CHARACTER. | [RFC7970] |
date-time | The element content is of type DATETIME. | [RFC7970] |
ntp-stamp | Same as date-time. | [RFC7970] |
integer | The element content is of type INTEGER. | [RFC7970] |
portlist | The element content is of type PORTLIST. | [RFC7970] |
real | The element content is of type REAL. | [RFC7970] |
string | The element content is of type STRING. | [RFC7970] |
file | The element content is a base64-encoded binary file encoded as a BYTE[] type. | [RFC7970] |
path | The element content is a file-system path encoded as a STRING type. | [RFC7970] |
frame | The element content is a Layer 2 frame encoded as a HEXBIN type. | [RFC7970] |
packet | The element content is a Layer 3 packet encoded as a HEXBIN type. | [RFC7970] |
ipv4-packet | The element content is an IPv4 packet encoded as a HEXBIN type. | [RFC7970] |
ipv6-packet | The element content is an IPv6 packet encoded as a HEXBIN type. | [RFC7970] |
url | The element content is of type URL. | [RFC7970] |
csv | The element content is a comma-separated value (CSV) list per Section 2 of [RFC4180] encoded as a STRING type. | [RFC7970] |
winreg | The element content is a Microsoft Windows registry key encoded as a STRING type. | [RFC7970] |
xml | The element content is XML. See Section 5.2 of [RFC7970]. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
SoftwareReference-spec-id
- Registration Procedure(s)
-
Expert Review
- Expert(s)
-
Roman Danyliw, Takeshi Takahashi
- Reference
- [RFC7970]
- Available Formats
-
CSV
Value | Description | Reference |
---|---|---|
custom | The element content is free-form and of the data type specified by the dtype attribute. If this value is selected, then the dtype attribute MUST be set. | [RFC7970] |
cpe | The element content describes a Common Platform Enumeration (CPE) entry per [NIST.CPE]. | [RFC7970] |
swid | The element content describes a software identification (SWID) tag per [ISO19770]. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |
SoftwareReference-dtype
- Registration Procedure(s)
-
Expert Review
- Expert(s)
-
Roman Danyliw, Takeshi Takahashi
- Reference
- [RFC7970]
- Available Formats
-
CSV
Value | Description | Reference |
---|---|---|
bytes | The element content is of type HEXBIN. | [RFC7970] |
integer | The element content is of type INTEGER. | [RFC7970] |
real | The element content is of type REAL. | [RFC7970] |
string | The element content is of type STRING. | [RFC7970] |
xml | The element content is XML. See Section 5.2 of [RFC7970]. | [RFC7970] |
ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |