Internet Assigned Numbers Authority

Incident Object Description Exchange Format v2 (IODEF)

Created: 2016-08-16
Last Updated: 2016-12-01

Registries included below

* Restriction
* Incident-purpose
* Incident-status
* Contact-role
* Contact-type
* RegistryHandle-registry
* PostalAddress-type
* Telephone-type
* Email-type
* Expectation-action
* Discovery-source
* SystemImpact-type
* BusinessImpact-severity
* BusinessImpact-type
* TimeImpact-metric
* TimeImpact-duration
* Confidence-rating
* NodeRole-category
* System-category
* System-ownership
* Address-category
* Counter-type
* Counter-unit
* DomainData-system-status
* DomainData-domain-status
* RecordPattern-type
* RecordPattern-offsetunit
* Key-registryaction
* HashData-scope
* BulkObservable-type
* IndicatorExpression-operator
* ExtensionType-dtype
* SoftwareReference-spec-id
* SoftwareReference-dtype

Restriction

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| public | The information can be freely distributed without restriction. | [RFC7970] |
| partner | The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published. | [RFC7970] |
| need-to-know | The information may be shared only within the organization with individuals that have a need to know. | [RFC7970] |
| private | The information may not be shared. | [RFC7970] |
| default | The information can be shared according to an information disclosure policy pre-arranged by the communicating parties. | [RFC7970] |
| white | Same as 'public'. | [RFC7970] |
| green | Same as 'partner'. | [RFC7970] |
| amber | Same as 'need-to-know'. | [RFC7970] |
| red | Same as 'private'. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

Incident-purpose

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| traceback | The incident was sent for trace-back purposes. | [RFC7970] |
| mitigation | The incident was sent to request aid in mitigating the described activity. | [RFC7970] |
| reporting | The incident was sent to comply with reporting requirements. | [RFC7970] |
| watch | The incident was sent to convey indicators that should be monitored. | [RFC7970] |
| other | The incident was sent for purposes specified in the Expectation class. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

Incident-status

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| new | The incident is newly reported, and no action has been taken. | [RFC7970] |
| in-progress | The contents of this incident are under investigation. | [RFC7970] |
| forwarded | The incident has been forwarded to another party for handling. | [RFC7970] |
| resolved | The investigation into the activity in this incident has concluded. | [RFC7970] |
| future | The described activity has not yet been detected. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

Contact-role

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| creator | The entity that generates the document. | [RFC7970] |
| reporter | The entity that reported the information. | [RFC7970] |
| admin | An administrative contact or business owner for an asset or organization. | [RFC7970] |
| tech | An entity responsible for the day-to-day management of technical issues for an asset or organization. | [RFC7970] |
| provider | An external hosting provider for an asset. | [RFC7970] |
| user | An end-user of an asset or part of an organization. | [RFC7970] |
| billing | An entity responsible for billing issues for an asset or organization. | [RFC7970] |
| legal | An entity responsible for legal issues related to an asset or organization. | [RFC7970] |
| irt | An entity responsible for handling security issues for an asset or organization. | [RFC7970] |
| abuse | An entity responsible for handling abuse originating from an asset or organization. | [RFC7970] |
| cc | An entity that is to be kept informed about the events related to an asset or organization. | [RFC7970] |
| cc-irt | A CSIRT or information-sharing organization coordinating activity related to an asset or organization. | [RFC7970] |
| leo | A law enforcement organization supporting the investigation of activity affecting an asset or organization. | [RFC7970] |
| vendor | The vendor that produces an asset. | [RFC7970] |
| vendor-support | A vendor that provides services. | [RFC7970] |
| victim | A victim in the incident. | [RFC7970] |
| victim-notified | A victim in the incident who has been notified. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

Contact-type

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| person | The information for this contact references an individual. | [RFC7970] |
| organization | The information for this contact references an organization. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

RegistryHandle-registry

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| internic | Internet Network Information Center | [RFC7970] |
| apnic | Asia Pacific Network Information Center | [RFC7970] |
| arin | American Registry for Internet Numbers | [RFC7970] |
| lacnic | Latin-American and Caribbean Internet Addresses Registry | [RFC7970] |
| ripe | Reseaux IP Europeens | [RFC7970] |
| afrinic | African Network Information Center | [RFC7970] |
| local | A database local to the CSIRT | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

PostalAddress-type

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| street | An address describing a physical location. | [RFC7970] |
| mailing | An address to which correspondence should be sent. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

Telephone-type

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

| Value | Description | Reference |
|---|---|---|
| wired | A number of a wire-line (land-line) phone. | [RFC7970] |
| mobile | A number of a mobile phone. | [RFC7970] |
| fax | A number to a fax machine. | [RFC7970] |
| hotline | A number to a regularly monitored operational hotline. | [RFC7970] |
| ext-value | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. | [RFC7970] |

Email-type Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference direct An email address of an individual. [RFC7970] hotline An email address regularly monitored for operational purposes. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. Expectation-action Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference nothing No action is requested. Do nothing with the information. [RFC7970] contact-source-site Contact the site(s) identified as the source of the activity. [RFC7970] contact-target-site Contact the site(s) identified as the target of the activity. [RFC7970] contact-sender Contact the originator of the document. [RFC7970] investigate Investigate the system(s) listed in the event. [RFC7970] block-host Block traffic from the machine(s) listed as sources in the event. [RFC7970] block-network Block traffic from the network(s) lists as sources in the event. [RFC7970] block-port Block the port listed as sources in the event. [RFC7970] rate-limit-host Rate-limit the traffic from the machine(s) listed as sources in the event. [RFC7970] rate-limit-network Rate-limit the traffic from the network(s) listed as sources in the event. [RFC7970] rate-limit-port Rate-limit the port(s) listed as sources in the event. [RFC7970] redirect-traffic Redirect traffic from the intended recipient for further analysis. [RFC7970] honeypot Redirect traffic from systems listed in the event to a honeypot for further analysis. [RFC7970] upgrade-software Upgrade or patch the software or firmware on an asset listed in the event. [RFC7970] rebuild-asset Reinstall the operating system or applications on an asset listed in the event. 
[RFC7970] harden-asset Change the configuration of an asset listed in the event to reduce the attack surface. [RFC7970] remediate-other Remediate the activity in a way other than by rate limiting or blocking. [RFC7970] status-triage Confirm receipt and begin triaging the incident. [RFC7970] status-new-info Notify the sender when new information is received for this incident. [RFC7970] watch-and-report Watch for the described activity or indicators, and notify the sender when seen. [RFC7970] training Train user to identify or mitigate the described threat. [RFC7970] defined-coa Perform a predefined course of action (COA). The COA is named in the DefinedCOA class. [RFC7970] other Perform a custom action described in the Description class. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. Discovery-source Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference nidps Network Intrusion Detection or Prevention System. [RFC7970] hips Host-based Intrusion Prevention System. [RFC7970] siem Security Information and Event Management System. [RFC7970] av Antivirus or antispam software. [RFC7970] third-party-monitoring Contracted third-party monitoring service. [RFC7970] incident The activity was discovered while investigating an unrelated incident. [RFC7970] os-log Operating system logs. [RFC7970] application-log Application logs. [RFC7970] device-log Network device logs. [RFC7970] network-flow Network flow analysis. [RFC7970] passive-dns Passive DNS analysis. [RFC7970] investigation Manual investigation initiated based on notification of a new vulnerability or exploit. [RFC7970] audit Security audit. [RFC7970] internal-notification A party within the organization reported the activity. 
[RFC7970] external-notification A party outside of the organization reported the activity. [RFC7970] leo A law enforcement organization notified the victim organization. [RFC7970] partner A customer or business partner reported the activity to the victim organization. [RFC7970] actor The threat actor directly or indirectly reported this activity to the victim organization. [RFC7970] unknown Unknown detection approach. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the [RFC7970] corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. SystemImpact-type Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference takeover-account Control was taken of a given account. [RFC7970] takeover-service Control was taken of a given service. [RFC7970] takeover-system Control was taken of a given system. [RFC7970] cps-manipulation A cyber-physical system was manipulated. [RFC7970] cps-damage A cyber-physical system was damaged. [RFC7970] availability-data Access to particular data was degraded or denied. [RFC7970] availability-account Access to an account was degraded or denied. [RFC7970] availability-service Access to a service was degraded or denied. [RFC7970] availability-system Access to a system was degraded or denied. [RFC7970] damaged-system Hardware on a system was irreparably damaged. [RFC7970] damaged-data Data on a system was deleted. [RFC7970] breach-propietary Sensitive or proprietary information was accessed or exfiltrated. [RFC7970] breach-privacy Personally identifiable information was accessed or exfiltrated. [RFC7970] breach-credential Credential information was accessed or exfiltrated. [RFC7970] breach-configuration System configuration or data inventory was access or exfiltrated. [RFC7970] integrity-data Data on the system was modified. 
[RFC7970] integrity-configuration Application or system configuration was modified. [RFC7970] integrity-hardware Firmware of a hardware component was modified. [RFC7970] traffic-redirection Network traffic on the system was redirected. [RFC7970] monitoring-traffic Network traffic emerging from a host or enclave was monitored. [RFC7970] monitoring-host System activity (e.g., running processes, keystrokes) were monitored. [RFC7970] policy Activity violated the system owner's acceptable use policy. [RFC7970] unknown The impact is unknown. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the [RFC7970] corresponding ext-* attribute. See Section 5.1.1 of [RFC7970]. BusinessImpact-severity Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference none No effect to the organization's ability to provide all services to all users. [RFC7970] low Minimal effect as the organization can still provide all critical services to all users but has lost efficiency. [RFC7970] medium The organization has lost the ability to provide a critical service to a subset of system users. [RFC7970] high The organization is no longer able to provide some critical services to any users. [RFC7970] unknown The impact is not known. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. BusinessImpact-type Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference breach-proprietary Sensitive or proprietary information was accessed or exfiltrated. [RFC7970] breach-privacy Personally identifiable information was accessed or exfiltrated. 
[RFC7970] breach-credential Credential information was accessed or exfiltrated. [RFC7970] loss-of-integrity Sensitive or proprietary information was changed or deleted. [RFC7970] loss-of-service Service delivery was disrupted. [RFC7970] theft-financial Money was stolen. [RFC7970] theft-service Services were misappropriated. [RFC7970] degraded-reputation The reputation of the organization's brand was diminished. [RFC7970] asset-damage A cyber-physical system was damaged. [RFC7970] asset-manipulation A cyber-physical system was manipulated. [RFC7970] legal The incident resulted in legal or regulatory action. [RFC7970] extortion The incident resulted in actors extorting the victim organization. [RFC7970] unknown The impact is unknown. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. TimeImpact-metric Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference labor Total staff time to recovery from the activity (e.g., 2 employees working 4 hours each would be 8 hours). [RFC7970] elapsed Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time). [RFC7970] downtime Duration of time for which some provided service(s) was not available. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. TimeImpact-duration Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference second The unit of the element content is seconds. [RFC7970] minute The unit of the element content is minutes. [RFC7970] hour The unit of the element content is hours. 
[RFC7970] day The unit of the element content is days. [RFC7970] month The unit of the element content is months. [RFC7970] quarter The unit of the element content is quarters. [RFC7970] year The unit of the element content is years. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. Confidence-rating Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference low Low confidence. [RFC7970] medium Medium confidence. [RFC7970] high High confidence. [RFC7970] numeric The element content contains a number that conveys the confidence of the data. The semantics of this number is outside the [RFC7970] scope of this specification. unknown The confidence rating value is not known. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. NodeRole-category Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference client Client computer. [RFC7970] client-enterprise Client computer on the enterprise network. [RFC7970] client-partner Client computer on network of a partner. [RFC7970] client-remote Client computer remotely connected to the enterprise network. [RFC7970] client-kiosk Client computer serving as a kiosk. [RFC7970] client-mobile Mobile device. [RFC7970] server-internal Server with internal services. [RFC7970] server-public Server with public services. [RFC7970] www WWW server. [RFC7970] mail Mail server. [RFC7970] webmail Web mail server. [RFC7970] messaging Messaging server (e.g., NNTP, IRC, IM). [RFC7970] streaming Streaming-media server. [RFC7970] voice Voice server (e.g., SIP, H.323). 
[RFC7970] file File server. [RFC7970] ftp FTP server. [RFC7970] p2p Peer-to-peer node. [RFC7970] name Name server (e.g., DNS, WINS). [RFC7970] directory Directory server (e.g., LDAP, finger, whois). [RFC7970] credential Credential server (e.g., domain controller, Kerberos). [RFC7970] print Print server. [RFC7970] application Application server. [RFC7970] database Database server. [RFC7970] backup Backup server. [RFC7970] dhcp DHCP server. [RFC7970] assessment Assessment server (e.g., vulnerability scanner, endpoint assessment). [RFC7970] source-control Source code control server. [RFC7970] config-management Configuration management server. [RFC7970] monitoring Security monitoring server (e.g., IDS). [RFC7970] infra Infrastructure server (e.g., router, firewall, DHCP). [RFC7970] infra-firewall Firewall. [RFC7970] infra-router Router. [RFC7970] infra-switch Switch. [RFC7970] camera Camera and video system. [RFC7970] proxy Proxy server. [RFC7970] remote-access Remote access server. [RFC7970] log Log server (e.g., syslog). [RFC7970] virtualization Server running virtual machines. [RFC7970] pos Point-of-sale device. [RFC7970] scada Supervisory control and data acquisition (SCADA) system. [RFC7970] scada-supervisory Supervisory system for a SCADA. [RFC7970] sinkhole Traffic sinkhole destination. [RFC7970] honeypot Honeypot server. [RFC7970] anonymization Anonymization server (e.g., Tor node). [RFC7970] c2-server Malicious command and control server. [RFC7970] malware-distribution Server that distributes malware. [RFC7970] drop-server Server to which exfiltrated content is uploaded. [RFC7970] hop-point Intermediary server used to get to a victim. [RFC7970] reflector A system used in a reflector attack. [RFC7970] phishing-site Site hosting phishing content. [RFC7970] spear-phishing-site Site hosting spear-phishing content. [RFC7970] recruiting-site Site to recruit. [RFC7970] fraudulent-site Fraudulent site. 
[RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. System-category Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference source The System was the source of the event. [RFC7970] target The System was the target of the event. [RFC7970] intermediate The System was an intermediary in the event. [RFC7970] sensor The System was a sensor monitoring the event. [RFC7970] infrastructure The System was an infrastructure node of the IODEF document exchange. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. System-ownership Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference organization Corporate or enterprise owned. [RFC7970] personal Personally owned by an employee or affiliate of the corporation or enterprise. [RFC7970] partner Owned by a partner of the corporation or enterprise. [RFC7970] customer Owned by a customer of the corporation or enterprise. [RFC7970] no-relationship Owned by an entity that has no known relationship with the victim organization. [RFC7970] unknown Ownership is unknown. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. Address-category Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference asn Autonomous System Number. [RFC7970] atm Asynchronous Transfer Mode (ATM) address. 
[RFC7970] e-mail Email address, per the EMAIL data type. [RFC7970] ipv4-addr IPv4 host address in dotted-decimal notation (i.e., a.b.c.d). [RFC7970] ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits (i.e., a.b.c.d/nn). [RFC7970] ipv4-net-masked A sanitized IPv4 address with significant bits per "ipv4-net" but with the character 'x' replacing any digit(s) in the [RFC7970] address or prefix. ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (i.e., [RFC7970] a.b.c.d/w.x.y.z). ipv6-addr IPv6 host address per Section 4 of [RFC5952]. [RFC7970] ipv6-net IPv6 network address, slash, prefix per Section 2.3 of [RFC4291]. [RFC7970] ipv6-net-masked A sanitized IPv6 address and prefix per "ipv6-net" but with the character 'x' replacing any hexadecimal digit(s) in [RFC7970] the address or digit(s) in the prefix. mac Media Access Control (MAC) address (i.e., aa:bb:cc:dd:ee:ff). [RFC7970] site-uri A URL or URI for a resource, per the URL data type. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. Counter-type Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference count The Counter class value is a counter. [RFC7970] peak The Counter class value is a peak value. [RFC7970] average The Counter class value is an average. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. Counter-unit Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference byte Bytes transferred. [RFC7970] mbit Megabits (Mbits) transferred. 
[RFC7970] packet Packets. [RFC7970] flow Network flow records. [RFC7970] session Sessions. [RFC7970] alert Notifications generated by another system (e.g., IDS or SIEM system). [RFC7970] message Messages (e.g., mail messages). [RFC7970] event Events. [RFC7970] host Hosts. [RFC7970] site Site. [RFC7970] organization Organizations. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. DomainData-system-status Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference spoofed This domain was spoofed. [RFC7970] fraudulent This domain was operated with fraudulent intentions. [RFC7970] innocent-hacked This domain was compromised by a third party. [RFC7970] innocent-hijacked This domain was deliberately hijacked. [RFC7970] unknown No categorization for this domain known. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. DomainData-domain-status Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference reservedDelegation The domain is permanently inactive. [RFC7970] assignedAndActive The domain is in a normal state. [RFC7970] assignedAndInactive The domain has an assigned registration, but the delegation is inactive. [RFC7970] assignedAndOnHold The domain is in dispute. [RFC7970] revoked The domain is in the process of being purged from the database. [RFC7970] transferPending The domain is pending a change in authority. [RFC7970] registryLock The domain is on hold by the registry. [RFC7970] registrarLock Same as "registryLock". 
[RFC7970] other The domain has a known status, but it is not one of the redefined enumerated values. [RFC7970] unknown The domain has an unknown status. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. RecordPattern-type Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference regex Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of "Information Technology - Portable [RFC7970] Operating System Interface (POSIX) - Part 1: Base Definitions", IEEE 1003.1, June 2001. binary Binhex-encoded binary pattern, per the HEXBIN data type. [RFC7970] xpath XML Path (XPath) [XML Path Language (XPath) 3.1]. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. RecordPattern-offsetunit Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference line Offset is a count of lines. [RFC7970] byte Offset is a count of bytes. [RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. Key-registryaction Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference add-key Registry key added. [RFC7970] add-value Value added to a registry key. [RFC7970] delete-key Registry key deleted. [RFC7970] delete-value Value deleted from a registry key. [RFC7970] modify-key Registry key modified. [RFC7970] modify-value Value modified in a registry key. 
[RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* [RFC7970] attribute. See Section 5.1.1 of [RFC7970]. HashData-scope Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference file-contents A hash computed over the entire contents of a file. [RFC7970] A hash computed on a given section of a Windows Portable Executable (PE) file. If set to this value, the file-pe-section HashTargetID class MUST identify the section being hashed. A section is identified by an ordinal number (starting [RFC7970] at 1) corresponding to the order in which the given section header was defined in the Section Table of the PE file header. A hash computed on the Import Address Table (IAT) of a PE file. As IAT hashes are often tool dependent, if this file-pe-iat value is set, the Application class of either the Hash or FuzzyHash classes MUST specify the tool used to generate [RFC7970] the hash. A hash computed on a given resource in a PE file. If set to this value, the HashTargetID class MUST identify the file-pe-resource resource being hashed. A resource is identified by an ordinal number (starting at 1) corresponding to the order in [RFC7970] which the given resource is declared in the Resource Directory of the Data Dictionary in the PE file header. file-pdf-object A hash computed on a given object in a Portable Document Format (PDF) file. If set to this value, the HashTargetID [RFC7970] class MUST identify the object being hashed. This object is identified by its offset in the PDF file. email-hash A hash computed over the headers and body of an email message. [RFC7970] email-headers-hash A hash computed over all of the headers of an email message. [RFC7970] email-body-hash A hash computed over the body of an email message. 
[RFC7970] ext-value A value used to indicate that this attribute is extended and the actual value is provided using the corresponding [RFC7970] ext-* attribute. See Section 5.1.1 of [RFC7970]. BulkObservable-type Registration Procedure(s) Expert Review Expert(s) Roman Danyliw, Takeshi Takahashi Reference [RFC7970] Available Formats [IMG] CSV Value Description Reference asn Autonomous System Number (per the Address@category attribute). [RFC7970] atm Asynchronous Transfer Mode (ATM) address (per the Address@category attribute). [RFC7970] e-mail Email address (per the Address@category attribute). [RFC7970] ipv4-addr IPv4 host address in dotted-decimal notation, e.g., 192.0.2.1 (per the Address@category attribute). [RFC7970] ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits, e.g., 192.0.2.0/24 (per the [RFC7970] Address@category attribute). ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation, i.e., [RFC7970] 192.0.2.0/255.255.255.0 (per the Address@category attribute). ipv6-addr IPv6 host address, e.g., 2001:DB8::3 (per the Address@category attribute). [RFC7970] ipv6-net IPv6 network address, slash, significant bits, e.g., 2001:DB8::/32 (per the Address@category attribute). [RFC7970] ipv6-net-mask IPv6 network address, slash, network mask (per the Address@category attribute). [RFC7970] mac Media Access Control (MAC) address, i.e., a:b:c:d:e:f (per the Address@category attribute). [RFC7970] site-uri A URL or URI for a resource (per the Address@category attribute). [RFC7970] domain-name A fully qualified domain name or part of a name (e.g., fqdn.example.com, example.com). [RFC7970] domain-to-ipv4 A mapping of FQDN to IPv4 address specified as a comma-separated list (e.g., "fqdn.example.com, 192.0.2.1"). [RFC7970] domain-to-ipv6 A mapping of FQDN to IPv6 address specified as a comma separated list (e.g., "fqdn.example.com, [RFC7970] 2001:DB8::3"). 
domain-to-ipv4-timestamp  Same as domain-to-ipv4 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").  [RFC7970]
domain-to-ipv6-timestamp  Same as domain-to-ipv6 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").  [RFC7970]
ipv4-port                 An IPv4 address, port, and protocol tuple (e.g., 192.0.2.1, 80, tcp). The protocol name corresponds to the "Keyword" column in the [IANA registry protocol-numbers].  [RFC7970]
ipv6-port                 An IPv6 address, port, and protocol tuple (e.g., 2001:DB8::3, 80, tcp). The protocol name corresponds to the "Keyword" column in the [IANA registry protocol-numbers].  [RFC7970]
windows-reg-key           A Microsoft Windows registry key.  [RFC7970]
file-hash                 A file hash. The format of this hash is described in the Hash class that MUST be present in a sibling BulkObservableFormat class.  [RFC7970]
email-x-mailer            An X-Mailer field from an email.  [RFC7970]
email-subject             An email subject line.  [RFC7970]
http-user-agent           A User Agent field from an HTTP request header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0").  [RFC7970]
http-request-uri          The Request URI from an HTTP request header.  [RFC7970]
mutex                     The name of a system mutex (mutual exclusion lock).  [RFC7970]
file-path                 A file path (e.g., "/tmp/local/file", "c:\windows\system32\file.sys").  [RFC7970]
user-name                 A username.  [RFC7970]
ext-value                 A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970].  [RFC7970]

