IODEF-Document |
- version
- lang?
- format-id?
- private-enum-name?
- private-enum-id?
- Incident+
- AdditionalData*
|
|
Incident |
- purpose
- ext-purpose?
- status?
- ext-status?
- lang?
- restriction?
- ext-restriction?
- observable-id?
- IncidentID
- AlternativeID?
- RelatedActivity*
- DetectTime?
- StartTime?
- EndTime?
- RecoveryTime?
- ReportTime?
- GenerationTime
- Description*
- Discovery*
- Assessment*
- Method*
- Contact+
- EventData*
- Indicator*
- History?
- AdditionalData*
|
|
IncidentID |
- id
- name
- instance?
- restriction?
- ext-restriction?
|
|
AlternativeID |
- restriction?
- ext-restriction?
- IncidentID+
|
|
RelatedActivity |
- restriction?
- ext-restriction?
- IncidentID*
- URL*
- ThreatActor*
- Campaign*
- IndicatorID*
- Confidence?
- Description*
- AdditionalData*
|
|
ThreatActor |
- restriction?
- ext-restriction?
- ThreatActorID*
- URL*
- Description*
- AdditionalData*
|
|
Campaign |
- restriction?
- ext-restriction?
- CampaignID*
- URL*
- Description*
- AdditionalData*
|
|
Contact |
- role
- ext-role?
- type
- ext-type?
- restriction?
- ext-restriction?
- ContactName*
- ContactTitle*
- Description*
- RegistryHandle*
- PostalAddress*
- Email*
- Telephone*
- Timezone?
- Contact*
- AdditionalData*
|
|
RegistryHandle |
- handle
- registry
- ext-registry?
|
|
PostalAddress |
- type?
- ext-type?
- PAddress
- Description*
|
|
Email |
- type?
- ext-type?
- EmailTo
- Description*
|
|
Telephone |
- type?
- ext-type?
- TelephoneNumber
- Description*
|
|
Discovery |
- source?
- ext-source?
- restriction?
- ext-restriction?
- Description*
- Contact*
- DetectionPattern*
|
|
DetectionPattern |
- restriction?
- ext-restriction?
- observable-id?
- Application
- Description*
- DetectionConfiguration*
|
|
Method |
- restriction?
- ext-restriction?
- Reference*
- Description*
- AttackPattern*
- Vulnerability*
- Weakness*
- AdditionalData*
|
|
Weakness |
- restriction?
- ext-restriction?
|
|
Reference |
- observable-id?
- ReferenceName?
- URL*
- Description*
|
|
Assessment |
- occurrence?
- restriction?
- ext-restriction?
- observable-id?
- IncidentCategory*
- SystemImpact*
- BusinessImpact*
- TimeImpact*
- MonetaryImpact*
- IntendedImpact*
- Counter*
- MitigatingFactor*
- Cause*
- Confidence?
- AdditionalData*
|
|
SystemImpact |
- severity?
- completion?
- type
- ext-type?
- Description*
|
|
BusinessImpact |
- severity?
- ext-severity?
- type
- ext-type?
- Description*
|
|
TimeImpact |
- value
- severity?
- metric
- ext-metric?
- duration?
- ext-duration?
|
|
MonetaryImpact |
- value
- severity?
- currency?
|
|
Confidence |
|
|
History |
- restriction?
- ext-restriction?
- HistoryItem+
|
|
HistoryItem |
- action
- ext-action?
- restriction?
- ext-restriction?
- observable-id?
- DateTime
- IncidentID?
- Contact?
- Description*
- DefinedCOA*
- AdditionalData*
|
|
EventData |
- restriction?
- ext-restriction?
- observable-id?
- Description*
- DetectTime?
- StartTime?
- EndTime?
- RecoveryTime?
- ReportTime?
- Contact*
- Discovery*
- Assessment?
- Method*
- System*
- Expectation*
- RecordData*
- EventData*
- AdditionalData*
|
|
Expectation |
- action?
- ext-action?
- severity?
- restriction?
- ext-restriction?
- observable-id?
- Description*
- DefinedCOA*
- StartTime?
- EndTime?
- Contact?
|
|
System |
- category?
- ext-category?
- interface?
- spoofed?
- virtual?
- ownership?
- ext-ownership?
- restriction?
- ext-restriction?