IndicatorExpression-operator

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

Value  Description  Reference
not    negation operator.  [RFC7970]
and    conjunction operator.  [RFC7970]
or     disjunction operator.  [RFC7970]
xor    exclusive disjunction operator.  [RFC7970]

ExtensionType-dtype

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

Value        Description  Reference
boolean      The element content is of type BOOLEAN.  [RFC7970]
byte         The element content is of type BYTE.  [RFC7970]
bytes        The element content is of type HEXBIN.  [RFC7970]
character    The element content is of type CHARACTER.  [RFC7970]
date-time    The element content is of type DATETIME.  [RFC7970]
ntp-stamp    Same as date-time.  [RFC7970]
integer      The element content is of type INTEGER.  [RFC7970]
portlist     The element content is of type PORTLIST.  [RFC7970]
real         The element content is of type REAL.  [RFC7970]
string       The element content is of type STRING.  [RFC7970]
file         The element content is a base64-encoded binary file encoded as a BYTE[] type.  [RFC7970]
path         The element content is a file-system path encoded as a STRING type.  [RFC7970]
frame        The element content is a Layer 2 frame encoded as a HEXBIN type.  [RFC7970]
packet       The element content is a Layer 3 packet encoded as a HEXBIN type.  [RFC7970]
ipv4-packet  The element content is an IPv4 packet encoded as a HEXBIN type.  [RFC7970]
ipv6-packet  The element content is an IPv6 packet encoded as a HEXBIN type.  [RFC7970]
url          The element content is of type URL.  [RFC7970]
csv          The element content is a comma-separated value (CSV) list per Section 2 of [RFC4180] encoded as a STRING type.  [RFC7970]
winreg       The element content is a Microsoft Windows registry key encoded as a STRING type.  [RFC7970]
xml          The element content is XML. See Section 5.2 of [RFC7970].  [RFC7970]
ext-value    A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970].  [RFC7970]

SoftwareReference-spec-id

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

Value      Description  Reference
custom     The element content is free-form and of the data type specified by the dtype attribute. If this value is selected, then the dtype attribute MUST be set.  [RFC7970]
cpe        The element content describes a Common Platform Enumeration (CPE) entry per [NIST.CPE].  [RFC7970]
swid       The element content describes a software identification (SWID) tag per [ISO19770].  [RFC7970]
ext-value  A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970].  [RFC7970]

SoftwareReference-dtype

Registration Procedure(s): Expert Review
Expert(s): Roman Danyliw, Takeshi Takahashi
Reference: [RFC7970]

Value      Description  Reference
bytes      The element content is of type HEXBIN.  [RFC7970]
integer    The element content is of type INTEGER.  [RFC7970]
real       The element content is of type REAL.  [RFC7970]
string     The element content is of type STRING.  [RFC7970]
xml        The element content is XML. See Section 5.2 of [RFC7970].  [RFC7970]
ext-value  A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1 of [RFC7970].  [RFC7970]