- Node
- NodeRole*
- Service*
- OperatingSystem*
- Counter*
- AssetID*
- Description*
- AdditionalData*
|
|
Node |
- DomainData*
- Address*
- PostalAddress?
- Location*
- Counter*
|
|
Address |
- value
- category
- ext-category?
- vlan-name?
- vlan-num?
- observable-id?
|
|
NodeRole |
- category
- ext-category?
- Description*
|
|
Counter |
- value
- type
- ext-type?
- unit
- ext-unit?
- meaning?
- duration?
- ext-duration?
|
|
DomainData |
- system-status
- ext-system-status?
- domain-status
- ext-domain-status?
- observable-id?
- Name
- DateDomainWasChecked?
- RegistrationDate?
- ExpirationDate?
- RelatedDNS*
- Nameservers*
- DomainContacts?
|
|
Nameservers |
|
|
DomainContacts |
- SameDomainContact?
- Contact+
|
|
Service |
- ip-protocol?
- observable-id?
- ServiceName?
- Port?
- Portlist?
- ProtoCode?
- ProtoType?
- ProtoField?
- ApplicationHeaderField*
- EmailData?
- Application?
|
|
ServiceName |
- IANAService?
- URL*
- Description*
|
|
EmailData |
- observable-id?
- EmailTo*
- EmailFrom?
- EmailSubject?
- EmailX-Mailer?
- EmailHeaderField*
- EmailHeaders?
- EmailBody?
- EmailMessage?
- HashData*
- Signature*
|
|
RecordData |
- restriction?
- ext-restriction?
- observable-id?
- DateTime?
- Description*
- Application?
- RecordPattern*
- RecordItem*
- URL*
- FileData*
- WindowsRegistryKeysModified*
- CertificateData*
- AdditionalData*
|
|
RecordPattern |
- type
- ext-type?
- offset?
- offsetunit?
- ext-offsetunit?
- instance?
- value
|
|
WindowsRegistryKeysModified |
|
|
Key |
- registryaction?
- ext-registryaction?
- observable-id?
- KeyName
- KeyValue?
|
|
CertificateData |
- restriction?
- ext-restriction?
- observable-id?
- Certificate+
|
|
Certificate |
- observable-id?
- X509Data
- Description*
|
|
FileData |
- restriction?
- ext-restriction?
- observable-id?
- File+
|
|
File |
- observable-id?
- FileName?
- FileSize?
- FileType?
- URL*
- HashData?
- Signature*
- AssociatedSoftware?
- FileProperties*
|
|
HashData |
- scope
- HashTargetID?
- Hash*
- FuzzyHash*
|
|
Hash |
- DigestMethod
- DigestValue
- CanonicalizationMethod?
- Application?
|
|
FuzzyHash |
- FuzzyHashValue+
- Application?
- AdditionalData*
|
|
Indicator |
- restriction?
- ext-restriction?
- IndicatorID
- AlternativeIndicatorID*
- Description*
- StartTime?
- EndTime?
- Confidence?
- Contact*
- Observable?
- uid-ref?
- IndicatorExpression?
- IndicatorReference?
- NodeRole*
- AttackPhase*
- Reference*
- AdditionalData*
|
|
IndicatorID |
|
|
AlternativeIndicatorID |
- restriction?
- ext-restriction?
- IndicatorID+
|
|
Observable |
- restriction?
- ext-restriction?
- System?
- Address?
- DomainData?
- Service?
- EmailData?
- WindowsRegistryKeysModified?
- FileData?
- CertificateData?
- RegistryHandle?
- RecordData?
- EventData?
- Incident?
- Expectation?
- Reference?
- Assessment?
- DetectionPattern?
- HistoryItem?
- BulkObservable?
- AdditionalData*
|
|
BulkObservable |
- type?
- ext-type?
- BulkObservableFormat?
- BulkObservableList
- AdditionalData*
|
|
BulkObservableFormat |
|
|
IndicatorExpression |
- operator?
- ext-operator?
- IndicatorExpression*
- Observable*
- uid-ref*
- IndicatorReference*
- Confidence?
- AdditionalData*
|
|
IndicatorReference |
- uid-ref?
- euid-ref?
- version?
|
|
AttackPhase |
- AttackPhaseID*
- URL*
- Description*
- AdditionalData*
|
|