<schema>Unix_Process_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The UnixProcessStateEnum is an enumeration of Unix process states.
Specifies a running process or runnable [on run queue] (R).
Specifies a process in uninterruptible sleep [usually IO] (D).
Specifies a process in interruptible sleep [waiting for an event to complete] (S).
Specifies a stopped process, either by a job control signal or because it is being traced (T).
Specifies a paging process [not valid since the 2.6.xx kernel] (W).
Specifies a dead process [should never be seen] (X).
Specifies a defunct, zombie process [terminated but not reaped by its parent] (Z).
The UnixProcessObjectType type is intended to characterize Unix processes.
The Open_File_Descriptor_List field specifies a listing of the current file descriptors used by the Unix process.
The Priority field specifies the priority of the Unix process.
The RUID field specifies the real user ID, which represents the Unix user who created the process.
The Session_ID field specifies the Unix Session ID of the process.
The UnixProcessStatusType field specifies the current status of the running Unix process. It extends the abstract ProcessStatusType from the CybOX Process Object.
Specifies the current state of the Unix process, using the UnixProcessStateEnum enumeration.
Specifies when the process started up.
The FileDescriptorListType type specifies a list of Unix file descriptors.
The File_Descriptor field specifies a particular Unix File Descriptor.
UnixProcessStateType specifies Unix process states, via a union of the UnixProcessStateEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. See "man ps" for more information.
This attribute is optional and specifies the expected type for the value of the specified property.
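The state letters listed above are the first character of the STAT column printed by `ps`; the remaining characters are modifier flags (session leader, multi-threaded, foreground, high or low priority) that the enumeration does not cover. The following is an added example, not part of the CybOX schema or its documentation, that parses constructed `ps -eo pid,ppid,stat,comm` output and maps each process onto the states the enumeration describes. The labels in the lookup table are illustrative and are not the schema's literal enumeration values. Kernels newer than the 2014 `man ps` the enumeration was drawn from also report `I` (idle kernel thread) and `t` (stopped during tracing); the example keeps such letters rather than discarding them, which is exactly why UnixProcessStateType is a union with xs:string.

```python
"""Map the STAT column of `ps` to the Unix process states the CybOX
Unix_Process_Object enumerates (added example, not CybOX code)."""

# State letter -> (illustrative label, description paraphrased from the schema).
# These labels are assumptions for this example, not the schema's literal values.
UNIX_PROCESS_STATES = {
    "R": ("Running", "running or runnable (on run queue)"),
    "D": ("Uninterruptible Sleep", "uninterruptible sleep (usually IO)"),
    "S": ("Interruptible Sleep", "interruptible sleep (waiting for an event)"),
    "T": ("Stopped", "stopped by a job control signal or because it is traced"),
    "W": ("Paging", "paging (not valid since the 2.6.xx kernel)"),
    "X": ("Dead", "dead (should never be seen)"),
    "Z": ("Zombie", "defunct (zombie), terminated but not reaped by its parent"),
}

# Constructed sample output of `ps -eo pid,ppid,stat,comm`; not from a real host.
SAMPLE_PS_OUTPUT = """\
  PID  PPID STAT COMMAND
    1     0 Ss   systemd
  412     1 S<   auditd
  977     1 I    kworker/0:1
 2310  2301 Z    sh <defunct>
 3104  3099 T    gdb-target
 4201  4120 R+   ps
"""


def parse_stat(stat):
    """Split a STAT value such as 'Ssl+' into its state letter and modifier flags."""
    if not stat:
        raise ValueError("empty STAT value")
    return stat[0], stat[1:]


def parse_ps_output(text):
    """Parse `ps -eo pid,ppid,stat,comm` output (header first) into one dict per process.

    Letters outside the enumeration are kept verbatim with the label 'Unknown',
    mirroring the schema's union of the enumeration with a free-form string.
    """
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)  # comm may contain spaces, e.g. 'sh <defunct>'
        if len(parts) < 4:
            continue
        pid, ppid, stat, comm = parts
        state, flags = parse_stat(stat)
        label, description = UNIX_PROCESS_STATES.get(
            state, ("Unknown", f"state letter {state!r} is not in the enumeration")
        )
        rows.append({
            "pid": int(pid), "ppid": int(ppid), "state": state, "flags": flags,
            "label": label, "description": description, "command": comm,
        })
    return rows


def summarize_states(rows):
    """Count processes per state letter; useful for spotting piles of D or Z states."""
    counts = {}
    for row in rows:
        counts[row["state"]] = counts.get(row["state"], 0) + 1
    return counts


def find_zombies(rows):
    """Return the processes whose parent has not reaped them (state Z)."""
    return [row for row in rows if row["state"] == "Z"]


if __name__ == "__main__":
    processes = parse_ps_output(SAMPLE_PS_OUTPUT)
    for p in processes:
        print(f"{p['pid']:>6} {p['state']} {p['flags']:<3} {p['label']:<22} {p['command']}")
    print("per-state counts:", summarize_states(processes))
    print("zombies:", [(z["pid"], z["ppid"]) for z in find_zombies(processes)])
```

The zombie's `ppid` is the interesting field for an analyst: a defunct process is not itself a problem, but a parent that never reaps its children is.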
<schema>Network_Route_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The NetRouteObjectType type is intended to characterize a specific network route.
The is_ipv6 field specifies whether or not the route uses IPv6 addresses.
The is_autoconfigure_address field specifies if the IP address is autoconfigured.
The is_immortal field specifies if the route is immortal.
The is_loopback field specifies if the route is a loopback route (the gateway is on the local host).
The is_publish field specifies if the route is published.
The Description field is intended for use in providing a brief description of the network route.
The Network_Route_Entries field is optional and characterizes a set of network route segment entries.
The Preferred_Lifetime field is intended to specify the preferred time, in seconds, that the IP route entry is valid. A value of 0xffffffff is considered to be infinite.
The Valid_Lifetime field is intended to specify the maximum time, in seconds, that the IP route entry is valid. A value of 0xffffffff is considered to be infinite.
The Route_Age field is intended to characterize the number of seconds since the route was added or modified in the network routing table.
The NetworkRouteEntriesType type is intended to characterize the set of network route segments for this route.
The Network_Route field is optional and characterizes a single network route segment entry.
<schema>DNS_Record_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The DNSRecordObjectType type is intended to characterize an individual DNS record.
The Description field provides a mechanism to specify a structured text description of this DNS_Entry.
The Queried_Date field specifies the date and time at which this DNS record was returned from a query.
The Domain_Name field specifies the name of the domain to which the DNS cache entry points.
The IP_Address field specifies the IP address to which the domain name in the DNS cache entry resolves.
The Address_Class field specifies the address class (e.g. IN, TXT, ANY, etc.) for the DNS record.
The Entry_Type field specifies the resource record type (e.g. SOA or A) for the DNS record.
The Record_Name field is optional and specifies the name for the DNS record.
The Record_Type field is optional and specifies the type of the DNS record.
The TTL field is optional and specifies the time-to-live for the DNS record.
The Flags field is optional and specifies the relevant flags for the DNS record.
The Data_Length field is optional and specifies the length of raw data to be captured in the Record_Data field.
The Record_Data field is optional and enables capture and expression of the raw record data.
<schema>Account_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The AuthenticationTypeEnum is a (non-exhaustive) enumeration of authentication types for accounts. This is leveraged by the Account Object.
The No Authentication value specifies that there is no authentication mechanism in place.
The Password value specifies password based authentication.
The Cryptographic Key value specifies cryptographic key based authentication.
The Biometrics value specifies biometrics based authentication. Examples include fingerprint or retina readers.
The Hardware Token value specifies authentication requiring physical or hardware tokens. Examples include smart cards, Bluetooth tokens, and USB tokens.
The Software Token value specifies an authentication device stored in software form.
The Multifactor authentication value specifies multifactor authentication.
The AuthenticationTokenProtectionMechanismTypeEnum is a (non-exhaustive) enumeration of methods for the protection of authentication tokens.
The authentication tokens are stored in plaintext.
The authentication tokens have been salted and hashed with the GOST hash algorithm.
The authentication tokens have been hashed with the GOST hash algorithm, without salting.
The authentication tokens have been salted and hashed with the HAVAL hash algorithm.
The authentication tokens have been hashed with the HAVAL hash algorithm, without salting.
The authentication tokens have been salted and hashed with the MD2 hash algorithm.
The authentication tokens have been hashed with the MD2 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the MD4 hash algorithm.
The authentication tokens have been hashed with the MD4 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the MD5 hash algorithm.
The authentication tokens have been hashed with the MD5 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the PANAMA hash algorithm.
The authentication tokens have been hashed with the PANAMA hash algorithm, without salting.
The authentication tokens have been salted and hashed with the RadioGatun hash algorithm.
The authentication tokens have been hashed with the RadioGatun hash algorithm, without salting.
The authentication tokens have been salted and hashed with the RIPEMD hash algorithm.
The authentication tokens have been hashed with the RIPEMD hash algorithm, without salting.
The authentication tokens have been salted and hashed with the RIPEMD-128/256 hash algorithm.
The authentication tokens have been hashed with the RIPEMD-128/256 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the RIPEMD-160 hash algorithm.
The authentication tokens have been hashed with the RIPEMD-160 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the RIPEMD-320 hash algorithm.
The authentication tokens have been hashed with the RIPEMD-320 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-0 hash algorithm.
The authentication tokens have been hashed with the SHA-0 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-1 hash algorithm.
The authentication tokens have been hashed with the SHA-1 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-256/224 hash algorithm.
The authentication tokens have been hashed with the SHA-256/224 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-512/384 hash algorithm.
The authentication tokens have been hashed with the SHA-512/384 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-3 hash algorithm.
The authentication tokens have been hashed with the SHA-3 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-3-224 hash algorithm.
The authentication tokens have been hashed with the SHA-3-224 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-3-256 hash algorithm.
The authentication tokens have been hashed with the SHA-3-256 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-3-384 hash algorithm.
The authentication tokens have been hashed with the SHA-3-384 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the SHA-3-512 hash algorithm.
The authentication tokens have been hashed with the SHA-3-512 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the Tiger(2)-192/160/128 hash algorithm.
The authentication tokens have been hashed with the Tiger(2)-192/160/128 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the WHIRLPOOL hash algorithm.
The authentication tokens have been hashed with the WHIRLPOOL hash algorithm, without salting.
The authentication tokens have been salted and hashed with the Skein-256 hash algorithm.
The authentication tokens have been hashed with the Skein-256 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the Skein-512 hash algorithm.
The authentication tokens have been hashed with the Skein-512 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the Skein-1024 hash algorithm.
The authentication tokens have been hashed with the Skein-1024 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the Snefru-128 hash algorithm.
The authentication tokens have been hashed with the Snefru-128 hash algorithm, without salting.
The authentication tokens have been salted and hashed with the Snefru-256 hash algorithm.
The authentication tokens have been hashed with the Snefru-256 hash algorithm, without salting.
The authentication tokens have been hashed using an iterative hashing algorithm.
The authentication tokens have been encrypted with the AES algorithm.
The authentication tokens have been encrypted with the Blowfish algorithm.
The authentication tokens have been encrypted with the DES algorithm.
The authentication tokens have been encrypted with the IDEA algorithm.
The authentication tokens have been encrypted with the RC4 algorithm.
The authentication tokens have been encrypted with the Tiny Encryption Algorithm (TEA).
The AccountObjectType type is intended to characterize generic accounts.
The disabled field specifies whether or not the account is disabled.
The locked_out field specifies whether or not the account is locked out.
The Description field is used for providing a description of the account, if applicable.
The Domain field is used for specifying the domain that the account belongs to.
The Authentication field specifies authentication information associated with this account.
The Creation_Date field specifies the date and time that the account was created.
The Modified_Date field specifies the date and time that the account was last modified.
The Last_Accessed_Time field specifies the date and time that the account was last accessed.
The AuthenticationType type specifies authentication information for an account.
The Authentication_Type field specifies the type of authentication required by this Account.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AuthenticationTypeVocab-1.0 in the http://cybox.mitre.org/objects#AccountObject-2 namespace.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Authentication_Data field specifies the data used for the authentication type specified by the Authentication_Type field. For example, if Authentication_Type is set to "Password", this would be the actual password value.
The Authentication_Token_Protection_Mechanism field specifies the method (typically algorithm) of protecting authentication tokens for this account.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AuthenticationTokenProtectionMechanismTypeVocab-1.0 in the http://cybox.mitre.org/objects#AccountObject-2 namespace.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Structured_Authentication_Mechanism field provides authors a field for describing authentication mechanism information in a structured language defined outside of CybOX.
Characterizes the description of an authentication mechanism, such as biometrics-based authentication.
In addition to capturing basic information, this type is intended to be extended to enable the structured description of an authentication mechanism using the XML Schema extension feature. No extension is provided by CybOX to support this, however those wishing to represent structured authentication mechanism information may develop such an extension.
The Description field provides an unstructured description of an individual StructuredAuthenticationMechanismType instance.
<schema>Unix_Pipe_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The UnixPipeObjectType type is intended to characterize Unix pipes.
The Permission_Mode field specifies the Unix permission mode for the pipe.
<schema>File_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The DetectedTypeEnum is an enumeration of entry point signature detection types.
Specifies a type other than those listed.
Specifies an executable that acts as a compiler.
Specifies an executable that acts as a packer.
Specifies an executable that acts as an installer.
The PackerTypeEnum type is a (non-exhaustive) enumeration of packer classes.
Indicates that the packer is an archiver.
Indicates that the packer is an installer.
Indicates that the packer is a self-extracting archiver.
Indicates that the packer is a crypter.
Indicates a packer.
Indicates that the packer is a protector.
Indicates that the packer is a bundler.
Indicates a different type of packer from the ones listed.
The File_ObjectType type is intended to characterize generic files.
The is_packed field is used to indicate whether the file is packed or not.
The is_masqueraded field specifies whether the file is masqueraded as another type of file; e.g., a PDF file that has had its extension changed to TXT to masquerade itself as a text file.
The File_Name field specifies the base name of the file (including an extension, if present).
The File_Path field specifies the relative or fully-qualified path to the file, not including the path to the device where the file system containing the file resides. Whether the path is relative or fully-qualified can be specified via the 'fully_qualified' attribute of this field. The File_Path field may include the name of the file; if so, it must not conflict with the File_Name field. If not, the File_Path field should contain the path of the directory containing the file, and should end with a terminating path separator ("\" or "/").
The Device_Path field specifies the path to the physical device where the file system containing the file resides.
The Full_Path field specifies the complete path to the file, including the device path. It should contain the contents that would otherwise be in the Device_Path and File_Path fields, and can be used in case the producer is unable or does not wish to separate the Device_Path and File_Path fields. If the Full_Path field is specified along with the File_Path and/or Device_Path fields, it must not conflict with either. The Full_Path field may include the name of the file; if so, it must not conflict with the File_Name field. If not, the Full_Path field should contain the path of the directory containing the file, and should end with a terminating path separator ("\" or "/").
The File_Extension field specifies the extension of the name of the file. The File_Extension field must not conflict with the ending of the File_Name field. The File_Extension field should not begin with a "." character, but may contain a "." character in the case of a compound file extension, such as "tar.gz".
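The File_Name, File_Path, Device_Path, Full_Path and File_Extension fields above carry several "must not conflict" rules that a producer has to honour and a consumer can verify before trusting an object. The following is an added example, not code from CybOX or its documentation, that encodes those rules as a checker and then emits a File_Object properties element with ElementTree. The namespace URI and the `FileObj` prefix are assumptions for this example (a real producer uses the namespace of the schema version it targets), the element and attribute names follow the field names documented here, and all sample paths are constructed.

```python
"""Consistency checks for the CybOX File_Object path fields (added example, not CybOX code)."""
import xml.etree.ElementTree as ET

# Assumed namespace for this example; real documents use the targeted schema's namespace.
FILE_NS = "http://cybox.mitre.org/objects#FileObject-2"
SEPARATORS = ("\\", "/")


def _split_dir_and_name(path):
    """Return (directory, name); name is '' when the path ends with a separator."""
    idx = max(path.rfind(sep) for sep in SEPARATORS)
    if idx < 0:
        return "", path
    return path[: idx + 1], path[idx + 1:]


def is_fully_qualified(path):
    """True for paths anchored at a root: a leading separator or a drive letter such as 'C:'."""
    return path.startswith(SEPARATORS) or (len(path) >= 2 and path[0].isalpha() and path[1] == ":")


def check_file_fields(file_name=None, file_path=None, device_path=None,
                      full_path=None, file_extension=None):
    """Return the list of rule violations among the supplied fields (empty list means consistent)."""
    problems = []

    # File_Extension: no leading '.', and it must match the ending of File_Name.
    if file_extension is not None:
        if file_extension.startswith("."):
            problems.append("File_Extension must not begin with a '.'")
        elif file_name is not None and not file_name.endswith("." + file_extension):
            problems.append("File_Extension does not match the ending of File_Name")

    # A path without a trailing separator is taken to include the file name,
    # so that name must agree with File_Name when both are present.
    for label, path in (("File_Path", file_path), ("Full_Path", full_path)):
        if path is None:
            continue
        _, name = _split_dir_and_name(path)
        if name and file_name is not None and name != file_name:
            problems.append(f"{label} ends in '{name}', which conflicts with File_Name '{file_name}'")

    # Full_Path must agree with the Device_Path and File_Path it would otherwise replace.
    if full_path is not None:
        if device_path is not None and not full_path.startswith(device_path):
            problems.append("Full_Path does not begin with Device_Path")
        if file_path is not None and not full_path.endswith(file_path):
            problems.append("Full_Path does not end with File_Path")
    return problems


def build_file_object(file_name=None, file_path=None, device_path=None,
                      full_path=None, file_extension=None, size_in_bytes=None):
    """Build the File_Object properties element, refusing to emit conflicting fields."""
    problems = check_file_fields(file_name, file_path, device_path, full_path, file_extension)
    if problems:
        raise ValueError("; ".join(problems))
    ET.register_namespace("FileObj", FILE_NS)
    root = ET.Element(f"{{{FILE_NS}}}Properties")
    fields = (("File_Name", file_name), ("File_Path", file_path), ("Device_Path", device_path),
              ("Full_Path", full_path), ("File_Extension", file_extension))
    for tag, value in fields:
        if value is None:
            continue
        child = ET.SubElement(root, f"{{{FILE_NS}}}{tag}")
        child.text = value
        if tag == "File_Path":  # the documented attribute on File_Path
            child.set("fully_qualified", "true" if is_fully_qualified(value) else "false")
    if size_in_bytes is not None:
        ET.SubElement(root, f"{{{FILE_NS}}}Size_In_Bytes").text = str(size_in_bytes)
    return root


if __name__ == "__main__":
    # Constructed sample values.
    element = build_file_object(file_name="notes.tar.gz", file_path="/home/alice/",
                                file_extension="tar.gz", size_in_bytes=4096)
    print(ET.tostring(element, encoding="unicode"))
    print(check_file_fields(file_name="notes.txt", file_path="/home/alice/readme.txt",
                            file_extension=".txt"))
```

A directory path written without its trailing separator (for example `/home/alice` next to `File_Name` `notes.txt`) is reported as a conflict, because the rule above says such a path is read as naming the file.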
The Size_In_Bytes field specifies the size of the file, in bytes.
The Magic_Number specifies the particular magic number (typically a hexadecimal constant used to identify a file format) corresponding to the file, if applicable.
The File_Format field specifies the particular file format of the file, most typically specified by a tool such as the UNIX file command.
The Hashes field specifies any hashes of the file.
The Digital_Signatures field is optional and captures one or more digital signatures for the file.
The Modified_Time field specifies the date/time the file was last modified.
The Accessed_Time field specifies the date/time the file was last accessed.
The Created_Time field specifies the date/time the file was created.
The File_Attributes_List field specifies the particular special attributes set for the file. Since this is a platform-specific Object property, it is defined here as an abstract type and then implemented in any platform specific derived file objects.
The Permissions field specifies the particular permissions that a file may have. Since this is a platform-specific Object property, it is defined here as an abstract type and then implemented in any platform specific derived file objects.
The User_Owner field specifies the name of the user that owns the file.
The Packer_List field specifies any packers that the file may be packed with. The term 'packer' here refers to packers, as well as things like archivers and installers.
The Peak_Entropy field specifies the calculated peak entropy of the file.
The Sym_Links field specifies any symbolic links that may exist for the file.
The Byte_Runs field contains a list of byte runs from the raw file or its storage medium.
A description of features extracted from this file.
The Encryption_Algorithm field specifies the algorithm used to encrypt the file.
The Decryption_Key field specifies the key used to decrypt the file.
The Compression_Method field specifies the method used to compress the file.
The Compression_Version field specifies the version of the compression method used to compress the file.
The Compression_Comment field specifies the comment string associated with the compressed file.
The FileAttributeType type specifies attribute(s) of a file. Since this Object property is platform-specific, it is defined here as an abstract type.
The FilePermissionsType type specifies a permission of a file. Since this is a platform-specific Object property, it is defined here as an abstract type and then implemented in any platform specific derived file objects.
The PackerListType type specifies a list of file packers.
The Packer field specifies a single file packer.
The PackerType specifies the fields that characterize a particular file packer, such as name and version.
The Name field specifies the name of the packer.
The Version field specifies the version of the packer.
The Entry_Point field specifies the entry point address of the packer, if applicable.
The Signature field specifies the matching signature detected for the packer, if applicable.
The Type field specifies the type of packer being characterized.
The Detected_Entrypoint_Signatures field specifies the entrypoint signatures that were detected for the packer.
The EP_Jump_Codes field characterizes the entry point jump codes of the packer.
Specifies an entry-point jump code used by a packer.
The frequency that a jump instruction is found to be immediately followed by another jump instruction within the PE (Portable Executable) entry point.
The hex value of the bytes located at the jump location for a relative jump identified in the PE (Portable Executable) entry point, up to 10 bytes or the end of the RVA (Relative Virtual Address) section.
Specifies an entry point signature for a packer.
Specifies the signature name.
Specifies the type of entry point detected (e.g., packer, compiled file).
Specifies a list of entry point signatures for a packer.
Specifies a single field in a list of entry point signatures.
The SymLinksListType specifies a list of symbolic links.
The Sym_Link element specifies a single symbolic link.
The FilePathType type specifies the path to the file, not including the device. Whether the path is relative or fully-qualified can be specified via the 'fully_qualified' attribute.
The fully_qualified field specifies whether the path is fully qualified.
PackerClassType specifies packer classes, via a union of the PackerTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This field is optional and specifies the expected type for the value of the specified field.
<schema>Win_Driver_Object</schema>
<version>3.0</version>
<date>01/22/2014</date>
The WindowsDriverObjectType type is intended to characterize Windows device drivers.
The Device_Object_List field specifies the device objects that were created by the driver.
The Driver_Init field specifies the entry point for the driver's DriverEntry routine. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff544174(v=vs.85).aspx.
The Driver_Name field specifies the name of the driver.
The Driver_Object_Address field specifies the address to the driver's driver object, which contains the storage for the entry point to many of the driver's standard routines. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff548034(v=vs.85).aspx.
The Driver_Start_IO field specifies the entry point for the driver's StartIO routine. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff544174(v=vs.85).aspx.
The Driver_Unload field specifies the entry point for the driver's unload routine. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff544174(v=vs.85).aspx.
The Image_Base field specifies the preferred address of the first byte of the driver's image when it is loaded into memory.
The Image_Size field specifies the size of the driver's image, in bytes.
The IRP_MJ_CLEANUP field represents a count of the number of times the CLEANUP function code was processed by the driver.
The IRP_MJ_CLOSE field represents a count of the number of times the CLOSE function code was processed by the driver.
The IRP_MJ_CREATE field represents a count of the number of times the CREATE function code was processed by the driver.
The IRP_MJ_CREATE_MAILSLOT field represents a count of the number of times the CREATE_MAILSLOT function code was processed by the driver.
The IRP_MJ_CREATE_NAMED_PIPE field represents a count of the number of times the CREATE_NAMED_PIPE function code was processed by the driver.
The IRP_MJ_DEVICE_CHANGE field represents a count of the number of times the DEVICE_CHANGE function code was processed by the driver.
The IRP_MJ_DEVICE_CONTROL field represents a count of the number of times the DEVICE_CONTROL function code was processed by the driver.
The IRP_MJ_DIRECTORY_CONTROL field represents a count of the number of times the DIRECTORY_CONTROL function code was processed by the driver.
The IRP_MJ_FILE_SYSTEM_CONTROL field represents a count of the number of times the FILE_SYSTEM_CONTROL function code was processed by the driver.
The IRP_MJ_FLUSH_BUFFERS field represents a count of the number of times the FLUSH_BUFFERS function code was processed by the driver.
The IRP_MJ_INTERNAL_DEVICE_CONTROL field represents a count of the number of times the INTERNAL_DEVICE_CONTROL function code was processed by the driver.
The IRP_MJ_LOCK_CONTROL field represents a count of the number of times the LOCK_CONTROL function code was processed by the driver.
The IRP_MJ_PNP field represents a count of the number of times the PNP function code was processed by the driver.
The IRP_MJ_POWER field represents a count of the number of times the POWER function code was processed by the driver.
The IRP_MJ_READ field represents a count of the number of times the READ function code was processed by the driver.
The IRP_MJ_QUERY_EA field represents a count of the number of times the QUERY_EA function code was processed by the driver.
The IRP_MJ_QUERY_INFORMATION field represents a count of the number of times the QUERY_INFORMATION function code was processed by the driver.
The IRP_MJ_QUERY_SECURITY field represents a count of the number of times the QUERY_SECURITY function code was processed by the driver.
The IRP_MJ_QUERY_QUOTA field represents a count of the number of times the QUERY_QUOTA function code was processed by the driver.
The IRP_MJ_QUERY_VOLUME_INFORMATION field represents a count of the number of times the QUERY_VOLUME_INFORMATION function code was processed by the driver.
The IRP_MJ_SET_EA field represents a count of the number of times the SET_EA function code was processed by the driver.
The IRP_MJ_SET_INFORMATION field represents a count of the number of times the SET_INFORMATION function code was processed by the driver.
The IRP_MJ_SET_SECURITY field represents a count of the number of times the SET_SECURITY function code was processed by the driver.
The IRP_MJ_SET_QUOTA field represents a count of the number of times the SET_QUOTA function code was processed by the driver.
The IRP_MJ_SET_VOLUME_INFORMATION field represents a count of the number of times the SET_VOLUME_INFORMATION function code was processed by the driver.
The IRP_MJ_SHUTDOWN field represents a count of the number of times the SHUTDOWN function code was processed by the driver.
The IRP_MJ_SYSTEM_CONTROL field represents a count of the number of times the SYSTEM_CONTROL function code was processed by the driver.
The IRP_MJ_WRITE field represents a count of the number of times the WRITE function code was processed by the driver.
The DeviceObjectStructType type specifies the properties of a device object. In this context, a device object represents a logical, virtual, or physical device for which a driver handles I/O requests. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff543147(v=vs.85).aspx.
The Attached_Device_Name field specifies the name of another device object that was attached to this one. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff543147(v=vs.85).aspx.
The Attached_Device_Object field specifies a pointer to another device object that was attached to this one. Typically this is a filter driver. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff543147(v=vs.85).aspx.
The Attached_To_Device_Name field specifies the name of another device object that this one was attached to.
The Attached_To_Device_Object field specifies a pointer to another device object that this one was attached to.
The Attached_To_Driver_Object field specifies a pointer to the driver to which this device object was attached.
The Attached_To_Driver_Name field specifies the name of the driver to which this device object was attached.
The Device_Name field specifies the name of the device object.
The Device_Object field specifies a pointer to the driver object for the caller.
The DeviceObjectListType specifies a list of device objects.
The Device_Object_Struct field specifies a single device object utilizing the Windows Driver Device Object Struct.
<schema>Memory_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The BlockTypeEnum is a non-exhaustive enumeration of memory block types.
Indicates that the memory block is initialized.
Indicates that the memory block is uninitialized.
Indicates that the memory block is an overlay.
Indicates that the memory block is bit-mapped.
Indicates that the memory block is byte-mapped.
The MemoryObjectType type is intended to characterize generic memory objects.
The is_injected field specifies whether or not the particular memory object has had data/code injected into it by another process.
The is_mapped field specifies whether or not the particular memory object has been assigned a byte-for-byte correlation with some portion of a file or file-like resource.
The is_protected field specifies whether or not the particular memory object is protected (read/write only from the process that allocated it).
The is_volatile field specifies whether or not the particular memory object is volatile.
The Hashes field specifies any hashes of the particular memory object.
The Name field specifies the name of the particular memory object, if applicable.
The name of the source file or segment that produced the bytes that make the particular memory object.
The Region_Size field specifies the size of the particular memory region, in bytes.
The Block_Type field specifies the block type of a particular memory object.
The Region_Start_Address field specifies the starting address of the particular memory region.
The Region_End_Address field specifies the ending address of the particular memory region.
A description of features extracted from this memory region.
BlockType specifies memory block types, via a union of the BlockTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Unix_User_Account_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The UnixUserAccountType type is intended to characterize Unix user accounts.
The Group_ID field specifies the ID of the primary group to which the Unix user account belongs.
The User_ID field specifies the ID of the Unix user account.
The Login_Shell field specifies the name of the default login shell used by the Unix user account.
The UnixGroupType type is used for specifying Unix groups. It extends the abstract GroupType from the CybOX UserAccount construct.
The Group_ID field specifies the Unix ID of the group.
The UnixPrivilegeType type is used to specify Unix privileges. It extends the abstract PrivilegeType from the CybOX UserAccount object.
The Permissions_Mask field specifies the Unix permissions mask for the privilege.
<schema>Win_Pipe_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsPipeObjectType type is intended to characterize Windows pipes.
The Default_Time_Out field specifies the default time-out value for the pipe, in milliseconds.
The Handle field specifies the open Windows handle to the pipe. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.
The In_Buffer_Size field specifies the number of bytes to reserve for the input buffer of the pipe.
The Max_Instances field specifies the maximum number of instances that can be created for this pipe.
The Open_Mode field specifies the open mode used for the pipe.
The Out_Buffer_Size field specifies the number of bytes to reserve for the output buffer of the pipe.
The Pipe_Mode field specifies the mode used for the pipe.
The Security_Attributes field specifies the Windows security attributes for the pipe.
<schema>Win_System_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsSystemObjectType type is intended to characterize Windows systems.
The domain that the system belongs to.
A list of global flags. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549557(v=vs.85).aspx.
The NetBIOS_Name field specifies the NetBIOS (Network Basic Input/Output System) name of the Windows system. This is not the same as the host name.
The Open_Handle_List field specifies the list of open handles for the Windows system.
The Product ID. See also: http://support.microsoft.com/gp/pidwin.
The ProductName of the current installation of Windows. This is typically found in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion!ProductName.
The organization that this copy of Windows is registered to.
The person or organization that is the registered owner of this copy of Windows.
The Windows_Directory field specifies the fully-qualified path to the Windows install directory.
The Windows_System_Directory field specifies the fully-qualified path to the Windows system directory.
The Windows_Temp_Directory field specifies the fully-qualified path to the Windows temporary files directory.
The GlobalFlagListType type is a listing of all Windows global flags.
This characterizes Windows global flags. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549557(v=vs.85).aspx.
The GlobalFlagType type is intended to characterize Windows global flags.
The abbreviation of a global flag. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549646(v=vs.85).aspx.
The destination of a global flag. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549646(v=vs.85).aspx.
The hexadecimal value of a global flag. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549646(v=vs.85).aspx.
The symbolic name of a global flag. See also: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549646(v=vs.85).aspx.
<schema>Win_User_Account_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WinUserAccountObjectType type is intended to characterize Windows user accounts.
Security ID represents the Security ID (SID) of a Windows user.
Security Type represents the type of the Security ID (SID).
Windows Group represents a single Windows group.
Identifies the name of the Windows group.
Windows Privilege represents a single privilege that a user may have within Windows.
User Right represents one right that a user may have.
<schema>Win_Memory_Page_Region_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The MemoryPageProtectionEnum defines an enumeration of memory page protection constants. As a further reference, please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx.
From Microsoft: "Enables execute access to the committed region of pages. An attempt to read from or write to the committed region results in an access violation.".
From Microsoft: "Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.".
From Microsoft: "Enables execute, read-only, or read/write access to the committed region of pages.".
From Microsoft: "Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_EXECUTE_READWRITE, and the change is written to the new page.".
From Microsoft: "Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.".
From Microsoft: "Enables read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. If Data Execution Prevention is enabled, an attempt to execute code in the committed region results in an access violation.".
From Microsoft: "Enables read-only or read/write access to the committed region of pages. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.".
From Microsoft: "Enables read-only or copy-on-write access to a mapped view of a file mapping object. An attempt to write to a committed copy-on-write page results in a private copy of the page being made for the process. The private page is marked as PAGE_READWRITE, and the change is written to the new page. If Data Execution Prevention is enabled, attempting to execute code in the committed region results in an access violation.".
The MemoryPageStateEnum defines an enumeration of memory page states. As a further reference, please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx.
From Microsoft: "Indicates committed pages for which physical storage has been allocated, either in memory or in the paging file on disk.".
From Microsoft: "Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined.".
From Microsoft: "Indicates reserved pages where a range of the process's virtual address space is reserved without any physical storage being allocated. For reserved pages, the information in the Protect member is undefined.".
The MemoryPageTypeEnum defines an enumeration of memory page types. As a further reference, please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366775(v=vs.85).aspx.
From Microsoft: "Indicates that the memory pages within the region are mapped into the view of an image section.".
From Microsoft: "Indicates that the memory pages within the region are mapped into the view of a section.".
From Microsoft: "Indicates that the memory pages within the region are private (that is, not shared by other processes).".
The WindowsMemoryPageRegionObjectType type is intended to characterize Windows memory page regions.
The Type field specifies the type of pages in the memory page region.
The Allocation_Base_Address field specifies the base address of the memory page region when the region was first allocated.
The Allocation_Protect field specifies the memory protection option for the memory page region when the region was initially allocated.
The State field specifies the state of the memory pages in the region.
The Protect field specifies the access protection of the memory pages in the region.
MemoryPageStateType specifies memory page states, via a union of the MemoryPageStateEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
MemoryPageTypeType specifies memory page types, via a union of the MemoryPageTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
MemoryPageProtectionType specifies memory protection constant types, via a union of the MemoryPageProtectionEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
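As an added example (not part of the CybOX schema or its tooling), the following Python maps raw Windows region attributes of the kind VirtualQuery returns onto the Type, State, Protect, Allocation_Protect and Allocation_Base_Address fields described above, honouring Microsoft's note that some members are undefined for free and reserved pages, and flags the committed-region combinations a memory-forensics reviewer looks at first. The constant values are the winnt.h ones; the sample regions are constructed.

```python
"""Decode raw Windows memory region attributes into the fields of the CybOX
WindowsMemoryPageRegionObjectType and flag combinations worth a closer look.

Added example, not part of the CybOX schema or its tooling. Constant values
are taken from the Windows SDK (winnt.h); the sample regions are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# MemoryPageProtectionEnum values keyed by their winnt.h constant
PAGE_PROTECTION: Dict[int, str] = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Modifier bits that may be OR'd onto a base protection; not part of the enum
PAGE_MODIFIER_MASK = 0x100 | 0x200 | 0x400  # PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE

# MemoryPageStateEnum and MemoryPageTypeEnum values
PAGE_STATE: Dict[int, str] = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
PAGE_TYPE: Dict[int, str] = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
WRITABLE = {"PAGE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class MemoryPageRegion:
    """One region, using the schema's field names (snake_cased)."""
    allocation_base_address: int
    allocation_protect: str
    state: str
    protect: str
    type: str

    def to_cybox_fields(self) -> Dict[str, object]:
        """Field names exactly as the schema spells them; undefined members are omitted."""
        out: Dict[str, object] = {"State": self.state}
        if self.state != "MEM_FREE":
            out["Allocation_Base_Address"] = hex(self.allocation_base_address)
            out["Allocation_Protect"] = self.allocation_protect
            out["Type"] = self.type
        if self.state == "MEM_COMMIT":
            out["Protect"] = self.protect
        return out


def decode_protect(value: int) -> str:
    """Map a raw Protect/AllocationProtect value to the enum name, ignoring modifier bits."""
    base = value & ~PAGE_MODIFIER_MASK
    if base not in PAGE_PROTECTION:
        raise ValueError(f"unknown page protection constant 0x{value:x}")
    return PAGE_PROTECTION[base]


def region_from_mbi(allocation_base: int, allocation_protect: int,
                    state: int, protect: int, mem_type: int) -> MemoryPageRegion:
    """Build a region from MEMORY_BASIC_INFORMATION-style integers.

    Per Microsoft: for MEM_FREE pages AllocationBase, AllocationProtect, Protect
    and Type are undefined; for MEM_RESERVE pages Protect is undefined. Those
    members are left empty rather than decoded from garbage."""
    state_name = PAGE_STATE.get(state)
    if state_name is None:
        raise ValueError(f"unknown page state 0x{state:x}")
    if state_name == "MEM_FREE":
        return MemoryPageRegion(0, "", state_name, "", "")
    type_name = PAGE_TYPE.get(mem_type)
    if type_name is None:
        raise ValueError(f"unknown page type 0x{mem_type:x}")
    protect_name = decode_protect(protect) if state_name == "MEM_COMMIT" else ""
    return MemoryPageRegion(allocation_base, decode_protect(allocation_protect),
                            state_name, protect_name, type_name)


def review_flags(region: MemoryPageRegion) -> List[str]:
    """Committed-region combinations a reviewer checks first: pages both writable
    and executable, executable pages not backed by an image section, and a
    region whose protection was raised to executable after allocation."""
    flags: List[str] = []
    if region.state != "MEM_COMMIT":
        return flags
    if region.protect in EXECUTABLE and region.protect in WRITABLE:
        flags.append("writable-and-executable")
    if region.protect in EXECUTABLE and region.type == "MEM_PRIVATE":
        flags.append("private-executable")
    if region.protect in EXECUTABLE and region.allocation_protect not in EXECUTABLE:
        flags.append("protection-raised-to-executable")
    return flags


if __name__ == "__main__":
    # Constructed sample regions, not taken from a real process
    samples = [
        region_from_mbi(0x7FF6A0000000, 0x80, 0x1000, 0x20, 0x1000000),  # image code section
        region_from_mbi(0x01F00000, 0x04, 0x1000, 0x40, 0x20000),         # private RWX region
        region_from_mbi(0, 0, 0x10000, 0, 0),                              # free
    ]
    for r in samples:
        print(r.to_cybox_fields(), review_flags(r))
```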
<schema>GUI_Window_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The GUIWindowObjectType is intended to characterize GUI windows.
The Owner_Window field specifies the owner window of the window object.
The Parent_Window field contains the parent window of the window object.
The Window_Display_Name field specifies the display name or title bar text of the window object.
<schema>HTTP_Session_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The HTTPMethodEnum is an enumeration of HTTP method types.
The HTTPSessionObjectType is intended to capture the details of an HTTP session.
The HTTP_Request_Response field specifies a single HTTP Request/Response pair.
The HTTPRequestResponseType captures a single HTTP request/response pair.
The ordinal_position attribute specifies the ordinal positioning of the HTTP request/response pair in the context of the HTTP session. This may be useful in certain cases for preserving observed HTTP request/response ordering.
The HTTP_Client_Request field specifies the HTTP client request portion of a single HTTP request/response pair.
The HTTP_Provisional_Server_Response field specifies an HTTP provisional server response that was sent before the regular HTTP response (captured in the HTTP_Server_Response field).
The HTTP_Server_Response field specifies the HTTP server response portion of a single HTTP request/response pair.
The HTTPClientRequestType type captures the details of an HTTP client request.
The HTTP_Request_Line field specifies the HTTP request line of the HTTP client request.
The HTTP_Request_Header field specifies all of the HTTP header fields that may be found in the HTTP client request.
The HTTP_Message_Body field specifies the optional message body that may be included in the HTTP client request.
The HTTPServerResponseType captures the details of an HTTP server response.
The HTTP_Status_Line field captures the status line returned as part of the HTTP server response.
The HTTP_Response_Header field captures the details of the HTTP Header returned as part of the HTTP server response.
The HTTP_Message_Body field captures the HTTP message body returned as part of the HTTP server response.
The HTTPRequestLineType captures a single HTTP request line.
The HTTP_Method field captures the HTTP method portion of the HTTP request line.
The Value field captures the value (typically a resource path) portion of the HTTP request line.
The Version field captures the HTTP version portion of the HTTP request line.
The HTTPRequestHeaderType captures the raw or parsed header of an HTTP request.
The Raw_Header field captures the HTTP request header as a raw, unparsed string.
The Parsed_Header field captures the HTTP request header as a set of parsed HTTP header fields.
The HTTPRequestHeaderFieldsType captures parsed HTTP request header fields.
The Accept field specifies the HTTP Request Accept header field, which defines the Content-Types that are acceptable.
The Accept-Charset field specifies the HTTP Request Accept-Charset header field, which defines the character sets that are acceptable.
The Accept-Language field specifies the HTTP Request Accept-Language header field, which defines the acceptable languages for response.
The Accept-Datetime field specifies the HTTP Request Accept-Datetime header field, which defines the acceptable version time.
The Accept-Encoding field specifies the HTTP Request Accept-Encoding header field, which defines the acceptable encodings.
The Authorization field specifies the HTTP Request Authorization header field, which defines the authentication credentials for use in HTTP authentication.
The Cache-Control field specifies the HTTP Request Cache-Control header field, which defines the directives that MUST be obeyed by all caching mechanisms along the request/response chain.
The Connection field specifies the HTTP Request Connection header field, which defines the type of connection that the user-agent would prefer.
The Cookie field specifies the HTTP Request Cookie header field, which defines the HTTP cookie previously sent by the server.
The Content-Length field specifies the HTTP Request Content-Length header field, which defines the length of the request body in octets.
The Content-MD5 field specifies the HTTP Request Content-MD5 header field, which defines a Base64 encoded binary MD5 sum of the content of the request body.
The Content-Type field specifies the HTTP Request Content-Type header field, which defines the MIME type of the body of the request (used with POST and PUT requests).
The Date field specifies the HTTP Request Date header field, which defines the date and time that the message was sent.
The Expect field specifies the HTTP Request Expect header field, which defines the particular server behaviors that are required by the client.
The From field specifies the HTTP Request From header field, which defines the email address of the user making the request.
The Host field specifies the HTTP Request Host header field, which defines the domain name of the server and the TCP port number on which the server is listening.
The If-Match field specifies the HTTP Request If-Match header field, which allows the action to be performed if the client supplied entity matches the same entity on the server.
The If-Modified-Since field specifies the HTTP Request If-Modified-Since header field, which allows a 304 Not Modified response to be returned if content is unchanged since the input date/time.
The If-None-Match field specifies the HTTP Request If-None-Match header field, which allows the action to be performed only if the client supplied entity does not match the same entity on the server.
The If-Range field specifies the HTTP Request If-Range header field, which allows the client to request the part(s) of the entity that they are missing, or otherwise the new entity.
The If-Unmodified-Since field specifies the HTTP Request If-Unmodified-Since header field, which allows a response to be sent only if the entity has not been modified since a specific date/time.
The Max-Forwards field specifies the HTTP Request Max-Forwards header field, which defines the maximum number of times the message can be forwarded through proxies or gateways.
The Pragma field specifies the HTTP Request Pragma header field, which defines any implementation-specific values that may have various effects anywhere along the request-response chain.
The Proxy-Authorization field specifies the HTTP Request Proxy-Authorization header field, which defines the authorization credentials for connecting to a proxy.
The Range field specifies the HTTP Request Range header field, which defines the range, in bytes, for requesting only part of an entity (bytes are numbered from 0).
The Referer field specifies the HTTP Request Referer header field, which defines the address of the previous web page from which a link to the currently requested page was followed.
The TE field specifies the HTTP Request TE field, which defines the transfer encodings the user agent is willing to accept.
The User-Agent field specifies the HTTP Request User-Agent field, which defines the user agent string of the user agent.
The Via field specifies the HTTP Request Via field, which defines any proxies through which the request was sent.
The Warning field specifies the HTTP Request Warning field, which defines any general warnings about possible problems with the entity body.
The DNT field specifies the non-standard HTTP Request DNT field, which is typically used to request that a web application disable their tracking of a user.
The X-Requested-With field specifies the non-standard HTTP Request X-Requested-With field, which is typically used to identify Ajax requests.
The X-Forwarded-For field specifies the non-standard HTTP Request X-Forwarded-For field, which is typically used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
The X-Forwarded-Proto field specifies the non-standard HTTP Request X-Forwarded-Proto field, which identifies the originating protocol of an HTTP request.
The X-ATT-DeviceId field specifies the non-standard HTTP Request X-ATT-DeviceId field, which is typically used to identify the make, model, and firmware of AT&T devices.
The X-Wap-Profile field specifies the non-standard HTTP Request X-Wap-Profile field, which is typically used to link to an XML file on the Internet with a full description and details about the device currently connecting.
The HTTPResponseHeaderType captures the raw or parsed header of an HTTP response.
The Raw_Header field captures the HTTP response header as a raw, unparsed string.
The Parsed_Header field captures the HTTP response header as a set of parsed HTTP header fields.
The HTTPResponseHeaderFieldsType captures parsed HTTP response header fields.
The Access-Control-Allow-Origin field specifies the HTTP Response Access-Control-Allow-Origin header field, which defines which web sites can participate in cross-origin resource sharing.
The Accept-Ranges field specifies the HTTP Response Accept-Ranges header field, which defines the partial content range types this server supports.
The Age field specifies the HTTP Response Age header field, which defines the time the object has been in a proxy cache, in seconds.
The Cache-Control field specifies the HTTP Response Cache-Control header field, which tells all caching mechanisms from server to client whether they may cache this object.
The Connection field specifies the HTTP Response Connection header field, which specifies the options that are desired for the connection.
The Content-Encoding field specifies the HTTP Response Content-Encoding header field, which defines the type of encoding used on the data.
The Content-Language field specifies the HTTP Response Content-Language header field, which defines the language the content is in.
The Content-Length field specifies the HTTP Response Content-Length header field, which defines the length of the response body in octets.
The Content-Location field specifies the HTTP Response Content-Location header field, which defines an alternate location for the returned data.
The Content-MD5 field specifies the HTTP Response Content-MD5 header field, which defines the base64-encoded binary MD5 sum of the content of the response.
The Content-Disposition field specifies the HTTP Response Content-Disposition header field, which provides a means for the origin server to suggest a default filename if the user requests that the content is saved to a file.
The Content-Range field specifies the HTTP Response Content-Range header field, which defines where in a full body message the partial message belongs.
The Content-Type field specifies the HTTP Response Content-Type header field, which defines the MIME type of the content.
The Date field specifies the HTTP Response Date header field, which defines the date and time that the message was sent.
The ETag field specifies the HTTP Response ETag header field, which defines an identifier for a specific version of a resource, often a message digest.
The Expires field specifies the HTTP Response Expires header field, which defines the date/time after which the response is considered stale.
The Last-Modified field specifies the HTTP Response Last-Modified header field, which defines the date/time for the requested object, in RFC 2822 format.
The Link field specifies the HTTP Response Link header field, which defines a typed relationship with another resource, where the relation type is defined by RFC 5988.
The Location field specifies the HTTP Response Location header field, which defines the location used in redirection, or when a new resource has been created.
The P3P field specifies the HTTP Response P3P header field, which sets P3P policy to be used by the browser.
The Pragma field specifies the HTTP Response Pragma header field, which defines any implementation-specific values that may have various effects anywhere along the request-response chain.
The Proxy-Authenticate field specifies the HTTP Response Proxy-Authenticate header field, which defines the type of authentication necessary to access the proxy.
The Refresh field specifies the HTTP Response Refresh header field, which specifies a given interval, in seconds, after which the current page should be refreshed.
The Retry-After field specifies the HTTP Response Retry-After header field, which defines the period, in seconds, after which the client should try again if an entity is temporarily unavailable.
The Server field specifies the HTTP Response Server field, which defines a name for the responding server.
The Set-Cookie field specifies the HTTP Response Set-Cookie field, which defines an HTTP cookie.
The Strict-Transport-Security field specifies the HTTP response Strict-Transport-Security field, which defines the HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
The Trailer field specifies the HTTP Response Trailer field, which indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer-coding.
The Transfer-Encoding field specifies the HTTP Response Transfer-Encoding field, which defines the form of encoding used to safely transfer the entity to the user.
The Vary field specifies the HTTP Response Vary field, which informs downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.
The Via field specifies the HTTP Response Via field, which informs the client of proxies through which the response was sent.
The Warning field specifies the HTTP Response Warning field, which defines any general warnings about possible problems with the entity body.
The WWW-Authenticate field specifies the HTTP Response WWW-Authenticate field, which defines the authentication scheme that should be used to access the requested entity.
The X-Frame-Options field specifies the non-standard HTTP Response X-Frame-Options field, which is used as a form of clickjacking protection, supporting no rendering within a frame and no rendering if the origin does not match.
The X-XSS-Protection field specifies the non-standard HTTP Response X-XSS-Protection field, which is used as a cross-site scripting (XSS) filter.
The X-Content-Type-Options field specifies the non-standard HTTP Response X-Content-Type-Options field, which supports the 'nosniff' parameter to prevent the MIME-sniffing of a response away from the declared content type.
The X-Powered-By field specifies the non-standard HTTP Response X-Powered-By field, which specifies the technology supporting the web application running on the server.
The X-UA-Compatible field specifies the non-standard HTTP Response X-UA-Compatible field, which is used to recommend the preferred rendering engine to use to display the content.
The HTTPMessageType captures a single HTTP message body and its length.
The Length field captures the length of the HTTP message body, in bytes.
The Message_Body field captures the data contained in the HTTP message body.
The HTTPStatusLineType captures a single HTTP response status line.
The Version field captures the HTTP version portion of the HTTP status line.
The Status_Code field captures the HTTP status code portion of the HTTP status line.
The Reason_Phrase field captures the HTTP reason phrase portion of the HTTP status line.
The HostFieldType captures the details of the HTTP request Host header field.
The Domain_Name field specifies the domain name of the server.
The Port field specifies the TCP port number on which the server is listening.
HTTPMethodType specifies HTTP method types, via a union of the HTTPMethodEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
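The status line and header field types above describe how a captured HTTP response is decomposed: a Raw_Header string, an HTTPStatusLineType (Version, Status_Code, Reason_Phrase) and a Parsed_Header of named fields. The following is an added example, not code from the CybOX schema or its reference implementations, that parses a constructed raw response header into those pieces and then reports which of the protective response headers listed above (Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options) are absent or weak. Class and function names are this example's own; repeated fields such as Set-Cookie are kept as a list of values.

```python
"""Parse a raw HTTP response header the way the CybOX HTTP Session Object
models it (status line + parsed header fields), then check it for missing
protective headers.  Added example; not part of the CybOX schema."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample response; not captured traffic.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 22 Jan 2014 10:00:00 GMT\r\n"
    "Server: ExampleServer/1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 13\r\n"
    "Set-Cookie: sid=abc123; HttpOnly\r\n"
    "Set-Cookie: theme=dark\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)


@dataclass
class StatusLine:            # mirrors HTTPStatusLineType
    version: str
    status_code: int
    reason_phrase: str


@dataclass
class ResponseHeader:        # mirrors HTTPResponseHeaderType
    raw_header: str
    status_line: StatusLine
    # field name (lower-cased) -> list of values, since a field may repeat
    parsed_header: Dict[str, List[str]] = field(default_factory=dict)


def parse_response_header(raw: str) -> ResponseHeader:
    # The header block ends at the first empty line; accept bare LF as well as CRLF.
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")

    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = StatusLine(parts[0], int(parts[1]), parts[2] if len(parts) == 3 else "")

    fields: Dict[str, List[str]] = {}
    last = None
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (" ", "\t") and last is not None:
            # Obsolete line folding (RFC 7230 obs-fold): continuation of the previous value.
            fields[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            # Whitespace between field name and colon is invalid (RFC 7230); reject
            # rather than guess, so two parsers cannot read the message differently.
            raise ValueError("malformed header line: %r" % line)
        last = name.lower()
        fields.setdefault(last, []).append(value.strip())
    return ResponseHeader(head, status, fields)


def is_well_formed(raw: str) -> bool:
    try:
        parse_response_header(raw)
        return True
    except ValueError:
        return False


def get(hdr: ResponseHeader, name: str) -> List[str]:
    """Case-insensitive lookup of all values for a header field."""
    return hdr.parsed_header.get(name.lower(), [])


def missing_protections(hdr: ResponseHeader) -> List[str]:
    """Names of the protective response headers that are absent or carry a weak value."""
    findings = []
    if not get(hdr, "Strict-Transport-Security"):
        findings.append("Strict-Transport-Security")
    xcto = get(hdr, "X-Content-Type-Options")
    if not xcto or xcto[-1].lower() != "nosniff":
        findings.append("X-Content-Type-Options")
    xfo = get(hdr, "X-Frame-Options")
    if not xfo or xfo[-1].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options")
    return findings


if __name__ == "__main__":
    hdr = parse_response_header(SAMPLE_RESPONSE)
    print(hdr.status_line)
    print("missing protections:", missing_protections(hdr))
```

Storing the field name lower-cased matches HTTP's case-insensitive field names; the raw_header string is kept untouched so the original casing and order remain available for signature matching.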
<schema>URI_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The URITypeEnum is an enumeration of types of URIs.
Specifies a URL type of URI.
Specifies a General URN type of URI.
Specifies a Domain Name type of URI.
The URIObjectType type is intended to characterize Uniform Resource Identifiers (URIs).
The type field specifies the type of URI that is being defined.
The Value field specifies the value of the URI.
<schema>Product_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The ProductObjectType type is intended to characterize software or hardware products.
The Edition field specifies the edition of the product, if applicable.
The Language field specifies the language of the product, if applicable.
The Product field specifies the name of the product. This field is required.
The Update field specifies the update/revision of the product, if applicable.
The Vendor field specifies the name of the product vendor. This field is required.
The Version field specifies the version of the product, if applicable.
The Device_Details field captures the device-specific properties of a device product. It uses the abstract ObjectPropertiesType which permits the specification of any Object; however, it is strongly recommended that the Device Object or one of its subtypes be used in this context.
<schema>Address_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The CategoryTypeEnum type is an enumeration of address types.
The asn value specifies an identifier for an Autonomous System Number.
The atm value specifies an Asynchronous Transfer Mode address.
The CIDR value specifies an address in Classless Inter-domain Routing notation (the IP address and its associated routing prefix).
The e-mail value specifies an e-mail address.
The mac value specifies a system's MAC address.
The IPV4-addr value specifies an IPV4 address.
The IPV4-net-mask value specifies an IPV4 bitwise netmask.
The IPV6-addr value specifies an IPV6 address.
The IPV6-net-mask value specifies an IPV6 bitwise netmask.
The AddressObjectType is intended to characterize cyber addresses.
The category field specifies the address category that is being defined.
The is_source field specifies if this is a "Source" address.
The is_destination field specifies if this is a "Destination" address.
The is_spoofed field specifies whether the address is spoofed, i.e. forged to conceal its identity or true source.
The required Address_Value construct specifies the actual value of the address.
The VLAN_Name field specifies the name of the Virtual LAN to which the address belongs.
The VLAN_Num field specifies the number of the Virtual LAN to which the address belongs.
<schema>Win_Kernel_Hook_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The KernelHookTypeEnum type is a non-exhaustive enumeration of Windows kernel hook types.
Specifies a kernel hook type of IAT_API.
Specifies an inline function type of kernel hook.
Specifies an instruction hooking type of kernel hook.
The WindowsKernelHookObjectType type is intended to characterize Windows kernel function hooks.
The Digital_Signature_Hooking field is optional and specifies the digital signature of the hooking code.
The Digital_Signature_Hooked field is optional and specifies the digital signature of the hooked code.
The Hooking_Address field is optional and specifies the address from where the hooking occurs.
The Hook_Description field is optional and provides a description of the nature of the hook.
The Hooked_Function field specifies the name of the function that is hooked.
The Hooked_Module field specifies the name of the module that is hooked.
The Hooking_Module field specifies the name of the module that is doing the hooking.
The Type field specifies the type of hook being characterized.
KernelHookType specifies Windows kernel hook types via a union of the KernelHookTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Code_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
CodeTypeEnum is a (non-exhaustive) enumeration of code types.
The code represented is in the form of Source Code.
The code represented is in the form of Byte Code.
The code represented is in the form of binary code.
CodePurposeEnum is a (non-exhaustive) enumeration of classes of code intended purposes.
The code represented is intended as application code.
The code represented is intended as library code.
The code represented is intended as shellcode.
The code represented is intended as exploit code.
The code represented is intended for unknown purposes.
The code represented is intended for a purpose other than those listed in this enumeration.
The CodeLanguageEnum simple type is a (non-exhaustive) enumeration of computer code languages.
Indicates the code is written in the C programming language.
Indicates the code is written in the C++ programming language.
Indicates the code is written in the C# programming language.
Indicates the code is written in the Java programming language.
Indicates the code is written in the JSP (Java Server Pages) language.
Indicates the code is written in the Javascript programming language.
Indicates the code is written in the ASP.NET programming language.
Indicates the code is written in SQL (Structured Query Language).
Indicates the code is written in the Python programming language.
Indicates the code is written in the Perl programming language.
Indicates the code is written in the PHP programming language.
Indicates the code is written as a SOAP message.
Indicates the code is written in the Ruby programming language.
Indicates the code is written as a Shell script.
Indicates the code is written as pseudo code.
Indicates the code utilizes the .NET framework.
Indicates the code is written in an assembly language.
Indicates the code is written in XML (eXtensible Markup Language).
Indicates the code is written in HTML (HyperText Markup Language).
Indicates the code is written in a language not found in this enumeration.
The ProcessorTypeEnum simple type is a (non-exhaustive) enumeration of computer processor architectures.
Indicates an x86 32-bit processor.
Indicates an x86 64-bit processor.
Indicates an IA-64 (Intel Itanium) 64-bit processor.
Indicates a PowerPC processor.
Indicates an ARM processor.
Indicates an Alpha processor.
Indicates a SPARC processor.
Indicates a z/Architecture (IBM) processor.
Indicates an eSi-RISC processor.
Indicates a MIPS processor.
Indicates a Motorola 68k processor.
Indicates a processor outside of this enumeration.
The CodeObjectType type is intended to characterize a body of computer code.
The Description field is intended for use in providing a brief description of the code that is encapsulated in this field.
The type field is intended to provide a way of specifying the type of code being characterized.
The purpose field is intended to provide a way of specifying the purpose or flavor of code being characterized.
The code_language field refers to the code language used in the code characterized in this field.
The Targeted_Platforms field specifies a list of platforms that this code is targeted for.
The processor_family field specifies the class of processor that the code snippet is targeting. This field may be specified multiple times for code snippets that are applicable across multiple processor families.
The Discovery_Method field is intended to characterize the method and/or tool used to discover the code.
The start_address field can be used to reference the start address of the code, if it was discovered inside a binary.
The Code_Segment field encompasses any arbitrary code segment in unencoded (plaintext or binary) format. Code would typically be included here within a CDATA section.
The Code_Segment_XOR field encompasses any arbitrary code segment. Its contents should contain the actual code segment XORed with the pattern defined in the xor_pattern property. This is so that the code contained in the field does not trigger IDS, AV, or other signature-based scanners when the document itself is stored or exchanged. XORed code would typically be included here within a CDATA section.
The Digital_Signatures field is optional and captures one or more digital signatures for the code.
A description of features extracted from this code segment.
A list of targeted platforms.
The Targeted_Platform field specifies a particular platform that this code is targeted for.
Used to encapsulate a segment of code that has been XORed with a pattern in order to avoid tripping anti-virus detection.
The xor_pattern field contains a 16-hexadecimal-character hex string, which represents the pattern that the Code_Segment_XOR field should be XORed with in order to recover the actual code. The default value is 55AA55AA55AA55BB, as specified by IETF RFC 5901.
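The Code_Segment_XOR and xor_pattern fields above define a repeating-key XOR: byte i of the stored segment is the original byte XORed with byte (i mod 8) of the 8-byte pattern, and applying the same operation again recovers the code. The following is an added example, not part of the CybOX schema or any CybOX library, of producing and consuming that field with the page's default pattern 55AA55AA55AA55BB. It assumes, since the page does not fix the text encoding of the XORed bytes, that the field content is carried as a hex string; the function names are this example's own.

```python
"""Encode and decode a CybOX Code_Segment_XOR field with its xor_pattern.
Added example; not part of the CybOX schema or any CybOX library."""
import re

# Default pattern named on the page (RFC 5901); 16 hex characters = 8 bytes.
DEFAULT_XOR_PATTERN = "55AA55AA55AA55BB"


def is_valid_xor_pattern(pattern_hex: str) -> bool:
    """The schema requires exactly 16 hexadecimal characters."""
    return re.fullmatch(r"[0-9A-Fa-f]{16}", pattern_hex) is not None


def parse_xor_pattern(pattern_hex: str) -> bytes:
    if not is_valid_xor_pattern(pattern_hex):
        raise ValueError("xor_pattern must be exactly 16 hexadecimal characters")
    return bytes.fromhex(pattern_hex)


def xor_with_pattern(data: bytes, pattern: bytes) -> bytes:
    # Repeating-key XOR over the 8-byte pattern; the operation is its own inverse,
    # so the same function both produces and recovers the segment.
    return bytes(b ^ pattern[i % len(pattern)] for i, b in enumerate(data))


def encode_code_segment_xor(code: bytes, pattern_hex: str = DEFAULT_XOR_PATTERN) -> str:
    """Plaintext code -> Code_Segment_XOR content (assumed hex text encoding)."""
    return xor_with_pattern(code, parse_xor_pattern(pattern_hex)).hex()


def decode_code_segment_xor(segment_hex: str, pattern_hex: str = DEFAULT_XOR_PATTERN) -> bytes:
    """Code_Segment_XOR content (hex text) -> the original code bytes."""
    return xor_with_pattern(bytes.fromhex(segment_hex), parse_xor_pattern(pattern_hex))


if __name__ == "__main__":
    # Constructed sample; a harmless shell script standing in for a code segment.
    sample = b"#!/bin/sh\necho constructed sample\n"
    stored = encode_code_segment_xor(sample)
    print("Code_Segment_XOR:", stored)
    print("recovered:", decode_code_segment_xor(stored))
```

Because every byte of the default pattern is non-zero, no byte of the original code survives in place in the stored segment, which is what keeps byte-exact signatures from matching the document; a consumer that forgets to decode the field, or decodes with the wrong pattern, gets bytes that look nothing like the code, so validating xor_pattern before use is worth the one-line check.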
CodeLanguageType specifies languages of code, via a union of the CodeLanguageEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This field is optional and specifies the expected type for the value of the specified field.
CodePurposeType specifies intended purposes of code, via a union of the CodePurposeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This field is optional and specifies the expected type for the value of the specified field.
CodeTypeType specifies types of code, via a union of the CodeTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This field is optional and specifies the expected type for the value of the specified field.
ProcessorTypeType specifies relevant processor families, via a union of the ProcessorTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Mutex_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The MutexObjectType type is intended to characterize generic mutual exclusion (mutex) objects.
The named field specifies whether the Mutex is named.
The Name field specifies the name for a named mutex object.
<schema>Disk_Partition_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The PartitionTypeEnum type is a non-exhaustive enumeration of partition types. See http://www.win.tue.nl/~aeb/partitions/partition_types-1.html for more information about the various partition types.
Indicates an unused partition entry.
Indicates a FAT 12 partition.
Indicates a XENIX type 1 partition.
Indicates a XENIX type 2 partition.
Indicates a XENIX FAT 16 partition.
Indicates a XENIX extended partition.
Specifies an MS-DOS V4 huge partition. This value indicates that there is no Microsoft file system on the partition. Use this value when creating a logical volume.
Indicates an IFS partition.
Indicates an OS/2 boot manager partition.
Indicates a FAT32 partition.
Indicates the Extended-INT13 equivalent of the FAT32 partition type.
Indicates an XINT13 partition.
Indicates an extended XINT13 partition.
Indicates a PReP (Power PC Reference Platform) partition.
Indicates an LDM partition.
Indicates a UNIX partition.
Specifies a valid NTFT partition. The high bit of a partition type code indicates that a partition is part of an NTFT mirror or striped array.
Specifies an NTFT partition.
Refers to an unknown partition or a partition other than those listed.
The DiskPartitionType type is intended to characterize partitions of disk drives.
The Created field specifies the date/time the partition was created.
The Device_Name field specifies the name of the device on which the partition resides.
The Mount_Point field specifies the mount point of the partition.
The Partition_ID field specifies the numerical identifier of the partition.
The Partition_Length field specifies the length of the partition, in bytes.
The Partition_Offset field specifies the starting offset of the partition, in bytes.
The Space_Left field specifies the amount of space left on the partition, in bytes.
The Space_Used field specifies the amount of space used on the partition, in bytes.
The Total_Space field specifies the total amount of space available on the partition, in bytes.
The Type field specifies the type of partition being characterized.
PartitionType specifies partition types, via a union of the PartitionTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Mailslot_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsMailslotObjectType is intended to characterize Windows mailslot objects.
The Handle field specifies the open Windows handle to the mailslot. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.
The Max_Message_Size field specifies the maximum message size for the mailslot, in bytes.
The Name field specifies the name of the mailslot.
The Read_Timeout field specifies the amount of time, in milliseconds, a read operation can wait for a message to be written to the mailslot before a time-out occurs.
The Security_Attributes field specifies the Windows security attributes for the mailslot.
<schema>Win_Process_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsProcessObjectType type is intended to characterize Windows processes.
The aslr_enabled field specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.
The dep_enabled field specifies whether Data Execution Prevention (DEP) is enabled for the process.
The Handle_List field specifies a list of Windows Handles opened or used by the process.
The Priority field specifies the current priority of the process in Windows.
The Section_List field specifies the memory sections used by the process.
The Security_ID field specifies the Security ID (SID) value assigned to the process.
The Startup_Info field specifies the STARTUP_INFO struct used by the process.
The Security_Type field specifies the type of Security ID (SID) assigned to the process.
The Window_Title field specifies the title of the main window of the process.
The Thread field specifies a single thread created to execute within the virtual address space of the process.
The MemorySectionListType type specifies a list of memory sections used by the process.
The Memory_Section field specifies a memory section used by the process. It imports and uses the MemoryObjectType from the CybOX Memory Object.
The StartupInfoType type encapsulates the information contained in the STARTUPINFO struct for the process.
The lpDesktop field specifies the name of the desktop, or the name of both the desktop and window station for this process.
The lpTitle field specifies the title displayed in the title bar if a new console window is created.
The dwX field specifies the x offset of the upper left corner of a window if a new window is created, in pixels.
The dwY field specifies the y offset of the upper left corner of a window if a new window is created, in pixels.
The dwXSize field specifies the width of the window if a new window is created, in pixels.
The dwYSize field specifies the height of the window if a new window is created, in pixels.
The dwXCountChars field specifies the screen buffer width, in character columns.
The dwYCountChars field specifies the screen buffer height, in character rows.
The dwFillAttribute field specifies the initial text and background colors if a new console window is created in a console application.
The dwFlags field specifies a bitfield that determines whether certain STARTUPINFO members are used when the process creates a window.
The wShowWindow field is used when dwFlags includes STARTF_USESHOWWINDOW; it can be any of the values that can be specified in the nCmdShow parameter of the ShowWindow function, except SW_SHOWDEFAULT.
The hStdInput field specifies the standard input handle for the process.
The hStdOutput field specifies the standard output handle for the process.
The hStdError field specifies the standard error handle for the process.
<schema>Unix_Volume_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The UnixVolumeObjectType type is intended to characterize Unix disk volumes.
The Mount_Point field specifies the specific mounting point for the Unix volume.
The Options field specifies any options used when mounting the volume.
<schema>Network_Flow_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
This enumeration describes the field types in NetFlow Version 9. Only the first 20 have been enumerated so far. Please see Section 8 in http://www.ietf.org/rfc/rfc3954.txt for the complete list (79 in total).
The IN_BYTES(1) field represents the incoming counter with length N x 8 bits for the number of bytes associated with an IP Flow.
The IN_PKTS(2) field represents the incoming counter with length N x 8 bits for the number of packets associated with an IP Flow.
The FLOWS(3) field represents the number of flows that were aggregated; default for N is 4.
The PROTOCOL(4) field represents the IP protocol byte.
The TOS(5) field represents the Type of Service byte setting when entering incoming interface.
The TCP_FLAGS(6) field is cumulative of all the TCP flags seen for this flow.
The L4_SRC_PORT(7) field represents the TCP/UDP source port number i.e.: FTP, Telnet, or equivalent.
The IPV4_SRC_ADDR(8) field represents the IPv4 source address.
The SRC_MASK(9) field represents the number of contiguous bits in the source address subnet mask i.e.: the submask in slash notation.
The INPUT_SNMP(10) field represents the input interface index; default for N is 2 but higher values could be used.
The L4_DST_PORT(11) field represents the TCP/UDP destination port number i.e.: FTP, Telnet, or equivalent.
The IPV4_DST_ADDR(12) field represents the IPv4 destination address.
The DST_MASK(13) field represents the number of contiguous bits in the destination address subnet mask i.e.: the submask in slash notation.
The OUTPUT_SNMP(14) field represents the output interface index; default for N is 2 but higher values could be used.
The IPV4_NEXT_HOP(15) field represents the IPv4 address of next-hop router.
The SRC_AS(16) field represents the source BGP autonomous system number where N could be 2 or 4.
The DST_AS(17) field represents the destination BGP autonomous system number where N could be 2 or 4.
The BGP_IPV4_NEXT_HOP(18) field represents the next-hop router's IP in the BGP domain.
The MUL_DST_PKTS(19) field represents the IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow.
The MUL_DST_BYTES(20) field represents the IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow.
These describe the scope field types, i.e. the relevant portion of the NetFlow process to which the options record refers. See http://www.ietf.org/rfc/rfc3954.txt.
Indicates the System scope field type.
Indicates the Interface scope field type.
Indicates the Line Card scope field type.
Indicates the NetFlow Cache scope field type.
Indicates the Template scope field type.
The SiLKFlowAttributesTypeEnum specifies the flow attributes set by the flow generator. This is field 28 of the rwstats options. See http://tools.netsa.cert.org/silk/rwstats.html for more information.
Indicates that the flow generator saw additional packets in this flow following a packet with a FIN flag (excluding ACK packets).
Indicates that the flow generator prematurely created a record for a long-running connection due to a timeout. (When the flow generator yaf(1) is run with the --silk switch, it will prematurely create a flow and mark it with T if the byte count of the flow cannot be stored in a 32-bit value.)
Indicates that the flow generator created this flow as a continuation of long-running connection, where the previous flow for this connection met a timeout (or a byte threshold in the case of yaf).
The environment variable allows the user to specify the address type mapping file. A partial, typical list is currently given; see http://tools.netsa.cert.org/silk/addrtype.html for more information.
Denotes a (non-routable) IP address.
Denotes an IP address internal to the monitored network.
Denotes an IP address external to the monitored network.
Enumerates the direction of traffic. Not all directions are currently enumerated.
Denotes inbound traffic relative to a sensor.
Denotes inbound web traffic relative to a sensor. SiLK categorizes a flow as web if the protocol is TCP and either the source port or destination port is one of 80, 443, or 8080.
Denotes null inbound traffic relative to a sensor.
Denotes outbound traffic relative to a sensor.
Denotes outbound web traffic relative to a sensor. SiLK categorizes a flow as web if the protocol is TCP and either the source port or destination port is one of 80, 443, or 8080.
Denotes null outbound traffic relative to a sensor.
Enumerates SiLK sensor classes. Currently just one class (all) is defined.
Defines sensor class "all".
The environment variable allows the user to specify a country code mapping file. No enumerations are currently defined.
Defines the fields necessary to summarize network traffic, expressed as flows of multiple packets. Does not include the packet payload data (i.e. the actual data exchanged between the source and destination IP addresses, as captured by packet monitoring tools such as Wireshark).
Represents elements common to all flow record formats, either expressed as a 5-tuple or an extended 7-tuple (actually an 8-tuple because, for organizational reasons, we include the egress interface index). Because these fields are defined here, they are excluded from the fields associated directly with each different flow record format type.
Network layer information (relative to the OSI network model) which is typically captured in all types of network flow records.
Represents the source IP socket address, consisting of an IP address and port number, for the network flow expressed. Note that not all flow protocols support IPv6 addresses.
Represents the destination IP socket address, consisting of an IP address and port number, for the network flow expressed. Note that not all flow protocols support IPv6 addresses.
The IP Protocol of the network flow. This is usually TCP, UDP, or SCTP, but can include others as represented in NetFlow as an integer from 0 to 255. Please refer to http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml for reference.
The NetworkFlowLabelType contains elements that are common to all flow record formats. It builds off of network layer information (a 5-tuple that commonly defines a flow) and includes ingress and egress interface indexes and IP protocol information (not present in all flow record formats). Egress information is usually not thought of as part of the extended 7-tuple, but we include it for organizational purposes. Because these fields are defined here, they are excluded from the fields associated directly with each different flow record format type.
Represents the index (in SNMP, by default) of the network interface card where the flows entered the router.
Represents the index (in SNMP, by default) of the network interface card where the flows leave the router.
Type of service field from the IP header. Specifies the IP Type of Service (ToS). See RFC 1349 for more information.
Netflow record formats that capture traffic in one direction.
Network record formats that capture traffic in both directions. Later, we plan to add Argus as a network flow format type. Argus supports bidirectional flows, and as such, is usually used as an alternative to NetFlow v5 analysis via SiLK (http://www.qosient.com/argus/).
Represents flow records generated via YAF (Yet Another Flowmeter), a bidirectional network flow meter. See http://www.usenix.org/event/lisa10/tech/full_papers/Inacio.pdf or http://tools.netsa.cert.org/yaf/index.html for more information.
The IPFIX protocol provides IP flow information. http://tools.ietf.org/html/rfc5101.
Set is a generic term for a collection of records that have a similar structure. In an IPFIX Message, one or more Sets follow the Message Header. http://tools.ietf.org/html/rfc5101.
The Message Header is the first part of an IPFIX Message, which provides basic information about the message, such as the IPFIX version, length of the message, message sequence number, etc. http://tools.ietf.org/html/rfc5101.
This type represents the message header for the IPFIX format. For more information about each of the fields, please refer to RFC 5101 (http://tools.ietf.org/html/rfc5101) under the heading, "Message Header Field Descriptions." Note that common elements are included in the Network_Flow_Label.
Indicates the version number of Flow Record format exported in this message. The value of this field is 0x000a for the current version, incrementing by one the version used in the NetFlow services export version 9 [see RFC3954].
Indicates the total byte length of the IPFIX Message, measured in octets, including Message Header and Set(s).
Indicates the time, in seconds, since 0000 UTC Jan 1, 1970, at which the IPFIX message header leaves the Exporter.
Indicates the incremental sequence counter modulo 2^32 of all IPFIX Data Records sent on this PR-SCTP stream from the current Observation Domain by the Exporting Process. This value SHOULD be used by the Collecting Process to identify whether any IPFIX Data Records have been missed. Template and Options Template Records do not increase the Sequence Number.
Indicates a 32-bit identifier of the Observation Domain that is locally unique to the Exporting Process. See RFC 5101 under Observation Domain ID for more information.
Represents the possible sets of records that can be represented in an IPFIX message. See RFC 5101 and look for the terms "Template Set", "Options Template Set", and "Data Set", for more information.
Specifies the regions of a Template Set, of which there are three: the Set Header, the collection of Template Records, and the optional padding at the end of the Template Set. See RFC 5101 under Set Format, which is section 3.3.1, for more information.
Indicates the Set Header region, which is a 32-bit region containing the 16-bit fields Set ID and Length.
Indicates the region of Template Records. These are the same fields referenced in the IPFIXTemplateRecordType.
Indicates the optional Padding at the end of a Template Set. As mentioned in RFC 5101, the Exporting Process MAY insert some padding octets, so that the subsequent Set starts at an aligned boundary. For security reasons, the padding octet(s) MUST be composed of zero (0) valued octets, and the padding length MUST be shorter than any allowable record in this Set. For more information see RFC 5101 under Padding.
Specifies the regions of an Options Template Set, of which there are three: the Set Header, the collection of Options Template Records, and the optional padding at the end of the Options Template Set. See RFC 5101 under Set Format, which is section 3.3.1, for more information.
Indicates the Set Header region, which is a 32-bit region containing the 16-bit fields Set ID and Length, in that order. These are the same fields referenced in the IPFIXSetHeaderType.
Indicates the region of Options Template Records. These are the same fields referenced in the IPFIXOptionsTemplateRecordType.
Indicates the optional Padding at the end of an Options Template Set. As mentioned in RFC 5101, the Exporting Process MAY insert some padding octets, so that the subsequent Set starts at an aligned boundary. For security reasons, the padding octet(s) MUST be composed of zero (0) valued octets, and the padding length MUST be shorter than any allowable record in this Set. For more information see RFC 5101 under Padding.
Specifies the regions of a Data Set, of which there are three: the Set Header, the collection of Data Records, and the optional padding at the end of the Data Set. See RFC 5101 under Set Format, which is section 3.3.1, for more information.
Indicates the Set Header region, which is a 32-bit region containing the 16-bit fields Set ID and Length, appended in that order. These are the same fields referenced in the IPFIXSetHeaderType.
Indicates the region of Data Records, which consist of a series of field values without a header, according to RFC 5101, section 3.4.3.
Indicates the optional Padding at the end of a Data Set. As mentioned in RFC 5101, the Exporting Process MAY insert some padding octets, so that the subsequent Set starts at an aligned boundary. For security reasons, the padding octet(s) MUST be composed of zero (0) valued octets, and the padding length MUST be shorter than any allowable record in this Set. For more information see RFC 5101 under Padding.
Defines the elements of the IPFIX set header.
Indicates a 16-bit value that identifies the Set. The values 0 and 1 are not used, for historical reasons, according to RFC 3954. The value 2 is reserved for the Template Set and 3 for the Options Template Set. All other values from 4 to 255 are reserved for future use.
Total length of the set, in octets, including the set header, all records, and the optional padding. Because an individual Set MAY contain multiple records, the Length value MUST be used to determine the position of the next Set. http://tools.ietf.org/html/rfc5101.
Specifies the regions of a Template Record, of which there are two: the Template Record Header, and the Field Specifiers. See RFC 5101 under Template Record Format, section 3.4.1, for more information.
Indicates the Template Record Header region, which is a 32-bit region containing the 16-bit fields Template ID (> 255) and Field Count, appended in that order. These are the same fields referenced in the IPFIXTemplateRecordHeaderType.
Indicates the region of Field Specifiers. These are the same fields referenced in the IPFIXTemplateRecordFieldSpecifiersType.
Specifies the fields in a Template Record Header, Template_ID and Field_Count, as explained in RFC 5101, section 3.4.1.
Specifies a unique Template ID which is numbered 256-65535 since IDs 0-255 are reserved for Template Sets, Options Template Sets, and other reserved Sets yet to be created.
Specifies the number of fields in this Template Record.
Specifies the fields in a Template Record Field Specifier, as explained in RFC 5101, section 3.2.
Specifies the Enterprise bit, either 0 or 1. If this bit is zero, the Information Element Identifier identifies an IETF-specified Information Element, and the four-octet Enterprise Number field SHOULD NOT be present. If this bit is one, the Information Element identifier identifies an enterprise-specific Information Element, and the Enterprise Number field SHOULD be present. NOTE: While it is legal to use "true" and "false" here, this value SHOULD be set to 0 or 1 for consistency with RFC 5101.
Specifies the 15-bit (NOT 16-bit) Information Element ID referring to the type of Information Element, as shown in RFC 5102.
Specifies the 16-bit Field Length, in octets, of the corresponding encoded Information Element as defined in RFC 5102. The field length may be smaller than the definition in RFC 5102 if the reduced size encoding is used (see Section 6.2 of RFC 5101). The value 65535 is reserved for variable length Information Elements.
Specifies the 32-bit IANA Enterprise Number of the authority defining the Information Element identifier in this Template Record. Information Element Identifiers 1.2 and 2.1 are defined by the IETF (Enterprise bit = 0) and, therefore, do not need an Enterprise Number to identify them.
Specifies the regions of an Options Template Record, of which there are two: the Options Template Record Header, and the Field Specifiers. See RFC 5101 under Options Template Record Format, section 3.4.2.2, for more information.
Indicates the Options Template Record Header region, which is a 48-bit region containing the 16-bit fields Template ID, Field Count, and Scope Field Count, appended in that order.
Indicates the region of Field Specifiers. These are the same fields referenced in the IPFIXOptionsTemplateRecordFieldSpecifiersType.
Defines the header of an options template record.
Specifies a unique Template ID which is numbered 256-65535 since IDs 0-255 are reserved for Template Sets, Options Template Sets, and other reserved Sets yet to be created.
Specifies the number of fields in this Options Template Record, INCLUDING the Scope Fields.
Specifies the number of scope fields in this Options Template Record, which is NONZERO. The Scope Fields are normal Fields except that they are interpreted as scope at the Collector.
Specifies the fields in an Options Template Record Field Specifier, as explained in RFC 5101, sections 3.2 and 3.4.2.2. It consists of two sequences: Scope Fields and Option Fields, appended together.
Specifies the Option Enterprise bit, either 0 or 1. If this bit is zero, the Information Element Identifier identifies an IETF-specified Information Element, and the four-octet Enterprise Number field SHOULD NOT be present. If this bit is one, the Information Element identifier identifies an enterprise-specific Information Element, and the Enterprise Number field SHOULD be present. NOTE: While it is legal to use "true" and "false" here, this value SHOULD be set to 0 or 1 for consistency with RFC 5101.
Specifies the 32-bit IANA Option Enterprise Number of the authority defining the Information Element identifier in this Template Record. Information Element Identifiers 1.2 and 2.1 are defined by the IETF (Enterprise bit = 0) and, therefore, do not need an Enterprise Number to identify them.
Specifies the 16-bit Option Field Length, in octets, of the corresponding encoded Information Element as defined in RFC 5102. The field length may be smaller than the definition in RFC 5102 if the reduced size encoding is used (see Section 6.2 of RFC 5101). The value 65535 is reserved for variable length Information Elements.
Specifies the 15-bit (NOT 16-bit) Option Information Element ID referring to the type of Information Element, as shown in RFC 5102.
Specifies the Scope Enterprise bit, either 0 or 1. If this bit is zero, the Information Element Identifier identifies an IETF-specified Information Element, and the four-octet Enterprise Number field SHOULD NOT be present. If this bit is one, the Information Element identifier identifies an enterprise-specific Information Element, and the Enterprise Number field SHOULD be present. NOTE: While it is legal to use "true" and "false" here, this value SHOULD be set to 0 or 1 for consistency with RFC 5101.
Specifies the 32-bit IANA Scope Enterprise Number of the authority defining the Information Element identifier in this Template Record. Information Element Identifiers 1.2 and 2.1 are defined by the IETF (Enterprise bit = 0) and, therefore, do not need an Enterprise Number to identify them.
Specifies the 16-bit Scope Field Length, in octets, of the corresponding encoded Information Element as defined in RFC 5102. The field length may be smaller than the definition in RFC 5102 if the reduced size encoding is used (see Section 6.2 of RFC 5101). The value 65535 is reserved for variable length Information Elements.
Specifies the 15-bit (NOT 16-bit) Scope Information Element ID referring to the type of Information Element, as shown in RFC 5102.
Data Records are sent in Data Sets. A Data Record consists of one or more Field Values.
Indicates an individual Field Value, which need not be 16-bit. The Template ID to which the Field Values belong is encoded in the Data Set Header field "Set ID", i.e. "Set ID" = "Template ID".
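To make the IPFIX layout described above concrete (Message Header, Sets located by their Length, Template Records with the Enterprise bit, Data Records keyed by Set ID = Template ID, zero padding), here is an added example parser written for this page; it is not part of the CybOX schema or any MITRE code. The sample message it parses is constructed inline, and the enterprise number 9999 and element 100 in it are made up.

```python
"""Minimal IPFIX (RFC 5101) parser over constructed bytes; an added example, not CybOX code."""
import struct

IPFIX_VERSION = 0x000A
SET_ID_TEMPLATE = 2
VARIABLE_LENGTH = 65535
Spec = tuple[int, int, int]  # (enterprise_number, element_id, length); enterprise 0 = IETF

def parse_message_header(data: bytes) -> dict:
    """Parse the 16-octet Message Header and validate Version and Length."""
    version, length, export_time, seq, domain = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION or not 16 <= length <= len(data):
        raise ValueError("bad IPFIX version or message Length")
    return {"version": version, "length": length, "export_time": export_time,
            "sequence": seq, "observation_domain_id": domain}

def check_padding(tail: bytes) -> None:
    """Octets left after the last record of a Set are padding and MUST be zero."""
    if any(tail):
        raise ValueError("non-zero padding octets in Set")

def parse_template_set(body: bytes) -> dict[int, list[Spec]]:
    """Parse Template Records (Template ID > 255) from a Set with Set ID 2."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[off:off + 4])
        if template_id == 0:
            break  # zero padding rather than another record
        if template_id < 256:
            raise ValueError(f"Template ID {template_id} is reserved (< 256)")
        off, specs = off + 4, []
        for _ in range(field_count):
            raw_id, length = struct.unpack("!HH", body[off:off + 4])
            off, enterprise = off + 4, 0
            if raw_id & 0x8000:  # Enterprise bit set: a 4-octet Enterprise Number follows
                enterprise, off = struct.unpack("!I", body[off:off + 4])[0], off + 4
            specs.append((enterprise, raw_id & 0x7FFF, length))  # ID is the low 15 bits
        templates[template_id] = specs
    check_padding(body[off:])
    return templates

def parse_data_set(body: bytes, specs: list[Spec]) -> list[dict[tuple[int, int], bytes]]:
    """Decode fixed- and variable-length Field Values using the referenced Template."""
    # Padding is shorter than any record, so anything at least this long is a record.
    min_record = sum(1 if length == VARIABLE_LENGTH else length for _, _, length in specs)
    records, off = [], 0
    while len(body) - off >= min_record:
        record = {}
        for enterprise, element_id, length in specs:
            if length == VARIABLE_LENGTH:  # RFC 5101 section 7: 1-octet length, 255 => 2 more
                length, off = body[off], off + 1
                if length == 255:
                    length, off = struct.unpack("!H", body[off:off + 2])[0], off + 2
            record[(enterprise, element_id)] = body[off:off + length]
            off += length
        records.append(record)
    check_padding(body[off:])
    return records

def parse_message(data: bytes):
    """Walk the Sets of one message; Set Length, not a record count, locates the next Set."""
    header = parse_message_header(data)
    templates, data_sets, off = {}, [], 16
    while off < header["length"]:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4 or off + set_len > header["length"]:
            raise ValueError("Set Length runs past the end of the message")
        body = data[off + 4:off + set_len]
        if set_id == SET_ID_TEMPLATE:
            templates.update(parse_template_set(body))
        elif set_id > 255:  # Data Set: its Set ID is the Template ID it was built from
            if set_id not in templates:
                raise ValueError(f"Data Set {set_id} arrived before its Template")
            data_sets.append((set_id, parse_data_set(body, templates[set_id])))
        # Set IDs 0, 1 and 4..255 are reserved; Options Template Sets (3) are skipped here
        off += set_len
    return header, templates, data_sets

def build_sample_message(bad_padding: bool = False) -> bytes:
    """Constructed sample (not a real capture): one Template Set and one Data Set."""
    # Template 256: sourceIPv4Address(8), destinationIPv4Address(12), octetDeltaCount(1) in
    # reduced-size encoding (4 octets), plus a made-up variable-length enterprise element.
    tmpl = struct.pack("!HHHHHHHH", 256, 4, 8, 4, 12, 4, 1, 4)
    tmpl += struct.pack("!HHI", 0x8000 | 100, VARIABLE_LENGTH, 9999)
    template_set = struct.pack("!HH", SET_ID_TEMPLATE, 4 + len(tmpl)) + tmpl
    rec1 = bytes([10, 0, 0, 1, 192, 0, 2, 10]) + struct.pack("!I", 1500) + b"\x03abc"
    rec2 = bytes([10, 0, 0, 2, 192, 0, 2, 20]) + struct.pack("!I", 42) + b"\x00"
    payload = rec1 + rec2
    pad = (b"\xff" if bad_padding else b"\x00") * (-(4 + len(payload)) % 4)
    data_set = struct.pack("!HH", 256, 4 + len(payload) + len(pad)) + payload + pad
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(template_set) + len(data_set),
                         1390000000, 1, 42)
    return header + template_set + data_set

def rejects(data: bytes) -> bool:
    """True if the parser refuses the message, e.g. when padding octets are non-zero."""
    try:
        parse_message(data)
    except ValueError:
        return True
    return False
```

The `bad_padding` switch shows the zero-padding rule from the Padding descriptions above being enforced; a collector that skips that check will silently accept trailing bytes it never decoded.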
Netflow v9 was developed by Cisco and provides access to IP flow information. http://www.ietf.org/rfc/rfc3954.txt.
Specifies a FlowSet, which is a collection of Flow Records that have similar structure. In an Export Packet, one or more FlowSets follow the Packet Header. There are three different types of FlowSets, as defined in RFC 3954: a Template FlowSet, Options Template FlowSet and Data FlowSet.
Specifies the Packet Header, which is the first part of an Export Packet. The Packet Header provides basic information about the packet such as the NetFlow version, number of records contained within the packet, and sequence numbering. See RFC 3954 for more information.
Header fields defined for Netflow v9. Note that common elements are included in the Network_Flow_Label. http://www.ietf.org/rfc/rfc3954.txt.
Specifies the version of flow record format exported in this packet. The value of this field is 9 for the Netflow v9.
Specifies the total number of records in the Export Packet, which is the sum of Options FlowSet records, Template FlowSet records, and Data FlowSet records. http://www.ietf.org/rfc/rfc3954.txt.
Specifies the time in milliseconds since this device was first booted.
Specifies the time in seconds since 0000 UTC 1970 at which the Export Packet leaves the Exporter.
Incremental sequence counter of all Export Packets sent from the current Observation Domain by the Exporter. This value MUST be cumulative, and SHOULD be used by the Collector to identify whether any Export Packets have been missed. http://www.ietf.org/rfc/rfc3954.txt.
Specifies a 32-bit value that identifies the Exporter Observation Domain. NetFlow Collectors SHOULD use the combination of the source IP address and the Source ID field to separate different export streams originating from the same Exporter.
In an Export Packet, one or more FlowSets follow the Packet Header. There are three different types of FlowSets, as defined in RFC 3954: a Template FlowSet, Options Template FlowSet and Data FlowSet.
Provides the format of the Template FlowSet.
Specifies the FlowSet ID, which is fixed to 0 for the Template FlowSet.
Length is the sum of the lengths of the FlowSet ID, the Length itself, and all Template Records within this FlowSet.
Specifies the Template Record region, which includes the template ID, field count, field type, and field length.
Specifies the Template Record region, which includes the template ID, field count, field type, and field length.
Specifies the length of the corresponding field type, in bytes.
Specifies a numeric value that represents the type of the field. Refer to the "Field Type Definitions" section in RFC 3954 for descriptions of these types.
Specifies a unique Template ID for the Template Record. IDs in the range 0-255 are reserved for Template FlowSets, Options FlowSets, and other reserved Sets yet to be created. http://www.ietf.org/rfc/rfc3954.txt.
Specifies the number of fields in this Template Record.
NetflowV9FieldType specifies possible fields types for Netflow v9, via a union of the NetflowV9FieldTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Specifies an Options Template FlowSet, which is one or more Options Template Records that have been grouped together in an Export Packet.
Specifies the FlowSet ID, which is fixed to 1 for the Options Template FlowSet.
Specifies the total length of this FlowSet, in octets, including the set header, all records, and the optional padding.
Specifies the Options Template Record region, which includes the Option Scope Length, Option Length, and fields specifying the Scope field type and Scope field length.
Specifies the number of padding bytes to be inserted so that the subsequent FlowSet starts at a 4-byte aligned boundary. It is important to note that the Length field includes the padding bytes. Padding SHOULD use zeros.
Specifies the Options Template Record region, which includes the Option Scope Length, Option Length, and fields specifying the Scope field type and Scope field length.
Specifies the length (in bytes) of the Option field.
Specifies the type of field that would appear in the Options Template Record. More information can be found in RFC 3954.
Specifies the length (in bytes) of the Scope field as it would appear in an Options Data Record.
Specifies the relevant portion of the Exporter/NetFlow process to which the Options Template Record refers. Currently defined values include 1 for System, 2 for Interface, 3 for Line Card, 4 for Cache, and 5 for Template. More information can be found in RFC 3954.
Specifies the template ID of this Options Template, which must be greater than 255.
Specifies the length, in bytes, of any Scope field definitions contained in the Options Template Record.
Specifies the length, in bytes, of any Option field definitions contained in this Options Template Record.
NetflowV9ScopeFieldType specifies scope field types for Netflow v9, via a union of the NetflowV9ScopeFieldTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Specifies a Data FlowSet, which is one or more records, of the same type, that are grouped together in an Export Packet. Each record is either a Flow Data Record or an Options Data Record previously defined by a Template Record or an Options Template Record. http://www.ietf.org/rfc/rfc3954.txt.
Specifies the FlowSet ID, which corresponds to the Template ID from a Template Flow Set or an Options Template Flow Set.
Specifies the length of this FlowSet.
The remainder of the Data FlowSet is a collection of Flow Data Record(s), each containing a set of field values. The Type and Length of the fields have been previously defined in the Template Record referenced by the FlowSet ID or Template ID. Specifies either a template flow set or an options template flow set. http://www.ietf.org/rfc/rfc3954.txt.
Specifies the padding bytes used so that the subsequent FlowSet starts at a 4-byte aligned boundary. It is important to note that the Length field includes the padding bytes. Padding SHOULD use zeros.
A Data FlowSet is one or more records, of the same type, that are grouped together in an Export Packet. Each record is either a Flow Data Record or an Options Data Record previously defined by a Template Record or an Options Template Record. http://www.ietf.org/rfc/rfc3954.txt.
A Flow Data Record is a data record that contains values of the Flow parameters corresponding to a Template Record.
For each flow record, field values are listed.
Field values are associated with each record in the collection of a flow data record.
Set of field values for a given Flow Data Record.
The data record that contains values and scope information of the Flow measurement parameters, corresponding to an Options Template Record.
For each option data record, field values are listed.
Corresponds to a previously defined Options Template Record.
Field values are associated with each option in the collection of an option data record.
Set of field values for a given Options Data Record.
Defines the contents of a Netflow v5 packet. As of 2012, Netflow v5 is still the most commonly used network flow format. Netflow v5 was developed by Cisco. http://netflow.caligare.com/netflow_v5.htm.
See Network_Flow_Label for other common fields. Padding of 0-bytes is not captured. REF: http://netflow.caligare.com/netflow_v5.htm REF: http://tools.netsa.cert.org/silk/faq.html#ipfix-fields.
Elements of a netflow v5 header.
Defines elements of a netflow v5 header. http://netflow.caligare.com/netflow_v5.htm.
Specifies the NetFlow export format version number, which defaults to 5 in this case.
Specifies the number of flows exported in the packet (1-30).
Specifies the current time in milliseconds since the export device booted.
Specifies the current time in milliseconds since 0000 UTC 1970.
Specifies the residual in nanoseconds since 0000 UTC 1970.
Specifies the sequence counter of total flows seen.
Specifies the type of flow-switching engine.
Specifies the slot number of the flow-switching engine.
Specifies the sampling interval field, which consists of the first two bits holding the sampling mode, with the remaining 14 bits holding the value of the sampling interval.
Defines elements of a Netflow v5 flow record. Recall that the seven elements that define the flow itself (e.g., source IP address) are provided in NetworkFlowLabelType. https://bto.bluecoat.com/packetguide/8.6/info/netflow5-records.htm.
Represents the IP address of the next hop router.
Represents the number of packets in the flow.
Represents the total number of bytes in the flow.
Represents the SysUpTime at start of flow: the total time in milliseconds starting from when the first packet in the flow was seen.
Represents the SysUpTime at end of flow: when the last packet in the flow was seen.
One byte of padding.
Specifies the union of all TCP flags observed over the life of the flow.
Specifies the source autonomous system number, either origin or peer.
Specifies the destination autonomous system number, either origin or peer.
Specifies the source address prefix mask bits.
Specifies the destination address prefix mask bits.
Unused (zero) bytes, used for padding.
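The header elements (version through sampling interval) and the flow-record elements above are laid out on the wire as a fixed 24-byte header followed by 48-byte records. The following parser is an added example, not code from the CybOX schema or from MITRE; the field order and widths are the published NetFlow v5 layout, and the packet produced by build_sample_packet() is constructed for this example. It applies the checks a collector should make before trusting the data: version, the 1-30 flow count, and that the packet really carries as many records as the header claims.

```python
"""NetFlow v5 export packet parser: 24-byte header followed by 48-byte flow records.

Added example; not code from the CybOX schema or from MITRE. The sample packet
below is constructed for this example.
"""
import struct
from ipaddress import IPv4Address

HEADER_FMT = ">HHIIIIBBH"              # version .. sampling_interval, 24 bytes
RECORD_FMT = ">IIIHHIIIIHHBBBBHHBBH"   # srcaddr .. pad2, 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_FLOWS_PER_PACKET = 30              # the v5 header count is limited to 1-30

RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def decode_tcp_flags(flags: int) -> list:
    """Expand the union-of-flags byte into flag names, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if flags & bit]


def parse_header(data: bytes) -> dict:
    """Unpack the v5 header and validate the fields a collector should check."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated NetFlow header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if not 1 <= count <= MAX_FLOWS_PER_PACKET:
        raise ValueError(f"flow count {count} outside 1-{MAX_FLOWS_PER_PACKET}")
    return {
        "version": version,
        "count": count,
        "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs,
        "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence,
        "engine_type": engine_type,
        "engine_id": engine_id,
        # top two bits hold the sampling mode, the low 14 bits the interval
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }


def parse_record(chunk: bytes) -> dict:
    """Unpack one 48-byte flow record; addresses are rendered dotted-quad."""
    rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, chunk)))
    for key in ("srcaddr", "dstaddr", "nexthop"):
        rec[key] = str(IPv4Address(rec[key]))
    rec["tcp_flag_names"] = decode_tcp_flags(rec["tcp_flags"])
    rec["duration_ms"] = rec["last"] - rec["first"]   # both are SysUpTime values
    return rec


def parse_packet(data: bytes):
    """Return (header, records); reject packets shorter than the header claims."""
    header = parse_header(data)
    expected = HEADER_LEN + header["count"] * RECORD_LEN
    if len(data) < expected:
        raise ValueError(f"packet has {len(data)} bytes, header implies {expected}")
    records = [parse_record(data[off:off + RECORD_LEN])
               for off in range(HEADER_LEN, expected, RECORD_LEN)]
    return header, records


def is_well_formed(data: bytes) -> bool:
    """True when the packet parses cleanly; lets a collector drop malformed exports."""
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def build_sample_packet() -> bytes:
    """Constructed sample: one TCP flow 10.0.0.1:40000 -> 10.0.0.2:80."""
    header = struct.pack(HEADER_FMT, 5, 1, 120_000, 1_400_000_000, 0, 42, 0, 0,
                         (1 << 14) | 100)   # sampling mode 1, interval 100
    record = struct.pack(RECORD_FMT,
                         int(IPv4Address("10.0.0.1")), int(IPv4Address("10.0.0.2")),
                         int(IPv4Address("10.0.0.254")), 1, 2, 10, 1500,
                         100_000, 119_000, 40000, 80, 0, 0x1B, 6, 0,
                         64500, 64501, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    hdr, recs = parse_packet(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```

The first and last timestamps are SysUpTime values, so the flow duration is their difference while the absolute start time has to be derived from unix_secs and sys_uptime in the header; the parser keeps both raw so that the caller can do that conversion.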
System for Internet-Level Knowledge (CMU/SEI). The fields are taken from a list shown in http://tools.netsa.cert.org/silk/rwcut.html. Fields common to all network flows are defined in NetworkFlowLabelType (e.g., source IP, SNMP ingress, etc.). For additional references, see http://tools.netsa.cert.org/silk/analysis-handbook.pdf, http://tools.netsa.cert.org/silk/faq.html#ipfix-fields.
Represents the number of packets in the flow.
Represents the number of Layer 3 bytes in the packets of the flow.
Specifies the union of all TCP flags observed over the life of the flow.
Represents the SysUpTime at start of flow, i.e. the total time in milliseconds starting from when the router booted. There is another element "Start_Time+msec" which is the starting time of flow including milliseconds, but milliseconds are the resolution of Start_Time unless the -legacy-timestamps switch is specified, so "Start_Time+msec" is not defined separately.
Specifies the duration of the flow. There is another element "Duration+msec" which is the duration of the flow including milliseconds, but milliseconds are the resolution of Duration unless the -legacy-timestamps switch is specified, so "Duration+msec" is not defined separately.
Represents the SysUpTime at end of flow. There is another element "End_Time+msec" which is the ending time of the flow including milliseconds, but milliseconds are the resolution of End_Time unless the -legacy-timestamps switch is specified, so "End_Time+msec" is not defined separately.
Defines the fields associated with the sensor at the collection point.
ICMP type for ICMP flows. Empty for non-ICMP flows.
ICMP code for ICMP flows. Empty for non-ICMP flows.
Router next hop IP.
TCP flags on first packet in the flow.
Bit-wise OR of TCP flags over all packets except the first in the flow.
Flow attributes set by the flow generator.
Based on an examination of payload contents, this value is the port number traditionally used for that type of traffic (21 for FTP traffic, even if it is actually routed over port 80). The documentation (http://tools.netsa.cert.org/silk/rwcut.html) describes this as a "guess as to the content of the flow".
The type of the source IP in terms of whether the address is routable, external, etc.
The type of the destination IP in terms of whether the address is routable, external, etc.
A two-letter country code denoting the country of location of the source IP address.
A two-letter country code denoting the country of location of the destination IP address.
User defined string for integrating external information into SiLK records. See documentation on SiLK pmap filter for details (defined in the prefix map associated with MAPNAME).
User defined string for integrating external information into SiLK records. See documentation on SiLK pmap filter for details (defined in the prefix map associated with MAPNAME).
SiLKFlowAttributesType specifies SiLK flow attributes, via a union of the SiLKFlowAttributesTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
SiLKAddressType specifies SiLK address types, via a union of the SiLKAddressTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
SiLKCountryCodeType specifies country codes used by SiLK, via a union of the SiLKCountryCodeTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Defines elements associated with a SiLK sensor.
Name or ID of sensor at the collection point.
By default, only one "all" class. Others can be configured.
Specifies the direction of traffic, which is enumerated by SiLKDirectionType.
SiLKType specifies direction of SiLK traffic, via a union of the SiLKDirectionTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
SiLKSensorClassType specifies the sensor class, via a union of the SiLKSensorClassTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
YAF (Yet Another Flowmeter) is a bidirectional network flow meter. It processes packet data from pcap(3) dump files, as generated by tcpdump(1), or from live capture on an interface via pcap(3), into bidirectional flows, then exports those flows to IPFIX. (REF: http://www.usenix.org/event/lisa10/tech/full_papers/Inacio.pdf).
The elements in a YAF record have been separated based on flow direction. These elements are defined for the general forward flow.
Some elements in a YAF record correspond to the reverse flow. These elements are given here.
These elements of a YAF record correspond to the flow generally or to the forward portion of the flow. Elements common to all network flow objects are defined in the NetworkFlowLabelType (src ip address, ingress/egress interface).
Flow start time in milliseconds since 1970-01-01 00:00:00 UTC.
Flow end time in milliseconds since 1970-01-01 00:00:00 UTC.
Number of octets in packets in forward direction of flow. May be encoded in 4 octets using IPFIX reduced-length encoding.
Number of packets in forward direction of flow.
The reason for Flow termination. It may contain SiLK-specific tags. The range of values may include the following: 0x01: idle timeout (the Flow was terminated because it was considered to be idle). 0x02: active timeout (the Flow was terminated for reporting purposes while it was still active, for example, after the maximum lifetime of unreported Flows was reached). 0x03: end of Flow detected (the Flow was terminated because the Metering Process detected signals indicating the end of the Flow, for example, the TCP FIN flag.) 0x04: forced end (the Flow was terminated because of some external event, for example, a shutdown of the Metering Process initiated by a network management application.) 0x05: lack of resources (the Flow was terminated because of lack of resources available to the Metering Process and/or the Exporting Process.) See http://www.iana.org/assignments/ipfix/ipfix.xml for more information.
The SiLK_App_Label is the port number that is traditionally used for that type of traffic (see the /etc/services file on most UNIX systems). For example, traffic that the flow generator recognizes as FTP will have a value of 21, even if that traffic is being routed through the standard HTTP/web port (80).
Shannon Entropy calculation of the forward payload data. The calculation generates a real number value between 0.0 and 8.0. That number is then converted into an 8-bit integer value between 0 and 255. Roughly, numbers above 230 are generally compressed (or encrypted) and numbers centered around approximately 140 are English text. Lower numbers carry even less information content.
Machine-learning app label.
Contains TCP-related information of the network flow.
The MAC address.
OS name and version.
First forward packet IP payload.
Second forward packet IP payload.
Initial n bytes of forward direction of applications payload.
These elements correspond to the reverse flow captured in a YAF record.
Number of octets in packets in reverse direction of flow. May be encoded in 4 octets using IPFIX reduced-length encoding.
Number of packets in reverse direction of flow.
Shannon Entropy calculation of the reverse payload data. The calculation generates a real number value between 0.0 and 8.0. That number is then converted into an 8-bit integer value between 0 and 255. Roughly, numbers above 230 are generally compressed (or encrypted) and numbers centered around approximately 140 are English text. Lower numbers carry even less information content.
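The forward and reverse payload entropy elements above both describe the same computation: Shannon entropy of the payload bytes, a real number from 0.0 to 8.0, rescaled to an 8-bit integer. The following is an added example, not code from the CybOX schema or from the YAF project. The entropy formula is standard; the scaling (linear, so that 8.0 bits maps to 255) is an assumption chosen to match the 0-255 range described above, and the threshold of 230 for "generally compressed or encrypted" is the heuristic the text gives. The sample payloads are constructed.

```python
"""Shannon entropy of a payload and its rescaling to an 8-bit value.

Added example; not code from the CybOX schema or from YAF. The linear
0.0..8.0 -> 0..255 scaling is an assumption; the 230 threshold is the
heuristic quoted in the schema documentation.
"""
import math
from collections import Counter


def shannon_entropy_bits(payload: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for a
    uniform distribution over all 256 byte values."""
    n = len(payload)
    if n == 0:
        return 0.0
    counts = Counter(payload)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_to_uint8(bits: float) -> int:
    """Map 0.0..8.0 linearly onto 0..255 (assumed scaling, see lead-in)."""
    scaled = int(round(bits / 8.0 * 255))
    return max(0, min(255, scaled))


def payload_entropy(payload: bytes) -> int:
    """The 8-bit entropy value as it would be recorded for a flow direction."""
    return entropy_to_uint8(shannon_entropy_bits(payload))


def looks_compressed_or_encrypted(payload: bytes) -> bool:
    """Heuristic from the schema text: scaled values above 230 are generally
    compressed or encrypted data."""
    return payload_entropy(payload) > 230


# Constructed sample payloads for the three regimes the text describes.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 8
SAMPLE_UNIFORM = bytes(range(256)) * 4       # every byte value equally often
SAMPLE_CONSTANT = b"\x00" * 512              # no information content at all

if __name__ == "__main__":
    for label, data in (("text", SAMPLE_TEXT), ("uniform", SAMPLE_UNIFORM),
                        ("constant", SAMPLE_CONSTANT)):
        print(label, round(shannon_entropy_bits(data), 3), payload_entropy(data),
              looks_compressed_or_encrypted(data))
```

Entropy is computed over the byte distribution only, so repeating a payload does not change its value; a short payload (a few bytes) can never reach the upper range because there are too few symbols to spread over, which is one reason the thresholds are described as rough.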
RTT of initial handshake.
The associated elements relate to the reverse packets of the flow.
Reverse MAC address.
OS name and version of the reverse flow.
First reverse packet IP payload.
Initial n bytes of reverse direction of flow payload.
Contains TCP-related information of the network flow.
TCP sequence number.
TCP flags of the first packet.
The union of the TCP flags of the 2...nth packet.
Represents flow-record formats that capture data in one direction only (e.g., Netflow v9).
Represents flow-record formats that capture data in both directions (e.g., YAF).
Represents an Internet Protocol Flow Information eXport (IPFIX) protocol. IPFIX is based on NetFlow v9 and has several extensions, such as enterprise-defined field types and variable-length fields. See RFC 5101 for more information.
Represents the NetFlow v5 flow record format, which is commonly used to represent network flow data.
Represents the Netflow V9 flow record format. See RFC 3954 (Netflow v9) for more information.
Represents a network flow record in the System for Internet-Level Knowledge (SiLK) format, developed by CERT at Carnegie Mellon University (CMU)'s Software Engineering Institute (SEI) as part of the NetSA security suite. See http://tools.netsa.cert.org/silk/analysis-handbook.pdf for more information.
Indicates one or more Data Records, of the same type, that have been grouped together in an IPFIX message. Each Data Record is previously defined by a Template Record or an Options Template Record.
Indicates a collection of one or more Options Template Records that have been grouped together in an IPFIX message.
Indicates a collection of one or more Template Records that have been grouped together in an IPFIX message.
Specifies a Data FlowSet, which is one or more records, of the same type, that are grouped together in an Export Packet. Each record is either a Flow Data Record or an Options Data Record previously defined by a Template Record or an Options Template Record.
Specifies an Options Template FlowSet, which is one or more Options Template Records that have been grouped together in an Export Packet.
One of the essential elements in the NetFlow format is the Template FlowSet. Templates greatly enhance the flexibility of the Flow Record format because they allow the NetFlow Collector to process Flow Records without necessarily knowing the interpretation of all the data in the Flow Record. http://www.ietf.org/rfc/rfc3954.txt.
Specifies a Flow Data Record, which corresponds to a FieldType defined in the Template Record. Each one will have multiple values associated with it.
Specifies an Options Data Record, which corresponds to a previously defined Options Template Record.
<schema>Win_File_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The FileAttributesEnum type is an enumeration of Windows file attributes. These refer to the constants specified in http://msdn.microsoft.com/en-us/library/gg258117(v=vs.85).aspx.
Specifies a file is read only, as denoted by the constant value, 0x1. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories. For more information as to why, see http://go.microsoft.com/FWLink/?LinkId=125896.
Specifies a file or directory is hidden, as denoted by the constant value, 0x2. It is not included in an ordinary directory listing.
Specifies a file or directory that the operating system uses as part of, or uses exclusively, as denoted by the constant value, 0x4.
Specifies a directory, as denoted by the constant value, 0x10.
Specifies a file or directory that is an archive file or directory, as denoted by the constant value, 0x20. Applications typically use this attribute to mark files for backup or removal.
Specifies a reserved system value, as denoted by the constant value, 0x40.
Specifies a file that has no other attributes set, and is only valid when this attribute is used alone, as denoted by the constant value, 0x80.
Specifies a file being used for temporary storage, as denoted by the constant value, 0x100.
Specifies a sparse file, as denoted by the constant value, 0x200.
Specifies a file or directory that has an associated reparse point, or a file that is a symbolic link, as denoted by the constant value, 0x400.
Specifies a file or directory that is compressed, as denoted by the constant value, 0x800. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.
Specifies that the data of a file is not available immediately, as denoted by the constant value, 0x1000. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.
Specifies that a file is not to be indexed by the content indexing service, as denoted by the constant value, 0x2000.
Specifies a file or directory that is encrypted, as denoted by the constant value, 0x4000. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
Specifies a file or directory that is marked as deleted.
Specifies that the directory or user data stream is configured with integrity (only supported on ReFS volumes), as denoted by the constant value, 0x8000. It is not included in an ordinary directory listing. The integrity setting persists with the file if it is renamed. If a file is copied, the destination file has integrity set if either the source file or the destination directory has integrity set. NOTE: This flag is supported ONLY for Windows Server 8 Beta and later.
Specifies a reserved system value, as denoted by the constant value, 0x10000.
Specifies that the user data stream is not to be read by the background data integrity scanner (AKA scrubber), as denoted by the constant value, 0x20000. When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes in Windows 8 and Windows Server 8 Beta and later. It is not included in an ordinary directory listing.
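A file's attributes arrive from the Windows API as one DWORD with these bits OR-ed together, and the enumeration above has two rules a decoder should enforce: 0x80 is only valid on its own, and bits outside the enumeration should be reported rather than silently dropped. The decoder below is an added example, not code from the CybOX schema; the bit values are those listed above and the names are the FILE_ATTRIBUTE_* constants of the Windows SDK that they correspond to (the "marked as deleted" entry has no constant value in the list and is therefore omitted). The sample values are constructed.

```python
"""Decode a Windows file-attribute DWORD into FileAttributesEnum names.

Added example; not code from the CybOX schema. Bit values are the ones in
the enumeration above; names are the Windows SDK FILE_ATTRIBUTE_* suffixes.
"""

FILE_ATTRIBUTES = {
    0x1: "READONLY",
    0x2: "HIDDEN",
    0x4: "SYSTEM",
    0x10: "DIRECTORY",
    0x20: "ARCHIVE",
    0x40: "DEVICE",               # reserved system value
    0x80: "NORMAL",               # only valid when used alone
    0x100: "TEMPORARY",
    0x200: "SPARSE_FILE",
    0x400: "REPARSE_POINT",
    0x800: "COMPRESSED",
    0x1000: "OFFLINE",
    0x2000: "NOT_CONTENT_INDEXED",
    0x4000: "ENCRYPTED",
    0x8000: "INTEGRITY_STREAM",
    0x10000: "VIRTUAL",           # reserved system value
    0x20000: "NO_SCRUB_DATA",
}

KNOWN_MASK = 0
for _bit in FILE_ATTRIBUTES:
    KNOWN_MASK |= _bit

NORMAL = 0x80


def decode_file_attributes(value: int):
    """Return (names, unknown_bits): names of the set bits that are in the
    enumeration, plus any remaining bits so the caller can see them."""
    value &= 0xFFFFFFFF
    names = [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if value & bit]
    unknown_bits = value & ~KNOWN_MASK & 0xFFFFFFFF
    return names, unknown_bits


def is_consistent(value: int) -> bool:
    """Apply the enumeration's own rules: NORMAL must appear alone, and no
    bit may fall outside the enumeration."""
    _, unknown_bits = decode_file_attributes(value)
    if unknown_bits:
        return False
    if value & NORMAL and (value & 0xFFFFFFFF) != NORMAL:
        return False
    return True


def describe(value: int) -> str:
    """Human-readable rendering, e.g. for a report or log line."""
    names, unknown_bits = decode_file_attributes(value)
    text = "|".join(names) if names else "(none)"
    if unknown_bits:
        text += f"|UNKNOWN(0x{unknown_bits:x})"
    return text


if __name__ == "__main__":
    # Constructed sample values
    for sample in (0x22, 0x80, 0x81, 0x2006, 0x40000020):
        print(f"0x{sample:x}: {describe(sample)} consistent={is_consistent(sample)}")
```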
The WindowsFileObjectType type is intended to characterize Windows files.
The Filename_Accessed_Time field specifies the date/time the filename of the Windows file was last accessed.
The Filename_Created_Time field specifies the date/time the filename of the Windows file was created.
The Filename_Modified_Time field specifies the date/time the filename of the Windows file was last modified.
The Drive field specifies the drive letter of the drive that the file resides on.
The Security_ID field specifies the Security ID (SID) value assigned to the file.
The Security_Type field specifies the type of Security ID (SID) assigned to the file.
The Stream_List field specifies any alternate data streams contained within the file.
The StreamObjectType type is intended to characterize NTFS alternate data streams.
The Name field specifies the name of the alternate data stream.
The Size_In_Bytes field specifies the size of the alternate data stream, in bytes.
The StreamListType type specifies a list of NTFS alternate data streams.
The Stream field characterizes a single NTFS alternate data stream.
The WindowsFileAttributesType type specifies Windows file attributes. It imports and extends the FileAttributeType from the CybOX File Object.
The WindowsFileAttributeType specifies a single Windows file attribute.
The WindowsFilePermissionsType type specifies Windows file permissions. It imports and extends the FilePermissionsType from the CybOX File Object.
The Full_Control field specifies whether reading, writing, changing and deleting of the file is permitted.
The Modify field specifies whether reading and writing or deletion of the file is permitted.
The Read field specifies whether viewing or accessing of the file's contents is permitted.
The Read_And_Execute field specifies whether viewing and accessing of the file's contents as well as executing of the file is permitted.
The Write field specifies whether writing to the file is permitted.
WindowsFileAttributeType specifies Windows file attributes via a union of the FileAttributesEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Disk_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The DiskTypeEnum type contains a non-exhaustive enumeration of disk types.
Indicates the removable disk type.
Indicates the fixed disk type.
Indicates the remote disk type.
Indicates the CDRom disk type.
Indicates the RAMDisk disk type.
The DiskObjectType type is intended to characterize disk drives.
The Disk_Name field specifies the name of the disk.
The Disk_Size field specifies the size of the disk, in bytes.
The Free_Space field specifies the amount of free space on the disk, in bytes.
The Partition_List field specifies the partitions that reside on the disk.
The Type field specifies the type of disk being characterized, e.g. removable.
The PartitionListType type specifies a list of partitions.
The Partition field specifies a single partition that resides on the disk.
DiskType specifies disk types, via a union of the DiskTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Registry_Key_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The RegistryDataTypesEnum type is an enumeration of Windows registry datatypes (REG_*). See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx See also: http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=361.
No defined value type.
A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.
A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions.
Binary data in any form.
A 32-bit number.
A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.
A null-terminated Unicode string that contains the target path of a symbolic link.
A sequence of null-terminated strings, terminated by an empty string (\0).
A series of nested arrays designed to store a resource list used by a hardware device driver or one of the physical devices it controls. This data is detected and written into the ResourceMap tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
A series of nested arrays designed to store a resource list used by a physical hardware device. This data is detected and written into the HardwareDescription tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
Device driver list of hardware resource requirements in Resource Map tree. See http://www.mdgx.com/reg.htm.
A 64-bit number.
Specifies an invalid key.
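When registry values are read from raw hive data (the Byte_Runs the object type carries, or a forensic hive parser) the bytes have to be interpreted according to the REG_* datatype above. The decoder below is an added example, not code from the CybOX schema; the numeric type codes are the Windows SDK values for the REG_* constants, and strings are assumed to be stored as UTF-16LE (the Unicode form, which is how they appear in hive data). Because REG_SZ data is null-terminated, bytes appended after the terminator are invisible to any tool that stops at the NUL, so the decoder also reports whether such trailing data is present. The sample buffers are constructed.

```python
"""Decode raw Windows registry value data according to its REG_* datatype.

Added example; not code from the CybOX schema. Type codes are the Windows SDK
REG_* values; strings are assumed to be UTF-16LE.
"""
import struct

REG_NONE = 0
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4
REG_DWORD_BIG_ENDIAN = 5
REG_LINK = 6
REG_MULTI_SZ = 7
REG_RESOURCE_LIST = 8
REG_FULL_RESOURCE_DESCRIPTOR = 9
REG_RESOURCE_REQUIREMENTS_LIST = 10
REG_QWORD = 11

_STRING_TYPES = {REG_SZ, REG_EXPAND_SZ, REG_LINK}
_OPAQUE_TYPES = {REG_NONE, REG_BINARY, REG_RESOURCE_LIST,
                 REG_FULL_RESOURCE_DESCRIPTOR, REG_RESOURCE_REQUIREMENTS_LIST}


def _utf16(raw: bytes) -> str:
    if len(raw) % 2:
        raise ValueError("odd-length buffer cannot be UTF-16")
    return raw.decode("utf-16-le", errors="replace")


def decode_sz(raw: bytes) -> str:
    """Null-terminated string: everything up to the first NUL (a missing
    terminator is tolerated, since hives sometimes omit it)."""
    text = _utf16(raw)
    nul = text.find("\0")
    return text if nul < 0 else text[:nul]


def has_trailing_data(raw: bytes) -> bool:
    """True when non-NUL characters follow the first terminator, i.e. the
    buffer carries data that decode_sz (and the Win32 API) would not show."""
    text = _utf16(raw)
    nul = text.find("\0")
    return nul >= 0 and any(ch != "\0" for ch in text[nul + 1:])


def decode_multi_sz(raw: bytes) -> list:
    """Sequence of null-terminated strings ended by an empty string."""
    out = []
    for part in _utf16(raw).split("\0"):
        if part == "":          # the empty string terminates the sequence
            break
        out.append(part)
    return out


def _fixed(fmt: str, raw: bytes) -> int:
    size = struct.calcsize(fmt)
    if len(raw) != size:
        raise ValueError(f"expected {size} bytes, got {len(raw)}")
    return struct.unpack(fmt, raw)[0]


def decode_registry_value(datatype: int, raw: bytes):
    """Dispatch on the REG_* code; integers are checked for exact width."""
    if datatype in _STRING_TYPES:
        return decode_sz(raw)
    if datatype == REG_MULTI_SZ:
        return decode_multi_sz(raw)
    if datatype == REG_DWORD:
        return _fixed("<I", raw)
    if datatype == REG_DWORD_BIG_ENDIAN:
        return _fixed(">I", raw)
    if datatype == REG_QWORD:
        return _fixed("<Q", raw)
    if datatype in _OPAQUE_TYPES:
        return bytes(raw)          # binary and resource-list data are returned as-is
    raise ValueError(f"unknown registry datatype {datatype}")


if __name__ == "__main__":
    # Constructed sample buffers
    print(decode_registry_value(REG_EXPAND_SZ, "%PATH%\0".encode("utf-16-le")))
    print(decode_registry_value(REG_MULTI_SZ, "alpha\0beta\0\0".encode("utf-16-le")))
    print(decode_registry_value(REG_DWORD, b"\x01\x00\x00\x00"))
    print(has_trailing_data("a\0extra\0".encode("utf-16-le")))
```

REG_EXPAND_SZ is returned unexpanded on purpose: expanding "%PATH%" with the analysis host's environment would give a value that differs from what the original system would have produced.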
The RegistryHiveEnum type is an enumeration of Windows registry hives (HKEY_*). See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724836(v=vs.85).aspx.
Registry entries subordinate to this key define types (or classes) of documents and the properties associated with those types. Shell and COM applications use the information stored under this key.
Contains information about the current hardware profile of the local computer system. The information under HKEY_CURRENT_CONFIG describes only the differences between the current hardware configuration and the standard configuration.
Registry entries subordinate to this key define the preferences of the current user. These preferences include the settings of environment variables, data about program groups, colors, printers, network connections, and application preferences. This key makes it easier to establish the current user's settings; the key maps to the current user's branch in HKEY_USERS.
Registry entries subordinate to this key define the physical state of the computer, including data about the bus type, system memory, and installed hardware and software.
Registry entries subordinate to this key define the default user configuration for new users on the local computer and the user configuration for the current user.
Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile.
Registry entries subordinate to this key allow you to access performance data. The data is not actually stored in the registry; the registry functions cause the system to collect the data from its source.
Registry entries subordinate to this key reference the text strings that describe counters in the local language of the area in which the computer system is running. These entries are not available to Regedit.exe and Regedt32.exe.
Registry entries subordinate to this key reference the text strings that describe counters in US English. These entries are not available to Regedit.exe and Regedt32.exe.
The WindowsRegistryObjectType type is intended to characterize Windows registry objects, including Keys and Key/Value pairs.
The Key field specifies the full key to the Windows registry object, not including the hive.
The Hive field specifies the Windows registry hive to which the registry object belongs.
The Number_Values field specifies the number of values found in the registry key.
The Values field specifies the values (with their name/data pairs) held within the registry key.
The Modified_Time field specifies the last date/time that the registry object was modified.
The Creator_Username field specifies the name of the user who created the registry object.
The Handle_List field specifies a list of open Handles for this registry object.
The Number_Subkeys field specifies the number of subkeys contained under the registry key.
The Subkeys field specifies the set of subkeys contained under the registry key.
The Byte_Runs field contains a list of byte runs from the raw registry.
The RegistryValueType type is intended to characterize Windows registry Value name/data pairs.
The Name field specifies the name of the registry value. For specifying the default value in a registry key, an empty string should be used.
The Data field specifies the data contained in the registry value.
The Datatype field specifies the registry (REG_*) datatype used in the registry value.
The Byte_Runs field contains a list of byte runs from the raw registry key entry.
The RegistryValuesType type specifies the values (with their name/data pairs) held within the registry key.
The Value field specifies the value (with name/data pair) held within the registry key.
The RegistrySubkeysType specifies the set of subkeys contained under the registry key.
The Subkey field specifies a single subkey contained under the registry key.
RegistryHiveType specifies Windows registry hive types via a union of the RegistryHiveEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Registry_Datatype specifies Windows registry datatypes via a union of the RegistryDataTypesEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Critical_Section_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsCriticalSectionObjectType type is intended to characterize Windows Critical Section objects.
The Address field specifies the address of the code that created the critical section object.
The Spin_Count field specifies the spin count value for the critical section object.
<schema>ARP_Cache_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The ARPCacheEntryTypeEnum is an enumeration of ARP cache entry types.
The static value specifies an IP address/physical address pair that was manually added to the cache table for a device and is kept in the cache on a permanent basis.
The dynamic value specifies an IP address/physical address pair added to the cache automatically as a result of successfully-completed past ARP resolutions.
The ARPCacheObjectType type is intended to characterize entries in a system's address resolution protocol (ARP) cache.
The ARP_Cache_Entry field is intended to characterize a single address resolution protocol (ARP) cache entry.
The ARPCacheEntryType type is intended to characterize a single entry in a system's ARP cache.
The IP_Address field specifies the IP address that is mapped to the physical address in the ARP cache entry.
The Physical_Address field specifies the physical (e.g. MAC-48) address that is mapped to the IP address in the ARP cache entry. Either a colon (':') or a dash ('-') may be used as a separator between the octets.
The Type field specifies the type of ARP cache entry, which typically refers to the way the entry was added to the cache.
The Network_Interface field permits the specification of the network interface to which the ARP cache entry belongs.
The ARPCacheEntryTypeType specifies ARP cache entry types via a union of the ARPCacheEntryTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
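As an added example (not part of the CybOX schema or MITRE's code), the following builds records carrying the four fields the ARPCacheEntryType describes (IP_Address, Physical_Address, Type, Network_Interface) from constructed lines in the Windows `arp -a` layout, normalises the ':' or '-' separated MAC-48 form the schema permits, and then runs the two consistency checks a defender applies to a cache snapshot: one unicast MAC bound to several IPs, and an IP whose MAC changed between two snapshots. The sample tables, addresses and helper names are all constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample output in the Windows `arp -a` layout; not real hosts.
SAMPLE_ARP_TABLE = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-55     dynamic
  192.0.2.20            00-11-22-33-44-55     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# A second constructed snapshot of the same interface taken later.
SAMPLE_ARP_TABLE_LATER = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             aa:bb:cc:dd:ee:01     dynamic
  192.0.2.20            00-11-22-33-44-66     dynamic
"""

# Six hex octets; the back-reference forces one consistent separator (':' or '-').
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

# The two values of ARPCacheEntryTypeEnum.
ENTRY_TYPES = {"static", "dynamic"}


def is_valid_mac(mac):
    """True for a MAC-48 written with ':' or '-' between octets, as the schema allows."""
    return MAC_RE.match(mac) is not None


def normalize_mac(mac):
    """Return the canonical lower-case, colon-separated form of a MAC-48 address."""
    if not is_valid_mac(mac):
        raise ValueError("not a MAC-48 address: %r" % mac)
    return mac.replace("-", ":").lower()


def is_group_address(mac):
    """True when the I/G bit of the first octet is set (broadcast or multicast)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_arp_table(text):
    """Turn `arp -a` style text into dicts keyed by the ARPCacheEntryType field names."""
    entries = []
    interface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            interface = line.split()[1]  # the interface's own IP address
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2].lower() not in ENTRY_TYPES:
            continue  # blank line, column header, or an unrecognised row
        ip, mac, kind = parts
        entries.append({
            "IP_Address": str(ipaddress.ip_address(ip)),  # rejects malformed IPs
            "Physical_Address": normalize_mac(mac),
            "Type": kind.lower(),
            "Network_Interface": interface,
        })
    return entries


def find_shared_macs(entries):
    """Map each unicast MAC bound to more than one IP to the list of those IPs.

    Several IPs per MAC is legitimate for a router or a NAT box, so treat this
    as a triage hint rather than a verdict.
    """
    by_mac = defaultdict(list)
    for entry in entries:
        if is_group_address(entry["Physical_Address"]):
            continue  # broadcast/multicast entries always share a MAC
        by_mac[entry["Physical_Address"]].append(entry["IP_Address"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def find_mac_changes(before, after):
    """Map each IP whose Physical_Address differs between snapshots to (old, new).

    A changed binding for the default gateway is the classic indicator that the
    cache has been poisoned and is worth correlating with switch or IDS logs.
    """
    old = {e["IP_Address"]: e["Physical_Address"] for e in before}
    changes = {}
    for entry in after:
        ip = entry["IP_Address"]
        if ip in old and old[ip] != entry["Physical_Address"]:
            changes[ip] = (old[ip], entry["Physical_Address"])
    return changes


if __name__ == "__main__":
    first = parse_arp_table(SAMPLE_ARP_TABLE)
    later = parse_arp_table(SAMPLE_ARP_TABLE_LATER)
    print("shared MACs:", find_shared_macs(first))
    print("changed bindings:", find_mac_changes(first, later))
```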
<schema>Network_Subnet_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The NetworkSubnetObjectType type is intended to characterize a generic system network subnet.
The Name field is intended to specify a name for the network subnet.
The Description field is intended to provide a description of the network subnet.
The NumberOfIPAddresses field is intended to specify the number of valid IP addresses within the scope of the network subnet.
The Routes construct is intended to characterize a set of network routes.
The RoutesType is intended to characterize a set of network routes.
The Route field is intended to characterize a single network route.
<schema>GUI_Dialogbox_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The GUIDialogboxObjectType type is intended to characterize GUI dialog boxes.
The Box_Caption field specifies the caption associated with the dialog box.
The Box_Text field specifies the text contained inside the dialog box.
<schema>DNS_Query_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The DNSRecordTypeEnum is a non-exhaustive enumeration of DNS Record Type names.
The DNSQueryType is intended to characterize a single DNS query and its components.
The successful field specifies whether or not the DNS Query was successful.
The Transaction_ID field specifies the Transaction ID value of the DNS query message header.
The Question field specifies the DNS question component of the DNS query.
The Answers field specifies any Answers resource records that were returned for the DNS query.
The Authority_Resource_Records field specifies any Authority resource records that were returned for the DNS query.
The Authority_Resource_Records field specifies any Additional resource records that were returned for the DNS query.
The Date_Ran field specifies the date and time that the DNS query was run.
The Service_Used field specifies the service used to run the DNS Query.
The DNSQuestionType specifies the components of a DNS Question, including the domain name queried, type, and class.
The QName field specifies the domain name being queried.
The QType field specifies the type of DNS query performed, in terms of the requested DNS record type.
The QClass field specifies the class of resource records being requested.
The DNSAnswersType encompasses one or more resource records returned for a DNS query.
The Answer field specifies a single DNS resource record returned as part of a DNS query.
DNSRecordType specifies DNS record types, via a union of the DNSRecordTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Semaphore_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The SemaphoreObjectType type is intended to characterize generic semaphore objects.
The named field specifies whether the Semaphore is named.
The Current_Count field specifies the current count value for the semaphore.
The Maximum_Count field specifies the maximum count value for the semaphore.
The Name field specifies the name of the semaphore, if applicable.
<schema>Win_Task_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
An enumeration of action types. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380596(v=vs.85).aspx.
This action performs a command-line operation. For example, the action could run a script, launch an executable, or, if the name of a document is provided, find its associated application and launch the application with the document.
This action fires a handler.
This action sends an e-mail.
This action shows a message box.
The TaskPriorityEnum enumeration specifies the priority levels of task scheduler tasks. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383512(v=vs.85).aspx.
A priority class of high (1).
A priority class of normal (4-6).
A priority class of idle (9-10).
A priority class of realtime (0).
A priority class of above normal (2-3).
A priority class of below normal (7-8).
The TriggerFrequencyEnum enumeration defines the frequency types that a trigger may use. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383620(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/windows/desktop/aa383987(v=vs.85).aspx.
Trigger is set to run the task a single time.
Trigger is set to run the task if the system remains idle for the amount of time specified by the idle wait time of the task.
Trigger is set to run the task at system startup.
Trigger is set to run the task when a user logs on.
Trigger is set to run the task on a daily interval.
Trigger is set to run the work item on specific days of a specific week of a specific month.
Trigger is set to run the task on a specific day(s) of the month.
Trigger is set to run the task on specific days, weeks, and months.
The TriggerTypeEnum enumeration defines the types of triggers associated with a task.
Triggers the task when a specific system event occurs.
Triggers the task at a specific date and time.
Triggers the task when the computer enters an idle state.
Triggers the task when the task is registered or updated.
Triggers the task when the system is booted.
Triggers the task when a user logs on.
Triggers the task when a Terminal Server session changes state.
The TaskStatusEnum enumeration specifies the possible statuses of a scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383604(v=vs.85).aspx, http://msdn.microsoft.com/en-us/library/windows/desktop/aa381263(v=vs.85).aspx, http://msdn.microsoft.com/en-us/library/windows/desktop/aa381833(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/windows/desktop/aa383617(v=vs.85).aspx.
The task is ready to run at its next scheduled time.
The task is currently running.
One or more of the properties that are needed to run this task on a schedule have not been set.
The Task Scheduler service is not running.
The task has been configured with an unsupported combination of account settings and run time options.
The task object version is either unsupported or invalid.
Task Scheduler security services are available only on Windows NT.
Corruption was detected in the Task Scheduler security database; the database has been reset.
Unable to establish existence of the account specified.
No account information could be found in the Task Scheduler security database for the task indicated.
The object is either an invalid task object or is not a task object.
The task object could not be opened.
The Task Scheduler service is not installed on this computer.
There is no running instance of the task.
One or more of the properties required to run this task have not been set.
A task's trigger is not found.
Event triggers do not have set run times.
Either the task has no triggers or the existing triggers are disabled or not set.
The last run of the task was terminated by the user.
There are no more runs scheduled for this task.
The task has not been run. This value is returned whenever the task has not been run, even if the task is ready to be run at the next scheduled time or the task is a recurring task.
The task will not run at the scheduled times because it has been disabled.
The state of the task is unknown.
Instances of the task are queued.
The TaskFlagEnum enumeration specifies the run flags for a task scheduler task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381283(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/microsoft.office.excel.server.addins.computecluster.taskscheduler.taskflags(v=office.12).aspx.
This flag is used when converting Windows NT AT service jobs into work items. The Windows NT AT service job refers to At.exe, the Windows NT command-line utility used for creating jobs for the Windows NT Schedule service. The Task Scheduler service replaces the Schedule service and is backwards compatible with it. The conversion occurs when the Task Scheduler is installed on Windows NT/Windows 2000, for example when you install Internet Explorer 4.0 or upgrade to Windows 2000. During the setup process, the Task Scheduler installation code searches the registry for jobs created for the AT service and creates work items that will accomplish the same operation. For such converted jobs, the interactive flag is set if the work item is intended to be displayed to the user. When this flag is not set, no work items are displayed in the Tasks folder, and no user interface associated with the work item is presented to the user when the work item is executed.
The work item will be deleted when there are no more scheduled run times.
The work item is disabled. This is useful to temporarily prevent a work item from running at the scheduled time(s).
The work item created will be hidden.
The work item runs only if the user specified in IScheduledWorkItem::SetAccountInformation is logged on interactively. This flag has no effect on work items that are set to run in the local account.
The work item begins only if the computer is not in use at the scheduled start time.
The work item causes the system to be resumed, or awakened, if the system is running on battery power. This flag is supported only on systems that support resume timers.
The work item terminates if the computer makes an idle to non-idle transition while the work item is running. The computer is not considered idle until the IdleWait trigger's time elapses with no user input. For information regarding idle triggers, see Idle Trigger.
The work item starts again if the computer makes a non-idle to idle transition before all the work item's task_triggers elapse. (Use this flag in conjunction with TASK_FLAG_KILL_ON_IDLE_END.)
The work item does not start if its target computer is running on battery power.
The work item ends, and the associated application quits, if the work item's target computer switches to battery power.
The work item runs only if there is currently a valid Internet connection.
The WindowsTaskObjectType type is intended to characterize Windows task scheduler tasks. See Also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx.
The Status field specifies the current status of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381263(v=vs.85).aspx.
The Priority field specifies the priority of the scheduled task. This can either be a free-form string or one of the values in the TaskPriorityEnum enumeration. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381876(v=vs.85).aspx.
The Name field specifies the image name for the task.
The Application_Name field specifies the application name associated with the task.
The Parameters field specifies the command line parameters used to launch the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381875(v=vs.85).aspx.
The Flags field specifies any flags that modify the behavior of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381248(v=vs.85).aspx.
The Account_Name field specifies the name of the account used to run the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381228(v=vs.85).aspx.
The Account_Run_Level field specifies the permission level at which the task's account will run.
The Account_Logon_Type field specifies the security logon method required to run the tasks associated with the account. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383013(v=vs.85).aspx.
The Creator field specifies the name of the creator of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381235(v=vs.85).aspx.
The Creation_Date field specifies the date and time that the task was registered. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa382623(v=vs.85).aspx.
The Most_Recent_Run_Time field specifies the most recent run date/time of this scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381254(v=vs.85).aspx.
The Exit_Code field specifies the last exit code of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381245(v=vs.85).aspx.
The Max_Run_Time field specifies the maximum run time of the scheduled task before terminating, in milliseconds. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381874(v=vs.85).aspx.
The Next_Run_Time field specifies the next run date/time of the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381257(v=vs.85).aspx.
The Action_List field specifies a list of actions to be performed by the scheduled task.
The Trigger_List field specifies a set of triggers used by the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383264(v=vs.85).aspx.
The Comment field specifies a comment for the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381232(v=vs.85).aspx.
The Working_Directory field specifies the working directory for the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381878(v=vs.85).aspx.
The Work_Item_Data field specifies application defined data associated with the scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381271(v=vs.85).aspx.
The TriggerListType type specifies a set of triggers associated with the scheduled task.
A trigger associated with this scheduled task. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381264(v=vs.85).aspx.
The TaskActionListType type specifies a list of task actions.
The work items performed by a task are called actions. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383549(v=vs.85).aspx.
The IComHandlerActionType type characterizes IComHandler actions.
The COM_Data field specifies the data associated with the COM handler. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380613(v=vs.85).aspx.
The COM_Class_ID field specifies the ID of the COM action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380613(v=vs.85).aspx.
The IExecActionType type characterizes IExec actions.
The Exec_Arguments field specifies the arguments associated with the command-line operation launched by the action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380715(v=vs.85).aspx.
The Exec_Program_Path field specifies the path to the executable file launched by the action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380715(v=vs.85).aspx.
The Exec_Working_Directory field specifies the directory that contains either the executable file or the files that are used by the executable file launched by the action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380715(v=vs.85).aspx.
The Exec_Program_Element specifies the hashes of the executable file launched by the action.
The IShowMessageActionType type characterizes IShowMessage actions.
The Show_Message_Body field specifies the message text that is displayed in the body of the message box by the action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381302(v=vs.85).aspx.
The Show_Message_Title field specifies the title of the message box shown by the action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381302(v=vs.85).aspx.
The TaskFlagType type specifies Windows Task flag types via a union of the TaskFlagEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The TaskPriorityType type specifies Windows Task priority types via a union of the TaskPriorityEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The TaskStatusType type specifies Windows Task states via a union of the TaskStatusEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The TaskTriggerFrequencyType type specifies Windows Task trigger frequency types via a union of the TriggerFrequencyEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The TaskActionType type characterizes scheduled task actions.
The Action_Type field specifies the type of the action. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380596(v=vs.85).aspx.
The Action_ID field specifies the user-defined identifier for the action. This identifier is used by the Task Scheduler for logging purposes. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380590(v=vs.85).aspx.
The IEmail_Action field specifies an action that sends an e-mail, which in this context refers to the actual e-mail message sent. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380693(v=vs.85).aspx.
The IComHandlerAction field specifies an action that fires a handler.
The IExecAction field specifies an action that executes a command-line operation. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380715(v=vs.85).aspx.
The IShowMessageAction field specifies an action that shows a message box when a task is activated. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381302(v=vs.85).aspx.
The TriggerType type characterizes task triggers. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383868(v=vs.85).aspx.
The enabled field specifies whether the trigger is enabled.
The Trigger_Begin_Element specifies the date/time that the trigger is activated.
The Trigger_Delay field specifies the delay that takes place between when the task is registered and when the task is started.
The Trigger_End field specifies the date/time that the trigger is deactivated.
The Trigger_Frequency field specifies the frequency at which the trigger repeats.
The maximum amount of time that the task launched by the trigger is allowed to run. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383868(v=vs.85).aspx.
The Trigger_Session_Change_Type field specifies the type of Terminal Server session change that would trigger a task launch. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381298(v=vs.85).aspx.
The Trigger_Type field specifies the type of the task trigger.
The TaskActionTypeType characterizes the specific types of task actions.
This attribute is optional and specifies the expected type for the value of the specified property.
The TaskTriggerType type specifies Windows Task trigger types via a union of the TriggerTypeEnum enumeration and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>X509_Certificate_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The X509CertificateObjectType type is intended to characterize X.509 certificates.
Certificate represents the contents of an X.509 certificate, including items such as issuer, subject, and others.
The Raw_Certificate field captures the raw content of an X.509 certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Certificate Signature contains the signature and signature algorithm of this X.509 certificate.
The X509CertificateContentsType type represents the contents of an X.509 certificate, including items such as issuer, subject, and others.
Version describes the version of the encoded certificate.
The serial number is a unique identifier for each X.509 certificate issued by a specific Certificate Authority.
The signature algorithm is the algorithm used to sign the X.509 certificate.
The issuer is the Certificate Authority who issued the X.509 certificate.
Validity is the time interval during which the issuer warrants that it will maintain information about the status of the certificate.
The subject identifies the entity associated with the public key stored in the subject public key field of the X.509 certificate.
The Subject Public Key is used to carry the public key and identify the algorithm with which the key is used.
The Standard_Extensions field captures standard X509 V3 extensions that may be specified in the certificate.
The Non_Standard_Extensions field captures non-standard X509 extensions that may be specified in the certificate.
The X509CertificateSignatureType contains the signature and signature algorithm of this X.509 certificate.
Signature Algorithm contains the algorithm identifier for the algorithm used by the Certificate Authority to compute the signature.
Signature contains a digital signature computed upon this X.509 certificate.
The SubjectPublicKeyType is used to carry the public key and identify the algorithm with which the key is used.
Public Key Algorithm is the algorithm with which to encrypt data being sent to the subject.
RSA Public Key is the public key contained in this X.509 certificate.
The ValidityType type is the time interval during which the issuer warrants that it will maintain information about the status of the certificate.
Not before is the date on which the certificate validity period begins.
Not after is the date on which the certificate validity period ends.
The RSAPublicKeyType captures details of RSA public keys.
Modulus is the modulus portion of a public key.
Exponent is the exponent portion of a public key.
The X509V3ExtensionsType captures the standard X509 V3 Extensions that may be used in X509 certificates. Based on RFC 3280, "Standard Extensions": http://www.ietf.org/rfc/rfc3280.txt.
The Basic_Constraints field captures a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a non-negative value can be included. Also equivalent to the object ID (OID) value of 2.5.29.19.
The Name_Constraints field captures a name space within which all subject names in subsequent certificates in a certification path MUST be located. Also equivalent to the object ID (OID) value of 2.5.29.30.
The Policy_Constraints field captures any constraints on path validation for certificates issued to CAs. Also equivalent to the object ID (OID) value of 2.5.29.36.
The Key_Usage element field captures a multi-valued extension consisting of a list of names of the permitted key usages. Also equivalent to the object ID (OID) value of 2.5.29.15.
The Extended_Key_Usage field captures a list of usages indicating the purposes for which the certificate public key can be used. Also equivalent to the object ID (OID) value of 2.5.29.37.
The Subject_Key_Identifier field captures the identifier that provides a means of identifying certificates that contain a particular public key. Also equivalent to the object ID (OID) value of 2.5.29.14.
The Authority_Key_Identifier field captures the identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate. Also equivalent to the object ID (OID) value of 2.5.29.35.
The Subject_Alternative_Name field captures the additional identities to be bound to the subject of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.17.
The Issuer_Alternative_Name field captures the additional identities to be bound to the issuer of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.18.
The Subject_Directory_Attributes field captures the identification attributes (e.g., nationality) of the subject. Also equivalent to the object ID (OID) value of 2.5.29.9.
The CRL_Distribution_Points field captures how CRL information is obtained. Also equivalent to the object ID (OID) value of 2.5.29.31.
The Inhibit_Any_Policy field captures the number of additional certificates that may appear in the path before anyPolicy is no longer permitted. Also equivalent to the object ID (OID) value of 2.5.29.54.
The Private_Key_Usage_Period field captures the validity period for the private key, if it is different from the validity period of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.16.
The Certificate_Policies field captures a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. Also equivalent to the object ID (OID) value of 2.5.29.32.
The Policy_Mappings field captures one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33.
The NonStandardX509ExtensionsType captures some non-standard or deprecated X509 extensions that may be useful. Based on the OpenSSL "Deprecated Extensions" documentation: https://www.openssl.org/docs/apps/x509v3_config.html#Deprecated_Extensions. Also based on the Alvestrand certificateExtension reference: http://www.alvestrand.no/objectid/2.5.29.html.
The Netscape_Comment field captures a comment which may be displayed when the certificate is viewed in some browsers.
The Netscape_Certificate_Type field captures a list of flags which indicate the purposes for which a certificate could be used.
The Old_Authority_Key_Identifier field captures the old version of the authority key identifier, equivalent to the object ID (OID) value of 2.5.29.1.
The Old_Primary_Key_Attributes field captures the old version of the primary key attributes, equivalent to the object ID (OID) value of 2.5.29.2.
<schema>PDF_File_Object</schema>
<version>1.1</version>
<date>01/22/2014</date>
The PDFObjectTypeEnum is an enumeration of basic PDF document object types.
The PDFXrefEntryTypeEnum is an enumeration of PDF cross-reference table entry types.
The PDFFileObjectType type is intended to characterize the structural makeup of PDF files.
The Metadata field captures some useful metadata associated with the PDF file.
The Version field specifies the decimal version number portion of the string from the PDF Header that specifies the version of the PDF specification to which the PDF file conforms, e.g. '1.4'.
The Indirect_Objects field captures the indirect objects included in the PDF file, representing the contents of a document.
The Cross_Reference_Tables field captures the cross-reference tables included in the PDF file, used for facilitating random access of indirect PDF objects.
The Trailers field captures the trailers included in the PDF file, used for capturing offsets to the cross-reference table and important objects.
The PDFXrefTableListType captures a list of PDF cross-reference tables.
The Cross_Reference_Table field captures the cross-reference table contained in the PDF file, for the random access of indirect objects contained in the file.
The PDFXRefTableType captures the details of a PDF cross-reference table, which provides a capability for the random access of indirect objects contained in the file.
The Subsections field captures the subsections contained in the cross-reference table.
The Offset field specifies the offset of the cross-reference from the beginning of the file, in bytes.
The Hashes field captures any hashes that were computed for the cross-reference table.
The PDFXrefTableSubsectionListType captures a list of cross-reference table subsections.
The Subsection field captures a single cross-reference table subsection in the list.
The PDFXrefTableSubsectionType captures details of subsections contained within a PDF cross-reference table.
The First_Object_Number field captures the object number of the first object for which there is a corresponding entry in this cross-reference subsection.
The Number_Of_Objects field captures the number of objects for which there are corresponding entries in this cross-reference subsection.
The Cross_Reference_Entries field specifies the cross-reference entries contained in this cross-reference subsection.
The PDFTrailerListType captures a list of PDF trailers.
The Trailer field captures a PDF file trailer contained in the file, used by applications for quickly locating the cross-reference table and certain special objects.
The PDFTrailerType captures the details of a PDF trailer.
The Size field captures the total number of entries in the file's cross-reference table.
The Prev field captures the byte offset from the beginning of the file to the beginning of the previous cross-reference table. This is only applicable for files that have more than one cross-reference table.
The Root field captures an indirect object reference that points to the catalog dictionary for the PDF document contained in the file.
The Encrypt field captures the PDF document's encryption dictionary, either through an indirect reference or embedded set of key/value pairs.
The Info field captures an indirect object reference that points to the document information dictionary.
The ID field captures an array of two strings that constitutes a file identifier.
The Last_Cross_Reference_Offset field captures the byte offset, relative to the beginning of the file, of the last cross-reference table contained in the file.
The Offset field specifies the offset of the trailer from the beginning of the file, in bytes.
The Hashes field captures any hashes that were computed for the trailer.
The PDFTrailerIDType captures the details of a PDF ID value stored in a trailer.
The ID_String field captures one of the two strings that constitutes the file identifier.
The PDFIndirectObjectListType captures a list of PDF indirect objects.
The Indirect_Object field captures a single PDF indirect object contained in the file.
The PDFObjectType captures the details of a PDF document indirect object, used in constructing and storing data associated with the PDF document.
The type field specifies the basic type of the PDF indirect object.
The ID field specifies the identifier of the PDF indirect object, consisting of an object number and generation number.
The Contents field captures the contents of the PDF indirect object, including non-stream and stream data.
The Offset field specifies the offset of the PDF indirect object from the beginning of the file, in bytes.
The Hashes field captures any hashes that were computed for the PDF indirect object.
The PDFIndirectObjectIDType captures the details of PDF indirect object IDs.
The Object_Number field captures the number portion of the indirect object ID.
The Generation_Number field captures the generation number portion of the indirect object ID.
The PDFIndirectObjectContentsType captures the contents of a PDF indirect object, including both stream and non-stream portions.
The Non_Stream_Contents field captures the raw contents of the PDF indirect object excluding any stream data (i.e. everything after the 'obj' keyword and before the 'endobj' keyword up to but not including anything between the 'stream' and 'endstream' keywords) as a string enclosed in an XML CDATA section.
The Stream_Contents field captures the stream contained within the PDF indirect object, if applicable.
The PDFStreamType element captures details of PDF document stream objects, which represent arbitrary sequences of bytes.
The Raw_Stream element captures the raw, undecoded stream (i.e., everything between the 'stream' and 'endstream' keywords), as a hex string.
The Raw_Stream_Hashes field captures any hashes of the raw, undecoded stream.
The Decoded_Stream field captures the decoded stream (i.e., after undoing the specified filters in the correct order) as a hex string.
The Decoded_Stream_Hashes field captures any hashes of the decoded stream.
The PDFDocumentInformationDictionaryType captures details of the PDF Document Information Dictionary, used for storing metadata associated with the PDF document.
The Title field captures the title of the PDF document.
The Author field captures the name of the person who created the PDF document.
The Subject field captures the subject of the PDF document.
The Keywords field captures the keywords associated with the PDF document.
The Creator field captures the name of the application that created the original document, for cases where the original document was then converted to PDF.
The Producer field captures the name of the application that converted the document to PDF, for cases where the original document was then converted to PDF.
The CreationDate field captures the date and time that the document was created.
The ModDate field captures the date and time that the document was most recently modified.
The Trapped field captures a name object indicating whether the document has been modified to include trapping information.
The PDFXrefEntryListType captures a list of cross-reference table subsection entries.
The Cross_Reference_Entry field captures a single cross-reference subsection entry in the list.
The PDFXrefEntryType captures details of a cross-reference table subsection entry.
The type field specifies the type of the cross-reference entry.
The Generation_Number field specifies the 5-digit generation number to be used when an object with the same object number is created.
The PDFDictionaryType captures a PDF dictionary either as a set of key/value pairs or as a reference to the indirect object that contains it.
The PDFFileMetadaType captures some metadata regarding the PDF file object.
The encrypted field specifies whether the PDF file is encrypted.
The optimized field specifies whether the PDF file has been optimized.
The Document_Information_Dictionary field captures the details of the PDF Document Information Dictionary, which includes properties like the document creation date and producer, if present in the PDF document.
The Number_Of_Indirect_Objects field captures the number of indirect PDF objects contained in the file.
The Number_Of_Trailers field captures the number of trailers contained in the file.
The Number_Of_Cross_Reference_Tables field captures the number of cross-reference tables contained in the file.
The Keyword_Counts field captures the counts of various PDF keyword names in the file.
The PDFKeywordCountsType captures the occurrences of various keywords in a PDF file.
The Page_Count field captures the number of occurrences of the '/Page' keyword in the PDF file, which provides an indication of the number of pages in the PDF document.
The Encrypt_Count field captures the number of occurrences of the '/Encrypt' keyword in the PDF file, which indicates that the PDF uses encryption.
The ObjStm_Count field captures the number of occurrences of the '/ObjStm' keyword in the PDF file.
The JS_Count field captures the number of occurrences of the '/JS' keyword in the PDF file.
The JavaScript_Count field captures the number of occurrences of the '/JavaScript' keyword in the PDF file.
The AA_Count field captures the number of occurrences of the '/AA' keyword in the PDF file.
The OpenAction_Count field captures the number of occurrences of the '/OpenAction' keyword in the PDF file.
The ASCIIHexDecode_Count field captures the number of occurrences of the '/ASCIIHexDecode' keyword in the PDF file.
The ASCII85Decode_Count field captures the number of occurrences of the '/ASCII85Decode' keyword in the PDF file.
The LZWDecode_Count field captures the number of occurrences of the '/LZWDecode' keyword in the PDF file.
The FlateDecode_Count field captures the number of occurrences of the '/FlateDecode' keyword in the PDF file.
The RunLengthDecode_Count field captures the number of occurrences of the '/RunLengthDecode' keyword in the PDF file.
The JBIG2Decode_Count field captures the number of occurrences of the '/JBIG2Decode' keyword in the PDF file.
The DCTDecode_Count field captures the number of occurrences of the '/DCTDecode' keyword in the PDF file.
The RichMedia_Count field captures the number of occurrences of the '/RichMedia' keyword in the PDF file.
The CCITTFaxDecode_Count field captures the number of occurrences of the '/CCITTFaxDecode' keyword in the PDF file.
The Launch_Count field captures the number of occurrences of the '/Launch' keyword in the PDF file.
The XFA_Count field captures the number of occurrences of the '/XFA' keyword in the PDF file.
The PDFKeywordCountType captures the obfuscated and non-obfuscated occurrences of a keyword.
The Non_Obfuscated_Count field captures the number of times the keyword occurred in the PDF file without any obfuscation.
The Obfuscated_Count field captures the number of times the keyword occurred in the PDF file with some form of obfuscation, such as with hexcodes.
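As an added example, not code from the CybOX schema or its tooling: a Python name tokenizer that produces the Non_Obfuscated_Count / Obfuscated_Count split described above for the PDFKeywordCountsType keywords, treating a name written with '#xx' hex escapes (for example /J#53 for /JS) as obfuscated. The sample PDF bytes, the ACTIVE_CONTENT set and the triage helper are constructed for illustration and are not part of the schema.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class KeywordCount(NamedTuple):
    non_obfuscated_count: int
    obfuscated_count: int


# The keywords enumerated by PDFKeywordCountsType.
KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/ASCIIHexDecode", "/ASCII85Decode", "/LZWDecode", "/FlateDecode",
            "/RunLengthDecode", "/JBIG2Decode", "/DCTDecode", "/RichMedia",
            "/CCITTFaxDecode", "/Launch", "/XFA"]

# Constructed subset of keywords whose presence means the document can run code or
# trigger actions; used only by the triage helper below.
ACTIVE_CONTENT = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/RichMedia", "/XFA"}

# A PDF name token: '/' followed by regular characters, where '#xx' encodes one byte.
# Whitespace and the delimiter characters ( ) < > [ ] { } / % end the token, so
# '/Pages' is a different name from '/Page' and is not counted as one.
NAME_TOKEN_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\s/<>\[\]()%{}#])*)")


def decode_name(raw: bytes) -> bytes:
    """Undo '#xx' hex escapes in a raw name token (b'J#53' -> b'JS')."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def count_keywords(data: bytes, keywords: List[str] = KEYWORDS) -> Dict[str, KeywordCount]:
    """Count each keyword in the raw file bytes, split by whether the occurrence used hex escapes.
    Names inside compressed streams are not visible here until the stream is decoded."""
    plain, obfuscated = Counter(), Counter()
    wanted = {k.encode(): k for k in keywords}
    for m in NAME_TOKEN_RE.finditer(data):
        raw = m.group(1)
        name = b"/" + decode_name(raw)
        if name in wanted:
            (obfuscated if b"#" in raw else plain)[wanted[name]] += 1
    return {k: KeywordCount(plain[k], obfuscated[k]) for k in keywords}


def triage(counts: Dict[str, KeywordCount]) -> Tuple[List[str], List[str]]:
    """Return (active-content keywords present, keywords that appeared in obfuscated form)."""
    present = sorted(k for k in ACTIVE_CONTENT if sum(counts[k]) > 0)
    hidden = sorted(k for k, v in counts.items() if v.obfuscated_count > 0)
    return present, hidden


# Constructed sample: a tiny PDF fragment whose action dictionary hides /JavaScript and /JS
# behind hex escapes.
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
          b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
          b"4 0 obj\n<< /S /#4A#61vaScript /J#53 (hello) >>\nendobj\n")

if __name__ == "__main__":
    counts = count_keywords(SAMPLE)
    for k, v in counts.items():
        if sum(v):
            print(k, v)
    print(triage(counts))
```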
The Object_Number field specifies the 10-digit object number of the next free object.
The Byte_Offset field captures the 10-digit number, padded with leading zeros if necessary, that specifies the number of bytes from the beginning of the file to the beginning of the object.
The Object_Reference field captures a reference to an indirect PDF object that contains the dictionary, via its object and generation numbers.
The Raw_Contents field captures the contents of the dictionary as a string enclosed in an XML CDATA section.
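As an added example (not the schema's own code): a Python parser for a classic cross-reference table and trailer that fills the PDFXrefTableSubsectionType, PDFXrefEntryType and PDFTrailerType fields described above, then checks that every in-use entry's 10-digit offset really points at 'N G obj'. The sample file is constructed inline by build_sample_pdf, and the offset check is an assumption added for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class XrefEntry:
    object_number: int
    byte_offset: int        # 10-digit offset; for 'f' entries, the next free object number
    generation_number: int  # 5-digit generation number
    type: str               # 'n' = in use, 'f' = free


@dataclass
class XrefSubsection:
    first_object_number: int
    number_of_objects: int
    entries: List[XrefEntry]


@dataclass
class Trailer:
    size: Optional[int]
    root: Optional[str]
    prev: Optional[int]
    last_cross_reference_offset: int  # value following the 'startxref' keyword
    offset: int                       # byte offset of the 'trailer' keyword


XREF_ENTRY_RE = re.compile(rb"^(\d{10}) (\d{5}) ([nf])[ \r]*$")


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF; xref offsets are computed so the file is self-consistent."""
    bodies = [b"<< /Type /Catalog /Pages 2 0 R >>",
              b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
              b"<< /Type /Page /Parent 2 0 R >>"]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_offset = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, xref_offset)
    return bytes(out)


def parse_xref_table(data: bytes, offset: int) -> List[XrefSubsection]:
    """Parse the subsections of the cross-reference table whose 'xref' keyword is at `offset`."""
    lines = data[offset:].split(b"\n")
    if lines[0].strip() != b"xref":
        raise ValueError("no 'xref' keyword at offset %d" % offset)
    subsections, i = [], 1
    while i < len(lines) and lines[i].strip() != b"trailer":
        first, count = (int(x) for x in lines[i].split())  # subsection header: "first count"
        entries = []
        for k in range(count):
            m = XREF_ENTRY_RE.match(lines[i + 1 + k])
            if not m:
                raise ValueError("malformed xref entry: %r" % lines[i + 1 + k])
            entries.append(XrefEntry(first + k, int(m.group(1)), int(m.group(2)), m.group(3).decode()))
        subsections.append(XrefSubsection(first, count, entries))
        i += 1 + count
    return subsections


def parse_trailer(data: bytes) -> Trailer:
    """Find 'startxref' and the trailer dictionary before it; read Size, Root and Prev."""
    m = re.search(rb"startxref\s+(\d+)\s*%%EOF", data)
    if not m:
        raise ValueError("no startxref marker")
    t = data.rfind(b"trailer", 0, m.start())
    if t < 0:
        raise ValueError("no trailer keyword")
    text = data[t:m.start()]

    def int_key(name: bytes) -> Optional[int]:
        k = re.search(rb"/" + name + rb"\s+(\d+)", text)
        return int(k.group(1)) if k else None

    root = re.search(rb"/Root\s+(\d+\s+\d+\s+R)", text)
    return Trailer(int_key(b"Size"), root.group(1).decode() if root else None,
                   int_key(b"Prev"), int(m.group(1)), t)


def check_offsets(data: bytes, subsections: List[XrefSubsection]) -> List[int]:
    """Object numbers whose in-use entry does not point exactly at 'N G obj'; a non-empty
    result means the table and the object bodies disagree (malformed or edited file)."""
    bad = []
    for sub in subsections:
        for e in sub.entries:
            if e.type == "n":
                expect = b"%d %d obj" % (e.object_number, e.generation_number)
                if data[e.byte_offset:e.byte_offset + len(expect)] != expect:
                    bad.append(e.object_number)
    return bad


def analyze(data: bytes) -> dict:
    trailer = parse_trailer(data)
    subsections = parse_xref_table(data, trailer.last_cross_reference_offset)
    return {"trailer": trailer, "subsections": subsections,
            "bad_offsets": check_offsets(data, subsections)}


if __name__ == "__main__":
    result = analyze(build_sample_pdf())
    print(result["trailer"], result["bad_offsets"])
```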
<schema>System_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The ProcessorArchEnum type is a (non-exhaustive) enumeration of computer processor architectures.
Specifies the 32-bit x86 architecture.
Specifies the 64-bit x86 architecture.
Specifies the 64-bit IA (Itanium) architecture.
Specifies the PowerPC architecture.
Specifies the ARM architecture.
Specifies the Alpha architecture.
Specifies the SPARC architecture.
Specifies the z/architecture, used on IBM mainframes.
Specifies the eSi-RISC architecture.
Specifies the MIPS architecture.
Specifies the Motorola 68k architecture.
Specifies a processor architecture other than those defined in this enumeration.
The BitnessEnum type is an enumeration of word sizes that define classes of operating systems.
Specifies a 32-bit operating system.
Specifies a 64-bit operating system.
The SystemObjectType type is intended to characterize computer systems (as a combination of both software and hardware).
The Available_Physical_Memory field specifies the amount of physical memory available on the system, in bytes.
The BIOS_Info field specifies information about the BIOS on the system.
The Date field specifies the current date on the system.
The Hostname field specifies the hostname of the system.
The Local_Time field specifies the local time on the system.
The Network_Interface_List field specifies the list of network interfaces present on the system.
The OS field specifies information about the operating system installed on the system.
The Processor field specifies the name of the CPU used by the system.
The Processor_Architecture field specifies the specific architecture (e.g. x86) used by the CPU of the system.
The System_Time field specifies the system, or hardware, time on the system.
The Timezone_DST field specifies the time zone used by the system, taking daylight savings time (DST) into account.
The Timezone_Standard field specifies the time zone used by the system, without taking daylight savings time (DST) into account.
The Total_Physical_Memory field specifies the total amount of physical memory present on the system, in bytes.
The Uptime field specifies the duration that represents the current amount of time that the system has been up.
The Username field specifies the name of the user currently logged into the system.
The BIOSInfoType type specifies information about a system's BIOS.
The BIOS_Date field specifies the date of the BIOS (e.g. the datestamp of the BIOS revision).
The BIOS_Version field specifies the version of the BIOS.
The BIOS_Manufacturer field specifies the manufacturer of the BIOS.
The BIOS_Release_Date field specifies the date the BIOS was released.
The BIOS_Serial_Number field specifies the serial number of the BIOS.
The NetworkInterfaceListType type specifies information about the network interfaces present on the system.
The Network_Interface field specifies information about a network interface, such as its MAC address.
The IPGatewayListType type specifies the IP Addresses of the gateways used by the system.
The IP_Gateway_Address field specifies the IP Address of a gateway used by the system.
The NetworkInterfaceType type specifies information about a network interface, such as its MAC address.
The Adapter field specifies the name of the network adapter used by the network interface.
The Description field specifies the description of the network interface.
The DHCP_Lease_Expires field specifies the date/time that the DHCP lease obtained on the network interface expires.
The DHCP_Lease_Obtained field specifies the date/time that the DHCP lease was obtained on the network interface.
The DHCP_Server_List field specifies the list of DHCP servers used by the network interface.
The IP_Gateway_List field specifies the list of IP Gateways used by the network interface.
The IP_List field specifies the list of IP addresses used by the network interface.
The MAC field specifies the MAC or hardware address of the physical network card. Either a colon (':') or a dash ('-') may be used as a separator between the octets.
The IPInfoListType type specifies a list of IP address/subnet mask pairs associated with a network interface.
The IP_Info field specifies an IP Address/Subnet mask entry in the list.
The IP_Info type specifies information about the IP address and its associated subnet mask used by a network interface.
The IP_Address field specifies an IP address.
The Subnet_Mask field specifies a subnet mask.
The DHCPServerListType type specifies a list of DHCP Servers, via their IP addresses.
The DHCP_Server_Address field specifies the IP address of a DHCP server.
The OSType type specifies information about an operating system. It imports and extends the PlatformSpecificationType from the CybOX Common Types.
The Bitness field specifies the bitness of the operating system (i.e. 32 or 64).
Note that this is potentially different from the word size of the underlying hardware or CPU. A 32-bit operating system can be installed on a machine running a 64-bit processor.
The Build_Number field specifies the build number of the operating system.
The EnvironmentVariableList field specifies a list of environment variables present on the operating system.
The Install_Date field specifies the date the operating system was installed.
The Patch_Level field specifies the patch level of the operating system.
This field contains general identifiers for this OS instance.
BitnessType specifies operating system bitness, via a union of the BitnessEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
ProcessorArchType specifies CPU architecture types, via a union of the ProcessorArchEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Network_Share_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The SharedResourceTypeEnum type is an enumeration of the Windows shared resource types for shared devices. These can be checked via the NetShareCheck function. See http://msdn.microsoft.com/en-us/library/windows/desktop/bb525385(v=vs.85).aspx for more information.
Specifies that the shared device is a disk drive.
Specifies that the shared device is a disk drive with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is a disk drive and serves as a temporary share.
Specifies that the shared device is a disk drive with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves as a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is a print queue.
Specifies that the shared device is a print queue with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is a print queue and serves as a temporary share.
Specifies that the shared device is a print queue with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves as a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is a communications device.
Specifies that the shared device is a communications device with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is a communications device and serves as a temporary share.
Specifies that the shared device is a communications device with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves as a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is an Interprocess Communication (IPC) device.
Specifies that the shared device is an Interprocess Communication (IPC) device with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
Specifies that the shared device is an Interprocess Communication (IPC) device and serves as a temporary share.
Specifies that the shared device is an Interprocess Communication (IPC) device with a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$) and serves as a temporary share. Can also refer to administrative shares such as C$, D$, E$, and so forth. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/bb525391(v=vs.85).aspx.
The WindowsNetworkShareObjectType type is intended to characterize Windows network shares.
The Current_Uses field specifies the current number of uses of the network share.
The Local_Path field specifies the fully-qualified path on the local system to the network share.
The Max_Uses field specifies the maximum number of concurrent connections to the network share.
The Netname field specifies the network name of the network share.
The Type field specifies the type of the network share.
The accesspermissions group specifies the various permissions for Windows network shares.
The ACCESS_READ field specifies the permission to read data from a resource and, by default, to execute the resource.
The ACCESS_WRITE field specifies the permission to write data to the resource.
The ACCESS_CREATE field specifies the permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
The ACCESS_EXEC field specifies the permission to execute the resource.
The ACCESS_DELETE field specifies the permission to delete the resource.
The ACCESS_ATRIB field specifies the permission to modify the resource's attributes (such as the date and time when a file was last modified).
The ACCESS_PERM field specifies the permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
The ACCESS_ALL field specifies the permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.
SharedResourceType specifies Windows shared resource types via a union of the SharedResourceTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>URL_History_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The URLHistoryObjectType type is intended to characterize the stored URL history for a particular web browser.
The Browser_Information field captures information about the particular Web Browser whose URL history is being captured. It uses the ToolInformationType from the imported CybOX Common schema.
The URL_History_Entry field specifies a single URL history entry stored in the browser's history.
The URLHistoryEntryType captures the properties of a URL history entry for a particular browser.
The URL field specifies the URL that the URL history entry points to. It uses the URIObjectType from the imported CybOX URI Object.
The Hostname field specifies the hostname portion of the URL that the URL history entry points to (captured in the URL field).
The Referrer field specifies the origination point (i.e., URL) of the URL captured in the URL history entry, if applicable. It uses the URIObjectType from the imported CybOX URI Object.
The Page_Title field specifies the title of the web page referred to by the URL captured in the URL field.
The User_Profile_Name captures the name of the web browser user profile for which the URL history entry was created.
The Visit_Count field specifies the number of times the URL referred to by the URL field has been visited.
The Manually_Entered_Count field specifies the number of times the URL referred to by the URL field was manually entered into the browser's address field by the user. This field is only applicable for URL history entries generated by Google's Chrome browser.
The Modification_DateTime field specifies the date/time that the URL history entry was last modified.
The Expiration_DateTime field specifies the date/time that the URL history entry expires.
The First_Visit_DateTime field specifies the date/time that the URL referred to by the URL field was first visited.
The Last_Visit_DateTime field specifies the date/time that the URL referred to by the URL field was last visited.
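As an added example (not part of the CybOX schema or its documentation), the following Python maps the fields above onto what a real browser history store actually holds. It builds an in-memory SQLite database with a simplified, constructed copy of the two Chrome History tables (`urls` and `visits`, column names as Chrome uses them; other columns omitted) and derives URL, Hostname, Referrer, Page_Title, Visit_Count, Manually_Entered_Count (Chrome's `typed_count`), First_Visit_DateTime and Last_Visit_DateTime. The sample rows are constructed, and the timestamp conversion is the point worth checking: Chrome stores microseconds since 1601-01-01 UTC, not Unix time.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (the WebKit /
# Windows FILETIME epoch), not as Unix time; this conversion is the usual mistake.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEBKIT_TO_UNIX_SECONDS = 11_644_473_600


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def webkit_to_unix(microseconds: int) -> int:
    return microseconds // 1_000_000 - WEBKIT_TO_UNIX_SECONDS


# Simplified copy of the two Chrome History tables this example reads
# (column names as in Chrome's History SQLite file; other columns omitted).
SCHEMA = """
CREATE TABLE urls (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
    typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE visits (
    id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
    from_visit INTEGER, transition INTEGER);
"""


def build_sample_history() -> sqlite3.Connection:
    """Constructed sample data, not a real profile: two URLs, three visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2, 1, 13000000000000000, 0),
        (2, "https://example.com/login", "Login", 1, 0, 13000000005000000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, 12999999990000000, 0, 0),  # first visit to /, no referrer
        (2, 1, 13000000000000000, 0, 0),  # typed again 10 s later
        (3, 2, 13000000005000000, 2, 0),  # /login reached from visit 2
    ])
    conn.commit()
    return conn


def url_history_entries(conn: sqlite3.Connection) -> list:
    """Map the urls/visits rows onto URLHistoryEntryType field names."""
    rows = conn.execute("""
        SELECT u.id, u.url, u.title, u.visit_count, u.typed_count,
               u.last_visit_time, MIN(v.visit_time)
        FROM urls u LEFT JOIN visits v ON v.url = u.id
        GROUP BY u.id ORDER BY u.id""").fetchall()
    entries = []
    for url_id, url, title, visit_count, typed_count, last_visit, first_visit in rows:
        # Referrer: the URL of the visit that led to this URL's most recent visit.
        referrer = conn.execute("""
            SELECT src.url FROM visits v
            JOIN visits parent ON parent.id = v.from_visit
            JOIN urls src ON src.id = parent.url
            WHERE v.url = ? ORDER BY v.visit_time DESC LIMIT 1""", (url_id,)).fetchone()
        entries.append({
            "URL": url,
            "Hostname": urlsplit(url).hostname,
            "Referrer": referrer[0] if referrer else None,
            "Page_Title": title,
            "Visit_Count": visit_count,
            "Manually_Entered_Count": typed_count,  # Chrome's typed_count
            "First_Visit_DateTime": (webkit_to_datetime(first_visit).isoformat()
                                     if first_visit is not None else None),
            "Last_Visit_DateTime": webkit_to_datetime(last_visit).isoformat(),
        })
    return entries


if __name__ == "__main__":
    for entry in url_history_entries(build_sample_history()):
        print(entry)
```

Run against a copied History file, the only change is `sqlite3.connect(path)` in place of the in-memory build; copy the file first, since Chrome holds a lock on the live database.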
<schema>Hostname_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The HostnameObjectType object is intended to specify network hostnames.
The is_domain_name field specifies if this is also a valid domain name.
The Hostname_Value construct specifies the actual value of the Hostname.
The Naming_System construct specifies a relevant Naming System for the Hostname (e.g. DNS, NIS, NetBIOS).
<schema>Network_Connection_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The ConnectionStateEnum type is an enumeration of TCP connection states.
Indicates an unknown TCP connection state.
Indicates the closed TCP connection state--i.e. no connection state at all.
Indicates the listening TCP connection state.
Indicates the SYN sent TCP connection state--i.e. waiting for a matching connection request after having sent a connection request.
Indicates the SYN received TCP connection state--i.e. waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Indicates the established TCP connection state--i.e. an open connection in which data received can be delivered to the user.
Indicates the FIN-WAIT-1 TCP connection state--i.e. waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
Indicates the FIN-WAIT-2 TCP connection state--i.e. waiting for a connection termination request from the remote TCP.
Indicates the CLOSE-WAIT TCP connection state--i.e. waiting for a connection termination request from the local user.
Indicates the CLOSING TCP connection state--i.e. waiting for a connection termination request acknowledgment from the remote TCP.
Indicates the LAST-ACK connection state--i.e. waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
Indicates the TIME-WAIT connection state--i.e. waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
Indicates the DELETE-TCB connection state--i.e. the Transmission Control Block (TCB) is being deleted.
Layer3ProtocolEnum is a non-exhaustive enumeration of Layer 3 (network) layer protocols.
Specifies the Internet Protocol, version 4.
Specifies the Internet Protocol, version 6.
Specifies the Internet Control Message Protocol.
Specifies the Internet Group Management Protocol.
Specifies the Interior Gateway Routing Protocol.
Specifies the Connectionless Networking Protocol.
Specifies the Exterior Gateway Protocol.
Specifies the Enhanced Interior Gateway Routing Protocol.
Specifies the Internet Protocol Security suite.
Specifies the Internetwork Packet Exchange protocol.
Specifies the Routed Split Multi-Link Trunking protocol.
Specifies the Signalling Connection Control Part protocol.
Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (application) layer protocols.
Specifies the Hypertext Transfer Protocol.
Specifies the Hypertext Transfer Protocol Secure.
Specifies the File Transfer Protocol.
Specifies the Simple Mail Transfer Protocol.
Specifies the Internet Relay Chat protocol.
Specifies the Identification Protocol, IDENT.
Specifies the Domain Name System protocol.
Specifies the Telnet protocol.
Specifies the Post Office Protocol, version 3.
Specifies the Internet Message Access Protocol.
Specifies the Secure Shell protocol.
Specifies the Microsoft Server Message Block protocol.
Specifies the Advanced Direct Connect protocol.
Specifies the Apple Filing Protocol.
Specifies the Building Automation and Control Network protocol.
Specifies the BitTorrent protocol.
Specifies the Bootstrap Protocol.
Specifies the Diameter protocol.
Specifies the Digital Imaging and Communications in Medicine protocol.
Specifies the Dictionary protocol.
Specifies the Digital Storage Media Command and Control protocol.
Specifies the Distributed Social Networking Protocol.
Specifies the Dynamic Host Configuration Protocol.
Specifies the EDonkey2000 protocol.
Specifies the Finger protocol.
Specifies the Gnutella protocol.
Specifies the Gopher protocol.
Specifies the ISDN User Part protocol.
Specifies the Lightweight Directory Access Protocol.
Specifies the Multipurpose Internet Mail Extensions protocol.
Specifies the Microsoft Notification Protocol.
Specifies the Mobile Application Part protocol.
Specifies the Network Basic Input/Output System protocol.
Specifies the Network News Transfer Protocol.
Specifies the Network Time Protocol.
Specifies the National Transportation Communications for Intelligent Transportation System Protocol.
Specifies the Remote Authentication Dial In User Service protocol.
Specifies the Remote Desktop Protocol.
Specifies the rlogin protocol.
Specifies the rsync protocol.
Specifies the Real-time Transport Protocol.
Specifies the Real Time Streaming Protocol (RTSP).
Specifies the Siebel Internet Session Network API protocol.
Specifies the Session Initiation Protocol.
Specifies the Simple Network Management Protocol.
Specifies the Session Traversal Utilities for NAT protocol.
Specifies the Telephone User Part protocol.
Specifies the Transaction Capabilities Application Part protocol.
Specifies the Trivial File Transfer Protocol.
Specifies the Web Distributed Authoring and Versioning protocol.
Specifies the Extensible Messaging and Presence Protocol.
Specifies the Modbus Protocol.
The NetworkConnectionObjectType is intended as a way of characterizing local or remote (i.e. Internet) network connections.
The tls_used field specifies whether or not Transport Layer Security (TLS) is used in the network connection.
The Creation_Time field specifies the date/time the network connection was created.
The Layer3_Protocol field specifies the particular network (layer 3 in the OSI model) layer protocol used in the connection.
The Layer4_Protocol field specifies the particular transport (layer 4 in the OSI model) layer protocol used in the connection.
The Layer7_Protocol field specifies the particular application (layer 7 in the OSI model) layer protocol used in the connection.
The Source_Socket_Address field specifies the source socket address, consisting of an IP Address and port number, used in the connection.
The Source_TCP_State field specifies the current state of the TCP network connection at the source, if applicable.
The Destination_Socket_Address field specifies the destination socket address, consisting of an IP Address and port number, used in the connection.
The Destination_TCP_State field specifies the current state of the TCP network connection at the destination, if applicable.
The Layer7_Connections field allows for the characterization of any application (layer 7 in the OSI model) layer connections observed as part of the network connection.
The Layer7ConnectionsType specifies the different types of application (layer 7 in the OSI model) connections that may be initiated as part of the network connection.
The HTTP_Session field specifies a single HTTP session initiated between source and destination IP addresses/ports, and includes 1-n HTTP Request/Response pairs.
The DNS_Query field specifies a single DNS query/answer pair initiated between source and destination IP addresses/ports.
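As an added example (not part of the CybOX schema), the following Python shows how the socket table of a Linux host maps onto the NetworkConnectionObjectType fields above: it parses a constructed `/proc/net/tcp` excerpt, decodes the kernel's hex socket addresses into Source_Socket_Address and Destination_Socket_Address, and maps the kernel's numeric TCP states onto the ConnectionStateEnum. The literal enum strings (`ESTABLISHED`, `LISTENING`, ...) are an assumption drawn from the descriptions in this section, not copied from the schema file, and the address decoding assumes the table came from a little-endian host.

```python
import ipaddress
import struct

# Linux kernel TCP state numbers (include/net/tcp_states.h) mapped to the
# ConnectionStateEnum values described in this section. The literal enum
# strings are an assumption based on the descriptions, not copied from the schema.
LINUX_TCP_STATES = {
    0x01: "ESTABLISHED",
    0x02: "SYN_SENT",
    0x03: "SYN_RECEIVED",
    0x04: "FIN_WAIT_1",
    0x05: "FIN_WAIT_2",
    0x06: "TIME_WAIT",
    0x07: "CLOSED",
    0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK",
    0x0A: "LISTENING",
    0x0B: "CLOSING",
}


def decode_socket_address(hex_addr: str) -> dict:
    """Decode an address such as '0100007F:0016' from /proc/net/tcp.

    The kernel prints the IPv4 address as a 32-bit value in host byte order, so
    on a little-endian (x86) host the octets appear reversed; the port is a plain
    hex number. Assumes the table came from a little-endian host.
    """
    addr_hex, port_hex = hex_addr.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return {"IP_Address": str(ipaddress.IPv4Address(packed)), "Port": int(port_hex, 16)}


def parse_proc_net_tcp(text: str) -> list:
    """Turn /proc/net/tcp text into NetworkConnectionObjectType-style records."""
    connections = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        state = int(fields[3], 16)
        connections.append({
            "Layer3_Protocol": "IPv4",
            "Layer4_Protocol": "TCP",
            "Source_Socket_Address": decode_socket_address(fields[1]),
            "Destination_Socket_Address": decode_socket_address(fields[2]),
            # Only the local side's state is observable from the socket table;
            # Destination_TCP_State would need the remote host's view.
            "Source_TCP_State": LINUX_TCP_STATES.get(state, "UNKNOWN"),
        })
    return connections


def established_to_remote(connections: list) -> list:
    """Filter to open connections whose peer is a globally routable address."""
    result = []
    for conn in connections:
        peer = ipaddress.IPv4Address(conn["Destination_Socket_Address"]["IP_Address"])
        if conn["Source_TCP_State"] == "ESTABLISHED" and peer.is_global:
            result.append(conn)
    return result


# Constructed sample in the kernel's format: a loopback SSH listener, an
# outbound HTTPS session, and a finished HTTP connection in TIME_WAIT.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D8F2 5DB8D822:01BB 01 00000000:00000000 02:00000A3C 00000000  1000        0 23456 2 0000000000000000 20 4 30 10 -1
   2: 0F02000A:E2A1 0A01A8C0:0050 06 00000000:00000000 03:000003E8 00000000     0        0 0 3 0000000000000000
"""

if __name__ == "__main__":
    for conn in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(conn)
```

On a live host, replace the constructed sample with the contents of `/proc/net/tcp` (and `/proc/net/tcp6` for IPv6, whose addresses are 128-bit and need a different decoder).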
Layer3ProtocolType specifies Layer 3 protocol types, via a union of the Layer3ProtocolEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Layer7ProtocolType specifies Layer 7 protocol types, via a union of the Layer7ProtocolEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Volume_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
This enumeration contains possible drive types, as enumerated by the WINAPI GetDriveType function: http://msdn.microsoft.com/en-us/library/windows/desktop/aa364939(v=vs.85).aspx.
The drive type cannot be determined.
The root path is invalid; for example, there is no volume mounted at the specified path.
The drive has removable media; for example, a floppy drive, thumb drive, or flash card reader.
The drive has fixed media; for example, a hard disk drive or flash drive.
The drive is a remote (network) drive.
The drive is a CD-ROM drive.
The drive is a RAM disk.
This enumeration is a list of attributes that may be returned by the diskpart attributes command: http://technet.microsoft.com/en-us/library/cc766465(v=ws.10).aspx.
Specifies that the volume is read-only.
Specifies that the volume is hidden.
Specifies that the volume does not receive a drive letter by default.
Specifies that the volume is a shadow copy volume.
The WindowsVolumeObjectType type is intended to characterize Windows disk volumes.
Represents the attributes of this Windows volume object.
Represents the drive letter of this Windows volume object.
Represents the drive type of this Windows volume object.
A list of attributes describing this Windows volume.
Each attribute field represents a single attribute in the Windows volume attribute list.
WindowsDriveType specifies Windows drive types via a union of the WindowsDriveTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
WindowsVolumeAttributeType specifies Windows volume attributes via a union of the WindowsVolumeAttributeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>User_Session_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The UserSessionObjectType type is intended to characterize user sessions.
The Effective_Group field specifies the name of the effective group used in the user session.
The Effective_Group_ID field specifies the effective group ID of the group used in the user session.
The Effective_User field specifies the effective username used in the user session.
The Effective_User_ID field specifies the effective user ID of the user used in the user session.
The Login_Time field specifies the date/time of the login for the user session.
The Logout_Time field specifies the date/time of the logout for the user session.
<schema>Win_Executable_File_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The SubsystemTypeEnum enumerates the types of subsystems in Windows an executable can be compatible for, according to winnt.h and more specifically, the Subsystem value of the IMAGE_OPTIONAL_HEADER structure. See http://source.winehq.org/source/include/winnt.h and http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx for more information.
Specifies an unknown subsystem.
Specifies the native subsystem, i.e. no subsystem is required to run the image, as is the case for device drivers and native system processes.
Specifies the Windows Graphical user interface (GUI) subsystem.
Specifies the Windows character-mode user interface (CUI) subsystem.
Specifies the OS/2 CUI subsystem.
Specifies the POSIX CUI subsystem.
Specifies the Native Windows 9x drivers. This is denoted by the value IMAGE_SUBSYSTEM_NATIVE_WINDOWS or 0x8.
Specifies the Windows CE system with a GUI.
Specifies the Extensible Firmware Interface (EFI) application.
Specifies the Extensible Firmware Interface (EFI) driver with boot services.
Specifies the Extensible Firmware Interface (EFI) driver with run-time services.
Specifies the Extensible Firmware Interface (EFI) image.
Specifies the XBOX system.
Specifies the Windows Boot application.
The PETypeEnum enumerates the characteristics flags for the executable file in question. These are detailed in winnt.h.
Specifies an executable image (not an OBJ or LIB).
Specifies a dynamic link library, not a program.
Specifies an invalid executable file (i.e. not one of the listed types).
The PEResourceTypeEnum is a non-exhaustive enumeration of PE resource types.
Specifies a resource that is a cursor or animated cursor, defined by naming it and specifying the name of the file that contains it. (To use a particular cursor, the application requests it by name.)
Specifies a resource that is a bitmap, defined by naming it and specifying the name of the file that contains it. (To use a particular bitmap, the application requests it by name.)
Specifies a resource that is an icon or animated icon, defined by naming it and specifying the name of the file that contains it. (To use a particular icon, the application requests it by name.)
Specifies a resource that captures the appearance and function of a menu. Does not define help or regular identifiers, nor uses the MFT_* type and MFS_* state flags.
Specifies a resource that captures the appearance and function of a menu, which can also utilize help or regular identifiers, as well as the MFT_* type and MFS_* state flags.
Specifies a resource that captures a menu item that can contain menu items and submenus.
Specifies a resource that captures a template that an application can use to create dialog boxes. This type is considered obsolete in Windows and newer applications use the DIALOGEX resource.
Specifies a resource that captures a template that newer applications can use to create dialog boxes.
Specifies a resource that is a string.
Specifies a resource that captures string tables. String resources are Unicode or ASCII strings that can be loaded from the executable file.
Specifies a resource that is a font directory.
Specifies a resource that captures the name of a file that contains a font.
Specifies a resource that captures menu accelerator keys.
Specifies a resource that captures data resources. Data resources let you include binary data in the executable file.
Specifies a resource that captures a message table by naming it and specifying the name of the file that contains it. The file is a binary resource file generated by the message compiler.
Specifies a resource that is a group cursor.
Specifies a resource that is a group icon.
Specifies a resource that captures version-information. Contains information such as the version number, intended operating system, and so on.
Specifies a resource that is a dialog include.
This resource is obsolete and included for completeness.
This is a special resource that is interpreted by Visual C++. For more information see http://go.microsoft.com/FWLink/?LinkId=83951.
This is a special resource that is used with /TLBID and /TLBOUT linker options. For more information see http://go.microsoft.com/FWLink/?LinkId=83960 (for /TLBID) and http://go.microsoft.com/FWLink/?LinkId=83947 (for /TLBOUT).
This resource is obsolete and included for completeness.
Specifies a resource that is an animated cursor.
Specifies a resource that is an animated icon.
Specifies a resource that captures an HTML file.
Specifies a resource that captures a manifest file.
Specifies a resource that captures a message table entry.
The WindowsExecutableFileObjectType type is intended to characterize Windows PE (Portable Executable) files.
The Build_Information field specifies some information on the tools used to build the PE binary.
The Digital_Signature field specifies the information about the digital signature used to sign the PE binary.
The Exports field characterizes the PE Export table of the PE Binary.
The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary.
The Headers field contains fields for characterizing aspects the various types of PE headers.
The Imports field characterizes the PE Import Table of the binary.
The PE_Checksum field specifies the checksum of the PE file.
The Resources field characterizes the PE Resources of the binary.
The Sections field characterizes the PE Sections of the binary.
The Type specifies the particular type of the PE binary, e.g. Executable.
The PECheckSumType records the checksum of the PE file, both as found in the file and computed.
PE_Computed_API specifies a checksum computed by an external algorithm.
PE_File_API specifies the checksum computed by IMAGEHLP.DLL (the CheckSumMappedFile API).
PE_File_Raw specifies the checksum found in the PE file (in the Optional Header).
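As an added example (not part of the CybOX schema), the following Python reproduces the PE checksum algorithm that IMAGEHLP's CheckSumMappedFile implements and compares the result with the value stored in the optional header, i.e. it produces the PE_Computed_API and PE_File_Raw values side by side. The reimplementation is mine, not the DLL; the test image is a constructed 256-byte stub with only the header fields needed to locate the checksum, not a real executable. A stored value of zero means the linker never set the checksum, which is normal for most user-mode binaries (Windows only enforces it for drivers and some system DLLs), so a mismatch against zero is not by itself evidence of tampering.

```python
import struct


def pe_checksum_offset(data: bytes) -> int:
    """Return the file offset of the CheckSum field in the PE optional header.

    Layout: IMAGE_DOS_HEADER.e_lfanew (at 0x3C) -> 'PE\\0\\0' signature (4 bytes)
    -> IMAGE_FILE_HEADER (20 bytes) -> IMAGE_OPTIONAL_HEADER, whose CheckSum
    field sits 0x40 bytes into the optional header for both PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE checksum the way IMAGEHLP's CheckSumMappedFile does.

    The file is summed as 32-bit little-endian words (a trailing partial word is
    zero-padded), skipping the word that holds the stored checksum, with
    end-around carry; the 32-bit sum is folded to 16 bits and the original
    file length is added.
    """
    checksum = 0
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)
    skip = checksum_offset & ~3  # the dword containing the CheckSum field
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        (dword,) = struct.unpack_from("<I", padded, i)
        checksum += dword
        if checksum >= 2 ** 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    checksum &= 0xFFFF
    return checksum + len(data)


def verify_pe_checksum(data: bytes) -> dict:
    """Return the stored (PE_File_Raw) and recomputed (PE_Computed_API) values."""
    offset = pe_checksum_offset(data)
    (stored,) = struct.unpack_from("<I", data, offset)
    computed = compute_pe_checksum(data, offset)
    return {"PE_File_Raw": stored, "PE_Computed_API": computed,
            "matches": stored == computed}


def build_minimal_pe_image(stored_checksum: int = 0) -> bytes:
    """Constructed 256-byte stub, not a real executable.

    DOS header with e_lfanew=0x40, the PE signature, a zeroed COFF header and an
    optional header whose Magic is 0x10B (PE32); everything else is zero.
    """
    image = bytearray(256)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, 0x40 + 4 + 20, 0x10B)           # Optional header Magic
    struct.pack_into("<I", image, 0x40 + 4 + 20 + 0x40, stored_checksum)
    return bytes(image)


if __name__ == "__main__":
    unsigned = build_minimal_pe_image()
    print(verify_pe_checksum(unsigned))
    fixed = build_minimal_pe_image(verify_pe_checksum(unsigned)["PE_Computed_API"])
    print(verify_pe_checksum(fixed))
```

For a real file, pass `open(path, "rb").read()` to `verify_pe_checksum`; a non-zero stored value that does not match the computed one indicates the file was modified after linking (or the checksum field itself was patched).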
The PEExportsType specifies the PE File exports data section. The exports data section contains information about symbols exported by the PE File (a DLL) which can be dynamically loaded by other executables. This type and its components abstract the underlying Windows structures.
The Name field specifies the actual name of the PE module, as used by the PE loader when it is imported by another executable.
A list of the exported functions in this section.
The date and time the export data was created.
The number of addresses in the export data section's address table.
The number of names in the export data section's name table.
The Number_Of_Functions field specifies the total number of functions that are exported by the PE file.
The PEExportedFunctionsType specifies a list of PE exported functions.
Specifies a single field in the list of exported functions.
The PESectionListType captures a list of sections that appear in the PE file.
Specifies a single entry in a list of PE file sections.
The EntropyType captures the result of an entropy computation.
Specifies the computed entropy value.
Specifies the smallest possible value for the entropy computation.
Specifies the largest possible value for the entropy computation (e.g., this would be 8 if the entropy computations is based on bits of information).
The PEImportType type is intended as container for the properties relevant to PE binary imports.
The delay_load field is a boolean value that is intended to describe whether a PE binary import is delay-load or not.
The initially_visible field specifies whether the import is visible in the import table before the binary is unpacked. A packed binary typically has few initially visible imports, so it is necessary to distinguish imports that are visible initially from those that become visible only after the binary is unpacked.
The File_Name field specifies the name of the library (file) that the PE binary imports.
The Imported_Functions field is used to enumerate any functions imported from a particular library.
The Virtual_Address field specifies the relative virtual address (RVA) of the PE binary library import.
The PEImportedFunctionsType captures a list of functions imported by the PE file.
Specifies a single field in a list of imported functions.
The PEExportType specifies the type describing exported functions.
The Function_Name field specifies the name of the function exported by the PE binary.
The Entry_Point field specifies the entry point of the function exported by the PE binary.
The Ordinal field specifies the ordinal value (index) of the function exported by the PE binary.
The PEResourceListType specifies a list of resources found in the PE file.
Specifies a single entry in a list of resources.
The PEImportedFunctionType specifies the type describing imported functions.
The Function_Name field specifies the name of the function from the specified library that the PE binary imports.
The Hint field specifies the index into the export table of the library that the function is found in.
The Ordinal field specifies the ordinal value (index) of the function in the library in which it is found.
The Bound field specifies the precomputed address if the imported function is bound.
The Virtual_Address field specifies the relative virtual address (RVA) of the PE binary library imported function.
The PEImportListType specifies a list of functions in an import data section.
Specifies a single field in a list of imported functions.
The PESectionType type is intended as container for the properties relevant to PE binary sections. A PE Section consists of a header and data. The PESectionType contains properties that describe the Section Header and metadata computed about the section (e.g., hashes, entropy).
The Section_Header field contains characteristics of the section's section header structure.
The Data_Hashes field is used to include any hash values computed using the data contained in the specified PE binary section as input.
The Entropy field specifies the calculated entropy of the PE binary section.
The Header_Hashes field is used to include any hash values computed using the header of the specified PE binary section as input.
The PEDataDirectoryStruct type is intended as container for the properties relevant to a PE binary's data directory structure.
The Virtual_Address field specifies the relative virtual address (RVA) of the data structure.
The size field specifies the size of the data structure, in bytes.
The PESectionHeaderStruct type is intended as container for the properties relevant to a PE binary's section header structure.
The Name field specifies the name of the PE binary section.
The Virtual_Size field is the total size of the PE binary section when loaded into memory. It is valid only for executables and should be 0 for object files.
The Virtual_Address field specifies the relative virtual address (RVA) of the PE binary section.
The Size_Of_Raw_Data field specifies the size of the data contained in the PE binary section.
The Pointer_To_Raw_Data field specifies the file offset of the beginning of the PE binary section.
The Pointer_To_Relocations field specifies the offset of the PE binary section relocations, if applicable.
Specifies the beginning of line-number entries for the section. Should be 0.
The Number_Of_Relocations field specifies the number of relocations defined for the specified PE binary section.
Specifies the number of line number entries for the section. Should be 0.
The Characteristics field specifies any flags defined for the specified PE binary section.
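As an added example (not part of the CybOX schema), the following Python parses an IMAGE_SECTION_HEADER into the PESectionHeaderStruct fields above, computes the EntropyType values for the section's raw data (Shannon entropy in bits per byte, so Min is 0 and Max is 8), and derives the two checks an analyst usually wants from these fields: whether the section is both writable and executable, and whether Virtual_Size exceeds Size_Of_Raw_Data. The Characteristics flag values are the winnt.h constants; the sample image is constructed with a single section header at offset 0 and its raw data at file offset 0x200, not a real PE file.

```python
import math
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

# Characteristics flags from winnt.h (subset used here).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_section_header(data: bytes, offset: int) -> dict:
    """Unpack one section header into PESectionHeaderStruct field names."""
    f = struct.unpack_from(SECTION_HEADER_FMT, data, offset)
    return {
        "Name": f[0].rstrip(b"\0").decode("ascii", "replace"),
        "Virtual_Size": f[1],
        "Virtual_Address": f[2],
        "Size_Of_Raw_Data": f[3],
        "Pointer_To_Raw_Data": f[4],
        "Pointer_To_Relocations": f[5],
        "Pointer_To_Linenumbers": f[6],
        "Number_Of_Relocations": f[7],
        "Number_Of_Linenumbers": f[8],
        "Characteristics": f[9],
    }


def shannon_entropy(data: bytes) -> dict:
    """EntropyType: Value in bits per byte, with the theoretical Min and Max."""
    value = 0.0
    if data:
        counts = [0] * 256
        for b in data:
            counts[b] += 1
        n = len(data)
        value = -sum(c / n * math.log2(c / n) for c in counts if c)
    return {"Value": value, "Min": 0.0, "Max": 8.0}


def section_findings(data: bytes, header_offset: int) -> dict:
    """Combine header fields with the metadata PESectionType carries (entropy)."""
    hdr = parse_section_header(data, header_offset)
    start, size = hdr["Pointer_To_Raw_Data"], hdr["Size_Of_Raw_Data"]
    raw = data[start:start + size]
    flags = hdr["Characteristics"]
    return {
        "Section_Header": hdr,
        "Entropy": shannon_entropy(raw),
        # W+X sections are unusual in compiler output; packers that unpack
        # in place need them.
        "writable_and_executable": bool(flags & IMAGE_SCN_MEM_WRITE)
                                   and bool(flags & IMAGE_SCN_MEM_EXECUTE),
        # Normal for .data/.bss (uninitialised tail), but together with high
        # entropy and W+X it is a common packer indicator.
        "virtual_size_exceeds_raw": hdr["Virtual_Size"] > size,
        # The header claims more raw data than the file holds (truncated/crafted).
        "raw_data_truncated": start + size > len(data),
    }


def build_sample_section(name: bytes, raw: bytes, characteristics: int) -> bytes:
    """Constructed test image: one section header at offset 0, raw data at 0x200."""
    image = bytearray(0x200 + len(raw))
    struct.pack_into(SECTION_HEADER_FMT, image, 0, name.ljust(8, b"\0"),
                     len(raw) + 0x1000, 0x1000, len(raw), 0x200, 0, 0, 0, 0,
                     characteristics)
    image[0x200:0x200 + len(raw)] = raw
    return bytes(image)


if __name__ == "__main__":
    packed_like = build_sample_section(
        b".text", bytes(range(256)),
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    print(section_findings(packed_like, 0))
```

In a real file the section headers start immediately after the optional header (at e_lfanew + 4 + 20 + SizeOfOptionalHeader) and there are NumberOfSections of them, each SECTION_HEADER_SIZE bytes apart.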
The DOSHeaderType type is a container for the characteristics of the _IMAGE_DOS_HEADER structure, which can be found in Winnt.h and pe.h. See http://www.csn.ul.ie/~caolan/pub/winresdump/winresdump/doc/pefile.html for more information about the winnt.h file, and http://www.tavi.co.uk/phobos/exeformat.html for even more clarification.
Specifies the magic number. In the IMAGE_DOS_HEADER this is the two-byte signature MZ (0x5A4D), which every DOS and Windows executable begins with (for all intents and purposes, all Windows executables, since a PE file starts with a DOS header and stub). The signatures identifying the newer formats, NE for OS/2, LE for OS/2 LE, and PE00 for Windows NT, are located at the file offset given by the e_lfanew field rather than in this field.
Specifies the number of bytes actually used in the last page, with the special case of a full page being represented by a value of zero (since the last page is never empty). For example, assuming a page size of 512 bytes, this value would be 0x0000 for a 1024 byte file, and 0x0001 for a 1025 byte file (since it only contains one valid byte).
Specifies the number of pages required to hold the file. For example, if the file contains 1024 bytes, and we assume the file has pages of a size of 512 bytes, this word would contain 0x0002; if the file contains 1025 bytes, this word would contain 0x0003.
Specifies the number of relocation items, i.e. the number of entries that exist in the relocation pointer table. If there are no relocation entries, this value is zero.
Specifies the size of the executable header in terms of paragraphs (16 byte chunks). It indicates the offset of the program's compiled/assembled and linked image (the load module) within the executable file. The size of the load module can be deduced by subtracting this value (converted to bytes) from the overall file size derived from combining the e_cp (number of file pages) and e_cblp (number of bytes in last page) values. The header always spans an even number of paragraphs.
Specifies the minimum number of extra paragraphs needed to be allocated to begin execution. This is IN ADDITION to the memory required to hold the load module. This value normally represents the total size of any uninitialised data and/or stack segments that are linked at the end of a program. This space is not directly included in the load module, since there are no particular initializing values and it would simply waste disk space.
Specifies the maximum number of extra paragraphs needed to be allocated by the program before it begins execution. This indicates ADDITIONAL memory over and above that required by the load module and the value specified by MINALLOC. If the request cannot be satisfied, the program is allocated as much memory as is available.
Specifies the initial SS value, which is the paragraph address of the stack segment relative to the start of the load module. At load time, this value is relocated by adding the address of the start segment of the program to it, and the resulting value is placed in the SS register before the program is started. In DOS, the start segment of the program is the first segment boundary in memory after the PSP.
Specifies the initial SP value, which is the absolute value that must be loaded into the SP register before the program is given control. Since the actual stack segment is determined by the loader, and this is merely a value within that segment, it does not need to be relocated.
Specifies the checksum of the contents of the executable file. It is used to ensure the integrity of the data within the file. For full details on how this checksum is calculated, see http://www.tavi.co.uk/phobos/exeformat.html#checksum.
Specifies the initial IP value, which is the absolute value that should be loaded into the IP register in order to transfer control to the program. Since the actual code segment is determined by the loader, and this is merely a value within that segment, it does not need to be relocated.
Specifies the pre-relocated initial CS value, relative to the start of the load module, that should be placed in the CS register in order to transfer control to the program. At load time, this value is relocated by adding the address of the start segment of the program to it, and the resulting value is placed in the CS register when control is transferred.
Specifies the file address of the relocation table, or more specifically, the offset from the start of the file to the relocation pointer table. This value must be used to locate the relocation pointer table (rather than assuming a fixed location) because variable-length information pertaining to program overlays can occur before this table, causing its position to vary. A value of 0x40 in this field generally indicates a different kind of executable file, not a DOS 'MZ' type.
Specifies the overlay number, which is normally set to 0x0000, because few programs actually have overlays. It changes only in files containing programs that use overlays. See http://www.tavi.co.uk/phobos/exeformat.html#overlaynote for more information about overlays.
Specifies reserved words for the program (known in winnt.h as e_res[4]), usually set to zero by the linker. If they are all zero, use a single reserved1 set to zero; if not, create four reserved1 entries with the correct values.
Specifies the identifier for the OEM for e_oeminfo.
Specifies the OEM information for a specific value of e_oeminfo.
Specifies reserved words for the program (known in winnt.h as e_res[10]), usually set to zero by the linker. If they are all zero, use a single reserved1 set to zero; if not, create ten reserved1 entries with the correct values.
Specifies the file address of the new exe header. In particular, it is a 4-byte offset into the file where the PE file header is located. It is necessary to use this offset to locate the PE header in the file.
The Hashes field is used to include any hash values computed using the specified PE binary MS-DOS header as input.
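An added example, not part of the CybOX schema or its reference implementation: a Python decoder for the DOS header described above that derives the image size from e_cp and e_cblp, the load module size from e_cparhdr, and checks that e_lfanew lands on the PE signature. The sample image it parses is constructed.

```python
import struct

# Added example, not part of the CybOX schema: decode the 64-byte
# _IMAGE_DOS_HEADER described above and derive the sizes its fields imply.
# The sample image built at the bottom is constructed, not a real binary.

PAGE_SIZE = 512        # e_cp and e_cblp count 512-byte pages
PARAGRAPH_SIZE = 16    # e_cparhdr, e_minalloc and e_maxalloc count paragraphs
DOS_HEADER_FMT = "<2s13H8sHH20sI"   # little-endian winnt.h layout, 64 bytes
DOS_HEADER_LEN = struct.calcsize(DOS_HEADER_FMT)
DOS_FIELDS = (
    "e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
    "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc",
    "e_ovno", "e_res", "e_oemid", "e_oeminfo", "e_res2", "e_lfanew",
)


def dos_image_size(e_cp, e_cblp):
    """Bytes covered by e_cp pages, where e_cblp == 0 means the last page is full.

    1024-byte image -> e_cp=2, e_cblp=0; 1025-byte image -> e_cp=3, e_cblp=1.
    """
    if e_cp == 0:
        return 0
    last_page = e_cblp if e_cblp else PAGE_SIZE
    return (e_cp - 1) * PAGE_SIZE + last_page


def parse_dos_header(data):
    """Return the raw DOS header fields plus the values derived from them.

    Raises ValueError if the buffer is shorter than the header or the
    e_magic signature is not 'MZ'.
    """
    if len(data) < DOS_HEADER_LEN:
        raise ValueError("buffer shorter than the 64-byte DOS header")
    hdr = dict(zip(DOS_FIELDS, struct.unpack_from(DOS_HEADER_FMT, data)))
    if hdr["e_magic"] != b"MZ":
        raise ValueError("e_magic is %r, not MZ" % hdr["e_magic"])

    image_size = dos_image_size(hdr["e_cp"], hdr["e_cblp"])
    header_size = hdr["e_cparhdr"] * PARAGRAPH_SIZE
    # Load module = DOS image minus header.  In a PE file these fields
    # describe only the MS-DOS stub program, not the whole binary.
    hdr["image_size"] = image_size
    hdr["header_size"] = header_size
    hdr["load_module_size"] = image_size - header_size
    hdr["min_extra_bytes"] = hdr["e_minalloc"] * PARAGRAPH_SIZE
    # e_lfarlc == 0x40 is the usual tell that this is not a plain DOS 'MZ' program
    hdr["new_exe_hint"] = hdr["e_lfarlc"] == 0x40
    # e_lfanew must land inside the buffer on the 4-byte "PE\0\0" signature
    off = hdr["e_lfanew"]
    hdr["pe_signature_ok"] = off + 4 <= len(data) and data[off:off + 4] == b"PE\0\0"
    return hdr


def build_sample_image():
    """Constructed 1025-byte MZ image: 64-byte header, PE signature at 0x40."""
    fields = dict.fromkeys(DOS_FIELDS, 0)
    fields.update(
        e_magic=b"MZ", e_cblp=1, e_cp=3, e_cparhdr=4, e_minalloc=0x10,
        e_maxalloc=0xFFFF, e_sp=0xB8, e_lfarlc=0x40, e_res=bytes(8),
        e_res2=bytes(20), e_lfanew=0x40,
    )
    header = struct.pack(DOS_HEADER_FMT, *(fields[f] for f in DOS_FIELDS))
    body = b"PE\0\0" + bytes(1025 - DOS_HEADER_LEN - 4)
    return header + body


if __name__ == "__main__":
    h = parse_dos_header(build_sample_image())
    for key in ("image_size", "header_size", "load_module_size",
                "new_exe_hint", "pe_signature_ok"):
        print(key, h[key])
```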
The PEHeadersType specifies the headers found in PE and COFF files.
The DOS_Header field refers to the MS-DOS PE header and its associated characteristics.
The Signature field specifies the 4-byte signature that identifies the file as a PE file.
The File_Header field refers to the PE file header (sometimes referred to as the COFF header) and its associated characteristics.
The Optional_Header field refers to the PE optional header and its associated characteristics. The Optional Header is required for executable (PE) files, but optional for object (COFF) files.
The Entropy field specifies the calculated entropy of the PE file header.
The Hashes field is used to include any hash values computed using the specified PE binary file header as input.
The PEFileHeaderType type refers to the PE file header (sometimes referred to as the COFF header) and its associated characteristics.
Specifies the type of target machine.
Specifies the number of sections in the file.
Specifies the time when the file was created (the low 32 bits of the number of seconds since epoch).
Specifies the file offset of the COFF symbol table (should be 0).
Specifies the number of entries in the symbol table. Should be 0.
Specifies the size of the optional header. Should be 0 for object files and non-zero for executables.
Specifies the flags that indicate the file's characteristics.
Any hashes computed for the Optional Header.
The PEOptionalHeaderType type describes the PE Optional Header structure. Additional computed metadata, e.g., hashes of the header, are also included.
Specifies the unsigned integer that indicates the type of executable file.
Specifies the linker major version number.
Specifies the linker minor version number.
Specifies the size of the code (text) section. If there are multiple sections, the size is the sum of the sizes of each.
Specifies the size of the initialized data section. If there are multiple sections, the size is the sum of the sizes of each.
Specifies the size of the uninitialized (bss) data section. If there are multiple sections, the size is the sum of the sizes of each.
Specifies the address of the entry point relative to the image base when the executable is loaded into memory. When there is no entry point (e.g., optional for DLLs), the value should be 0.
Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory.
Specifies the address that is relative to the image base of the beginning-of-data section when it is loaded into memory.
Specifies the preferred address of the first byte of image when loaded into memory; must be a multiple of 64 K.
Specifies the alignment (in bytes) of sections when they are loaded into memory.
Specifies the factor (in bytes) that is used to align the raw data of sections in the image file.
Specifies the major version number of the required operating system.
Specifies the minor version number of the required operating system.
Specifies the major version number of the image.
Specifies the minor version number of the image.
Specifies the major version number of the subsystem.
Specifies the minor version number of the subsystem.
Reserved; must be 0.
Specifies the size (in bytes) of the image, including all headers, as the image is loaded in memory.
Specifies the combined size of the MS DOS header, PE header, and section headers rounded up to a multiple of FileAlignment.
Specifies the checksum of the PE file.
Specifies the subsystem (e.g., GUI, device driver) that is required to run this image.
Specifies flags that characterize the PE file.
Specifies the size of the stack to reserve.
Specifies the size of the stack to commit.
Specifies the size of the local heap space to reserve.
Specifies the size of the local heap space to commit.
Reserved; must be 0.
Specifies the number of data-directory entries in the remainder of the optional header.
Specifies the data directories in the remainder of the optional header. This field is repeated for each data directory.
The Hashes field is used to include any hash values computed using the specified PE binary optional header as input.
The DataDirectoryType specifies the data directories that can appear in the PE file's optional header. The data directories, except the Certificate Table, are loaded into memory so they can be used at runtime.
Specifies the export table data directory.
Specifies the import table data directory.
Specifies the resource table data directory.
Specifies the exception table data directory.
Specifies the certificate table data directory. The table of certificates is stored in the file at the location this data directory entry points to.
Specifies the base relocation table data directory.
Specifies the debug data directory.
Reserved, must be 0.
Specifies the RVA of the value to be stored in the global pointer register.
Specifies the thread local storage (TLS) table data directory.
Specifies the load configuration table data directory.
Specifies the bound import table data directory.
Specifies the import address table (IAT) data directory.
Specifies the delay import descriptor data directory.
Specifies the Common Language Runtime (CLR) header data directory.
Reserved; must be 0.
The PEBuildInformationType captures information about the tools used to build the PE binary, including the compiler and linker.
The Linker_Name field specifies the name of the linker used to link the PE binary.
The Linker_Version field specifies the version of the linker used to link the PE binary.
The Compiler_Name field specifies the name of the compiler used to compile the binary.
The Compiler_Version field specifies the version of the compiler used to compile the binary.
The Resource field characterizes an abstract PE file resource.
The VersionInfoResource field characterizes a Version resource that uses the VERSIONINFO resource.
The SubsystemType specifies subsystem types via a union of the SubsystemTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The PEType specifies PE file types via a union of the PETypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The PEResourceType type is intended as a container for the properties relevant to PE binary resources.
This field refers to the type of data referred to by this resource.
The Name field specifies the name of the resource used by the PE binary.
The Size field specifies the size of the resource, in bytes.
The Virtual_Address field specifies the relative virtual address (RVA) of the resource data.
The Language field specifies the name of the language (LANG) defined for the resource, if applicable.
The Sub_Language field specifies the name of the sub language (SUBLANG) defined for the resource, if applicable.
The Hashes field is used to include any hash values computed using the specified PE binary resource as input.
The Data field captures the actual data contained in the resource, most commonly as a base64-encoded string encapsulated in a CDATA section.
The PEVersionInfoResourceType characterizes the special VERSIONINFO resource type. For more information please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa381058(v=vs.85).aspx.
The Comments field captures any additional information that should be displayed for diagnostic purposes.
The CompanyName field captures the company that produced the file - for example, "Microsoft Corporation" or "Standard Microsystems Corporation, Inc.".
The FileDescription field captures the file description to be presented to users. This string may be displayed in a list box when the user is choosing files to install - for example, "Keyboard Driver for AT-Style Keyboards".
The FileVersion field captures the version number of the file - for example, "3.10" or "5.00.RC2".
The InternalName field captures the internal name of the file, if one exists - for example, a module name if the file is a dynamic-link library. If the file has no internal name, this string should be the original filename, without extension.
The LangID field captures the localization language identifier specified in the version-information resource.
The LegalCopyright field captures the copyright notices that apply to the file. This should include the full text of all notices, legal symbols, copyright dates, and so on.
The LegalTrademarks field captures the trademarks and registered trademarks that apply to the file. This should include the full text of all notices, legal symbols, trademark numbers, and so on.
The OriginalFilename field captures the original name of the file, not including a path. This information enables an application to determine whether a file has been renamed by a user. The format of the name depends on the file system for which the file was created.
The PrivateBuild field captures the information about a private version of the file - for example, "Built by TESTER1 on \TESTBED". This string should be present only if VS_FF_PRIVATEBUILD is specified in the fileflags parameter of the root block.
The ProductName field captures the name of the product with which the file is distributed. This string is required.
The ProductVersion field captures the version of the product with which the file is distributed - for example, "3.10" or "5.00.RC2".
The SpecialBuild field captures the text that indicates how this version of the file differs from the standard version - for example, "Private build for TESTER1 solving mouse problems on M250 and M250E computers". This string should be present only if VS_FF_SPECIALBUILD is specified in the fileflags parameter of the root block.
The PEResourceContentType specifies PE resource types via a union of the PEResourceTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Email_Message_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The EmailMessageObjectType type is intended to characterize an individual email message.
The Header field specifies a variety of common headers that may be included in the email message.
The Email_Server field is optional and specifies the relevant email server.
The Raw_Body field specifies the complete (raw) body of the email message.
The Raw_Header field specifies the complete (raw) headers of the email message.
The Attachments field specifies any files that were attached to the email message. It imports and uses the CybOX FileObjectType from the File_Object to do so.
The Links field specifies any URL links contained within the email message. It imports and uses the CybOX LinkObjectType from the Link_Object to do so.
The AttachmentsType captures a list of attachments for an email message.
The File field specifies a file that was attached to the email message, via a reference to an Object included elsewhere in the document.
The EmailHeaderType captures a representation of a standard email header.
The Received_Lines field specifies one or more 'Received' lines that may be included in the email header.
The To field specifies the email addresses of the recipients of the email message.
The CC field specifies the email addresses of any recipients that were included in the carbon copy header of the email message.
The BCC field specifies the email addresses of any recipients that were included in the blind carbon copy header of the email message.
The From field specifies the email address of the sender of the email message.
The Subject field specifies the subject (a brief summary of the message topic) of the email message.
The In_Reply_To field specifies the message ID of the message that this email is a reply to.
The Date field specifies the date/time that the email message was sent.
The Message_ID field specifies the automatically generated ID of the email message.
The Sender field specifies the email address of the sender who is acting on behalf of the author listed in the From: field.
The Reply_To field specifies the email address that should be used when replying to the email message.
The Errors_To field specifies the entry in the (deprecated) errors_to header of the email message.
The Boundary field specifies a boundary tag that may be included in a MIME multipart message. This boundary tag is used to indicate the parts of a multipart message.
The Content-Type field specifies the internet media, or MIME, type of the email message content.
The MIME-Version field specifies the version of the MIME formatting used in the email message.
The Precedence field specifies the (non-standard) priority value of the message, which can influence transmission speed and delivery. Use of this field is typically discouraged, as per IETF RFC2076 (http://www.faqs.org/rfcs/rfc2076.html).
The User-Agent field specifies the identity of the email user agent software that may have been used to send the email message.
The X-Mailer field specifies the software used to send the email message. This field is non-standard.
The X-Originating-IP field specifies the originating IP Address of the email sender, in terms of their connection to the mail server used to send the email message. This field is non-standard.
The X-Priority field specifies the numerical priority of the email message. This is a non-standard field, but typically a value of '1' is considered the highest priority, '3' is normal, and '5' is the lowest priority.
The EmailRecipientsType captures a list of recipients for an email message.
The Recipient field represents a single recipient for an email message.
The LinksType captures a list of URIs, representing the links contained in the message.
The Link field specifies a single URL link contained within the email message, via a reference to an Object included elsewhere in the document.
The EmailReceivedLineType captures a single 'Received' line in an email message header.
The From field captures the 'from' portion of the Received line, if applicable.
The By field captures the 'by' portion of the Received line, if applicable.
The Via field captures the 'via' portion of the Received line, if applicable.
The With field captures the 'with' portion of the Received line, if applicable.
The For field captures the 'for' portion of the Received line, if applicable.
The ID field captures the 'id' portion of the Received line, if applicable.
The Timestamp field captures the timestamp portion of the Received line, if applicable.
The EmailReceivedLineListType captures a list of 'Received' lines in an email message header.
The Received field captures a single Received line in the list.
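An added example, not part of the CybOX schema: a Python parser that splits Received lines into the portions defined above, reads a Received line list in transit order, and flags hops whose 'from' host does not match the previous hop's 'by' host. The header lines it parses are constructed.

```python
# Added example, not part of the CybOX schema: split 'Received:' header lines
# into the From/By/Via/With/For/ID/Timestamp portions defined above and read
# a list of them in transit order.  The header lines below are constructed.

CLAUSES = ("from", "by", "via", "with", "id", "for")


def _tokenize(text):
    """Split on whitespace outside parentheses so '(host [ip])' comments stay whole."""
    tokens, buf, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch.isspace() and depth == 0:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_received(line):
    """Return {from, by, via, with, id, for, timestamp}; missing portions are None.

    Per RFC 5321 the date-time follows the last ';'; everything before it is
    a sequence of keyword-introduced clauses.
    """
    if line[:9].lower() == "received:":
        line = line[9:]
    body, sep, stamp = line.rpartition(";")
    if not sep:
        body, stamp = line, ""
    values = {k: [] for k in CLAUSES}
    current = None
    for tok in _tokenize(body):
        key = tok.lower()
        if key in CLAUSES and not values[key]:
            current = key          # a keyword opens the next clause
        elif current is not None:
            values[current].append(tok)
    result = {k: " ".join(v) or None for k, v in values.items()}
    result["timestamp"] = " ".join(stamp.split()) or None
    return result


def parse_received_chain(header_lines):
    """Parse Received lines given in header order (newest first) into transit order."""
    return [parse_received(line) for line in reversed(header_lines)]


def _first_host(value):
    return value.split()[0].lower() if value else ""


def check_hop_continuity(chain):
    """List (by, from) pairs where a hop's 'from' host differs from the previous hop's 'by' host.

    Every hop prepends its own line, so only lines added by servers you
    trust are reliable; a mismatch further back is worth a second look.
    """
    return [(_first_host(prev["by"]), _first_host(nxt["from"]))
            for prev, nxt in zip(chain, chain[1:])
            if _first_host(prev["by"]) != _first_host(nxt["from"])]


# Constructed headers, newest hop first as they would appear in the message.
SAMPLE_RECEIVED = [
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) "
    "by mx.example.net (Postfix) with ESMTPS id 4XyZ123 "
    "for <analyst@example.net>; Mon, 20 Jan 2014 10:15:42 +0000",
    "Received: from [198.51.100.7] (helo=laptop.example.org) "
    "by mail.example.org with ESMTPA id 1Ab2Cd; "
    "Mon, 20 Jan 2014 10:15:40 +0000",
]

if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_RECEIVED)
    for hop, parsed in enumerate(chain, 1):
        print(hop, parsed)
    print("continuity breaks:", check_hop_continuity(chain))
```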
The AttachmentReferenceType specifies a reference to an Object defined elsewhere in the document which characterizes an attachment included in the email message.
The object_reference field specifies a reference to a file-oriented Object (i.e., the File Object or one of its derivations, such as the Windows File Object) defined elsewhere in the document, via its id.
The LinkReferenceType specifies a reference to a URI Object defined elsewhere in the document which characterizes a hyperlink embedded in the body of the email message.
The object_reference field specifies a reference to a URI Object defined elsewhere in the document, via its id.
<schema>Network_Packet_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
ARPOpTypeEnum contains the various ARP Operation Types.
Indicates the ARP request operation, or value 1 in the OPER field of an ARP packet.
Indicates the ARP reply operation, or value 2 in the OPER field of an ARP packet.
Indicates the RARP request operation, or value 3 in the OPER field of an ARP packet.
Indicates the RARP reply operation, or value 4 in the OPER field of an ARP packet.
This type enumerates the meaning of the Do Not Fragment bit used in IPv4 flags.
Indicates that the router or other device should fragment the packet if necessary, especially if the packet size is bigger than the MTU of an outgoing interface.
Indicates that the router or other device should NOT fragment the packet in any circumstance.
This type enumerates the meaning of the More Fragments bit used in IPv4 flags.
Indicates that the last fragment has been received. In other words, the "more fragments" flag is set to 0.
Indicates that more fragments need to be received. In other words, the "more fragments" flag is set.
The copy flag indicates whether the option is copied into all fragments on fragmentation (0=not copied; 1=copied). This information is also captured in the IPv4OptionsTypeEnum, which lists all options and incorporates the copy and class numbers.
Indicates that the options need NOT be copied into all fragments of a fragmented packet.
Indicates that the options need to be copied into all fragments of a fragmented packet.
The option class is represented by 2 bits. The explicit meanings are captured here in an enumerated list. This information is also captured in the IPv4OptionsTypeEnum, which lists all options and incorporates the copy and class numbers.
Indicates the "control" options.
Indicates a reserved value.
Indicates the debugging and measurement options.
Indicates a reserved value.
The Internet Protocol (IP) has provision for optional header fields identified by an option type field. Options 0 and 1 are exactly one octet, which is their type field. All other options have their one-octet type field, followed by a one-octet length field, followed by length-2 octets of option data. The option type field is sub-divided into a one-bit copied flag, a two-bit class field, and a five-bit option number. These taken together form an eight-bit value for the option type field. IP options are commonly referred to by this value. The IPv4OptionsEnum enumerates the option numbers that can be applied in IP. See http://www.iana.org/assignments/ip-parameters for more information.
Indicates the End of Options List option, or EOOL.
Indicates the No Operation option, or NOP.
Indicates the Security option, or SEC.
Indicates the Loose Source Route option, or LSR.
Indicates the Time Stamp option, or TS.
Indicates the Extended Security option, or E-SEC.
Indicates the Commercial Security option, or CIPSO.
Indicates the Record Route option, or RR.
Indicates the Stream ID option, or SID.
Indicates the Strict Source Route option, or SSR.
Indicates the Experimental Measurement option, or ZSU.
Indicates the MTU probe option, or MTUP.
Indicates the MTU reply option, or MTUR.
Indicates the Experimental Flow Control option, or FINN.
Indicates the Experimental Access Control option, or FINN.
Indicates the IMI Traffic Descriptor option, or IMITD.
Indicates the Extended Internet Protocol option, or EIP.
Indicates the Trace Route option, or TR.
Indicates the Address Extension option, or ADDEXT.
Indicates a Router Alert option, or RTRALT.
Indicates a Selective Directed Broadcast option, or SDB.
Indicates the Dynamic Packet State option, or DPS.
Indicates the Upstream Multicast Packet option, or UMP.
Indicates the Quick-Start option, or QS.
Indicates the RFC3692-style Experiment option, or EXP.
Enumerates possible actions when an option is not recognized.
Indicates that the option should be skipped and the header should continue to be processed. See RFC 2460.
Indicates that the packet should be discarded. See RFC 2460.
Indicates that the packet should be discarded and, regardless of whether or not the packet's Destination Address was a multicast address, an ICMP Parameter Problem, Code 2, message sent to the packet's Source Address, pointing to the unrecognized Option Type. See RFC 2460.
Indicates that the packet should be discarded and, only if the packet's Destination Address was not a multicast address, an ICMP Parameter Problem, Code 2, message sent to the packet's Source Address, pointing to the unrecognized Option Type. See RFC 2460.
Enumerated list that specifies whether or not the Option Data of an option can change en-route to the packet's final destination.
Indicates that the packet does not change en-route. See RFC 2460.
Indicates that the packet may change en-route. See RFC 2460.
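An added example, not part of the CybOX schema: Python that decodes the IPv4 option type octet into the copied flag, class and number described above, walks an options area using the one-octet versus type-length-data rule, and decodes the RFC 2460 action and change bits of an IPv6 option type. The option name table lists only the IANA numbers the example's author is sure of, and the sample bytes are constructed.

```python
# Added example, not part of the CybOX schema: decode IPv4 option type
# octets (copied bit, class, number), walk an IPv4 options area, and decode
# the RFC 2460 action/chg bits of an IPv6 option type.  Sample bytes are
# constructed.

# Option numbers to the names the IPv4OptionsEnum uses (IANA ip-parameters).
# Only entries whose numbers are certain are listed; others decode as UNKNOWN.
OPTION_NAMES = {
    0: "EOOL", 1: "NOP", 2: "SEC", 3: "LSR", 4: "TS", 5: "E-SEC",
    6: "CIPSO", 7: "RR", 8: "SID", 9: "SSR", 11: "MTUP", 12: "MTUR",
    18: "TR", 20: "RTRALT", 21: "SDB", 25: "QS",
}
CLASS_NAMES = {0: "control", 1: "reserved", 2: "debugging and measurement",
               3: "reserved"}

# RFC 2460: the two high-order bits of an IPv6 option type say what a node
# that does not recognize the option must do.
IPV6_UNRECOGNIZED_ACTION = {
    0: "skip and continue processing the header",
    1: "discard the packet",
    2: "discard and send ICMP Parameter Problem code 2 even if the "
       "destination is multicast",
    3: "discard and send ICMP Parameter Problem code 2 only if the "
       "destination is not multicast",
}


def decode_option_type(octet):
    """Split an IPv4 option type octet: 1 copied bit, 2 class bits, 5 number bits."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("option type must fit in one octet")
    number = octet & 0x1F
    klass = (octet >> 5) & 0x3
    return {
        "type": octet,
        "copied": bool(octet >> 7),
        "class": klass,
        "class_name": CLASS_NAMES[klass],
        "number": number,
        "name": OPTION_NAMES.get(number, "UNKNOWN"),
    }


def parse_ipv4_options(options):
    """Walk the options area that follows the fixed 20-byte IPv4 header.

    EOOL (type 0) ends the list, NOP (type 1) is a lone octet, every other
    option is type, length, then length-2 data octets.  A length below 2 or
    one that overruns the buffer raises, so the walk can neither loop
    forever on a zero length nor read past the header.
    """
    parsed, i = [], 0
    while i < len(options):
        opt = decode_option_type(options[i])
        if opt["type"] == 0:                     # EOOL: stop, rest is padding
            opt["data"] = b""
            parsed.append(opt)
            break
        if opt["type"] == 1:                     # NOP: single octet
            opt["data"] = b""
            parsed.append(opt)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d at offset %d lacks a length octet" % (opt["type"], i))
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option %d at offset %d has bad length %d" % (opt["type"], i, length))
        opt["length"] = length
        opt["data"] = bytes(options[i + 2:i + length])
        parsed.append(opt)
        i += length
    return parsed


def decode_ipv6_option_type(octet):
    """RFC 2460 option type: top two bits = action if unrecognized, third = may change en route."""
    return {
        "type": octet,
        "action": IPV6_UNRECOGNIZED_ACTION[(octet >> 6) & 0x3],
        "may_change_en_route": bool((octet >> 5) & 0x1),
    }


# Constructed 16-octet options area: Router Alert, NOP, Record Route holding
# one recorded address, then EOOL and three octets of padding.
SAMPLE_OPTIONS = bytes([148, 4, 0, 0, 1, 7, 7, 4, 192, 0, 2, 1, 0, 0, 0, 0])

if __name__ == "__main__":
    for o in parse_ipv4_options(SAMPLE_OPTIONS):
        print(o["name"], "copied" if o["copied"] else "not copied",
              o["class_name"], o["data"].hex())
    print(decode_ipv6_option_type(0xC2)["action"])   # 0xC2 is the Jumbo Payload type
```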
Enumerates the different Internet Protocol versions. IPv4(4) and IPv6(6) are the most common.
Indicates IP Version 4.
Indicates the IP version designating ST Datagram Mode.
Indicates IP Version 6.
Indicates the IP version designating TP/IX: The Next Internet.
Indicates the IP version designating PIP: The P Internet Protocol.
Indicates the IP version designating TUBA (TCP and UDP with Bigger Addresses, i.e. RFC 1347).
This enumerated type specifies Address Resolution Protocol (ARP) parameters (hardware types). See http://www.iana.org/assignments/arp-parameters/arp-parameters.xml.
Indicates Ethernet hardware.
Indicates IEEE 802 compliant hardware for networks carrying variable-size packets.
Indicates the ARCNET LAN protocol.
Indicates the Frame Relay WAN technology.
Indicates the ATM (Asynchronous Transfer Mode) networking standard.
Indicates the HDLC (High-Level Data Link Control) protocol.
Indicates the FibreChannel technology.
Indicates the ATM (Asynchronous Transfer Mode) networking standard.
Indicates the Serial Line protocol, or SLIP.
See http://cavebear.com/archive/cavebear/Ethernet/type.html, http://www.iana.org/assignments/ethernet-numbers, http://standards.ieee.org/develop/regauth/ethertype/eth.txt and http://en.wikipedia.org/wiki/EtherType for the assigned Ethernet type values.
Indicates the IPv4 Ethernet type is specified.
Indicates the ARP Ethernet type is specified.
Indicates the RARP Ethernet type is specified.
Indicates the IPX Ethernet type is specified.
Indicates the SNMP Ethernet type is specified.
Indicates the IPv6 Ethernet type is specified.
Assigned Internet Protocol Numbers: the list of protocol numbers used in the Protocol field of the IPv4 header and the Next Header field of the IPv6 header. See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml.
Indicates the IPv6 Hop-By-Hop option protocol (HOPOPT).
Indicates the Internet Control Message protocol (ICMP).
Indicates the Internet Group Management protocol (IGMP).
Indicates the Gateway-to-Gateway protocol (GGP).
Indicates the IPv4 Encapsulation protocol (IPv4).
Indicates the Stream protocol (ST).
Indicates the TCP protocol.
Indicates the EGP (Exterior Gateway) protocol.
Indicates the IGP/IGRP (Cisco) protocol.
Indicates the Network-Voice protocol.
Indicates the PUP protocol.
Indicates the ARGUS protocol.
Indicates the EMCON protocol.
Indicates the Cross Net Debugger protocol.
Indicates the UDP protocol.
Indicates the IPv6 protocol.
Indicates the Source Demand Routing protocol.
Indicates the routing header for IPv6.
Indicates the fragment header for IPv6.
Indicates the Reservation Protocol.
Indicates the General Routing Encapsulation protocol number.
Indicates the Encapsulated Security Payload protocol number.
Indicates the Authentication Header protocol number.
Indicates the ICMP for v6 protocol number.
Indicates the No Next Header for IPv6 protocol number.
Indicates the Destination Options for IPv6 protocol number.
Indicates the Mobility Header protocol number.
See http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml for the service name and port number registry.
Indicates the port for ftpdata.
Indicates the port for ftp.
Indicates the port for ssh.
Indicates the port for telnet.
Indicates the port for smtp.
Indicates the domain port.
Indicates the port for tftp.
Indicates the port for http.
Indicates the port for ldap.
Indicates the port for https.
Used by the IPv6 Fragment Header to indicate whether or not there are more fragments.
Fragment is the last fragment.
There are more fragments (current is not the last).
The NetworkPacketObjectType's definition of a network packet is based on the TCP/IP model/Internet protocol suite. In the TCP/IP stack, "packet" is generally defined as IP header plus payload, but we also include the LinkLayer from the OSI model, which defines the physical network interfaces and routing protocols. Protocol fields are provided but requirements are not enforced/captured; all fields are optional.
A link layer protocol is a hardware interface protocol, such as Ethernet, or a logical link routing protocol, such as ARP.
Multiple interface types exist; only the most common (Ethernet) is included now. Others will be added later as needed.
Ethernet sends network packets from the sending host to one or more receiving hosts. (REF: IEEE 802.3; http://wiki.wireshark.org/Ethernet).
Logical Protocols characterizes the logical protocol of a link layer connection. One example of a logical protocol is ARP.
Ethernet sends network packets from the sending host to one or more receiving hosts. (REF: IEEE 802.3; http://wiki.wireshark.org/Ethernet).
The ethernet header includes information such as source MAC address, destination MAC address, and more.
Ethernet header characterizes an ethernet header and includes information such as source MAC address, destination MAC address, and more.
Destination MAC Addr characterizes the destination MAC Address of the ethernet frame.
Source MAC Addr characterizes the source MAC Address of the ethernet frame.
Type or Length characterizes either the length of the ethernet frame or the protocol type of the network layer.
Checksum characterizes the Frame Check sequence of an ethernet frame.
If the value is 0-1500, then it is a length field. Otherwise, it defines the protocol type of the Internet layer.
The Address Resolution Protocol is a request and reply protocol that runs encapsulated by the line protocol. It is communicated within the boundaries of a single network, never routed across internetwork nodes. This property places ARP into the Link Layer. It is encapsulated. REF: http://www.comptechdoc.org/independent/networking/guide/netarp.html.
Characterizes the type of hardware address specified in an ARP message.
ProtoAddrType characterizes the type of protocol address being mapped. For IPv4 addresses, value = 0x0800.
Hardware_Addr_Size represents the byte size of the hardware address. For Ethernet or other IEEE 802 MAC addresses, the value is 6.
Proto_Addr_Size represents the byte size of the protocol address. IPv4 addresses = 4.
Op_Type characterizes the type of operation. 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply.
Sender_Hardware_Addr characterizes the sender's hardware address (e.g., MAC address).
Sender_Protocol_Addr characterizes the sender's IP address.
Recip_Sender_Hardware Addr characterizes the recipient's hardware address (e.g., MAC address).
Recip Protocol Addr characterizes the recipient's IP address.
ARPOpType specifies types of ARP operations, via a union of the ARPOpTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
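The Ethernet and ARP fields described above map directly onto a short parser. The following is an added example and not code from the CybOX schema or MITRE: it splits an Ethernet frame, applies the 0-1500 length-versus-EtherType rule to the Type_or_Length field, and decodes the ARP fixed header and its variable-length address fields using the Hardware_Addr_Size and Proto_Addr_Size values rather than assuming 6 and 4. The EtherType constant and the sample frame are assumptions constructed for the example.

```python
import struct

# Assumed registered values (IEEE/IANA), not taken from the schema text
ETHERTYPE_ARP = 0x0806
ARP_OPS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_str(raw: bytes) -> str:
    """Render a 6-byte hardware address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def fmt_addr(raw: bytes, size: int, is_hardware: bool) -> str:
    """Pretty-print only the address sizes we understand; otherwise fall back to hex."""
    if is_hardware and size == 6:
        return mac_str(raw)
    if not is_hardware and size == 4:
        return ".".join(str(b) for b in raw)
    return raw.hex()


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into MAC addresses, Type_or_Length and payload.

    Per the schema text, 0-1500 is an 802.3 length; anything else is the
    protocol type of the Internet layer (EtherType).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    hdr = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    if type_or_len <= 1500:
        hdr["length"] = type_or_len
        hdr["payload"] = frame[14:14 + type_or_len]
    else:
        hdr["ethertype"] = type_or_len
        hdr["payload"] = frame[14:]
    return hdr


def parse_arp(pkt: bytes) -> dict:
    """Decode the 8-byte fixed ARP header, then the four address fields whose
    sizes come from the header itself (so truncated packets are rejected)."""
    if len(pkt) < 8:
        raise ValueError("ARP packet shorter than its 8-byte fixed header")
    hw_type, proto_type, hw_size, proto_size, op = struct.unpack("!HHBBH", pkt[:8])
    need = 8 + 2 * (hw_size + proto_size)
    if len(pkt) < need:
        raise ValueError(f"ARP packet truncated: need {need} bytes, have {len(pkt)}")
    off, fields = 8, []
    for size in (hw_size, proto_size, hw_size, proto_size):
        fields.append(pkt[off:off + size])
        off += size
    sha, spa, tha, tpa = fields
    return {
        "hardware_type": hw_type,
        "protocol_type": proto_type,            # 0x0800 for IPv4, as the schema text notes
        "hardware_addr_size": hw_size,
        "protocol_addr_size": proto_size,
        "op_type": op,
        "op_name": ARP_OPS.get(op, f"unknown ({op})"),
        "sender_hardware_addr": fmt_addr(sha, hw_size, True),
        "sender_protocol_addr": fmt_addr(spa, proto_size, False),
        "recip_hardware_addr": fmt_addr(tha, hw_size, True),
        "recip_protocol_addr": fmt_addr(tpa, proto_size, False),
    }


def decode_frame(frame: bytes) -> dict:
    """Parse the link layer and, when the payload is ARP, the ARP message too."""
    eth = parse_ethernet(frame)
    if eth.get("ethertype") == ETHERTYPE_ARP:
        eth["arp"] = parse_arp(eth["payload"])
    return eth


# Constructed sample: broadcast ARP request "who has 192.168.0.199? tell 192.168.0.1"
SAMPLE_ARP_FRAME = bytes.fromhex(
    "ffffffffffff"              # dst MAC: broadcast
    "02aabbccddee"              # src MAC (locally administered, constructed)
    "0806"                      # EtherType: ARP
    "0001" "0800"               # hardware type Ethernet, protocol type IPv4
    "06" "04"                   # hardware addr size 6, protocol addr size 4
    "0001"                      # op: ARP request
    "02aabbccddee" "c0a80001"   # sender MAC / sender IP
    "000000000000" "c0a800c7"   # target MAC (unknown) / target IP
)

if __name__ == "__main__":
    from pprint import pprint
    pprint(decode_frame(SAMPLE_ARP_FRAME))
```

Because the address sizes are read from the packet, a malformed ARP message that claims a 6-byte hardware address but carries fewer bytes is rejected instead of silently producing a short address.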
NDP Type characterizes NDP (Neighbor Discovery Protocol) IPv6 packets. NDP defines five ICMPv6 packet types. RFC 2461: http://tools.ietf.org/html/rfc4861.
ICMPv6 Header characterizes an ICMPv6 header.
Hosts send Router Solicitations in order to prompt routers to generate Router Advertisements quickly. (type=133; code=0).
Router Solicitation messages include zero or more options, some of which may appear multiple times in the same message.
Neighbor Discovery messages include zero or more options, some of which may appear multiple times in the same message.
Src Link Addr characterizes the Source Link-Layer Address option.
Routers send out Router Advertisement messages periodically, or in response to Router Solicitations. (type=134; code=0).
1-bit "Managed address configuration" flag. When set, it indicates that addresses are available via Dynamic Host Configuration Protocol. If the M flag is set, the O flag is redundant and can be ignored because DHCPv6 will return all available configuration information.
1-bit "Other configuration" flag. When set, it indicates that other configuration information is available via DHCPv6. Examples of such information are DNS-related information or information on other servers within the network.
8-bit unsigned integer. The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets. A value of zero means unspecified (by this router).
16-bit unsigned integer. The lifetime associated with the default router in units of seconds. The field can contain values up to 65535 and receivers should handle any value, while the sending rules in Section 6 limit the lifetime to 9000 seconds.
32-bit unsigned integer. The time, in milliseconds, between retransmitted Neighbor Solicitation messages. Used by address resolution and the Neighbor Unreachability Detection algorithm. A value of zero means unspecified (by this router).
32-bit unsigned integer. The time, in milliseconds, between retransmitted Neighbor Solicitation messages. Used by address resolution and the Neighbor Unreachability Detection algorithm. A value of zero means unspecified (by this router).
Neighbor Discovery messages include zero or more options, some of which may appear multiple times in the same message.
Router Advertisement messages include zero or more options, some of which may appear multiple times in the same message.
Nodes send Neighbor Solicitations to request the link-layer address of a target node while also providing their own link-layer address to the target. Neighbor Solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. (type=135; code=0).
The IP address of the target of the solicitation.
Neighbor Solicitation messages include zero or more options, some of which may appear multiple times in the same message.
Neighbor Solicitation messages include zero or more options, some of which may appear multiple times in the same message.
Src Link Addr characterizes the Source Link-Layer Address option.
A node sends Neighbor Advertisements in response to Neighbor Solicitations and sends unsolicited Neighbor Advertisements in order to (unreliably) propagate new information quickly. (type=136; code=0).
Router flag. When set, the R-bit indicates that the sender is a router. The R-bit is used by Neighbor Unreachability Detection to detect a router that changes to a host.
Solicited flag. When set, the S-bit indicates that the advertisement was sent in response to a Neighbor Solicitation from the Destination address. The S-bit is used as a reachability confirmation for Neighbor Unreachability Detection.
Override flag. When set, the O-bit indicates that the advertisement should override an existing cache entry and update the cached link-layer address.
The IP address of the target of the advertisement.
Neighbor Advertisement messages include zero or more options, some of which may appear multiple times in the same message.
Neighbor Advertisement messages include zero or more options, some of which may appear multiple times in the same message.
Target Link Addr characterizes the Target Link-Layer Address option.
Routers send Redirect packets to inform a host of a better first-hop node on the path to a destination. Hosts can be redirected to a better first-hop router but can also be informed by a redirect that the destination is in fact a neighbor. The latter is accomplished by setting the ICMP Target Address equal to the ICMP Destination Address. (type=137; code=0).
An IP address that is a better first hop to use for the ICMP Destination Address.
The IP address of the destination that is redirected to the target.
Redirect messages include zero or more options, some of which may appear multiple times in the same message.
Redirect messages include zero or more options, some of which may appear multiple times in the same message.
NDPLinkAddrType characterizes the Link-Layer Address option.
The length of the option (including the type and length fields) in units of 8 octets.
The variable length link-layer address. The content and format of this field (including byte and bit ordering) is expected to be specified in specific documents that describe how IPv6 operates over different link layers.
Prefix Info characterizes Prefix Information for Router Advertisement Options. It provides hosts with on-link prefixes and prefixes for Address Autoconfiguration. (type=3). RFC 4861.
1-bit on-link flag. When set, it indicates that this prefix can be used for on-link determination. When not set, the advertisement makes no statement about on-link or off-link properties of the prefix.
1-bit autonomous address-configuration flag. When set, it indicates that this prefix can be used for stateless address configuration.
Length characterizes the length of the option (the number of valid leading bits in the prefix), and is represented as a 32-bit integer.
8-bit unsigned integer. The number of leading bits in the Prefix that are valid. The value ranges from 0 to 128. The prefix length field provides necessary information for on-link determination (when combined with the L flag in the prefix information option).
32-bit unsigned integer. The length of time in seconds (relative to the time the packet is sent) that the prefix is valid for the purpose of on-link determination. A value of all one bits (0xffffffff) represents infinity.
32-bit unsigned integer. The length of time in seconds (relative to the time the packet is sent) that addresses generated from the prefix via stateless address autoconfiguration remain preferred.
The Prefix is an IP address or a prefix of an IP address.
The redirected header option is used in redirect messages and contains all or part of the packet that is being redirected. (type=4).
The length of the option (including the type and length fields) in units of 8 octets.
As much as possible of the IP packet that triggered the sending of the redirect, without making the redirect packet larger than the MTU.
The MTU option is used in Router Advertisement messages to ensure that all nodes on a link use the same MTU value in those cases where the link MTU is not well known. (type=5).
The length of the MTU option type: length=1.
The recommended MTU for the link. 32-bit unsigned integer.
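The Router Advertisement flags, the Neighbor Advertisement R/S/O bits and the option formats above (link-layer address, prefix information, redirected header, MTU) are shown here in an added example that is not part of the CybOX schema or MITRE's code. It walks the option list using the 8-octet length units described in the text, rejects a zero-length option (which would otherwise loop forever), and decodes the L/A prefix flags and the 0xffffffff "infinity" lifetime. The ICMPv6 type and option numbers are RFC 4861 values assumed for the example; the sample messages are constructed and their checksum fields are left zero.

```python
import struct
import ipaddress

# Assumed RFC 4861 constants (not from the schema text)
ND_ROUTER_ADVERT, ND_NEIGHBOR_ADVERT = 134, 136
OPT_SRC_LINK_ADDR, OPT_TARGET_LINK_ADDR, OPT_PREFIX_INFO, OPT_REDIRECTED_HDR, OPT_MTU = 1, 2, 3, 4, 5
INFINITY = 0xFFFFFFFF


def parse_nd_options(buf: bytes) -> list:
    """Walk NDP options. Length is in units of 8 octets and includes type/length;
    a zero length is invalid (RFC 4861) and is rejected rather than looping."""
    opts, off = [], 0
    while off + 2 <= len(buf):
        otype, olen = buf[off], buf[off + 1]
        if olen == 0:
            raise ValueError("NDP option with zero length")
        size = olen * 8
        if off + size > len(buf):
            raise ValueError("NDP option runs past end of message")
        body = buf[off + 2:off + size]
        opt = {"type": otype, "length": olen}
        if otype in (OPT_SRC_LINK_ADDR, OPT_TARGET_LINK_ADDR):
            opt["link_addr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and size == 32:
            plen, flags, valid, preferred = struct.unpack("!BBII", body[:10])
            opt.update({
                "prefix_length": plen,
                "on_link": bool(flags & 0x80),          # L flag
                "autonomous": bool(flags & 0x40),       # A flag
                "valid_lifetime": valid,
                "valid_forever": valid == INFINITY,
                "preferred_lifetime": preferred,
                "prefix": str(ipaddress.IPv6Address(body[14:30])),  # after 4 reserved bytes
            })
        elif otype == OPT_MTU and size == 8:
            opt["mtu"] = struct.unpack("!I", body[2:6])[0]   # 2 reserved bytes, then MTU
        elif otype == OPT_REDIRECTED_HDR:
            opt["ip_header_and_data"] = body[6:]             # 6 reserved bytes, then the packet
        else:
            opt["raw"] = body
        opts.append(opt)
        off += size
    return opts


def parse_router_advert(msg: bytes) -> dict:
    """Type 134: hop limit, M/O flags, router lifetime, reachable time, retrans timer, options."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, code, _csum, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", msg[:16])
    return {
        "code": code,
        "cur_hop_limit": hop_limit,                  # 0 = unspecified by this router
        "managed_addr_config": bool(flags & 0x80),   # M flag: addresses via DHCPv6
        "other_config": bool(flags & 0x40),          # O flag: other info via DHCPv6
        "router_lifetime": lifetime,                 # seconds
        "reachable_time": reachable,                 # milliseconds, 0 = unspecified
        "retrans_timer": retrans,                    # milliseconds, 0 = unspecified
        "options": parse_nd_options(msg[16:]),
    }


def parse_neighbor_advert(msg: bytes) -> dict:
    """Type 136: R/S/O flags, target address, options."""
    if len(msg) < 24 or msg[0] != ND_NEIGHBOR_ADVERT:
        raise ValueError("not a Neighbor Advertisement")
    flags = msg[4]
    return {
        "router": bool(flags & 0x80),      # R bit
        "solicited": bool(flags & 0x40),   # S bit
        "override": bool(flags & 0x20),    # O bit
        "target": str(ipaddress.IPv6Address(msg[8:24])),
        "options": parse_nd_options(msg[24:]),
    }


# Constructed sample RA: M set, lifetime 1800 s, with link-layer, MTU and prefix options
SAMPLE_RA = bytes.fromhex(
    "8600" "0000" "40" "80" "0708" "00000000" "00000000"
    "0101" "02aabbccddee"                      # option 1: source link-layer address
    "0501" "0000" "000005dc"                   # option 5: MTU 1500
    "0304" "40" "c0" "00278d00" "00093a80"     # option 3: /64, L+A, valid 2592000 s, preferred 604800 s
    "00000000" "20010db8000000000000000000000000"  # reserved, prefix 2001:db8::
)
# Constructed sample NA: S and O set, target 2001:db8::1, with target link-layer option
SAMPLE_NA = (bytes.fromhex("8800" "0000" "60" "000000")
             + bytes.fromhex("20010db8" + "00" * 11 + "01")
             + bytes.fromhex("0201" "02aabbccddee"))

if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_router_advert(SAMPLE_RA))
    pprint(parse_neighbor_advert(SAMPLE_NA))
```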
The Internet layer is the group of methods, protocols, and specifications that are used to transport packets from the originating host across network boundaries. Not all protocols are currently defined, just those most commonly used: IPv4, ICMPv4, IPv6, ICMPv6. Other protocols will be added as needed. (http://en.wikipedia.org/wiki/Internet_layer).
Internet Protocol version 4 (IPv4) is a connectionless protocol for use on packet-switched link layer networks (e.g., Ethernet).
ICMP is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol; REF: http://www.networksorcery.com/enp/protocol/icmp.htm).
Internet Protocol version 6 (IPv6) is intended to succeed IPv4, and like IPv4 it is a connectionless protocol for use on packet-switched link layer networks.
ICMPv6 is the implementation of the ICMP for IPv6. ICMPv6 performs error reporting and diagnostic functions.
Internet Protocol version 4 (IPv4) is a connectionless protocol for use on packet-switched link layer networks (e.g., Ethernet). REF: RFC 791; http://en.wikipedia.org/wiki/IPv4.
The IPv4 header provides addressing, and internet modules use fields in the header to fragment and reassemble internet datagrams when necessary for transmission through small packet networks.
The data portion of an IP packet is interpreted based on the value of the Protocol header field. Actual field values will probably be specified in the elements of the different network layers, but we provide a field here to capture any data as necessary.
The IPv4 header provides addressing, and internet modules use fields in the header to fragment and reassemble internet datagrams when necessary for transmission through small packet networks. REF: RFC 791.
The version field indicates the format of the internet header. For IP v4, the version is 4.
The Internet Header Length specifies the length of the IP packet header in 32-bit words. Min value = 5.
Originally defined as the Type of Service field, the Differentiated Services Code Point (DSCP) field is now defined by RFC 2474 for Differentiated services (DiffServ). New technologies are emerging that require real-time data streaming and therefore make use of the DSCP field. An example is Voice over IP (VoIP), which is used for interactive data voice exchange (http://en.wikipedia.org/wiki/IPv4).
Explicit Congestion Notification: This field is defined in RFC 3168 and allows end-to-end notification of network congestion without dropping packets. ECN is an optional feature that is only used when both endpoints support it and are willing to use it. It is only effective when supported by the underlying network. (http://en.wikipedia.org/wiki/IPv4).
This 16-bit field defines the entire datagram size, including header and data, in bytes.
The Identification field is primarily used for uniquely identifying fragments of an original IP datagram. (http://en.wikipedia.org/wiki/IPv4).
This is a three-bit field used to control or identify fragments. A field has been defined for each bit with associated enumerated types.
The fragment offset field is 13 bits long and specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP datagram. http://en.wikipedia.org/wiki/IPv4.
This 8-bit field helps prevent datagrams from persisting on an internet (it limits a datagram's lifetime).
This field defines the protocol used in the data portion of the IP datagram. The type of this field is an enumerated list of IP protocol numbers as maintained by the Internet Assigned Numbers Authority.
This field is a 16-bit checksum used for error-checking of the header.
This field is the IPv4 address of the sender of the packet.
This field is the IPv4 address of the receiver of the packet.
The IPv4 option field is variable in length with zero or more options. It is not often used. http://en.wikipedia.org/wiki/IPv4.
These flag types are used to control or identify fragments in an IP packet. It is a three-bit field; each of the three bits is defined by a field with a string value that indicates the meaning of whether or not the bit is set.
Bit 0: This bit value (0) is reserved and must be zero.
Bit 1: This is the "don't fragment" bit. Values are specified in the DoNotFragmentType.
Bit 2: This is the "more fragments" bit. Values are specified in the MoreFragmentsType.
DoNotFragmentType specifies fragmenting options, via a union of the DoNotFragmentTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
MoreFragmentsType specifies whether there are more fragments, via a union of the MoreFragmentsTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The IPv4 option field is variable in length with zero or more options.
The copied flag (1 bit) indicates that this option is copied into all fragments on fragmentation. It is represented in this field by a string that specifies its value.
The option class is represented by 2 bits where 0 = control; 1 = reserved for future use; 2 = debugging and measurement; 3 = reserved for future use. These enumerated values are defined for this field.
The Internet Protocol has provision for optional header fields identified by an option type. These types are enumerated in the IPv4OptionsType.
IPv4CopyFlagType specifies value of IPv4 copy flag, via a union of the IPv4CopyFlagTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
IPv4ClassType specifies IPv4 class type, via a union of the IPv4ClassTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
IPv4OptionsType specifies IPv4 options, via a union of the IPv4OptionsTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
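The IPv4 header fields, the three fragment flag bits, the 13-bit fragment offset and the option-type octet (copied flag, 2-bit class, 5-bit number) described above can be checked against real bytes with the parser below. This is an added example, not code from the CybOX schema or MITRE; it also verifies the RFC 791 header checksum, which is the first thing a practitioner wants to know about a captured header. The protocol-name table and the sample header are assumptions constructed for the example.

```python
import struct
import ipaddress

# Assumed lookup tables (IANA values), not part of the schema text
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6", 47: "GRE", 50: "ESP", 51: "AH"}
OPTION_CLASSES = {0: "control", 1: "reserved for future use",
                  2: "debugging and measurement", 3: "reserved for future use"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def decode_option_type(type_byte: int) -> dict:
    """Option-type octet: copied flag (bit 7), class (bits 6-5), number (bits 4-0)."""
    return {
        "copied": bool(type_byte & 0x80),
        "class": OPTION_CLASSES[(type_byte >> 5) & 0x03],
        "number": type_byte & 0x1F,
    }


def parse_options(area: bytes) -> list:
    """End-of-list (0) and NOP (1) are single octets; every other option has a
    length octet that counts the type and length bytes as well as the data."""
    opts, off = [], 0
    while off < len(area):
        type_byte = area[off]
        entry = decode_option_type(type_byte)
        if type_byte == 0:
            opts.append(entry)
            break
        if type_byte == 1:
            opts.append(entry)
            off += 1
            continue
        if off + 1 >= len(area):
            raise ValueError("option missing its length octet")
        length = area[off + 1]
        if length < 2 or off + length > len(area):
            raise ValueError("option length out of range")
        entry["data"] = area[off + 2:off + length]
        opts.append(entry)
        off += length
    return opts


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header, fragment flags/offset and options; verify the checksum."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError(f"not an IPv4 header (version={version}, ihl={ihl})")
    hlen = ihl * 4
    if len(packet) < hlen or total_len < hlen:
        raise ValueError("header length exceeds packet or total length")
    header = packet[:hlen]
    flags = flags_frag >> 13
    return {
        "version": version,
        "ihl": ihl,
        "dscp": tos >> 2,
        "ecn": tos & 0x03,
        "total_length": total_len,
        "identification": ident,
        "reserved_bit": bool(flags & 0x4),      # bit 0: must be zero
        "do_not_fragment": bool(flags & 0x2),   # bit 1: DF
        "more_fragments": bool(flags & 0x1),    # bit 2: MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13-bit field is in 8-octet units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"unknown ({proto})"),
        "header_checksum": csum,
        "checksum_ok": ipv4_header_checksum(header) == csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": parse_options(header[20:hlen]),
    }


# Constructed sample: header-only datagram, DF set, UDP, 192.168.0.1 -> 192.168.0.199
SAMPLE_IPV4_HEADER = bytes.fromhex("4500007300004000" "4011b861" "c0a80001" "c0a800c7")

if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_ipv4(SAMPLE_IPV4_HEADER))
```

The `fragment_offset` is reported in bytes (the 13-bit field counts 8-octet units), and `checksum_ok` is computed rather than trusted, so a header whose TTL or addresses were altered in transit without a recomputed checksum shows up immediately.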
Internet Protocol version 6 (IPv6) is intended to succeed IPv4, and like IPv4 it is a connectionless protocol for use on packet-switched link layer networks. RFC 3513, RFC 2460, http://en.wikipedia.org/wiki/IPv6.
The IPv6 header is a simplification of the IPv4 header.
In IPv6, optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. http://tools.ietf.org/html/rfc2460.
The data portion of an IP packet. Actual field values will probably be specified in the elements of the different network layers, but we provide a field here to capture any data as necessary.
The IPv6 header is a simplification of the IPv4 header.
4-bit Internet Protocol version number = 6.
8-bit traffic class field. Available for use by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities of IPv6 packets. http://tools.ietf.org/html/rfc2460#section-7.
20-bit flow label. Used by a source to label sequences of packets for which it requests special handling by the IPv6 routers, such as non-default quality of service. http://tools.ietf.org/html/rfc2460#section-6.
16-bit unsigned integer. Length of the IPv6 payload (the rest of the packet following the IPv6 header) in octets. Any extension headers are considered part of the payload.
8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 protocol field.
TTL/hop limit specifies how many times a packet can be forwarded. 8-bit unsigned integer.
128-bit address of the originator of the packet.
128-bit address of the intended recipient of the packet.
In IPv6, optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. An IPv6 packet may carry zero, one, or more extension headers, each identified by the Next Header field of the preceding header. http://tools.ietf.org/html/rfc2460.
IPv6DoNotRecogActionType specifies possible actions when option is not recognized, via a union of the IPv6DoNotRecogActionTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
IPV6PacketChangeType specifies whether a packet has changed, via a union of the IPv6PacketChangeTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Specifies the meaning of each bit of the 8-bit IPv6OptionType type.
Action to be taken if the processing IPv6 node does not recognize the Option Type. This information is encoded in the highest-order two bits of the Option Type identifier, which specify the action that must be taken if the processing IPv6 node does not recognize the Option Type. These possible actions are enumerated via IPv6DoNotRecogActionType.
The third highest order bit of the Option Data specifies whether or not the Option Data of that option can change en-route to the packet's final destination.
This field may be used to specify the actual Option Type byte, with no explicit meaning attached. Meaning/interpretation provided by the Do_Not_Recogn_Action and Packet_Change fields.
IPVersionType specifies IP versions, via a union of the IPVersionTypeEnum type and the atomic xs:string type. See http://www.iana.org/assignments/version-numbers/version-numbers.xml for a complete list. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
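The IPv6 fixed header, the extension-header chain driven by each Next Header value, and the option-type octet (two action bits for unrecognized options, the change-en-route bit, and the option number) described above are exercised in the following added example, which is not code from the CybOX schema or MITRE. It unpacks the 4/8/20-bit split of the first word, follows Hop-by-Hop, Routing, Fragment and Destination Options headers until it reaches the upper-layer protocol, and decodes TLV options inside the options headers. The Next Header numbers and the two sample packets are assumptions constructed for the example (checksums inside the ICMPv6 payload are left zero).

```python
import struct
import ipaddress

# Assumed IANA Next Header values (not from the schema text); ESP/AH are not walked here
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6, NO_NEXT_HEADER = 0, 43, 44, 60, 58, 59
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

# Highest-order two bits of the option type (RFC 2460 section 4.2)
UNRECOGNIZED_ACTIONS = {
    0: "skip over this option and continue processing the header",
    1: "discard the packet",
    2: "discard the packet and send an ICMP Parameter Problem",
    3: "discard the packet and send an ICMP Parameter Problem unless the destination is multicast",
}


def decode_option_type(type_byte: int) -> dict:
    """Split an IPv6 option type octet into its encoded sub-fields."""
    return {
        "option_type": type_byte,
        "do_not_recogn_action": UNRECOGNIZED_ACTIONS[type_byte >> 6],
        "packet_change": bool(type_byte & 0x20),   # third-highest bit: data may change en route
        "option_number": type_byte & 0x1F,
    }


def parse_tlv_options(body: bytes) -> list:
    """Options in Hop-by-Hop / Destination Options headers: Pad1 is a single
    zero octet; everything else is type, length, data."""
    opts, off = [], 0
    while off < len(body):
        t = body[off]
        if t == 0:
            opts.append({"option_type": 0, "pad": 1})
            off += 1
            continue
        if off + 1 >= len(body):
            raise ValueError("option missing its length octet")
        ln = body[off + 1]
        if off + 2 + ln > len(body):
            raise ValueError("option data runs past the header")
        entry = decode_option_type(t)
        entry["data"] = body[off + 2:off + 2 + ln]
        opts.append(entry)
        off += 2 + ln
    return opts


def parse_ipv6(packet: bytes) -> dict:
    """Decode the 40-byte fixed header, then follow the extension-header chain."""
    if len(packet) < 40:
        raise ValueError("shorter than the 40-byte IPv6 header")
    first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 header")
    out = {
        "version": 6,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "extension_headers": [],
    }
    off, end, nh = 40, min(len(packet), 40 + payload_len), next_hdr
    while nh in EXTENSION_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:                      # fixed 8 bytes, no length octet
            nxt, _, frag_field, ident = struct.unpack("!BBHI", packet[off:off + 8])
            ext = {"type": nh, "fragment_offset": frag_field >> 3,      # 8-octet units
                   "more_fragments": bool(frag_field & 1), "identification": ident}
            hlen = 8
        else:                                   # length octet counts 8-octet units beyond the first
            nxt, hlen = packet[off], (packet[off + 1] + 1) * 8
            if off + hlen > end:
                raise ValueError("extension header runs past payload length")
            ext = {"type": nh, "length": hlen}
            if nh in (HOP_BY_HOP, DEST_OPTS):
                ext["options"] = parse_tlv_options(packet[off + 2:off + hlen])
        out["extension_headers"].append(ext)
        nh, off = nxt, off + hlen
    out["upper_layer_protocol"] = nh           # 59 means No Next Header
    out["upper_layer_payload"] = packet[off:end]
    return out


# Constructed sample 1: Hop-by-Hop header carrying a Router Alert option, then ICMPv6 echo request
SAMPLE_IPV6_HBH = (bytes.fromhex("62812345" "0010" "00" "40")            # tc 0x28, flow 0x12345, len 16, HBH, hop 64
                   + bytes.fromhex("20010db8" + "00" * 11 + "01")       # src 2001:db8::1
                   + bytes.fromhex("ff02" + "00" * 13 + "01")           # dst ff02::1
                   + bytes.fromhex("3a00" "05020000" "0100")            # next 58; Router Alert (type 5); PadN
                   + bytes.fromhex("8000" "0000" "00010001"))           # ICMPv6 echo request, checksum zero
# Constructed sample 2: Fragment header, offset 185 (1480 bytes), more fragments set
SAMPLE_IPV6_FRAG = (bytes.fromhex("60000000" "0010" "2c" "40")
                    + bytes.fromhex("20010db8" + "00" * 11 + "01")
                    + bytes.fromhex("20010db8" + "00" * 11 + "02")
                    + bytes.fromhex("3a00" "05c9" "00c0ffee")           # next 58, offset/M, identification
                    + bytes(8))                                          # filler for the fragment body

if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_ipv6(SAMPLE_IPV6_HBH))
```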
Only UDP and TCP are defined to begin with. Other protocols will be defined as necessary.
TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to another program on another computer. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
The TCP header contains 10 mandatory fields and an optional extension field. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Options have up to three fields: Option-Kind (1 byte), Option-Length (1 byte), Option-Data (variable). This field will be further defined when required.
The Data field specifies the data payload of the TCP packet.
UDP uses a simple transmission model without implicit handshaking dialogues for providing reliability, ordering, or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated, or go missing without notice. http://en.wikipedia.org/wiki/User_Datagram_Protocol.
The UDP header consists of four fields, which are defined here.
The Data field specifies the data payload of the UDP packet.
The TCP header contains 10 mandatory fields and an optional extension field. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Identifies the sending port.
Identifies the receiving port.
The Sequence number (32-bits) has a dual role: If the SYN flag is set, then this is the initial sequence number. If the SYN flag is clear (see Control Bits element), then this is the accumulated sequence number of the first data byte of this packet for the current session. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
If the ACK flag (see Control Bits element) is set then the value of this field is the next sequence number that the receiver is expecting.
Specifies the size of the TCP header in 32-bit words.
These 3 bits are reserved for future use and should be set to zero.
The TCP header contains 9 flags (aka Control Bits).
The size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
The 16-bit checksum field is used for error-checking of the header and data. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Defines the 9 different flags in the TCP header.
ECN-nonce concealment protection.
Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded with the congestion control mechanism. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
ECN-Echo indicates: if the SYN flag is set, that the TCP peer is ECN capable; if the SYN flag is clear, that a packet with Congestion Experienced flag in IP header set is received during normal transmission. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Indicates that the Urgent pointer field is significant.
Indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Push function. Asks to push the buffered data to the receiving application. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Reset the connection.
Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
If this flag is set, it means there is no more data from sender.
The UDP header type defines the four fields in the UDP header.
Identifies the sender's port.
Identifies the receiver's port.
Specifies the length in bytes of the entire datagram (header and data).
The checksum is used for error-checking of the header and data.
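The TCP header fields, the nine control bits (including NS, which lives in the low bit of the data-offset octet rather than the flags octet), the TCP option TLVs, and the four UDP header fields described above are decoded in the following added example, which is not code from the CybOX schema or MITRE. Because the page describes both checksums only as "error-checking of the header and data", the example also shows what that means in practice for transport protocols: the checksum covers an IPv4 pseudo-header (source, destination, zero, protocol, length) in addition to the segment. The protocol numbers and sample packets are assumptions constructed for the example.

```python
import struct

# Bit positions within the 9-bit control field; NS is bit 8 (low bit of the data-offset octet)
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS")
IPPROTO_TCP, IPPROTO_UDP = 6, 17    # assumed IANA protocol numbers


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def transport_checksum(proto: int, src_ip: bytes, dst_ip: bytes, segment: bytes, csum_off: int) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header plus the segment with its own
    checksum field zeroed. UDP transmits 0xFFFF when the result would be zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(segment))
    zeroed = segment[:csum_off] + b"\x00\x00" + segment[csum_off + 2:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return 0xFFFF if proto == IPPROTO_UDP and csum == 0 else csum


def parse_tcp_options(area: bytes) -> list:
    """Option-Kind, Option-Length, Option-Data; kinds 0 (EOL) and 1 (NOP) carry no length."""
    opts, off = [], 0
    while off < len(area):
        kind = area[off]
        if kind == 0:
            opts.append({"kind": 0, "name": "EOL"})
            break
        if kind == 1:
            opts.append({"kind": 1, "name": "NOP"})
            off += 1
            continue
        if off + 1 >= len(area) or area[off + 1] < 2 or off + area[off + 1] > len(area):
            raise ValueError("malformed TCP option")
        length = area[off + 1]
        entry = {"kind": kind, "data": area[off + 2:off + length]}
        if kind == 2 and length == 4:
            entry["mss"] = struct.unpack("!H", entry["data"])[0]
        elif kind == 4:
            entry["name"] = "SACK permitted"
        opts.append(entry)
        off += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    """Decode the 20-byte fixed header, all nine flags, options and payload."""
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte minimum TCP header")
    (sport, dport, seq, ack, off_ns, flags8,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_ns >> 4
    hlen = data_offset * 4
    if data_offset < 5 or len(segment) < hlen:
        raise ValueError("bad data offset")
    nine_bits = ((off_ns & 0x01) << 8) | flags8
    return {
        "source_port": sport,
        "dest_port": dport,
        "sequence_number": seq,
        "acknowledgment": ack,
        "data_offset": data_offset,
        "reserved": (off_ns >> 1) & 0x07,        # should be zero
        "flags": {name: bool(nine_bits >> i & 1) for i, name in enumerate(TCP_FLAG_NAMES)},
        "window": window,
        "checksum": csum,
        "urgent_pointer": urg if flags8 & 0x20 else None,   # meaningful only when URG is set
        "options": parse_tcp_options(segment[20:hlen]),
        "data": segment[hlen:],
    }


def parse_udp(datagram: bytes, src_ip: bytes = None, dst_ip: bytes = None) -> dict:
    """Decode the four UDP fields; verify the checksum when the IP addresses are supplied."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field inconsistent with datagram")
    out = {"source_port": sport, "dest_port": dport, "length": length,
           "checksum": csum, "data": datagram[8:length], "checksum_ok": None}
    if src_ip is not None and dst_ip is not None and csum != 0:   # 0 means "not computed" over IPv4
        out["checksum_ok"] = transport_checksum(IPPROTO_UDP, src_ip, dst_ip, datagram[:length], 6) == csum
    return out


# Constructed samples: SYN with MSS/SACK options (checksum left zero), and a UDP datagram with a valid checksum
SRC_IP, DST_IP = bytes([192, 168, 0, 1]), bytes([192, 168, 0, 199])
SAMPLE_TCP_SYN = bytes.fromhex("c000" "01bb" "12345678" "00000000" "70" "02" "ffff" "0000" "0000"
                               "0204" "05b4" "0402" "01" "00")
SAMPLE_UDP = bytes.fromhex("3039" "0035" "000c" "6e7e") + b"ping"

if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_tcp(SAMPLE_TCP_SYN))
    pprint(parse_udp(SAMPLE_UDP, SRC_IP, DST_IP))
```

`parse_udp` distinguishes a zero checksum (permitted over IPv4, meaning none was computed) from a wrong one, reporting `None` rather than a failure in that case.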
IANAHardwareType specifies the type of hardware, via a union of the IANAHardwareTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
EtherObjectType specifies the "type" field of Ethernet frames, via a union of the IANAEtherTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
IANAAssignedIPNumbersType specifies Internet Protocol numbers, via a union of the IANAAssignedIPNumbersTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
IANAPortNumberRegistryType specifies port numbers, via a union of the IANAPortNumberRegistryTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
ICMP is used to send error messages (e.g., a datagram cannot reach its destination), informational messages ( e.g., timestamp information), or a traceroute message. REF: http://www.networksorcery.com/enp/protocol/icmp.htm.
Actual header bytes are captured here. The message content of each type/code pair is also defined as part of the larger, complex "ICMPv4PacketType" type as either an error message, an informational message, or a traceroute message. The meaning of the type and code bytes is made explicit in the elements corresponding to each message type.
Actual ICMP header bytes are defined, corresponding to the ICMP type, ICMP code, and to the checksum.
ICMP Type byte specifies the format of the ICMP message.
ICMP Code byte further qualifies the ICMP message.
ICMP Checksum (16 bits) covers the ICMP message.
ICMP error messages include destination unreachable messages, source quench messages, redirect messages, and time exceeded messages.
Message content common to all ICMP error messages are defined here. Fields that are specific to individual messages are defined separately under each message type.
Elements associated with ICMPv4 error messages (as opposed to ICMP informational messages or ICMP traceroute message).
IP header from the original datagram.
First 8 bytes of the original datagram's data.
ICMP informational messages include echo request/reply, timestamp request/reply, and address mask request/reply.
Fields that are common to all ICMP informational messages are defined here. Fields that are specific to individual messages are defined separately under each message type.
Elements associated with ICMPv4 informational messages (as opposed to ICMP error messages or ICMP traceroute message).
16-bit identifier. Combined with the sequence number, called the "quench" for echo reply and echo request.
16-bit sequence number. The identifier and sequence number can be used by the client to match the reply with the request that caused the reply.
Elements associated with ICMPv4 traceroute message (as opposed to ICMP error messages or ICMP informational messages); corresponds to ICMP type =30. (http://www.networksorcery.com/enp/protocol/icmp/msg30.htm).
16 bits. The ID number as copied from the ICMP traceroute option of the packet which caused this traceroute message to be sent (not related to the ID number in the IP header). (http://www.networksorcery.com/enp/protocol/icmp/msg30.htm).
16 bits. Outbound hop count as copied from the IP traceroute option of the packet which caused this traceroute message to be sent (http://www.networksorcery.com/enp/protocol/icmp/msg30.htm).
16 bits. Return hop count as copied from the IP traceroute options of the packet which caused this traceroute message to be sent. (http://www.networksorcery.com/enp/protocol/icmp/msg30.htm).
32 bits. The speed in bytes per second of the link over which the Outbound/Return Packet will be sent. If this value cannot be determined, the field should be set to zero. (http://www.networksorcery.com/enp/protocol/icmp/msg30.htm).
32 bits. The MTU in bytes of the link over which the Outbound/Return Packet will be sent. MTU refers to the data portion (includes IP header; excludes datalink header/trailer) of the packet. If this value cannot be determined, this field should be set to zero. (http://www.networksorcery.com/enp/protocol/icmp/msg30.htm).
ICMP is used to send error messages (e.g., a datagram cannot reach its destination), informational messages ( e.g., ping). Only the message types defined in RFC 4443 (ICMP v6) are included; additional message types will be defined as needed. REF: http://tools.ietf.org/html/rfc4443 and http://www.networksorcery.com/enp/protocol/icmpv6.htm and http://en.wikipedia.org/wiki/ICMPv6.
Actual ICMP v6 header bytes are defined, corresponding to the ICMP type, ICMP code, and to the checksum.
For ICMP v6 error messages, boolean values are used in this field to explicitly interpret the type and code bytes appearing in the ICMP header. Additional fields and message content are also defined here. The type value indicates whether an ICMP message is an error message (type is 0 to 127) or an information message (type is 128 to 255).
For ICMP v6 informational messages, boolean values are used in this field to explicitly interpret the type and code bytes appearing in the ICMP header. Additional fields and message content are also defined here. The type value indicates whether an ICMP message is an error message (type is 0 to 127) or an information message (type is 128 to 255).
Actual ICMP header bytes are defined, corresponding to the ICMP type, ICMP code, and to the checksum. Translation of each type and code byte are defined in text by using boolean values associated with corresponding elements in the informational and error message type elements.
The ICMP v6 type byte specifies the type of the message. Values from 0 to 127 (high-order bit is 0) indicate an error message; values from 128 to 255 (high-order bit is 1) indicate an informational message.
The code byte value depends on the message type and provides an additional level of message granularity.
Checksum characterizes the checksum information of an ICMPv6 header.
ICMP v6 error messages include destination unreachable messages, packet too big messages, time exceeded messages, and parameter problem messages, as defined in RFC 2463. Type values of ICMP v6 error messages range from 1 to 127.
As much of the invoking packet as possible without the ICMPv6 packet exceeding the minimum IPv6 MTU.
ICMP v6 informational messages include echo request/reply; other informational message types will be added in the future as they are more commonly used (only echo request/reply are defined in RFC 4443).
Fields that are common to all ICMP v6 informational messages are defined here. Fields that are specific to individual messages are defined separately under each message type.
Elements associated with ICMPv6 informational messages (as opposed to ICMP v6 error messages).
16-bit identifier. Combined with the sequence number, called the "quench" for echo reply and echo request.
16-bit sequence number. The identifier and sequence number can be used by the client to match the reply with the request that caused the reply.
Echo reply v4 informational message (used to ping); ICMP type=0.
Echo reply is the only subtype (code=0).
This data is optional and carries the payload returned with an ICMP Echo Reply message (the data received in the corresponding Echo Request is returned unchanged). It can be of arbitrary length, but less than the MTU of the network.
Destination Unreachable error message; ICMP type=3.
This further specifies an ICMP destination unreachable (type=3) message of code=4 (fragmentation required) by providing a Next-Hop MTU field.
Indicates that the subtype of the destination unreachable ICMP message is "fragmentation required".
The Next-Hop MTU field contains the MTU of the next-hop network when a code 4 error (fragmentation required) occurs.
Source Quench (congestion control) error message; ICMP type=4.
Source quench is the only subtype (code=0).
Redirect Message error message; ICMP type=5.
The IP address is the 32-bit address of the gateway to which the redirection should be sent.
Echo Request informational message (used to ping); ICMP type=8.
Echo request is the only subtype (code=0).
This data is optional and carries the payload sent with an ICMP Echo Request message, which the responder returns in its Echo Reply. It can be of arbitrary length, but less than the MTU of the network.
Time Exceeded error message; ICMP type=11.
Time Stamp Request informational message; ICMP type=13.
This is the only subtype of a timestamp request message (code=0).
32-bits; number of ms since midnight UT. The originate timestamp is the time the sender last touched the message before sending it. If the time is not available in milliseconds or cannot be provided with respect to midnight UT, then any time can be inserted in a timestamp provided the high order bit of the timestamp is also set to indicate this non-standard value.
Time Stamp Reply informational message; ICMP type=14.
This is the only subtype of a timestamp reply message (code=0).
The originate timestamp is the time the sender last touched the message before sending it. If the time is not available in milliseconds or cannot be provided with respect to midnight UT, then any time can be inserted in a timestamp provided the high order bit of the timestamp is also set to indicate this non-standard value.
The receive timestamp is the time the echoer first touched the message on receipt. If the time is not available in milliseconds or cannot be provided with respect to midnight UT, then any time can be inserted in a timestamp provided the high order bit of the timestamp is also set to indicate this non-standard value.
The transmit timestamp is the time the echoer last touched the message on sending it. If the time is not available in milliseconds or cannot be provided with respect to midnight UT, then any time can be inserted in a timestamp provided the high order bit of the timestamp is also set to indicate this non-standard value.
Address Mask Request informational message; ICMP type=17.
This is the only possible subtype of an address mask request message (code=0).
The address mask can be set to 0 in an address mask request message (as opposed to an address mask reply message, in which case it should be set to the subnet mask).
Address Mask Reply informational message; ICMP type=18.
This is the only possible subtype of an address mask reply message (code=0).
This address mask field should be set to the subnet mask.
Destination unreachable error message; ICMP v6 type=1.
Packet too big error message; ICMP v6 type=2.
Only one code value is defined and is set to 0 (zero) by the originator and ignored by the receiver.
Maximum Transmission Unit describes the size limit for any given physical network.
Time exceeded error message; ICMP v6 type=3.
Parameter problem error message; ICMP v6 type=4.
Identifies the octet offset within the invoking packet where the error was detected.
Echo request informational ICMP v6 message; type=128.
Every node must implement an ICMP v6 Echo responder function that receives Echo Requests (ICMP v6 code=0).
Zero or more octets of arbitrary data.
Echo reply informational ICMP v6 message; type=129.
Every node must implement an ICMP v6 Echo responder function that originates corresponding Echo Replies (ICMP v6 code=0).
This is the data from the invoking echo request message.
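The ICMPv6 header and message fields described above (type byte with its high-order-bit classification, code, checksum, the Packet Too Big MTU, the Parameter Problem pointer, and the echo identifier/sequence/data) can be extracted from raw bytes as follows. This is an added example, not part of the CybOX schema or of any MITRE tooling; it assumes RFC 4443 field layouts, computes the checksum over the IPv6 pseudo-header as that RFC specifies, and uses a constructed loopback echo request as sample input.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_NEXT_HEADER = 58      # IANA protocol number for ICMPv6
IPV6_MIN_MTU = 1280          # error messages must fit in this, including the 40-octet IPv6 header


def icmpv6_checksum(src: IPv6Address, dst: IPv6Address, message: bytes) -> int:
    """RFC 4443 s2.3: one's-complement sum over the IPv6 pseudo-header plus the ICMPv6 message."""
    # pseudo-header: source, destination, 32-bit upper-layer length, 3 zero octets, next header
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(message), ICMPV6_NEXT_HEADER)
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmpv6(src: IPv6Address, dst: IPv6Address, type_: int, code: int, body: bytes) -> bytes:
    """Assemble type, code, checksum and body; the checksum is computed with its own field zeroed."""
    msg = struct.pack("!BBH", type_, code, 0) + body
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_icmpv6(src: IPv6Address, dst: IPv6Address, msg: bytes) -> dict:
    """Decode the header bytes and the type-specific fields named in the schema text."""
    if len(msg) < 8:
        raise ValueError("an ICMPv6 message is at least 8 octets")
    type_, code, csum = struct.unpack("!BBH", msg[:4])
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    out = {
        "type": type_,
        "code": code,
        "checksum": csum,
        # high-order bit of the type byte: 0 = error (1..127), 1 = informational (128..255)
        "class": "informational" if type_ & 0x80 else "error",
        "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum,
    }
    if type_ in (128, 129):                  # Echo Request / Echo Reply
        ident, seq = struct.unpack("!HH", msg[4:8])
        out.update(identifier=ident, sequence=seq, data=msg[8:])
    else:                                    # error messages carry the invoking packet after octet 8
        out["invoking_packet"] = msg[8:]
        out["fits_min_mtu"] = 40 + len(msg) <= IPV6_MIN_MTU
        if type_ == 2:                       # Packet Too Big: MTU of the constraining link
            out["mtu"] = struct.unpack("!I", msg[4:8])[0]
        elif type_ == 4:                     # Parameter Problem: octet offset of the fault
            out["pointer"] = struct.unpack("!I", msg[4:8])[0]
    return out


# constructed sample: echo request ::1 -> ::1, identifier 0x1234, sequence 1, 4 octets of data
SRC = DST = IPv6Address("::1")
SAMPLE_ECHO = build_icmpv6(SRC, DST, 128, 0, struct.pack("!HH", 0x1234, 1) + b"ping")
```

The checksum must be recomputed with the checksum field zeroed, which is why `parse_icmpv6` rebuilds the message before verifying; a single flipped payload octet is enough to make `checksum_ok` false.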
Provides an IP address or a prefix of an IP address for NDP for IPv6.
Defines fields for the IPv6 Hop-by-Hop Options header which is used to carry optional information that must be examined by every node along a packet's delivery path.
Identifies the type of header immediately following the Hop-by-Hop Options header. Uses the same values as the IPv4 Protocol field.
Length of the Hop-by-Hop Options header in 8-octet units, not including the first 8 octets.
Variable-length field, of length such that the complete Hop-by-Hop Options header is an integer multiple of 8 octets long. Contains one or more type-length-value (TLV)-encoded options.
Defines the variable-length fields associated with IPv6 extension headers (the Hop-by-Hop Options header and the Destination Options header). Contains one or more type-length-value (TLV)-encoded options.
Identifies the type of option. This 8-bit Option Type identifier is internally encoded such that different bits have different meanings. These meanings are further specified in the IPv6OptionType type.
Length of the Option Data field of this option, in octets.
Specifies the fields of the Routing header, which is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination. http://tools.ietf.org/html/rfc2460.
Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field.
Length of the Routing header in 8-octet units, not including the first 8 octets.
8-bit identifier of a particular Routing header variant. Further definition will be added as required.
Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination. http://tools.ietf.org/html/rfc2460.
Variable length field, of format determined by the Routing Type.
Specifies the fields of the Fragment header, which is used by an IPv6 source to send a packet larger than would fit in the path MTU. http://tools.ietf.org/html/rfc2460.
Each fragment has a header containing next header information, the offset of the fragment, an M flag specifying whether or not it is the last fragment, and an identification value.
The fragment of the packet that corresponds to the fragment header. The length of the fragment must fit within the MTU of the path to the packet's destination.
Defines fields for the IPv6 Destination Options header which is used to carry optional information that needs to be examined only by a packet's destination node(s).
Identifies the type of header immediately following the Destination Options header. Uses the same values as the IPv4 Protocol field.
Length of the Destination Options header in 8-octet units, not including the first 8 octets.
Variable-length field, of length such that the complete Destination Options header is an integer multiple of 8 octets long. Contains one or more type-length-value (TLV)-encoded options.
The IP Authentication Header is used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays. http://www.ietf.org/rfc/rfc2402.txt.
Identifies the type of header immediately following the Authentication header. Uses the same values as the IPv4 Protocol field.
An 8-bit field specifying the length of the AH in 32-bit words (4-octet units), minus 2.
The SPI is an arbitrary 32-bit value that, in combination with the destination IP address and security protocol (AH), uniquely identifies the Security Association for this datagram. The set of SPI values in the range 1 through 255 are reserved by the Internet Assigned Numbers Authority (IANA) for future use. http://www.ietf.org/rfc/rfc2402.txt.
This unsigned 32-bit field contains a monotonically increasing counter value (sequence number).
This is a variable-length field that contains the Integrity Check Value (ICV) for this packet. The field must be an integer multiple of 32 bits in length.
ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. http://www.ietf.org/rfc/rfc2406.txt.
The SPI is an arbitrary 32-bit value that, in combination with the destination IP address and security protocol (ESP), uniquely identifies the Security Association for this datagram. http://www.ietf.org/rfc/rfc2406.txt.
This unsigned 32-bit field contains a monotonically increasing counter value (sequence number).
Payload Data is a variable-length field containing data described by the Next Header field.
The padding field can be used for various reasons, such as to fill in the plaintext as required by an encryption algorithm or to conceal the actual length of the payload.
The pad length indicates the number of pad bytes immediately preceding it. Range is 0-255, where a value of zero indicates that no padding bytes are present. http://www.ietf.org/rfc/rfc2406.txt.
Identifies the type of data contained in the Payload Data field. Uses the same values as the IPv4 Protocol field.
The Authentication Data is a variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data. http://www.ietf.org/rfc/rfc2406.txt.
The Pad1 type specifies how one octet of padding is inserted into the Options area of a header. The Pad1 option type does not have length and value fields.
The fixed 00 value specifies that the Pad1 option is used and also serves as the single octet of padding.
The PadN type specifies how two or more octets of padding are inserted into the Options area of a header.
Specifies the PadN option.
Length of the padding. For N octets of padding, the Option_Data_Length field contains the value N-2.
Actual padding; consists of N-2 zero-valued octets.
Each fragment has a header containing next header information, the offset of the fragment, an M flag specifying whether or not it is the last fragment, and an identification value.
Identifies the type of header immediately following the Fragment header. Uses the same values as the IPv4 Protocol field.
13-bit unsigned integer. The offset, in 8-octet units, of the data following this header, relative to the start of the Fragmentable Part of the original packet.
Indicates whether this is the last fragment or whether there are more fragments.
For every packet that is to be fragmented, the source node generates a 32-bit Identification value.
MFlagType specifies whether there are more fragments, via a union of the MFlagTypeEnum type and the atomic xs:string type. Its base type is the BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
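The extension-header fields described above (Hdr Ext Len in 8-octet units excluding the first 8, the Pad1/PadN option encoding, the Routing header type and Segments Left, the 13-bit Fragment Offset with its M flag and 32-bit Identification, and the AH Payload Len in 32-bit words minus 2) are what a decoder has to honour when walking an IPv6 header chain. The following is an added example, not code from the CybOX project; it assumes RFC 2460 and RFC 2402 layouts and IANA protocol numbers, and feeds itself a constructed Hop-by-Hop + Fragment chain.

```python
import struct

HOPOPT, ROUTING, AH, FRAGMENT, DSTOPTS = 0, 43, 51, 44, 60   # IANA protocol numbers
EXTENSION_HEADERS = {HOPOPT, ROUTING, AH, FRAGMENT, DSTOPTS}


def parse_options(opts: bytes) -> list:
    """Walk the TLV options area of a Hop-by-Hop or Destination Options header."""
    out, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                                   # Pad1: a single zero octet, no length/value
            out.append({"type": 0, "name": "Pad1", "len": 0})
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        olen = opts[i + 1]
        data = opts[i + 2:i + 2 + olen]
        if len(data) != olen:
            raise ValueError("option data runs past the options area")
        entry = {"type": otype, "len": olen, "data": data,
                 # RFC 2460 s4.2: top two bits = action if unrecognized, third bit = may change en route
                 "unrecognized_action": otype >> 6, "may_change_en_route": bool(otype & 0x20)}
        if otype == 1:                                   # PadN: N octets of padding, length field = N-2
            entry["name"] = "PadN"
            if any(data):
                raise ValueError("PadN padding octets must be zero")
        out.append(entry)
        i += 2 + olen
    return out


def parse_extension_headers(next_header: int, payload: bytes) -> tuple:
    """Return (parsed extension headers, upper-layer protocol number, remaining bytes)."""
    headers = []
    while next_header in EXTENSION_HEADERS:
        if len(payload) < 8:
            raise ValueError("truncated extension header")
        nh = payload[0]
        if next_header == FRAGMENT:                      # fixed 8 octets
            _, _, off_flags, ident = struct.unpack("!BBHI", payload[:8])
            headers.append({"header": "Fragment", "next_header": nh,
                            "fragment_offset": off_flags >> 3,            # 13 bits, 8-octet units
                            "fragment_offset_bytes": (off_flags >> 3) * 8,
                            "more_fragments": bool(off_flags & 1),        # M flag
                            "identification": ident})
            hlen = 8
        elif next_header == AH:
            hlen = (payload[1] + 2) * 4                  # Payload Len is in 32-bit words minus 2
            spi, seq = struct.unpack("!II", payload[4:12])
            headers.append({"header": "AH", "next_header": nh, "spi": spi,
                            "sequence": seq, "icv": payload[12:hlen]})
        else:
            hlen = (payload[1] + 1) * 8                  # Hdr Ext Len excludes the first 8 octets
            if next_header == ROUTING:
                headers.append({"header": "Routing", "next_header": nh,
                                "routing_type": payload[2], "segments_left": payload[3],
                                "type_specific_data": payload[4:hlen]})
            else:
                name = "Hop-by-Hop Options" if next_header == HOPOPT else "Destination Options"
                headers.append({"header": name, "next_header": nh,
                                "options": parse_options(payload[2:hlen])})
        if hlen > len(payload):
            raise ValueError("header length exceeds the available payload")
        payload, next_header = payload[hlen:], nh
    return headers, next_header, payload


# constructed sample: Hop-by-Hop (one PadN of 4) -> Fragment (offset 185*8, M=1) -> ICMPv6 stub
SAMPLE_CHAIN = (bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])
                + struct.pack("!BBHI", 58, 0, (185 << 3) | 1, 0xDEADBEEF)
                + b"\x80\x00")
```

Rejecting a PadN whose padding is not all zero, and refusing any header whose declared length runs past the buffer, are the two checks that matter when this sort of decoder is fed hostile traffic.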
Internet layer characterizes information about the network layer of this Network Packet. The network layer is one layer from the 7-layer OSI Model.
The Link Layer is the lowest layer of the TCP/IP network stack and is comprised of physical and logical protocols that operate between adjacent nodes of a network segment or a WAN connection.
Transport layer characterizes information about the transport layer of this Network Packet. The transport layer is one layer from the 7-layer OSI Model.
Logical Protocols characterizes the logical protocol of a link layer connection. One example of a logical protocol is ARP.
Physical Interface characterizes one hardware interface of a link layer connection.
TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to another program on another computer. http://en.wikipedia.org/wiki/Transmission_Control_Protocol.
UDP uses a simple transmission model without implicit handshaking dialogues for providing reliability, ordering, or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated, or go missing without notice. http://en.wikipedia.org/wiki/User_Datagram_Protocol.
ARP is a logical protocol used for resolution of network layer addresses (e.g., IP addresses) into link layer addresses (e.g., MAC addresses). RARP is a logical protocol used by a host computer to request its network layer address when it has its link layer address.
Neighbor Discovery Protocol (NDP) is used with IPv6 to determine the link-layer addresses for neighbors. Corresponds to combination of IPv4 protocols: ARP, ICMP Router Discovery, and ICMP Redirect.
Two-octet field in an Ethernet frame. Specifies the protocol encapsulated in the payload of the Ethernet frame.
Length characterizes the length of the ethernet frame.
32-bit unsigned integer. The recommended MTU for the link.
Prefix Info characterizes Prefix Information for Router Advertisement Options.
Src Link Addr characterizes the Source Link-Layer Address option.
As much as possible of the IP packet that triggered the sending of the Redirect message without making the redirect packet exceed the minimum MTU specified in the IPv6 protocol.
The link-layer address for the target.
Follows RFC2402. The IP Authentication Header is used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays. http://www.ietf.org/rfc/rfc2402.txt.
The Destination Options header is used to carry optional information that needs to be examined only by a packet's destination node(s).
Follows RFC2406. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.
The Fragment header is used by an IPv6 source to send a packet larger than would fit in the path MTU. A fragment packet begins with an unfragmentable part consisting of the IPv6 header plus all extension headers up to and including the routing header. We don't include it for this field because the data is already stored in other elements. We provide the elements necessary for the Fragmentable Part. http://tools.ietf.org/html/rfc2460.
The Hop-by-Hop Options header is used to carry optional information that must be examined by every node along a packet's delivery path. It carries a variable number of type-length-value (TLV) encoded options.
The Routing header is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination. http://tools.ietf.org/html/rfc2460.
For ICMP informational messages, boolean values are used in this field to explicitly interpret the type and code bytes appearing in the ICMP header. Additional fields and message content are also defined here.
For ICMP traceroute messages (type = 30), specifies related fields and ICMP code value. A boolean value is used to explicitly interpret the code byte appearing in the ICMP header. Additional fields and message content are also defined here.
For ICMP error messages, boolean values are used in this field to explicitly interpret the type and code bytes appearing in the ICMP header. Additional fields and message content are also defined here.
A redirect message is used to send data packets on an alternative route. This ICMP redirect message informs a host to update its routing information.
A source quench message is an ICMP message that requests that the sender decrease the rate of messages sent to a router or host. This message may be generated if a router or host does not have sufficient buffer space to process the request or may occur if the router or host buffer is approaching its limit (http://en.wikipedia.org/wiki/ICMP_Source_Quench).
An ICMP time exceeded message is generated by a gateway to inform the source of a datagram that the datagram has been discarded due to the time to live field reaching zero. A time exceeded message may also be sent by a host if it fails to reassemble a fragmented datagram within its time limit (http://en.wikipedia.org/wiki/ICMP_Time_Exceeded).
A destination unreachable message is an ICMP message which is generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason (http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable).
A timestamp reply is an informational ICMP message which replies to a timestamp request message.
A timestamp request is an ICMP informational message used for time synchronization.
An address mask reply is an ICMP informational message, used to reply to an address mask request message with an appropriate subnet mask (type=18).
An address mask request is an ICMP informational message (query message) normally sent by a host to a router in order to obtain an appropriate subnet mask (type=17).
Echo reply/request messages are also known as "ping". The Info_Message_Content field contains an identifier and sequence number which together form the "quench" for echo reply and echo request. Fields specific to an echo reply message are given as elements to this echo reply field (type=0).
Echo reply/request messages are also known as "ping". The Info_Message_Content field contains an identifier and sequence number which together form the "quench" for echo reply and echo request. Fields specific to an echo request message are given as elements to this echo request field (type=8).
One of two possible subtypes for an ICMP traceroute message. This subtype means that the outbound packet was successfully forwarded (code=0).
One of two possible subtypes for an ICMP traceroute message. This one means that there is no route for the outbound packet and the packet was discarded (code=1).
For ICMP informational messages, boolean values are used in this field to explicitly interpret the type and code bytes appearing in the ICMP header. Additional fields and message content are also defined here.
For ICMP error messages, boolean values are used in this field to explicitly interpret the type and code bytes appearing in the ICMP header. Additional fields and message content are also defined here.
A packet too big message must be sent by a router in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link.
If an IPv6 node processing a packet finds a problem with a field in the IPv6 header or extension headers and it cannot complete processing of the packet, it should send an ICMPv6 Parameter Problem message to the packet's source (http://tools.ietf.org/html/rfc4443).
A time exceeded message is sent if either the hop limit is exceeded (hop limit = 0) or fragment reassembly has timed out.
A destination unreachable message should be generated by a router, or by the IPv6 layer in the originating node, in response to a packet that cannot be delivered to its destination address for reasons other than congestion (http://tools.ietf.org/html/rfc4443).
Echo request and reply messages are used for diagnostic purposes.
Echo request and reply messages are used for diagnostic purposes.
One of 16 different subtypes of a destination unreachable ICMP message; communication administratively prohibited (code=13).
One of 16 different subtypes of a destination unreachable ICMP message; destination host unknown (code=7).
One of 16 different subtypes of a destination unreachable ICMP message; destination host unreachable (code=1).
One of 16 different subtypes of a destination unreachable ICMP message; destination network unknown (code=6).
One of 16 different subtypes of a destination unreachable ICMP message; destination network unreachable (code=0).
One of 16 different subtypes of a destination unreachable ICMP message; destination port unreachable (code=3).
One of 16 different subtypes of a destination unreachable ICMP message; destination protocol unreachable (code=2).
One of 16 different subtypes of a destination unreachable ICMP message; fragmentation required (code=4). This field has an additional field (Next-Hop MTU), as well as a boolean value indicating this subtype.
One of 16 different subtypes of a destination unreachable ICMP message; host administratively prohibited (code=10).
One of 16 different subtypes of a destination unreachable ICMP message; host precedence violation (code=14).
One of 16 different subtypes of a destination unreachable ICMP message; host unreachable for TOS (code=12).
One of 16 different subtypes of a destination unreachable ICMP message; network administratively prohibited (code=9).
One of 16 different subtypes of a destination unreachable ICMP message; network unreachable for TOS (code=11).
One of 16 different subtypes of a destination unreachable ICMP message; precedence cutoff in effect (code=15).
One of 16 different subtypes of a destination unreachable ICMP message; source host isolated (code=8).
One of 16 different subtypes of a destination unreachable ICMP message; source route failed (code=5).
One of 4 different subtypes of a redirect ICMP message; redirect datagram for the network (code=0).
One of 4 different subtypes of a redirect ICMP message; redirect datagram for the TOS and host (code=3).
One of 4 different subtypes of a redirect ICMP message; redirect datagram for the TOS and network (code=2).
One of 4 different subtypes of a redirect ICMP message; redirect datagram for the host (code=1).
Specifies that the fragment reassembly time was exceeded (code=1).
Specifies that the time-to-live was exceeded in transit (code=0).
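The ICMPv4 message fields listed earlier (echo identifier and sequence, the Next-Hop MTU of a type 3 code 4 message, the redirect gateway address, the three 32-bit timestamps with their non-standard high-order bit, the address mask) and the type/code names enumerated in this section can be decoded as below. This is an added example, not CybOX project code; it assumes RFC 792, RFC 950, RFC 1191 and RFC 1393 layouts and uses constructed messages as input. Code 9 is named as the network variant of administrative prohibition, per RFC 1812.

```python
import struct
from ipaddress import IPv4Address

ICMP4_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
               5: "redirect", 8: "echo request", 11: "time exceeded",
               13: "timestamp request", 14: "timestamp reply",
               17: "address mask request", 18: "address mask reply", 30: "traceroute"}

UNREACH_CODES = {0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation required", 5: "source route failed",
                 6: "destination network unknown", 7: "destination host unknown",
                 8: "source host isolated", 9: "network administratively prohibited",
                 10: "host administratively prohibited", 11: "network unreachable for TOS",
                 12: "host unreachable for TOS", 13: "communication administratively prohibited",
                 14: "host precedence violation", 15: "precedence cutoff in effect"}
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}
TIME_EXCEEDED_CODES = {0: "time-to-live exceeded in transit", 1: "fragment reassembly time exceeded"}
TRACEROUTE_CODES = {0: "outbound packet forwarded", 1: "no route for outbound packet"}


def decode_timestamp(raw: int) -> dict:
    """32-bit ICMP timestamp: milliseconds since midnight UT; high-order bit set = non-standard value."""
    if raw & 0x80000000:
        return {"nonstandard": True, "ms_since_midnight_ut": None, "hhmmss": None}
    return {"nonstandard": False, "ms_since_midnight_ut": raw,
            "hhmmss": "%02d:%02d:%02d.%03d" % (raw // 3600000, raw // 60000 % 60,
                                               raw // 1000 % 60, raw % 1000)}


def parse_icmpv4(msg: bytes) -> dict:
    """Decode type, code, checksum and the type-specific fields of an ICMPv4 message."""
    if len(msg) < 8:
        raise ValueError("an ICMP header is 8 octets")
    type_, code, checksum = struct.unpack("!BBH", msg[:4])
    out = {"type": type_, "type_name": ICMP4_TYPES.get(type_, "unknown"),
           "code": code, "checksum": checksum}
    if type_ in (0, 8):                                  # echo reply / request
        ident, seq = struct.unpack("!HH", msg[4:8])
        out.update(identifier=ident, sequence=seq, data=msg[8:])
    elif type_ == 3:                                     # destination unreachable
        out["code_name"] = UNREACH_CODES.get(code, "unknown")
        if code == 4:                                    # RFC 1191: octets 6..7 hold the Next-Hop MTU
            out["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
        out["invoking_packet"] = msg[8:]
    elif type_ == 5:                                     # redirect: octets 4..7 are the gateway
        out["code_name"] = REDIRECT_CODES.get(code, "unknown")
        out["gateway"] = str(IPv4Address(msg[4:8]))
        out["invoking_packet"] = msg[8:]
    elif type_ == 11:                                    # time exceeded
        out["code_name"] = TIME_EXCEEDED_CODES.get(code, "unknown")
        out["invoking_packet"] = msg[8:]
    elif type_ in (13, 14):                              # timestamp request / reply
        if len(msg) < 20:
            raise ValueError("timestamp messages are 20 octets")
        ident, seq, orig, recv, xmit = struct.unpack("!HHIII", msg[4:20])
        out.update(identifier=ident, sequence=seq, originate=decode_timestamp(orig),
                   receive=decode_timestamp(recv), transmit=decode_timestamp(xmit))
    elif type_ in (17, 18):                              # address mask request / reply
        if len(msg) < 12:
            raise ValueError("address mask messages are 12 octets")
        ident, seq = struct.unpack("!HH", msg[4:8])
        out.update(identifier=ident, sequence=seq, address_mask=str(IPv4Address(msg[8:12])))
    elif type_ == 30:                                    # traceroute (RFC 1393)
        out["code_name"] = TRACEROUTE_CODES.get(code, "unknown")
    return out


# constructed sample: type 3 code 4 with Next-Hop MTU 1280 and the start of the invoking IPv4 header
SAMPLE_FRAG_NEEDED = b"\x03\x04\x00\x00\x00\x00\x05\x00" + b"\x45\x00\x00\x54"
```

Checksum verification is omitted here on purpose: the ICMPv4 checksum covers only the ICMP message (no pseudo-header), and the point of this block is the per-type field layout.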
The initial bits of an IPv6 address (these are identical for all hosts in a network) form the network's prefix. http://ipv6.com/articles/general/IPv6-Addressing.htm.
IPv6 address.
The Pad1 option is used to insert one octet of padding into the Options area of a header. The Pad1 option does not have length and value fields.
The PadN option is used to insert two or more octets of padding into the Options area of a header.
<schema>Win_Network_Route_Entry_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The NLRouteOriginEnum type is an enumeration of network route origination points, as detailed in the NL_ROUTE_ORIGIN enumeration in the MIB_IPFORWARD_ROW2 structure. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa814494(v=vs.85).aspx for the MIB_IPFORWARD_ROW2 structure and http://msdn.microsoft.com/en-us/library/windows/hardware/ff568764(v=vs.85).aspx for the NL_ROUTE_ORIGIN enumeration.
Specifies that the origin was determined as a result of manual configuration.
Specifies that the route is well-known.
Specifies that the origin was determined as a result of DHCP configuration.
Specifies that the origin was determined as a result of router advertisement.
Specifies that the origin was determined as a result of 6to4 tunneling.
The NLRouteProtocolEnum type is an enumeration of network routing protocols, as detailed in the NL_ROUTE_PROTOCOL enumeration in the MIB_IPFORWARD_ROW2 structure. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa814494(v=vs.85).aspx for the MIB_IPFORWARD_ROW2 structure.
Specifies that the routing mechanism was not specified.
Specifies a local interface.
Specifies a static route. This value is used to identify route information for IP routing set through network management such as the Dynamic Host Configuration Protocol (DHCP), the Simple Network Management Protocol (SNMP), or by calls to the CreateIpForwardEntry2, DeleteIpForwardEntry2, or SetIpForwardEntry2 functions.
Specifies the result of an ICMP redirect.
Specifies the Exterior Gateway Protocol (EGP), a dynamic routing protocol.
Specifies the Gateway-to-Gateway Protocol (GGP), a dynamic routing protocol.
Specifies the hellospeak protocol, a dynamic routing protocol. This is a historical entry no longer in use and was an early routing protocol used by the original ARPANET routers that ran special software called the Fuzzball routing protocol, sometimes called Hellospeak, as described in RFC 891 and RFC 1305. For more information, see http://www.ietf.org/rfc/rfc891.txt and http://www.ietf.org/rfc/rfc1305.txt.
Specifies the Berkeley Routing Information Protocol (RIP) or RIP-II, a dynamic routing protocol.
Specifies the Intermediate System-to-Intermediate System (IS-IS) protocol, a dynamic routing protocol. The IS-IS protocol was developed for use in the Open Systems Interconnection (OSI) protocol suite.
Specifies the End System-to-Intermediate System (ES-IS) protocol, a dynamic routing protocol. The ES-IS protocol was developed for use in the Open Systems Interconnection (OSI) protocol suite.
Specifies the Cisco Interior Gateway Routing Protocol (IGRP), a dynamic routing protocol.
Specifies the Bolt, Beranek, and Newman (BBN) Interior Gateway Protocol (IGP) that used the Shortest Path First (SPF) algorithm. This was an early dynamic routing protocol.
Specifies the Open Shortest Path First (OSPF) protocol, a dynamic routing protocol.
Specifies the Border Gateway Protocol (BGP), a dynamic routing protocol.
Specifies a Windows specific entry added originally by a routing protocol, but which is now static.
Specifies a Windows specific entry added as a static route from the routing user interface or a routing command.
Specifies a Windows specific entry added as a static route from the routing user interface or a routing command, except these routes do not cause Dial On Demand (DOD).
The WindowsNetworkRouteEntryObjectType type is intended to characterize Windows network routing table entries.
The NL_ROUTE_PROTOCOL element captures the routing protocol specified for the network route, as detailed in the NL_ROUTE_PROTOCOL enumeration. For more information please see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa814494(v=vs.85).aspx.
The NL_ROUTE_ORIGIN element specifies a network route origination point, as detailed in the NL_ROUTE_ORIGIN enumeration in the MIB_IPFORWARD_ROW2 structure. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa814494(v=vs.85).aspx for the MIB_IPFORWARD_ROW2 structure and http://msdn.microsoft.com/en-us/library/windows/hardware/ff568764(v=vs.85).aspx for the NL_ROUTE_ORIGIN enumeration.
NLRouteOriginType specifies Windows-centric network route origination values via a union of the NLRouteOriginEnum type and the atomic xs:string type. Its base type is the CybOX BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
NLRouteProtocolType specifies Windows-centric network routing protocol values via a union of the NLRouteProtocolEnum type and the atomic xs:string type. Its base type is the CybOX BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Link_Object</schema>
<version>1.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. </short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The Link Object is intended to characterize links, such as those on a webpage or in an e-mail message.
The URL_Label field specifies the label of the link.
<schema>Artifact_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.</short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The ArtifactTypeEnum is a (non-exhaustive) enumeration of cyber raw artifact types.
The File value specifies that the artifact is a file.
The Memory Region value specifies that the artifact is a block of data from a region of memory.
The File System Fragment value specifies that the artifact is a block of data from a file system.
The Network Traffic value specifies that the artifact is a block of network traffic data such as PCAP.
The Generic Data Region value specifies that the artifact is a block of data from an unknown source.
The ArtifactObjectType type is intended to encapsulate and convey the content of a Raw Artifact.
The type field specifies the general type of the artifact contained in this Defined Object.
The content_type field is optional and specifies the Internet Media Type of the artifact contained in this Defined Object.
The content_type_version field is optional and specifies the content type version of the artifact contained in this Defined Object.
The suspected_malicious field is optional and conveys whether the content of the Raw_Artifact is believed to be malicious.
The Hashes field is optional and specifies hashes for the Raw_Artifact content.
The Packaging field is optional and characterizes packaging layers (e.g. compression, encryption, encoding) applied to the original content to generate the content of the Raw_Artifact field of this Object. The ordering of entries in this sequence implicitly denotes the ordering of packaging layer operations applied.
The PackagingType captures any packaging layers applied to an artifact.
The is_encrypted field is optional and specifies whether the Raw_Artifact content is protected/encrypted.
The is_compressed field is optional and specifies whether the Raw_Artifact content is compressed.
The CompressionType captures any compression packaging details for an artifact.
The compression_mechanism field is optional and specifies the compression algorithm utilized to protect the Raw_Artifact content.
The compression_mechanism_ref field is optional and conveys a reference to a description of the compression algorithm utilized to protect the Raw_Artifact content.
The EncryptionType captures any encryption packaging details for an artifact.
The encryption_mechanism field is optional and specifies the protection/encryption algorithm utilized to protect the Raw_Artifact content.
The encryption_mechanism_ref field is optional and conveys a reference to a description of the protection/encryption algorithm utilized to protect the Raw_Artifact content.
The encryption_key field is optional and locally specifies the password for unprotecting/decrypting the Raw_Artifact content.
The encryption_key_ref field is optional and specifies a reference to a remote specification of the password for unlocking/decrypting the Raw_Artifact content.
The EncodingType captures any encoding packaging details for an artifact.
The algorithm field is optional and specifies the encoding algorithm utilized to encode the Raw_Artifact.
The character_set field is optional and specifies the character set utilized in the Raw_Artifact content encoding.
The custom_character_set_ref field is optional and conveys a reference to a specification of the custom character set used to encode the Raw_Artifact.
The RawArtifactType is intended to convey, with minimal characterization, the content of the Raw Artifact itself.
The byte_order field specifies the endianness of the unpacked (e.g., unencrypted, base64-decoded, decompressed, etc.) Raw Artifact data.
The Raw_Artifact field contains the raw content of a cyber artifact (rather than simply analysis of that artifact). It is conveyed within a string-based field, and the content should be further enclosed in a CDATA section within that field.
The Raw_Artifact_Reference field contains a reference to an external instance of the raw content of a cyber artifact (rather than simply analysis of that artifact).
The Compression field is optional and specifies details for a compression layer applied to the content of the Raw_Artifact.
The Encoding field is optional and specifies details for an encoding layer applied to the content of the Raw_Artifact.
The Encryption field is optional and specifies details for an encryption layer applied to the content of the Raw_Artifact.
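The Packaging ordering rule above, as an added example that is not part of the CybOX schema or its documentation: the code builds an Artifact whose Packaging lists a zlib Compression layer followed by a Base64 Encoding layer, then recovers the original bytes from the inline Raw_Artifact by undoing the layers in reverse order. The ArtifactObj namespace URI, the Artifact root element name and the layer attribute names are assumptions; an Encryption layer is refused rather than decrypted, since its key may only be referenced.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespace and root element name for the CybOX 2.1 Artifact object: assumed
# here, not stated on the page.
NS = "http://cybox.mitre.org/objects#ArtifactObject-2"


def q(tag: str) -> str:
    """Clark-notation tag for an element in the Artifact object namespace."""
    return f"{{{NS}}}{tag}"


def build_artifact_xml(content: bytes) -> str:
    """Package content as a CybOX Artifact: zlib-compress, then Base64-encode.

    The Packaging sequence lists the layers in the order they were applied,
    which is what the Packaging field's ordering rule requires.
    """
    packed = base64.b64encode(zlib.compress(content)).decode("ascii")
    # Base64 output never contains "]]>", so it is safe inside a CDATA section.
    return (
        f'<ArtifactObj:Artifact xmlns:ArtifactObj="{NS}" type="File">'
        "<ArtifactObj:Packaging>"
        '<ArtifactObj:Compression compression_mechanism="zlib"/>'
        '<ArtifactObj:Encoding algorithm="Base64"/>'
        "</ArtifactObj:Packaging>"
        f"<ArtifactObj:Raw_Artifact><![CDATA[{packed}]]></ArtifactObj:Raw_Artifact>"
        "</ArtifactObj:Artifact>"
    )


def packaging_layers(xml_text: str) -> list:
    """Return the local names of the Packaging layers in document order."""
    root = ET.fromstring(xml_text)
    packaging = root.find(q("Packaging"))
    if packaging is None:
        return []
    return [child.tag.split("}")[-1] for child in packaging]


def _undo_layer(layer: ET.Element, data: bytes) -> bytes:
    """Apply the inverse of one packaging layer; unsupported mechanisms raise."""
    name = layer.tag.split("}")[-1]
    if name == "Encoding":
        algorithm = layer.get("algorithm", "").lower()
        if algorithm == "base64":
            return base64.b64decode(data, validate=True)
        raise ValueError(f"unsupported encoding algorithm: {algorithm!r}")
    if name == "Compression":
        mechanism = layer.get("compression_mechanism", "").lower()
        if mechanism == "zlib":
            return zlib.decompress(data)
        raise ValueError(f"unsupported compression mechanism: {mechanism!r}")
    if name == "Encryption":
        # Key material may only be referenced (encryption_key_ref); do not guess.
        raise ValueError("Encryption layer present; decryption is not handled here")
    raise ValueError(f"unknown packaging layer: {name!r}")


def unpack_artifact(xml_text: str) -> bytes:
    """Recover the original content from an inline Raw_Artifact.

    Layers are undone in reverse of the Packaging order; undoing them in the
    listed order would fail, because zlib cannot decompress Base64 text.
    """
    root = ET.fromstring(xml_text)
    raw = root.find(q("Raw_Artifact"))
    if raw is None or raw.text is None:
        raise ValueError("no inline Raw_Artifact content (perhaps a Raw_Artifact_Reference)")
    data = raw.text.strip().encode("ascii")
    packaging = root.find(q("Packaging"))
    layers = list(packaging) if packaging is not None else []
    for layer in reversed(layers):
        data = _undo_layer(layer, data)
    return data
```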
<schema>Pipe_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The PipeObjectType type is intended to characterize generic system pipes.
The named field specifies whether the pipe is named.
The Name field specifies the name of the pipe, if applicable.
<schema>Win_Thread_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
Thread running status enumerates the various states that a thread may be in before, during, or after execution. See http://msdn.microsoft.com/en-us/library/system.diagnostics.threadstate(v=vs.110).aspx.
A state that indicates the thread has been initialized, but has not yet started.
A state that indicates the thread is waiting to use a processor because no processor is free. The thread is prepared to run on the next available processor.
A state that indicates the thread is currently using a processor.
A state that indicates the thread is about to use a processor. Only one thread can be in this state at a time.
A state that indicates the thread has finished executing and has exited.
A state that indicates the thread is not ready to use the processor because it is waiting for a peripheral operation to complete or a resource to become free. When the thread is ready, it will be rescheduled.
A state that indicates the thread is waiting for a resource, other than the processor, before it can execute.
A state that indicates the state of the thread is unknown.
The Windows_ThreadObjectType is intended to characterize Windows process threads. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684852(v=vs.85).aspx.
Represents the identifier of this thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683183(v=vs.85).aspx.
Handle represents the handle of a specific thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453(v=vs.85).aspx.
Running Status represents the running state that the thread is in.
The Context field specifies the thread context structure, which contains processor-specific register data.
Represents the priority of the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685100(v=vs.85).aspx.
The Creation flags field represents the creation flags that a thread may be launched with. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx.
Creation time represents the creation time of the thread.
Start address represents the memory address at which this thread should start executing. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453(v=vs.85).aspx.
Security attributes represents the security attributes for the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379560(v=vs.85).aspx.
Represents the stack size of the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686774(v=vs.85).aspx.
ThreadRunningStatusType specifies Windows thread running states via a union of the ThreadRunningStatusEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Archive_File_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The ArchiveFileFormatEnum type is a non-exhaustive enumeration of common archive file formats.
Specifies the open source 7-zip file format (.7z).
Specifies the Android application package format (.apk).
Specifies the Microsoft native archive format (.cab).
Specifies the Apple disk image format (.dmg).
Specifies the Java archive format (.jar).
Specifies the RAR file format (.rar).
Specifies the StuffIt file format (.sit, .sitx).
Specifies the compressed TAR file format (.tar.gz, .tgz, .tar.Z, .tar.bz2).
Specifies the PKZip file format (.zip, .zipx).
The ArchiveFileObjectType type is intended to characterize archive files.
The Archive Format specifies the format of the archive file.
The Version field specifies the version of the archive type used to create the archive file.
The File_Count field specifies the number of files contained within the archive.
The Encryption_Algorithm field specifies the algorithm used to encrypt an archive file. Note: For individual files within an archive that are themselves encrypted, the specifics of that encryption are found in the FileObject definition for that file.
The Decryption_Key field specifies the key used to decrypt the file.
The Comment field specifies the comment information associated with the archive file.
The Archived_File field specifies the FileObject definitions for the individual files contained within the archive.
The ArchiveFileFormatType specifies archive file formats via a union of the ArchiveFileFormatEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
<schema>Win_Event_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The WinHookTypeEnum type is an enumeration of Windows hook procedure types.
Specifies a hook procedure that monitors messages before the system sends them to the destination window procedure.
Specifies a hook procedure that monitors messages after they have been processed by the destination window procedure.
Specifies a hook procedure that receives notifications useful to a CBT application.
Specifies a hook procedure useful for debugging other hook procedures.
Specifies a hook procedure that will be called when the application's foreground thread is about to become idle.
Specifies a hook procedure that monitors messages posted to a message queue.
Specifies a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure.
Specifies a hook procedure that records input messages posted to the system message queue.
Specifies a hook procedure that monitors keystroke messages.
Specifies a hook procedure that monitors low-level keyboard input events.
Specifies a hook procedure that monitors mouse messages.
Specifies a hook procedure that monitors low-level mouse input events.
Specifies a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar.
Specifies a hook procedure that receives notifications useful to shell applications.
Specifies a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar.
The WindowsHookObjectType type is intended to characterize Windows hook procedure objects.
For more information please see http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx.
The Type field specifies the type (i.e. WH_) of the Windows hook procedure, which refers to the type of event that the hook will intercept.
The Handle field specifies the handle associated with the Windows hook procedure. It uses the WindowsHandleObjectType type from the imported CybOX Windows Handle object.
The Hooking_Function_Name field specifies the name of the hooking function used by the Windows hook procedure.
The Hooking_Module field specifies the properties of the module that contains the hooking function used in the Windows hook procedure that is specified in the Hooking_Function_Name field. It uses the LibraryObjectType from the imported CybOX Library Object.
The Thread_ID field specifies the ID of the thread associated with the Windows procedure, if applicable.
WinHookType specifies Windows hook procedure types, via a union of the WinHookTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
<schema>DNS_Cache_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The DNSCacheObjectType type is intended to characterize entries in a system's DNS cache.
The DNS_Cache_Entry field is intended to characterize a single domain name system cache entry.
The DNSCacheEntryType type is intended to characterize a single entry in a system's DNS cache.
The DNS_Entry field specifies the relevant DNS entry (including Domain Name and IP Address) for this DNS Cache Entry.
The TTL field specifies the time-to-live value for the DNS cache entry, or in other words the number of seconds before the entry expires.
<schema>Port_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The PortObjectType type is intended to characterize networking ports.
The required Port_Value field specifies the actual value of the port.
The Layer4_Protocol field specifies the Layer 4 Protocol (OSI Model) associated with the port.
<schema>SMS_Message_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The SMSMessageObjectType is intended to characterize Short Message Service (SMS) messages.
The is_premium field specifies whether the SMS message is a premium (i.e. fee-collecting) message.
The Sender_Phone_Number field specifies the phone number of the sender of the SMS message.
The Recipient_Phone_Number field specifies the phone number of the recipient of the SMS message.
The Sent_DateTime field specifies the date/time at which the SMS message was sent.
The Body field specifies the body of the SMS message.
The Length field specifies the length of the SMS message, in characters.
The Size field specifies the size of the SMS message, in bytes.
The Encoding field specifies the name of the character encoding (sometimes referred to as the Alphabet) used in the SMS message.
The Bits_Per_Character field specifies the number of bits used to express each character in the SMS message.
The User_Data_Header field specifies the user data header included at the start of the SMS message, as a hexadecimal string.
<schema>Network_Socket_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The AddressFamilyTypeEnum is an enumeration of address family (AF_*) types.
Specifies an unspecified address family.
Specifies the Internet (IP version 4) address family used with Berkeley sockets.
Specifies the IPX (Novell Internet Protocol) address family.
Specifies the APPLETALK DDP address family.
Specifies the NETBIOS address family.
Specifies the IP version 6 address family.
Specifies IRDA sockets.
Specifies BTH sockets.
The DomainTypeEnum is an enumeration of communication domain (PF_*) types.
Specifies the host-internal communication domain (the local alias).
Specifies the host-internal communication domain (the UNIX alias).
Specifies the host-internal communication domain (the file alias).
Specifies the IP protocol family.
Specifies the Amateur Radio AX.25 family.
Specifies the Novell Internet Protocol family.
Specifies the IP version 6 protocol family.
Specifies the Appletalk DDP protocol family.
Specifies the Amateur radio NetROM protocol family.
Specifies the Multiprotocol bridge protocol family.
Specifies the ATM PVCs protocol family.
Specifies the protocol family reserved for the X.25 project.
Specifies the PF_KEY key management API family.
Specifies the protocol family reserved for the DECnet project.
Specifies the protocol family reserved for the 802.2LLC project.
Specifies the Security callback pseudo AF protocol family.
Specifies the PF_KEY key management API protocol family.
Specifies the netlink routing API family.
Specifies the PF_ROUTE routing API family.
Specifies the packet family.
Specifies the Ash family.
Specifies the Acorn Econet family.
Specifies the ATM SVCs protocol family.
Specifies the Linux SNA Project protocol family.
Specifies IRDA sockets.
Specifies PPPoX sockets.
Specifies Wanpipe API sockets.
Specifies Bluetooth sockets.
The SocketTypeEnum is an enumeration of socket (SOCK_*) types.
Specifies a pipe-like socket which operates over a connection with a particular remote socket, and transmits data reliably as a stream of bytes.
Specifies a socket in which individually-addressed packets are sent (datagram).
Specifies raw sockets, which allow new IP protocols to be implemented in user space. A raw socket receives or sends the raw datagram, not including link-level headers.
Specifies a socket indicating a reliably-delivered message.
Specifies a Datagram Congestion Control Protocol socket.
The ProtocolTypeEnum is an enumeration of protocol types.
Indicates the ICMP protocol.
Indicates the IGMP protocol.
Indicates the Bluetooth protocol.
Indicates the TCP protocol.
Indicates the UDP protocol.
Indicates the ICMP v6 protocol.
Indicates the Reliable Multicasting protocol.
The NetworkSocketObjectType is intended to characterize network sockets.
The is_blocking field specifies whether or not the socket is in blocking mode.
The is_listening field specifies whether or not the socket is in listening mode.
The Address_Family field specifies the address family (AF_*) that the socket is configured for.
The Domain field specifies the communication domain (PF_*) of the socket.
The Local_Address field specifies the IP address and port for the socket on the local machine.
The Options field specifies any particular options used by the socket.
The Protocol field specifies the type of IP layer protocol used by the socket.
The Remote_Address field specifies the IP address and port for the socket on the remote machine.
The Type field specifies the type of socket being characterized.
The Socket_Descriptor field specifies the socket file descriptor value associated with the socket. Negative values are not allowed.
The SocketOptionsType specifies any particular options used by the socket. If an option is supported only by specific address families or socket types, that is indicated in parentheses.
Set the interface over which outgoing multicast datagrams should be sent (AF_INET / SOCK_DGRAM or SOCK_RAW).
Set the interface over which outgoing multicast datagrams should be sent (AF_INET6 / SOCK_DGRAM or SOCK_RAW).
Specify that the sending host receives a copy of an outgoing multicast datagram (AF_INET / SOCK_DGRAM or SOCK_RAW).
Set Type of Service (TOS) and Precedence in the IP header (AF_INET).
Enable the socket for issuing messages to a broadcast address (AF_INET / SOCK_DGRAM or SOCK_RAW).
Allows an application to decide whether or not to accept an incoming connection on a listening socket (Windows only).
Keep the connection up by sending periodic transmissions (AF_INET or AF_INET6 / SOCK_STREAM).
Bypass normal routing mechanisms (AF_INET or AF_INET6).
Specifies if the system attempts delivery of or discards any buffered data when a close() is issued.
Complement of SO_LINGER.
Indicates whether out-of-band data is received inline with normal data (AF_INET or AF_INET6).
Set size of the receive buffer.
Sets the relative priority for the socket in its group (Windows only).
Indicates if the local socket address can be reused (AF_INET or AF_INET6 / SOCK_DGRAM or SOCK_RAW).
Indicates if low-level debugging is active.
Set the receive timeout value.
Set size of the send buffer.
Set the send timeout value.
Updates the properties of the socket which are inherited from the listening socket (Windows only).
Set the socket timeout.
When set, TCP will send data immediately instead of using the Nagle delay algorithm (AF_INET or AF_INET6 / SOCK_STREAM).
AddressFamilyType specifies address family types, via a union of the AddressFamilyTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
DomainFamilyType specifies domain family types, via a union of the DomainTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
ProtocolType specifies protocol types, via a union of the ProtocolTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
SocketType specifies socket types, via a union of the SocketTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_System_Restore_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The change types found in a Restore Point changelog.
Represents a changelog entry descriptor for updating an ACL. (0x00000001).
Represents a changelog entry descriptor for updating attributes. (0x00000002).
Represents a changelog entry descriptor for deleting a file. (0x00000004).
Represents a changelog entry descriptor for creating a file. (0x00000010).
Represents a changelog entry descriptor for renaming a file. (0x00000020).
Represents a changelog entry descriptor for creating a directory. (0x00000040).
Represents a changelog entry descriptor for renaming a directory. (0x00000080).
Represents a changelog entry descriptor for deleting a directory. (0x00000100).
Related to filesystem attachment points. (0x00000200).
The WindowsSystemRestoreObjectType is intended to characterize Windows system restore points.
The description of this restore point.
The full path to the restore point.
The name associated with this restore point.
The type of restore point. (ex: "Checkpoint").
The SID associated with a restore point change log event. This usually appears when the event flag includes "ACL Info".
The username associated with a restore point change log event. It usually appears when the event flag includes "ACL Info".
The backup file name associated with a particular restore point change log event.
The change event associated with this restore point object (ex: "System Checkpoint", "Software Installation", etc.).
The flags associated with a restore point change log entry (ex: "ACL Info", "Short Name", etc.).
The change log sequence number associated with this restore point object.
The changelog entry type associated with this restore point object.
The changelog file associated with the restore point.
The created date of the system restore point.
Attributes of the file associated with this restore point object (ex: "Directory").
The new filename of the file associated with this restore point object.
The original filename associated with this restore point change log event.
The original short filename (SFN) of the file associated with this restore point object.
The process name associated with this restore point object.
The registry hives associated with this restore point.
HiveListType is intended to characterize a group of keys, subkeys, and values in the Windows registry that has a set of supporting files containing backups of its data and is associated with a system restore point. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx.
The Hive element specifies the Windows registry hive associated with the system restore point.
ChangeLogEntryTypeType specifies Restore Point changelog entry types, via a union of the ChangeLogEntryTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Event_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WinEventTypeEnum type is an enumeration of Windows synchronization event types. These are described in detail in http://msdn.microsoft.com/en-us/library/windows/desktop/ms682655(v=vs.85).aspx.
Indicates an event object whose state remains signaled until it is explicitly reset to nonsignaled by the ResetEvent function. While it is signaled, any number of waiting threads, or threads that subsequently specify the same event object in one of the wait functions, can be released.
Indicates an event object whose state remains signaled until a single waiting thread is released, at which time the system automatically sets the state to nonsignaled. If no threads are waiting, the event object's state remains signaled. If more than one thread is waiting, a waiting thread is selected. Do not assume a first-in, first-out (FIFO) order. External events such as kernel-mode APCs can change the wait order.
The WindowsEventObjectType type is intended to characterize Windows event (synchronization) objects.
The Handle field specifies the handle to the Windows event object. It imports and uses the WindowsHandleObjectType type from the CybOX Windows Handle object.
The Name field specifies the name of the Windows event object.
The Type field specifies the type of the Windows event.
WinEventType specifies Windows event types, via a union of the WinEventTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Semaphore_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsSemaphoreObjectType is intended to characterize Windows semaphore (synchronization) objects.
The Handle field specifies the open Windows handle to the semaphore. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.
The Security_Attributes field specifies the Windows security attributes for the semaphore.
<schema>Win_Handle_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsHandleType is a non-exhaustive enumeration of Windows handle types.
Specifies an access token handle.
Specifies an event handle.
Specifies a file handle.
Specifies a file mapping handle.
Specifies a job handle.
Specifies an IO completion port handle.
Specifies a mailslot handle.
Specifies a mutex handle.
Specifies a named pipe handle.
Specifies a pipe handle.
Specifies a process handle.
Specifies a semaphore handle.
Specifies a thread handle.
Specifies a transaction handle.
Specifies a waitable timer handle.
Specifies a registry key handle.
Specifies a window handle.
Specifies a service control manager handle.
Specifies a communications device handle.
Specifies a console input handle.
Specifies a console screen buffer handle.
Specifies a memory resource notification handle.
Specifies a directory handle.
Specifies a symbolic link handle.
Specifies a token handle.
Specifies a profile handle.
Specifies a window station handle.
Specifies a port handle.
Specifies a waitable port handle.
Specifies a controller handle.
Specifies a driver handle.
Specifies a desktop handle.
Specifies an adapter handle.
Specifies a bitmap handle.
Specifies a brush handle.
Specifies a color space handle.
Specifies a cursor handle.
Specifies a device context handle.
Specifies an enhanced metafile handle.
Specifies a font handle.
Specifies a GDI object handle.
Specifies a hook handle.
Specifies an icon handle.
Specifies a module instance handle.
Specifies a menu handle.
Specifies a metafile handle.
Specifies a display monitor handle.
Specifies a palette handle.
Specifies a pen handle.
Specifies a region handle.
Specifies a resource handle.
The WindowsHandleObjectType type is intended to characterize Windows handles.
The ID field refers to the unique number used to identify the handle.
The Name field specifies the name of the handle.
The Type field specifies the handle type, which is equivalent to the type of Windows object that the handle refers to.
The Object_Address field specifies the address of the Windows object that the handle refers to.
The Access_Mask field specifies the access bitmask of the handle.
The Pointer_Count field specifies the count of pointer references to the Windows object that the handle refers to.
The WindowsHandleListType type specifies a list of Windows handles, for re-use in other objects.
The Handle field characterizes a single Windows handle.
HandleType specifies Windows handle types via a union of the HandleTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Event_Log_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsEventLogObjectType type is intended to characterize entries in the Windows event log.
The EID field specifies the ID of the event for which the event log entry was created.
The event type associated with the entry in the event log, e.g., warning, information, error.
The name of the log.
The rendered message string for the event.
The event entry's category number, as defined by the source.
The text associated with Category_Num.
The Generation_Time field specifies the date/time the event was generated.
What logged the event, typically the name of an application or sub-component.
The name of the computer on which the event log entry was generated.
The name of the user (the security ID) responsible for the event.
The event data as a binary blob.
A globally unique identifier that identifies the current activity.
A globally unique identifier that identifies the activity to which control was transferred.
The Execution_Process_ID field specifies the Process ID (PID) of the process which created the event.
The Execution_Thread_ID field specifies the Thread ID (TID) of the thread which created the event.
The index of the event entry in the log.
A DWORD value that is always set to ELF_LOG_SIGNATURE (the value 0x654c664c), which is ASCII for eLfL.
List of unformatted messages in the event log entry.
The Write_Time field specifies the date/time that the entry was written into the event log.
The UnformattedMessageListType type is a list of unformatted messages in the event log entry.
A single unformatted message in the event log entry.
<schema>AS Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The ASObjectType type is intended to characterize an autonomous system (AS).
The Number field specifies the number assigned to the autonomous system (AS). Such assignments are typically performed by a regional internet registry (RIR).
The Name field specifies the name of the autonomous system (AS).
The Handle field specifies the handle for the autonomous system (AS), which is typically the AS number prepended with the string 'AS'.
The Regional_Internet_Registry field specifies the name of the regional internet registry (RIR) that assigned the number to the autonomous system (AS).
<schema>GUI_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The GUIObjectType type is intended to characterize generic GUI objects.
The Height field specifies the height of the GUI object.
The Width field specifies the width of the GUI object.
<schema>Unix_Network_Route_Entry_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The UnixNetworkRouteEntryObjectType type is intended to characterize entries in the network routing table of a Unix system.
The Flags field specifies any flags used for the network route, such as G (use gateway).
The MSS field specifies the maximum segment size for TCP connections over this network route, in bytes.
The Ref field specifies the number of references to this network route.
The Use field specifies the number of lookups that were performed for this network route.
The Window field specifies the default window size for TCP connections over this network route, in bytes.
<schema>Domain_Name_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The DomainTypeEnum is an enumeration of types of Domain names.
Specifies a fully qualified domain name (FQDN), e.g. "www.abcd.com".
Specifies a top-level domain (TLD) name, e.g. ".com" or ".org".
The DomainNameObjectType type is intended to characterize network domain names.
The type field specifies the type of Domain name that is being defined.
The Value field specifies the value of the Domain name.
<schema>Library_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The LibraryTypeEnum type is an enumeration of library types.
Indicates a dynamic library.
Indicates a static library.
Indicates a remote library.
Indicates a shared library.
Indicates a different type of library than those listed above.
The LibraryObjectType type is intended to characterize software libraries.
The Name field specifies the full file name of the library. Example: abcd.dll.
The Path field specifies the fully-qualified path to the library.
The Size field specifies the size of the library, in bytes.
The Type field specifies the type of library being characterized.
The Version field specifies the library version.
The Base_Address field specifies the default virtual address into which the library is loaded.
A description of features extracted from this file.
LibraryType specifies library types, via a union of the LibraryTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Kernel_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsKernelObjectType type is intended to characterize Windows Kernel structures.
The IDT field characterizes the Windows Interrupt Descriptor Table (IDT).
The SSDT field characterizes the Windows System Service Descriptor Table (SSDT). The SSDT is a structure that the kernel uses to dispatch functions. KeServiceDescriptorTable is a table exported by the kernel that contains pointers to four SSDTs: one for the native API, one for user/GDI support, one for IIS SPUD (in Windows 2000), and one unused. See http://www.honeynet.org/node/438; Sven Boris Schreiber, Undocumented Windows 2000 Secrets (http://undocumented.rawol.com/sbs-w2k-2-the-windows-2000-native-api.pdf); Greg Hoglund and James Butler, Rootkits: Subverting the Windows Kernel.
The SSDTEntryListType type specifies a listing of the entries in the System Service Descriptor Table (SSDT).
Specifies an entry in the System Service Descriptor Table.
The SSDTEntryType type specifies a single entry in the System Service Descriptor Table (SSDT).
The hooked attribute specifies whether the SSDT entry is hooked.
Pointer to the system service dispatch table, an array of function addresses which is indexed by the system call number.
Pointer to an array of usage counters.
Number of entries in the system service dispatch table.
Pointer to an array of bytes, which indicate the number of bytes used by the function's arguments.
The IDTEntryListType type specifies a listing of the entries in the Interrupt Descriptor Table (IDT). The IDT is specific to the I386 architecture, indicating where the Protected mode Interrupt Service Routines (ISR) are located. See http://wiki.osdev.org/Interrupt_Descriptor_Table.
Specifies an entry in the Interrupt Descriptor Table.
The IDTEntryType type specifies a single entry in the Interrupt Descriptor Table (IDT). Entries can be interrupt gates, task gates, and trap gates.
A byte that encodes the gate type and interrupt attributes (e.g., the Descriptor Privilege Level).
Higher part of the interrupt function's offset address (bits 16-31 in 32-bit, bits 32-63 in 64-bit).
Lower part of the interrupt function's offset address (bits 0-15).
In 64-bit architectures, middle part of the interrupt function's offset address (bits 16-31).
A 16-bit value that points to a code segment selector in the Global Descriptor Table.
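As an added example (not part of the CybOX schema or any MITRE code), the following C reassembles an interrupt handler's address from the three offset pieces an IDTEntryType records and decodes the type/attribute byte; the struct mirrors the schema's fields rather than the raw in-memory descriptor layout, and the field names, the sample entries, and the kernel-image range used by the validation check are this example's own assumptions.

```c
/* Added example, not part of the CybOX schema: reassemble an interrupt
 * handler's address from the pieces an IDTEntryType records (offset low,
 * middle, high) and decode the type/attribute byte. Field and function
 * names are this example's own; the struct mirrors the schema's fields,
 * not the raw in-memory descriptor layout. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t offset_low;    /* bits 0-15 of the handler address */
    uint16_t offset_middle; /* bits 16-31, only used by 64-bit descriptors */
    uint32_t offset_high;   /* bits 16-31 (32-bit) or bits 32-63 (64-bit) */
    uint16_t selector;      /* code segment selector into the GDT */
    uint8_t  type_attr;     /* gate type, DPL, present bit */
} idt_entry_t;

/* Gate type values carried in the low nibble of type_attr (x86 encoding). */
enum idt_gate_type {
    IDT_GATE_TASK   = 0x5,
    IDT_GATE_INT16  = 0x6,
    IDT_GATE_TRAP16 = 0x7,
    IDT_GATE_INT32  = 0xE,   /* also the 64-bit interrupt gate */
    IDT_GATE_TRAP32 = 0xF    /* also the 64-bit trap gate */
};

/* Rebuild the full handler offset. In 32-bit mode the "high" field holds
 * only bits 16-31, so just its low 16 bits are meaningful. */
uint64_t idt_handler_offset(const idt_entry_t *e, bool is_64bit)
{
    if (is_64bit) {
        return (uint64_t)e->offset_low
             | ((uint64_t)e->offset_middle << 16)
             | ((uint64_t)e->offset_high << 32);
    }
    return (uint64_t)e->offset_low
         | ((uint64_t)(e->offset_high & 0xFFFFu) << 16);
}

/* type_attr layout: bits 0-3 gate type, bits 5-6 DPL, bit 7 present. */
unsigned idt_gate_type(const idt_entry_t *e) { return e->type_attr & 0x0Fu; }
unsigned idt_dpl(const idt_entry_t *e)       { return (e->type_attr >> 5) & 0x3u; }
bool     idt_present(const idt_entry_t *e)   { return (e->type_attr & 0x80u) != 0; }

/* Validation a defender can apply to a captured table: a present entry
 * whose handler lies outside the address range of the expected kernel
 * image (kernel_lo..kernel_hi, supplied by the analyst) deserves a
 * closer look. */
bool idt_entry_suspicious(const idt_entry_t *e, bool is_64bit,
                          uint64_t kernel_lo, uint64_t kernel_hi)
{
    if (!idt_present(e))
        return false;
    uint64_t off = idt_handler_offset(e, is_64bit);
    return off < kernel_lo || off >= kernel_hi;
}

/* Constructed sample entries (values invented for this example). */
idt_entry_t idt_sample_64(void)
{
    /* present, DPL 0, 64-bit interrupt gate (0x8E) */
    idt_entry_t e = { 0x1234, 0x5678, 0xFFFFF800u, 0x0010, 0x8E };
    return e;
}

idt_entry_t idt_sample_32(void)
{
    /* present, DPL 3, 32-bit trap gate (0xEF); high field holds bits 16-31 */
    idt_entry_t e = { 0x1234, 0x0000, 0x8053u, 0x0008, 0xEF };
    return e;
}

int main(void)
{
    idt_entry_t e64 = idt_sample_64();
    idt_entry_t e32 = idt_sample_32();
    printf("64-bit handler: 0x%016llx type=0x%x dpl=%u present=%d\n",
           (unsigned long long)idt_handler_offset(&e64, true),
           idt_gate_type(&e64), idt_dpl(&e64), idt_present(&e64));
    printf("32-bit handler: 0x%08llx type=0x%x dpl=%u present=%d\n",
           (unsigned long long)idt_handler_offset(&e32, false),
           idt_gate_type(&e32), idt_dpl(&e32), idt_present(&e32));
    return 0;
}
```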
<schema>Win_Waitable_Timer_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WaitableTimerTypeEnum type is an enumeration of Windows waitable timer types.
A timer whose state remains signaled until SetWaitableTimer is called to establish a new due time. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms687012(v=vs.85).aspx.
A timer whose state remains signaled until a thread completes a wait operation on the timer object. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms687012(v=vs.85).aspx.
A timer that is reactivated each time the specified period expires, until the timer is reset or canceled. A periodic timer is either a periodic manual-reset timer or a periodic synchronization timer. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms687012(v=vs.85).aspx.
The WindowsWaitableTimerObjectType is intended to characterize Windows waitable timer (synchronization) objects.
The Handle field specifies the handle to the Windows waitable timer object. It imports and uses the WindowsHandleObjectType type from the CybOX Windows Handle object.
The Name field specifies the name of the Windows waitable timer object.
The Security_Attributes field specifies the security attributes for the Windows waitable timer object.
The Type field specifies the type of the Windows waitable timer object.
WaitableTimerType specifies Windows waitable timer types via a union of the WaitableTimerTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Network_Route_Entry_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The RouteTypeEnum type is an enumeration of network route types.
Indicates a route that is invalid.
Indicates routing from one machine directly to another, where both machines reside on the same physical network.
Indicates an indirect route, where packets must be sent via a gateway.
The NetworkRouteEntryObjectType type is intended to characterize generic system network routing table entries.
The is_ipv6 field specifies whether the route uses IPv6 addresses.
The is_autoconfigure_address field specifies whether the destination IP address for the route is automatically configured.
The is_immortal field specifies whether the lifetimes for the route prefixes are infinite.
The is_loopback field specifies whether the route is the default for all packets sent to local network addresses.
The is_publish field specifies whether the route is published.
The Destination_Address field specifies the destination IP address of the network route. It imports and uses the AddressObjectType from the CybOX Address object.
The Origin field specifies the origin address of the network route. It imports and uses the AddressObjectType from the CybOX Address object.
The Netmask field specifies the netmask for the destination network.
The Gateway_Address field specifies the IP address of the gateway through which all packets using this route are forwarded. It imports and uses the AddressObjectType from the CybOX Address object.
The Metric field specifies the distance to the target, in terms of hops.
The Type field specifies the type of network route being characterized.
The Protocol field specifies the name of the routing protocol with which the route was added.
The Interface field specifies the name of the network interface to which all packets for the route will be sent.
The Preferred_Lifetime field specifies the preferred lifetime of the route, in seconds.
The Valid_Lifetime field specifies the lifetime for which the route is valid, in seconds.
The Route_Age field specifies the number of seconds since the route was added or modified in the routing table.
The Network_Route_Entry object is intended to characterize generic system network routing table entries.
RouteType specifies route types, via a union of the RouteTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Win_Mutex_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsMutexObjectType type is intended to characterize Windows mutual exclusion (mutex) objects.
The Handle field specifies the open Windows handle to the mutex. It imports and uses the WindowsHandleObjectType from the CybOX Windows Handle Object.
The Security_Attributes field specifies the Windows security attributes for the mutex.
<schema>Win_Filemapping_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The PageProtectionValueEnum is an enumeration of Windows file mapping page protection value types.
Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or execute access.
Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, read/write, or execute access.
Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or execute access. This value is equivalent to PAGE_EXECUTE_READ.
Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only or copy-on-write access.
Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only, copy-on-write, or read/write access.
Specifies that the mapped view of the file represented by the file mapping can be mapped for read-only or copy-on-write access. This value is equivalent to PAGE_READONLY.
The PageProtectionAttributeEnum is an enumeration of Windows file mapping page protection attribute types.
Specifies that, if the file mapping is backed by the operating system paging file, the entire range of pages is committed rather than reserved when a view of the file is mapped into a process address space.
Specifies that the file mapped by the file mapping is an executable image file.
Specifies that the file mapped by the file mapping is an executable image file that will not be executed and the loaded image file will have no forced integrity checks run.
Enables large pages to be used for file mapping objects that are backed by the operating system paging file.
Sets all pages to be non-cacheable.
Specifies that when a view of the file is mapped into a process address space, the entire range of pages is reserved for later use by the process rather than committed. Only valid if the file mapping is backed by the operating system paging file.
Sets all pages to be write-combined.
The WindowsFilemappingObjectType type is intended to characterize Windows file mapping objects.
The Name field specifies the name of the file mapping.
The File_Handle field specifies the Windows handle to the file from which the file mapping was created. It uses the WindowsHandleObjectType from the imported CybOX Windows Handle Object.
The Handle field specifies the Windows handle to the file mapping. It uses the WindowsHandleObjectType from the imported CybOX Windows Handle Object.
The Page_Protection field specifies the page protection value (i.e. PAGE_) specified for the file mapping.
The Page_Protection_Attribute field specifies a page protection attribute (i.e. SEC_) to be used in combination with the page protection value captured in the Page_Protection field. One or more such attributes can be specified using this field.
The Maximum_Size field specifies the maximum allowed size for the file mapping, in bytes. This value is typically initialized upon creation of the file mapping.
The Actual_Size field captures the actual size of the file mapping, in bytes.
The Security_Attributes field specifies the Windows security attributes for the file mapping.
The PageProtectionAttributeType specifies the optional Windows file mapping page protection attribute types (i.e. SEC_) via a union of the PageProtectionAttributeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
The PageProtectionValueType specifies Windows file mapping page protection value types (i.e. PAGE_) via a union of the PageProtectionValueEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
<schema>Linux_Package_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The LinuxPackageObjectType type is intended to characterize Linux packages.
The Architecture field specifies the architecture for which the package was built. Examples include "i386", "armhf", "ppc", "sparc", "x86_64", "mips", "noarch", etc.
The Category field specifies the categories under which a package may be displayed.
The Description field specifies an in-depth description of a package.
The Epoch field specifies the epoch number of the package.
The EVR field specifies the epoch, version, and release fields of the package as a single version string.
The Name field specifies the name of the package.
The Release field specifies the release number of the package build.
The Vendor field specifies the vendor that holds the software copyright of the package.
The Version field specifies the version number of the package build.
<schema>User_Account_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The UserAccountObjectType type is intended to characterize generic user accounts.
The password_required field specifies whether a password is required for this user account.
The Full_Name field specifies the full name of the user for which this account was created.
The Group_List field specifies the list of groups to which the user account belongs.
The Home_Directory field specifies the fully-qualified path to the home directory of the user account.
The Last_Login field specifies the date/time that the user account was last logged into.
The Privilege_List field specifies the privileges that the user account has.
The Script_Path field specifies the fully-qualified path to the directory where the logon script for the user account resides.
The Username field specifies the particular username of the user account.
The User_Password_Age field specifies the current age of the user account's password.
The PrivilegeListType type specifies the list of privileges that the user account has.
The Privilege field specifies a specific privilege that a user has. This is an abstract type since user privileges are operating-system specific, and is extended as needed in the derived CybOX object schemas.
The PrivilegeType type specifies a specific privilege that a user has. This is an abstract type since user privileges are operating-system specific, and is extended as needed in the derived CybOX object schemas.
The GroupListType type specifies the groups that the user account belongs to.
The Group field specifies a group that a user account belongs to. This is an abstract type since group IDs are operating-system specific, and is extended as needed in the derived CybOX object schemas.
The GroupType type specifies a group that a user account belongs to. This is an abstract type since group IDs are operating-system specific, and is extended as needed in the derived CybOX object schemas.
<schema>Image_File_Object</schema>
<version>1.0</version>
<date>01/22/2014</date>
The ImageFileFormatEnum type is a non-exhaustive enumeration of common image file formats.
Specifies the Joint Photographic Experts Group (JPEG) JPEG File Interchange Format (JFIF).
Specifies the Joint Photographic Experts Group (JPEG) 2000 format.
Specifies the Exchangeable image file format (Exif).
Specifies the Tagged Image File Format (TIFF).
Specifies the Digital Negative (DNG) image file format.
Specifies the Graphics Interchange Format (GIF).
Specifies the Windows bitmap (BMP) image file format.
Specifies the Portable Network Graphics (PNG) image file format.
The ImageFileObjectType type is intended to characterize image files.
The image_is_compressed field specifies whether the image in the image file is compressed.
The Image_File_Format field specifies the name of the file format used in the image file. It is strongly recommended that the values provided in the ImageFileFormatEnum are used for describing common image formats, but other formats may also be specified as a custom string.
The Image_Height field specifies the height of the image in the image file, in pixels.
The Image_Width field specifies the width of the image in the image file, in pixels.
The Bits_Per_Pixel field specifies the sum of bits used for each color channel in the image in the image file, and thus the total number of bits used for expressing the color depth of the image.
The Compression_Algorithm field specifies the name of the compression algorithm used to compress the image, if applicable. Note that for many popular image formats, such as JPEG, the compression algorithm is inherent to the file format and so does not need to be captured here as long as the format itself is identified in the Image_File_Format field.
The ImageFileFormatType specifies image file formats via a union of the ImageFileFormatEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
<schema>Win_Computer_Account_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WinComputerAccountObject type is intended to characterize Windows computer accounts.
The Fully_Qualified_Name field refers to the fully qualified name(s) of the Windows computer account.
The Kerberos field specifies the Kerberos authentication protocol specific Object properties for the Windows computer account.
The Security_ID field specifies the Security ID (SID) value assigned to the Windows computer account.
The Security_Type field specifies the type of Security ID (SID) assigned to the Windows computer account.
The Type field specifies the type of the Windows computer account.
The FullyQualifiedNameType type refers to the fully qualified name(s) of the Windows computer account.
The NetBEUI_Name field specifies the NETBEUI name of the Windows computer account.
The Full_Name field specifies the full name of the Windows computer account.
The KerberosType type specifies the Kerberos authentication protocol specific Object properties for the Windows computer account.
The Delegation field specifies the Kerberos delegation used for the Windows computer account.
The Ticket field specifies the ID of the Kerberos ticket assigned to the Windows computer account.
The Delegation field specifies the Kerberos delegation used for the Windows computer account.
The Bitmask field specifies the bitmask used in the Kerberos delegation for the Windows computer account.
The Service field specifies the properties of the Kerberos delegation service for the Windows computer account.
The KerberosServiceType specifies the properties of the Kerberos delegation service for the Windows computer account.
The Computer field specifies the computer name for the Kerberos service.
The Name field specifies the name of the Kerberos service.
The Port field specifies the port for the Kerberos service.
The User field specifies the username for the Kerberos service.
<schema>Device_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The DeviceObjectType type is intended to characterize a specific Device.
The Description field is intended for use in providing a brief description of the Device.
The Device_Type field specifies the type of the device.
The Manufacturer field specifies the manufacturer of the device.
The Model field specifies the model identifier of the device.
The Serial_Number field specifies the serial number of the Device.
The Firmware_Version field specifies the version of the firmware running on the device.
The System_Details field captures the details of the system that may be present on the device. It uses the abstract ObjectPropertiesType which permits the specification of any Object; however, it is strongly recommended that the System Object or one of its subtypes be used in this context.
<schema>Whois_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WhoisStatusEnum enumeration lists all valid statuses for a domain within a whois entry.
The 5-day Add Grace Period after the initial registration of a domain. If the domain is deleted by the registrar during this period, the registry provides a credit to the registrar for the cost of the registration.
The 5-day period after a domain registration period is explicitly extended (renewed) by the registrar. If the domain is deleted by the registrar during this period, the registry provides a credit to the registrar for the cost of the renewal.
The 45-day period after a domain registration period expires and is extended (renewed) automatically by the registry. If the domain is deleted by the registrar during this period, the registry provides a credit to the registrar for the cost of the renewal.
The 5-day period after the successful transfer of domain name registration sponsorship from one registrar to another registrar. If the domain is deleted by the new sponsoring registrar during this period, the registry provides a credit to the registrar for the cost of the transfer.
The 30-day period after a registrar has submitted a delete command to delete a domain from the registry. All Internet services associated with the domain are disabled. During this period, a registrar can submit a request to Restore the domain.
The 5-day period following the PENDING DELETE RESTORABLE period. During this period, all Internet services associated with the domain will remain disabled and the domain cannot be Restored.
The registrar has submitted a Restore request for a domain that was previously in the status of PENDING DELETE RESTORABLE and the registry is awaiting a Restore Report from the registrar.
This is the normal status for a domain that has no pending operations or prohibitions.
The domain has no associated nameservers. A minimum of 2 nameservers must be associated with the domain before it can be published to the zone.
Registrar does not allow the transfer of a domain.
Registrar does not allow the renewal of a domain.
Registrar does not allow the deletion of a domain.
Registrar does not allow the update or modification of a domain.
Registrar will not allow the domain to be published to the zone.
Registry does not allow the transfer of a domain.
Registry does not allow the renewal of a domain.
Registry does not allow the deletion of a domain.
Registry does not allow the update or modification of a domain.
Registry will not allow the domain to be published to the zone.
The WhoisDNSSECTypeEnum defines an enumeration of acceptable values for the DNSSEC field in a Whois entry.
The Signed value signifies that the domain name associated with the Whois entry is digitally signed.
The Unsigned value signifies that the domain name associated with the Whois entry is not digitally signed.
The RegistrarContactTypeEnum defines the types of registrar contacts listed in a whois entry.
The contact is an administrator.
The contact is for billing.
The contact is for technical assistance.
The WhoisObjectType type is intended to characterize Whois information for a domain.
The Lookup_Date field specifies the date and time that the Whois record was queried.
The Domain_Name field specifies the corresponding domain name for this whois entry.
The Domain_ID field specifies the domain id for the domain associated with this Whois entry.
The Server_Name field specifies the corresponding server name for this whois entry. This usually corresponds to a nameserver lookup.
The IP_Address field specifies the corresponding IP address for this whois entry. This usually corresponds to a nameserver lookup.
The DNSSEC element corresponds to the DNSSEC field associated with a Whois entry. Acceptable values are: "Signed" or "Unsigned".
The Nameservers element represents a list of nameserver entries for a Whois entry.
The Status element represents a list of statuses for a given Whois entry.
The Updated_Date field specifies the date on which the registered domain information was last updated.
The Creation_Date field specifies the date on which the registered domain was created.
The Expiration_Date field specifies the date on which the registered domain will expire.
The Regional_Internet_Registry field specifies the name of the Regional Internet Registry (RIR) which allocated the IP address contained in this WHOIS entry.
The Sponsoring_Registrar field holds the name of the sponsoring registrar for the domain.
The Registrar_Info element represents registrar info that would be returned from a registrar lookup.
The Registrants element represents the registrant information associated with a domain lookup.
The Contact_Info element represents contact info that would be returned from a contact lookup.
The Remarks field specifies any remarks associated with this Whois entry.
The Registrar_ID corresponds to the Registrar ID field of a Whois entry.
The Registrar_GUID corresponds to the Registrar GUID field of a Whois entry.
The Name field holds the name of the registrar organization.
The Address field holds the address (location) of the registrar organization.
The main email address for the registrar.
The Phone_Number field holds the phone number of the registrar organization.
The Whois_Server field specifies the corresponding whois server for this registrar.
The Referral_URL field specifies the corresponding referral URL for registrar.
A list of registrar contacts.
The WhoisContactsType represents a list of contacts (usually registrar or registrant) found in a Whois entry.
A contact found in a Whois entry.
The contact_type field specifies what type of contact this is. Only values from WhoisObj:RegistrarContactTypeEnum can be used.
The Contact_ID corresponds to an ID for the contact. This can be presented as Contact ID, Billing ID, Admin ID, Tech ID, etc.
The name of the contact.
The email address of the contact.
The phone number of the contact.
The fax number of the contact.
The address of the contact.
The name of the organization this contact works for or is associated with.
The WhoisStatusesType defines a list of WhoisStatusType objects.
The WhoisNameserversType defines a list of nameservers associated with a Whois entry.
The Nameserver field specifies a nameserver of the domain for this whois entry.
The Registrant_ID specifies the registrant id for a given registrant.
The WhoisRegistrantsType represents a list of registrant information for a given Whois entry.
The WhoisStatusType specifies a status for a domain as listed in its Whois entry. Only statuses defined by WhoisStatusEnum can be used.
<schema>Socket_Address_Object</schema>
<version>1.1</version>
<date>01/22/2014</date>
The SocketAddressObjectType specifies an identifier for a network host (IP address or Hostname) and port number pair.
The Port field specifies the port number component of the socket connection.
<schema>Win_Service_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The ServiceModeEnum type is an enumeration of service modes. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450(v=vs.85).aspx.
A service started automatically by the service control manager during system startup.
A device driver started by the system loader. This value is valid only for driver services.
A service started by the service control manager when a process calls the StartService function.
A service that cannot be started. Attempts to start the service result in the error code ERROR_SERVICE_DISABLED.
A device driver started by the IoInitSystem function. This value is valid only for driver services.
The ServiceStatusEnum type is an enumeration of potential service states. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx.
The service continue is pending.
The service pause is pending.
The service is paused.
The service is running.
The service is starting.
The service is stopping.
The service is not running.
The ServiceTypeEnum type is an enumeration of service types. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx.
The service is a device driver.
The service is a file system driver.
The service runs in its own process.
The service shares a process with other services.
The WindowsServiceObjectType type is intended to characterize Windows services.
Indicates whether or not the DLL is signed.
Indicates whether or not the DLL's signature was verified.
A list of description items for this service.
The Display_Name field specifies the displayed name of the service in Windows GUI controls. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683228(v=vs.85).aspx.
The Group_Name field specifies the name of the load ordering group of which this service is a member.
The Name field specifies the name of the service. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683229(v=vs.85).aspx.
The Service_DLL field specifies the name of the DLL instantiated in the service.
The Certificate Authority (CA) that issued the certificate used to sign the service DLL.
The subject of the certificate (the entity being authenticated).
Hashes for the Service DLL file.
The Service_DLL_Signature_Description field provides a description of the digital signature for the service DLL.
The Startup_Command_Line field specifies the full command line used to start the service.
Service start options. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450(v=vs.85).aspx.
Status information for a service. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx.
The Type field specifies the type of the service.
The Started_As field specifies the name of the account under which the service was started.
A collection of service descriptions.
A description of the service. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685156(v=vs.85).aspx.
ServiceModeType specifies Windows service modes via a union of the ServiceModeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
ServiceModeType specifies Windows service states via a union of the ServiceStatusEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
ServiceType specifies Windows service types via a union of the ServiceTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>Process_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The ProcessObjectType type is intended to characterize system processes.
The is_hidden field specifies whether the process is hidden or not.
The PID field specifies the Process ID, or PID, of the process.
The Name field specifies the name of the process.
The Creation_Time field specifies the local date/time at which the process was created.
The Parent_PID field specifies the process ID (PID) of the parent process (i.e. the process that spawned this one), if applicable.
NOTE: this field will be deprecated in the next major version of this object, at which point the parent process of this process should be specified using a Related_Object with the "Child_Of" Relationship value.
The Child_PID_List field specifies any children spawned by the process being characterized, by way of a list of PIDs.
NOTE: this field will be deprecated in the next major version of this object, at which point child processes of this process should be specified using a Related_Object with the "Parent_Of" Relationship value.
The Image_Info field specifies information about the image associated with the process, such as its file name and path.
The Argument_List field is optional and specifies a list of arguments utilized in initiating the process.
The Environment_Variable_List field specifies any environment variables associated with the process. This field imports and uses the EnvironmentVariableListType from the CybOX Common Types.
The Kernel_Time field specifies the duration of time that the process has executed in kernel mode.
The Port_List field is optional and specifies a list of ports owned by the process.
The Network_Connection_List field specifies information about any network connections opened or initiated by the process.
The Start_Time field specifies the local date/time at which the process was started.
The Status field specifies the current status of the process. Since this is an operating system specific Object property, this is defined here as an abstract type which is then used as a base type in any OS-specific extensions.
The Username field specifies the name of the user that created the process.
The User_Time field specifies the duration of time that the process has executed in user mode.
A description of features extracted from the memory image of this process.
The NetworkConnectionListType type is a list of network connections.
The Network_Connection field specifies information about a single network connection opened or initiated by the process.
The ImageInfoType type captures information about the process image.
The File_Name field specifies the name of the binary file which represents the process image.
The Command_Line field specifies the complete command used to execute the process image.
The Current_Directory field specifies the current directory of the process image.
The Path field specifies the fully qualified path to the image file, including the file name.
The ProcessStatusType is used for specifying the status of a running or terminated process. Since this property is platform-specific, it is created here as an abstract type and then used in the platform-specific process CybOX objects.
The ChildPIDListType type captures the PIDs of the children of the process in a list format.
The Child_PID field specifies the process ID of a single child process.
The ArgumentListType is intended to specify a list of arguments utilized in initiating the process.
The Argument field is optional and specifies a single argument utilized in initiating the process.
The PortListType is intended to specify a list of network ports.
The Port field is optional and specifies a single network port.
<schema>Custom_Object</schema>
<version>1.1</version>
<date>01/22/2014</date>
The CustomObjectType is intended to characterize objects that are not described by other defined CybOX Object schemas. Objects of this type have no pre-defined properties but instead all properties are provided by the author using the inherited Custom_Properties field.
The custom_name field specifies a name for this type of Custom Object. The custom_name field should use the same namespace as used in the Object and Observable id fields for this author. Two Objects should only have the same custom_name value if they are written by the same author (i.e., their namespace is the same) and they are characterizing the same type of Object. Note that this does not necessarily mean that two such Object instances will both have identical properties in every case.
A description of the intent of this Custom object.
<schema>Win_Prefetch_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.
Name of the executable of the prefetch file.
An eight character hash of the location from which the application was run.
The number of times the prefetch application has executed.
Timestamp of when the prefetch application was first run.
Timestamp of when the prefetch application was last run.
The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.
Files (e.g., DLLs and other support files) used by the application during startup.
Directories accessed by the prefetch application during startup.
The AccessedFileListType specifies a list of files accessed by a prefetch application.
Specifies the filename of the accessed file.
The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.
Specifies the pathname of the accessed directory.
VolumeType characterizes the volume information in the Windows prefetch file.
The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.
The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.
<schema>Unix_File_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The UnixFileTypeEnum type is an enumeration of file types used by the Unix family of operating systems. These file types can be determined via the output of the ls and stat commands.
Specifies a regular file, denoted in UNIX by the first dash (-) in a file with permissions -rw-r--r--.
Specifies a directory, denoted in UNIX by the d in a file with permissions drw-r--r--.
Specifies a socket, denoted in UNIX by the s in a file with permissions srw-r--r--.
Specifies a symbolic link, denoted in UNIX by the l in a file with permissions lrw-r--r--.
Specifies a block device, such as /dev/sda, denoted in UNIX by the b in a file with permissions brw-rw----.
Specifies a character device, such as /dev/null, denoted in UNIX by the c in a file with permissions crw-------.
The UnixFileObjectType type is intended to characterize Unix files.
The Group_Owner field specifies the name of the group which owns the file.
The INode field specifies the inode, or index node, value of the file.
Specifies file type using the UnixFileTypeEnum enumeration.
The UnixFilePermissionsType type specifies the specific permissions used by the Unix family of operating systems.
The suid field specifies whether or not the file may be executed with the privileges of the file's owner.
The sgid field specifies whether or not the file may be executed with the privileges of the file's group owner.
The uread field specifies whether or not the owner of the file can read its contents.
The uwrite field specifies whether or not the owner of the file can write to it.
The uexec field specifies whether or not the owner of the file can execute it.
The gread field specifies whether or not the group owner of the file can read its contents.
The gwrite field specifies whether or not the group owner of the file can write to it.
The gexec field specifies whether or not the group owner of the file can execute it.
The oread field specifies whether or not all other users can read the contents of the file.
The owrite field specifies whether or not all other users can write to the file.
The oexec field specifies whether or not all other users can execute the file.
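The UnixFileTypeEnum entries above are keyed to the first character of an `ls -l` mode string, and the UnixFilePermissionsType fields are the remaining nine characters with the setuid/setgid bits folded into the exec positions. The following is an added example (not CybOX project code) that maps either an `ls -l` mode string or a raw `st_mode` value onto those fields, handling the `s`/`S` and `t`/`T` forms that trip up naive parsers. The enumeration value spellings ("regular file", "directory", and so on) and the helper names are assumptions; the page gives only the descriptions.

```python
"""Map a Unix mode (ls -l string or raw st_mode) onto the UnixFileTypeEnum
and UnixFilePermissionsType fields. Added example, not CybOX project code."""
import stat

# ls -l type column -> file type, per the enumeration above. The value
# spellings are assumed here; the page gives only the descriptions.
LS_TYPE_CHARS = {
    "-": "regular file",
    "d": "directory",
    "s": "socket",
    "l": "symbolic link",
    "b": "block device",
    "c": "character device",
}

# The same six types tested on a raw st_mode with the stdlib stat predicates.
ST_MODE_TYPES = [
    (stat.S_ISREG, "regular file"),
    (stat.S_ISDIR, "directory"),
    (stat.S_ISSOCK, "socket"),
    (stat.S_ISLNK, "symbolic link"),
    (stat.S_ISBLK, "block device"),
    (stat.S_ISCHR, "character device"),
]


def parse_ls_mode(mode: str) -> dict:
    """Parse a 10-character ls -l mode string such as '-rwsr-xr-x'."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string")
    file_type = LS_TYPE_CHARS.get(mode[0])
    if file_type is None:
        # FIFOs ('p') and doors ('D') exist but are not in UnixFileTypeEnum.
        raise ValueError(f"file type {mode[0]!r} is not in UnixFileTypeEnum")
    u, g, o = mode[1:4], mode[4:7], mode[7:10]
    # 's' = setuid/setgid with the exec bit, 'S' = set without exec.
    # 't'/'T' is the sticky bit in the others' exec position; the permissions
    # type has no sticky field, so only the exec half of it is kept.
    perms = {
        "suid": u[2] in "sS",
        "sgid": g[2] in "sS",
        "uread": u[0] == "r", "uwrite": u[1] == "w", "uexec": u[2] in "xs",
        "gread": g[0] == "r", "gwrite": g[1] == "w", "gexec": g[2] in "xs",
        "oread": o[0] == "r", "owrite": o[1] == "w", "oexec": o[2] in "xt",
    }
    return {"type": file_type, "permissions": perms}


def parse_st_mode(st_mode: int) -> dict:
    """Same mapping from a raw st_mode value as returned by os.stat/os.lstat."""
    file_type = next((name for test, name in ST_MODE_TYPES if test(st_mode)), None)
    if file_type is None:
        raise ValueError("file type is not in UnixFileTypeEnum")
    perms = {
        "suid": bool(st_mode & stat.S_ISUID),
        "sgid": bool(st_mode & stat.S_ISGID),
        "uread": bool(st_mode & stat.S_IRUSR),
        "uwrite": bool(st_mode & stat.S_IWUSR),
        "uexec": bool(st_mode & stat.S_IXUSR),
        "gread": bool(st_mode & stat.S_IRGRP),
        "gwrite": bool(st_mode & stat.S_IWGRP),
        "gexec": bool(st_mode & stat.S_IXGRP),
        "oread": bool(st_mode & stat.S_IROTH),
        "owrite": bool(st_mode & stat.S_IWOTH),
        "oexec": bool(st_mode & stat.S_IXOTH),
    }
    return {"type": file_type, "permissions": perms}


def setuid_and_world_writable(record: dict) -> bool:
    """Hypothetical triage check: a setuid/setgid file that any user may write
    lets its privileged code be replaced, so such a record deserves review."""
    p = record["permissions"]
    return (p["suid"] or p["sgid"]) and p["owrite"]


if __name__ == "__main__":
    # Constructed sample mode strings, not taken from a real host.
    for sample in ("-rwsr-xr-x", "-rwSr--r--", "drwxrwxrwt", "crw-------"):
        rec = parse_ls_mode(sample)
        print(sample, rec["type"], "suid" if rec["permissions"]["suid"] else "")
    print(parse_st_mode(0o104755) == parse_ls_mode("-rwsr-xr-x"))
```

Both parsers produce the same dictionary for the same file, which makes the string form useful when only `ls` output (say, from a captured shell session) is available and the `st_mode` form useful when walking a live file system with `os.lstat`.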
UnixFileType specifies Unix file types, via a union of the UnixFileTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
<schema>API_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The APIObjectType type is intended to characterize a specific Application Programming Interface.
The Description field is intended for use in providing a brief description of the API.
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
The Platform field specifies the relevant platform for this API.
The Address field contains the address of the API call in the binary.
<schema>Volume_Object</schema>
<version>2.1</version>
<date>01/22/2014</date>
The FileSystemFlagEnum type is an enumeration of flags used by file systems on volumes, especially those on Windows Operating Systems. See http://msdn.microsoft.com/en-us/library/windows/desktop/aa364993(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/cc232101(v=prot.13).aspx for more information.
<p><span>Indicates that the specified volume supports case-sensitive file names. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000001.</span></p>
<p><span>Indicates that the specified volume supports preserved case of file names when it places a name on disk. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000002.</span></p>
<p><span>Indicates that the specified volume supports preserved case of file names when it places a name on disk. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000004.</span></p>
<p><span>Indicates that the specified volume preserves and enforces access control lists (ACL). For example, the NTFS file system preserves and enforces ACLs, and the FAT file system does not. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000008.</span></p>
<p><span>Indicates that the specified volume supports file-based compression. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000010.</span></p>
<p><span>Indicates that the specified volume supports disk quotas. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000020.</span></p>
<p><span>Indicates that the specified volume supports sparse files. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000040.</span></p>
<p><span>Indicates that the specified volume supports re-parse points. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00000080.</span></p>
<p><span>Indicates that the specified volume supports remote storage. This is not listed with a lpFileSystemFlags value in documentation, but corresponds to the FileSystemAttributes value 0x00000100.</span></p>
<p><span>Indicates that the specified volume is a compressed volume, for example, a DoubleSpace volume. This flag is incompatible with the FILE_FILE_COMPRESSION flag. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00008000.</span></p>
<p><span>Indicates that the specified volume supports object identifiers. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00010000.</span></p>
<p><span>Indicates that the specified volume supports encryption. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00020000.</span></p>
<p><span>Indicates that the specified volume supports named streams. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00040000.</span></p>
<p><span>Indicates that the specified volume is read-only. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00080000.</span></p>
<p><span>Indicates that the specified volume supports a single sequential write. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00100000.</span></p>
<p><span>Indicates that the specified volume supports transactions. For more information about transactions, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa365993(v=vs.85).aspx. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00200000.</span></p>
<p><span>Indicates that the specified volume supports hard links. For more information about hard links, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa365006(v=vs.85).aspx. Note that hard links are DIFFERENT from symbolic links. This value is ONLY supported for Windows Server 2008 R2 and Windows 7 and later. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00400000.</span></p>
<p><span>Indicates that the specified volume supports extended attributes. An extended attribute is a piece of application-specific metadata that an application can associate with a file and is not part of the file's data. This value is ONLY supported for Windows Server 2008 R2 and Windows 7 and later. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x00800000.</span></p>
<p><span>Indicates that the specified volume supports open by FileID. For more information about open by FileID, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa364226(v=vs.85).aspx. This value is ONLY supported for Windows Server 2008 R2 and Windows 7 and later. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x01000000.</span></p>
<p><span>Indicates that the specified volume supports unique service number (USN) journals. For more information about USN journals, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa363803(v=vs.85).aspx. This value is ONLY supported for Windows Server 2008 R2 and Windows 7 and later. This corresponds to the lpFileSystemFlags and FileSystemAttributes value 0x02000000.</span></p>
<p><span>Indicates that the specified volume supports integrity streams. Currently, this value is ONLY available for ReFS and Windows 8 Beta. This corresponds to the FileSystemAttributes value 0x04000000.</span></p>
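Each FileSystemFlagEnum entry above is one bit of the `lpFileSystemFlags` value that `GetVolumeInformation` reports (and of the SMB `FileSystemAttributes` field), so a collector that wants to populate a File_System_Flag_List has to decode a 32-bit mask. The following is an added example, not CybOX or Windows code: it decodes such a mask into flag names using the bit values listed above, reports bits the enumeration does not define, and flags the incompatibility the text notes between a compressed volume and file-based compression. The `FILE_*` constant names are the Win32 names from the GetVolumeInformation documentation and are an assumption here, since the page lists only values and descriptions; the sample mask is constructed.

```python
"""Decode a Win32 lpFileSystemFlags / FileSystemAttributes bitmask into the
flag names a File_System_Flag_List would carry. Added example, not CybOX code."""

# Bit values as listed for FileSystemFlagEnum above. The FILE_* names are the
# Win32 constant names (assumed from the GetVolumeInformation docs, not the page).
FILE_SYSTEM_FLAGS = {
    0x00000001: "FILE_CASE_SENSITIVE_SEARCH",
    0x00000002: "FILE_CASE_PRESERVED_NAMES",
    0x00000004: "FILE_UNICODE_ON_DISK",
    0x00000008: "FILE_PERSISTENT_ACLS",
    0x00000010: "FILE_FILE_COMPRESSION",
    0x00000020: "FILE_VOLUME_QUOTAS",
    0x00000040: "FILE_SUPPORTS_SPARSE_FILES",
    0x00000080: "FILE_SUPPORTS_REPARSE_POINTS",
    0x00000100: "FILE_SUPPORTS_REMOTE_STORAGE",
    0x00008000: "FILE_VOLUME_IS_COMPRESSED",
    0x00010000: "FILE_SUPPORTS_OBJECT_IDS",
    0x00020000: "FILE_SUPPORTS_ENCRYPTION",
    0x00040000: "FILE_NAMED_STREAMS",
    0x00080000: "FILE_READ_ONLY_VOLUME",
    0x00100000: "FILE_SEQUENTIAL_WRITE_ONCE",
    0x00200000: "FILE_SUPPORTS_TRANSACTIONS",
    0x00400000: "FILE_SUPPORTS_HARD_LINKS",
    0x00800000: "FILE_SUPPORTS_EXTENDED_ATTRIBUTES",
    0x01000000: "FILE_SUPPORTS_OPEN_BY_FILE_ID",
    0x02000000: "FILE_SUPPORTS_USN_JOURNAL",
    0x04000000: "FILE_SUPPORTS_INTEGRITY_STREAMS",
}

# The enumeration text says a compressed volume is incompatible with
# file-based compression; both bits set at once means the value is suspect.
INCOMPATIBLE_PAIRS = [("FILE_VOLUME_IS_COMPRESSED", "FILE_FILE_COMPRESSION")]

# OR of every bit the enumeration defines, used to spot undefined bits.
KNOWN_MASK = 0
for _bit in FILE_SYSTEM_FLAGS:
    KNOWN_MASK |= _bit


def decode_file_system_flags(mask: int) -> dict:
    """Return the set flag names, bits the enum does not define, and conflicts."""
    if mask < 0 or mask > 0xFFFFFFFF:
        raise ValueError("lpFileSystemFlags is an unsigned 32-bit value")
    flags = [name for bit, name in sorted(FILE_SYSTEM_FLAGS.items()) if mask & bit]
    unknown_bits = mask & ~KNOWN_MASK & 0xFFFFFFFF
    conflicts = [pair for pair in INCOMPATIBLE_PAIRS
                 if pair[0] in flags and pair[1] in flags]
    return {"flags": flags, "unknown_bits": unknown_bits, "conflicts": conflicts}


def volume_enforces_acls(mask: int) -> bool:
    """True when the file system preserves and enforces ACLs (NTFS yes, FAT no),
    which decides whether file permissions on the volume mean anything."""
    return bool(mask & 0x00000008)


if __name__ == "__main__":
    # Constructed sample of the shape GetVolumeInformation reports for an NTFS
    # volume; not captured from a real host.
    sample = 0x03E700FF
    result = decode_file_system_flags(sample)
    print(f"{len(result['flags'])} flags set; unknown bits 0x{result['unknown_bits']:08X}")
    for name in result["flags"]:
        print("  ", name)
    print("ACLs enforced:", volume_enforces_acls(sample))
```

Reporting the undefined bits separately, rather than silently dropping them, matters because the enumeration omits several documented bits (0x4000 and 0x80 through 0x8000, for instance); a collector that discards them loses information a later schema version could represent.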
The VolumeObjectType type is intended to characterize generic drive volumes.
The is_mounted field specifies whether the volume is mounted.
The Name field specifies the name of the volume.
The Device_Path specifies the full path to the volume, including the device on which it resides.
The File_System_Type field specifies the name of the file system which is used on the volume.
The Total_Allocation_Units field specifies the total number of allocation units available on the volume.
The Sectors_Per_Allocation_Unit field specifies the number of disk sectors used for each allocation unit on the volume.
The Bytes_Per_Sector field specifies the number of bytes allocated for each sector of the volume.
The Actual_Available_Allocation_Units field specifies the number of allocation units, or clusters, available on the volume.
The Creation_Time field specifies the date/time that the volume was created.
The File_System_Flag_List field specifies the particular flags set for the volume by the file system which is used on the volume.
The Serial_Number field specifies the serial number of the volume.
The VolumeOptionsType type specifies the particular options set for the volume. This is an abstract type since volume options are OS-specific, and is extended by the related OS-specific CybOX volume objects.
The FileSystemFlagListType is a listing of the flags specified for the volume by the file system.
The File_System_Flag field specifies a particular flag used on the volume by the file system.
VolumeFileSystemFlagType specifies file system flags, via a union of the VolumeFileSystemFlagEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
Specification Name: OASIS CIQ TC - extensible Address Language (xAL)
Description: Defines the W3C schema for representing addresses
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
NOTE: Do not modify this schema as it will break specifications compatibility
Please note: These schemas have been modified by the STIX team to support remote validation. The only change made is to the schemaLocation attribute(s).
Complex type that defines the structure of an address with geocode details for reuse
Defines the type of address. An address type can be: Primary Address, Secondary Address, Rural Address, Military Address, etc.
A unique address identifier such as a postal delivery identifier assigned to the address by the local postal authority, e.g. DPID in Australia.
Type of address ID used. e.g. DPID, etc
A globally unique identifier assigned to the address
The purpose the address is used for. E.g. Postal, residential, business, exchange, update, create, delete, etc
Mode of delivery of address. For example: rural route, normal delivery, post office box, etc.
Status of the entity. e.g. Old, Current, Inactive, Active, etc
A primary key to reference Address.
A foreign key to reference attribute Key of Address.
Container for free text address elements where address elements are not parsed
Country details
Details of the top-level area division in the country, such as state, district, province, island, region, etc. Note that some countries do not have this
Details of Locality, which is a named densely populated area (a place) such as a town, village, suburb, etc. A locality is composed of many individual addresses. Many localities exist in an administrative area or a sub administrative area. A locality can also have sub localities. For example, a municipality locality can have many villages associated with it which are sub localities. Example: Tamil Nadu State, Erode District, Bhavani Taluk, Paruvachi Village is a valid address in India. Tamil Nadu is the Administrative Area, Erode is the sub admin area, Bhavani is the locality, and Paruvachi is the sub locality
Details of the Access route along which buildings/lot/land are located, such as street, road, channel, crescent, avenue, etc. This also includes canals/banks on which houses/boat houses are located where people live
Details of the Premises (could be building(s), site, location, property, premise, place) which is a landmark place which has a main address such as a large mail user (e.g. Airport, Hospital, University) or could be a building (e.g. apartment, house) or a building or complex of buildings (e.g. an apartment complex or shopping centre) or even vacant land (e.g. LOT). A premises can have many sub-addresses such as apartments in a building having their own addresses or buildings within an airport having their own addresses including their own thoroughfares
A container for a single free text or structured postcode. Note that not all countries have post codes
A container for postal-specific delivery identifier for remote communities. Note that not all countries have RuralDelivery
Final mail delivery point where the mail is dropped off for recipients to pick them up directly. E.g. POBox, Private Bag, pigeon hole, free mail numbers, etc.
A delivery point/installation where all mail is delivered and the post man/delivery service picks up the mail and delivers it to the recipients through a delivery mode. Examples are a rural post office where post is delivered, a post office containing post office boxes/personal mail boxes. Note that not all countries have PostOffice. Can be used to represent overseas military addresses also along with PostalDeliveryPoint element
GeoRSS GML from Open Geospatial Consortium (www.opengeospatial.net) is a formal GML Application Profile, and supports a greater range of features than Simple, notably coordinate reference systems other than WGS84 latitude/longitude. It is designed for use with Atom 1.0, RSS 2.0 and RSS 1.0, although it can be used just as easily in non-RSS XML encodings.
Simple Geo-coordinates of the address/location
Free format address representation. An address can have more than one line. The order of the AddressLine elements must be preserved.
What does the address line describe? e.g. Street details, suburb details, post code details, whole address, etc
Type of administrative area. e.g. state, city, town, etc
Data associated with the Administrative Area. e.g. Full name of administrative area or part of it. eg. MI in USA, NSW in Australia, reference location to the administrative area
The next level down division of the area. E.g. state / county, province / reservation. Note that not all countries have a subadministrative area
semantics of data associated with name
Name of administrative area represented as a code. e.g. "COL" for COLORADO
Type of code used to represent name as a code
Type of sub administrative area
Data associated with the SubAdministrative Area. e.g. Full name of sub administrative area or part of it.
semantics of data associated with name
Name of administrative area represented as a code. e.g. "COL" for COLORADO
Type of code used to represent name as a code
Type of locality. e.g. suburb, area, zone, village, etc
Data associated with the locality. e.g. Full name of the locality or part of it, reference location to the locality
A locality that is smaller and is contained within the boundaries of its parent locality. Note that not all localities have sub locality. For example, many areas within a locality where each area is a sub locality
semantics of data associated with name
name of locality represented as a code
type of code used to represent name as a code
Type of sub locality
Data associated with the sub locality. e.g. Full name of the locality or part of it, reference location to the locality
semantics of data associated with name
name of locality represented as a code
type of code used to represent name as a code
Another thoroughfare that is required to uniquely identify the location, such as an access route, intersection, corner, adjacent, boundary, etc
Type of code used for Premises Type attribute
Examples of sub-premises are apartments and suites in buildings, shops in malls, etc. or sub-addresses in a land mark place such as airports, military bases, hospitals, etc. Some countries have blocks within blocks
Type of code used for sub premises type attribute
The postcode is formatted according to country-specific rules. Example: SW3 0A8-1A, 600074, 2067. This element can also be used to define the semantics of what each code in the post code means
Type of rural delivery. For some addresses, delivery to rural areas happens via water, air or road
Free text or structured description of rural delivery route. e.g. RD 6
Free text or structured description of a postal delivery point.
Indicates the type of postal delivery office from where the mail will be distributed to the final delivery point by a delivery mode. Example: Post Office, Mail Collection Centre, Letter Carrier Depot, Station, etc.
Name or number of the post office in free text or structured form.
Could be GeoRSS Simple or GeoRSS GML versions. Refer to http://georss.org/ and http://georss.org/gml for further documentation
The collection of the coordinate numeric values for latitude and longitude depends on the agreed position of the meridian. Declaration of the meridian is necessary as it cannot be assumed in the data
Type of code used. e.g. EPSG Code
The collection of the coordinate numeric values depends on the agreed datum within which the measurement was taken. Declaration of the datum is necessary as it cannot be assumed in the data
Type of code used. e.g. EPSG Code, WGS-84
Coordinates have limited utility and application depending on the projection required for visualisation in a map. Declaration of projection is necessary as it cannot be assumed in data
Type of code used. e.g. EPSG Code
Latitude details
Longitude details
Measure of the latitude in degrees
Measure of the latitude in minutes
Measure of the latitude in seconds
The direction of latitude measurement offset from the equator
Measure of the longitude in degrees
Measure of the longitude in minutes
Measure of the longitude in seconds
The direction of longitude measurement offset from the equator
Enumeration of values for the type attribute
Complex type that defines the name of the country and is reused in other CIQ specs
Data associated with the name of the country in whatever form available, e.g. full, abbreviation, common use, code of the country, etc.
Semantics of data associated with name.
Name of the country represented as a code
Type of code used to represent name of country, e.g. iso-3166
Complex type for internal reuse
Indicates which part of the number or identifier this element contains. Some "numbers" are as simple as 42 and some "numbers" are more like complex alphanumeric identifiers, such as postcodes in the UK or Canada, e.g. M2H 2S5. It may be necessary to separate the "number" into sub-elements and indicate what type of information each of them contains.
Complex type for internal reuse
Data associated with the name of the Premises. e.g. Full name of premises or part of the name. E.g. Westfield shopping center, reference data to support the premises location, street in the premises
Data associated with the number of the premises. E.g. House 15, number range, number suffix
Describes the type / part of name this element contains.
Complex type for internal reuse
Type of thoroughfare. e.g. primary road, secondary road, road branch (e.g. Lane 14), road sub branch (e.g. Alley 21), adjoining street, cross street, closest street, etc
Type of code used for thoroughfare
Data associated with the thoroughfare details. e.g. Full thoroughfare name or part of it, type of thoroughfare, old name, new name, reference data in support of the thoroughfare
Data associated with the number of the thoroughfare. E.g. 39 in 39 Baker Street, street range, street suffix
Describes the type / part of name this element contains.
Top level element for address with geocode details
Specification Name: OASIS CIQ TC - extensible Name Language Types (xNL-types)
Description: Defines the W3C schema that provides enumeration lists to support xNL v3.0
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
NOTE: This is the schema in which users can customise the enumeration lists to meet their
exchange requirements. The enumeration values provided are ONLY SAMPLES and
are not complete. It is up to the application to decide what the values should be. To achieve
interoperability between applications using this specification, it is recommended that an
SLA/agreement is in place as to which enumeration values will be used in this file
Please note: These schemas have been modified by the STIX team to support remote validation. The only change made is to the schemaLocation attribute(s).
A list of person name element types, e.g. First Name, Last Name, Title, etc.
His Excellency, Honorable, etc.
A title signifies some sort of status, such as Mr, Miss, Ms (marriage status), or education such as Professor, PhD, Dr, etc.
The most important name element by which this particular individual is identified in the group. E.g. John, Sam, Brian for Anglo-Saxon cultures.
Name elements related to additional identification of the individual, such as names of parents or places.
Name element that identifies the group the individual belongs to and is identified by, such as Last Name, Surname, Family Name, etc.
Any other additional names that are not directly used to identify or call the individual, such as names of ancestors, saints, etc.
A simple nick name that is commonly used as part of the name. E.g. a fancy kick-boxer can be commonly known as Bill "Storm" Bababoons, where "Storm" is obviously an alias.
Junior, Senior, The Second, IV, etc.
A list of organisation name element types, e.g. Name, propriety type, liability type, etc.
"Sakthisoft" in "Sakthisoft Pty. Ltd". "Pty.Ltd" is the legal entity for the organisation name "Sakthisoft"
"Pty. Ltd" in Sakthisoft Pty.Ltd, where "Sakthisoft" is the name of the organisation.
"Inc" in ABC Inc, where "ABC" is the organisation name
Full Name of the organisation. e.g. Sakthisoft Pty. Ltd
A list of common types for person names
Name of an individual before marriage.
Former name of the person
Name that is commonly used by others, e.g. a simplified form of the official name.
A name given to an individual at birth, but later changed (common in some cultures)
Indicates that the party prefers to be called by this name
An official name of the person, e.g. as in a passport, incorporation certificate, etc.
A list of common types for organisation names
Former name of the organisation
unknown
A list of common types for subdivisions
A list of possible values for joint name connector
A list of possible values for types of name lines
A list of all types of Party Name IDs
A list of usage types of party name
A list of usage types of person name
A list of all types of person name IDs
A list of all types of organisation name IDs
A list of usage types for organisation name
Specification Name: OASIS CIQ TC - extensible Name and Address Language Types (xNAL-types)
Description: Defines the W3C schema that provides enumeration lists to support xNAL v3.0
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
A list of possible values for dependency name type
A list of all types of Record IDs
Specification Name: OASIS CIQ TC - extensible Party Information Language Types (xPIL-types)
Description: Defines the W3C schema that provides enumeration lists to support
xPIL.
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
List of information types used for account details
The unique name, number or mixed account identifier, e.g. bank account number
The organisation that assigns and manages the account, e.g. a bank, power supplier, etc.
Commonly recognised names, such as IRD number (for NZ), SSN (for US), ABN (for AU), etc.
The country that issued the account
List of types of blood groups
List of information types used for birth information
Commonly used in some oriental cultures
A free text description of the birth place, e.g. country name, region, etc.
Specific to some cultures
List of communication media types used for contact purposes
List of information types used for phone number details
Code to dial to a country. E.g. 1 for US, 44 for UK
Code to dial an area within a country. For example: "02" for Sydney, "03" for Melbourne
Local number as would be used by others within the same dialing area.
An extension to the number that is usually handled by some PABX
E.g. special access code
Any text that is not part of the phone number, but has some informational content, e.g. Ext.
Area code with local number if one line. May include national access numbers.
Full international number in one line. May include international access numbers.
List of information types used for document details
Usually the number of the document, which can be alphanumeric
Name of the document.e.g. VISA, MASTERCARD for credit cards
A privilege the holder of the document was granted. E.g. security access level
A restriction imposed on the holder of the document. E.g. learners license
A name of a larger group that recognises this document or supports it.
Verification/security code as on a credit card
Category of the document such as Donor Type in a License, Gold Card, Silver Card, Platinum Card, etc
Place of issue of the document. e.g. Sydney, Australia
Access/Security code of the document
Use this if the enumeration list for type of document is not used.
List of types of documents
List of electronic address identifiers
List of person's physical features
List of types of skills on languages
List of information types used for describing a membership
Membership identifier, e.g. membership number or some other type of ID
A privilege that the member can enjoy as part of the membership. E.g. access to free events.
A restriction that the membership imposes on the member, e.g. do not smoke.
Larger group or alliance name the membership provides access to.
Category of the membership such as Gold, Silver, Platinum, etc
Use this if the enumeration list for type of membership is not used.
The country that issues the membership
Role in membership for a person, e.g. secretary, President, treasurer
List of name types for commonly used Number type
Indicates that the element contains the lower value of a range, e.g. 25 in 25-37
Indicates that the value is a range, e.g. 25-37
Indicates that the element contains the top value of a range, e.g. 25 in 25-37
Indicates that the element contains some value that is important, but not exactly the number itself. E.g. A250, where A is the prefix to the number 250
Indicates that the element contains some value that is important, but not exactly the number itself. E.g. 'bis' in '45 bis'
Indicates that the value is number, e.g. 2020 in ID 2020. The actual value can be alpha-numeric.
Indicates that the value is a separator that is expected to be preserved. Examples are / - #, etc.
Indicates that the value is an extension number of some identifier, e.g. 01 in ID 2330-01. 01 could have a specific meaning
List of information types used for describing an occupation
The actual role the person carries out.
Name, role or position who the person reports to.
E.g. full-time, part-time, temporary, contract, etc.
Commonly used identifier for accounting purposes.
A rank in some ranking system, e.g. private, major, superintendent, Justice, etc. This is different from role
List of categories the organisation belongs to
List of information types used for describing party identifiers
List of identifier types
List of categories the person belongs to
List of information types used for describing a qualification
Free text name of the qualification
Name of the major subject of the qualification
Name of a minor subject of the qualification
Grade (average?, percentage? ) achieved with the qualification.
Free text description of the duration of the course, e.g. 4 years, 1 month, etc.
Free text description of the date when the qualification was completed to the best known precision.
Award, or distinction that was awarded to the graduate, e.g. honors.
Restrictions imposed on the graduate, e.g. not valid before completion of 2 year practical work under supervision.
Details of any professional registration if required for practicing, e.g. for pharmacists, electricians, medical professionals.
Full time, part time, evening classes, extramural, etc.
List of information types used for describing a vehicle
Free text make description, e.g. Toyota, Ford
Free text model description, e.g. Pajero, Falcon, etc. May include make as in Ford Falcon or Mitsubishi Pajero. If the make information is included then do not put the make as a separate element qualified with Make.
Free text data which can be a full date or a year.
Free text engine number
Free text chassis number
Free text body number
Free text license plate number
Number plate types are different. e.g. standard, premier, diplomat, etc
Type of body. e.g. Sedan, Ute, Station wagon, 2 door, etc
Use this if the enumeration list for type of vehicle is not used.
List of information types used for describing a visa
Type of visa. e.g. Tourist, Visitor, Student
Some visas are known by their code number. e.g. B1, E3, H-1, Class X1
Name of the country for which the visa is issued.
Free text description of the issuing place, e.g. country name and office name or country name and the city. For example: US Embassy, Prague; Australia, Sydney
Free text description of the length of maximum stay. E.g. 1 week, 2 months, etc.
Any restrictions imposed on the visa holder, e.g. not for employment, cannot work for more than 20 hours
Any privileges granted to the visa holder, e.g. departure fee waived, etc.
Any special conditions imposed on the visa holder. e.g. Not allowed to work for more than 10 hours a week
Single Entry, Multiple Entry, Double Entry, etc
List of types of account ownerships
List of types of accounts
List of body parts for marks
List of locations on the body parts where the marks are found
List of types of uses of contact number
List of causes of disability
List of types of use of electronic address identifiers
List of type of events
List of types for free text lines for defining party characteristics as free format text
List of type of gender
List of type/category of habit
List of type/category of hobby
List of industry codes
List of industry type
List of preferences for use of the language e.g. speak, read, write
Type of language e.g. by birth, by education
List of types of marital status
List of types of memberships
List of types of obtaining nationality
List of organisation nature of business
List of type of organisation
List of relationship types with an organisation
Type of use of organisation details data
List of types of party identifiers
Organisation or Person
List of type of use of party data
List of type of use of person details data
List of ethnicity of person
List of favourites of the person
List of type of physical info for free text
List of physical status of a person
Type of relationship with a person
Type of preferences of a person
List of religions of person
List of residency status of person
Type of currency codes for revenue
Type of sources of revenue
Type of revenue
List of type of units for measurement
List of types of vehicles
Specification Name: OASIS CIQ TC - extensible Name and Address Language (xNAL)
Description: Defines the W3C schema for representing name and address together
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
NOTE: Do not modify this schema as it will break specifications compatibility
This is a generic container to combine name and address. Any cardinality of names and addresses is permitted.
A unique identifier of a record
Type of Record ID
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Primary key for referencing record
Foreign key to reference record
This is a specialised container to combine name and address for postal purposes, e.g. a label on an envelope that has two parts, an addressee and the address.
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Addressee is the party that is the recipient of the postal mail delivery.
When the name of the recipient is not known or the designation is still required to appear on the label. E.g. Attention CEO, General Manager, the household owner, etc.
The main name has a relationship with a dependant name. The dependant name should be put under this element and the relationship described. E.g. Eastbourne Goats Trust in care of Wellington Lawyers Ltd., Ram Kumar, C/O Sakthisoft, etc
This attribute describes the nature/type of relationship between the main name and the dependency. E.g. 'C/O', 'in care of' or 'a son of'.
Specification Name: OASIS CIQ TC - extensible Party Information Language (xPIL)
Description: Defines the W3C schema for representing party information (unique identifiers)
including party name and address
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
A container for defining the unique characteristics of a party, which can be a person or organisation
Type of Party. e.g. Person or an organisation. An organisation could be university, college, club, association, company, etc
A unique identifier for party
Type of PartyID
A globally unique identifier assigned to party
Type of use of party data. e.g. exchange, update, create
Status of the entity. e.g. Old, Current, Inactive, Active, etc
A primary key to reference Party.
A foreign key to reference attribute Key of Party.
A container to define the account details of the party such as utility accounts, financial accounts
A container for identification document and cards of the party that are unique to the party. e.g. license, identification card, credit card, etc
A container for memberships of party with other organisations (e.g. industry groups) or social networks (clubs, association, etc)
Relationships with other parties (persons or organisations, and the nature of relationship). Examples:
- For person: Contacts, blood relatives, friends, referees, customers, etc
- for Organisation: Subsidiary, Parent company, Branches, Divisions, Partners, etc
Container for income / revenue information of the party (salary/organisation revenue)
Container for other organisation specific details that are not covered in this schema that are common to a party
Container for other person specific details that are not covered in this schema elements that are common to a party
Enumeration of values for the type attribute
A container for defining the unique characteristics of a person only
Type of use of this data. e.g. data exchange, contact, update, create
Status of the organisation details
A primary key to reference Person Details.
A foreign key to reference attribute Key of Person Details.
A container to define the account details of the party such as utility accounts, financial accounts
A container for identification document and cards of the party that are unique to the party. e.g. license, identification card, credit card, etc
A container for memberships of party with other organisations (e.g. industry groups) or social networks (clubs, association, etc)
Relationships with other parties (persons or organisations, and the nature of relationship). Examples:
- For person: Contacts, blood relatives, friends, referees, customers, etc
- for Organisation: Subsidiary, Parent company, Branches, Divisions, Partners, etc
Container for income / revenue information of the party (salary/organisation revenue)
Container for other person specific details that are not covered in this schema elements that are common to a party
A container for defining the unique characteristics of an organisation only
Type of use of this data. e.g. data exchange, contact, update, create
Status of the organisation details
A primary key to reference Organisation Details.
A foreign key to reference attribute Key of Organisation Details.
A container to define the account details of the party such as utility accounts, financial accounts
A container for identification document and cards of the party that are unique to the party. e.g. license, identification card, credit card, etc
A container for memberships of party with other organisations (e.g. industry groups) or social networks (clubs, association, etc)
Relationships with other parties (persons or organisations, and the nature of relationship). Examples:
- For person: Contacts, blood relatives, friends, referees, customers, etc
- for Organisation: Subsidiary, Parent company, Branches, Divisions, Partners, etc
Container for income / revenue information of the party (salary/organisation revenue)
Container for other person specific details that are not covered in this schema elements that are common to a party
Enumeration of values for the type attribute
A container for defining the unique characteristics of a party, which can be a person or organisation
A container for defining the unique characteristics of a person only
A container for defining the unique characteristics of an organisation only
Free text description of the party as line 1, line 2, line n.
Type (semantics or category) of free text data
A container to define the accounts details of the party
Account details such as bank account, customer account with utilities
Type of account. e.g. bank, customer, employee, etc
Joint, Individual, corporate, etc.
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Information about the account
Reference to a Party element that describes the organisation where the account is held.
If present, specifies the type of the information provided as text value of the element.
A container for all party addresses
A container for all kinds of telecommunication lines of party used for contact purposes. e.g. phone, fax, mobile, pager, etc.
Universal telecommunication number structure
Free text explanation of the communication line type. e.g. telephone, land line, mobile, fax, pager, etc
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Current Status of Contact Number
Nature of contact. Example: business, personal, free call, toll free, after hours, etc
Free text expression of contact hours. e.g. 9:00AM-5:00PM
Full contact number or part of it
If present, specifies the type of the information provided as text value of the element.
A container for identification document and cards of the party that are unique to the party.
Passports, driver licenses, credit cards, certificates, etc.
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Full document description or part of it.
Party Name as on the document if different from the main one.
Address details on the document
Reference to a Party element that describes the issuing organisation
If present, specifies the type of the information provided as text value of the element.
A container of different types of electronic addresses of party (e.g. email, chat, skype, etc)
Type of electronic address identifier
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Usage of electronic address identifier. e.g. business, personal
An electronic address identifier is usually stored (and probably exchanged) in conjunction with a label which is typically displayed and the URL/electronic identifier just links that label.
A container for a list of key events and dates of the events of the organisation and person
Type of event for a person - e.g. marriage anniversary, death, daughter's birth, spouse birthday, etc.
Type of event for organisation - date of formation/registration, date of closing down, date of liquidation, data of becoming public limited, etc
Type of event. e.g. Anniversary. If "Anniversary" is type, then the text for Event could be "20th wedding anniversary"
Record the exact date of the event here. For example, deceased date, company closed date, birthday date of spouse, etc
A container for a list of Identifiers to recognise the party such as customer identifier, social security number, tax number, etc
Identifier to recognise the party such as customer identifier, social security number, National ID Card, tax number, business number, company number, company registration, etc
Type of identifier. e.g. Tax Number
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Information about the identifier
Reference to a Party element that describes the issuing organisation
A container for memberships of party with other organisations (e.g. industry groups).
Membership details
Type of membership.
Type of membership. e.g. IEEE, Rifles Club
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Full description of membership or part of it
Reference to a Party element that describes the organisation where the membership is held.
If present, specifies the type of the information provided as text value of the element.
A container for relationships with other parties (persons or organisations, and the nature of relationship). Can also use this to define an organisation hierarchy (parent and subsidiary organisations or branches/groups of organisations)
Relationship with a party. e.g. Friend, Wife, referee, organisation, customer, etc
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Type of party involved in the relationship, i.e. person or organisation
If the party is a person, then the type of relationship with the person such as Friend, Mother, wife, contact, referee
If the party is an organisation, then the type of relationship with the organisation such as employer, branch, head office, subsidiary, etc
Container for income / revenue information of the party
Revenue/Income details
A three-letter currency code as per ISO 4217
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Beginning of the period. Inclusive.
End of the period. Inclusive.
Defines the type of amount. Example: Total earning, profit, loss, turnover, etc.
Precision range where the value of the element is in the middle of the range. E.g.
Where this revenue / income comes from, e.g. business stream, activity, etc.
Country from where the revenue is generated
If present and set to true indicates that the income / revenue is after tax.
A container for stocks invested information
A Stock market listing details. The organisation could be listed on more than one country
The code name for the organisation as listed in the exchange. E.g. MOT for Motorola Inc
Free text name of the stock exchange or other market. E.g. NYSE or NZX
Name of the country where listed
date of investment
Quantity of shares, e.g. 1 million shares
date of listing
A container to define all the vehicles of the party
Vehicle Details
Type of vehicle. Example: Motorbike, Truck, Car, Bicycle, 4WD, Jeep, etc
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Full vehicle description or part of it
If present, specifies the type of the information provided as text value of the element.
Container for organisation specific details that are not covered in this schema that is common to a party
Type of organisation. Free text description, e.g. Company, Trust, Bank, Society, Club, etc.
Type of category the organisation belongs to such as club, association, company, vendor, etc
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Nature of the organisation. e.g. Public limited, Commercial, charity, non-commercial, etc.
Organisation Industry type such as IT, Manufacturing.
Industry code or classification
Type of code used for industry code
Free text description of organisation size in terms of number of employees
Operating hour start time of the organisation, e.g. 9:00am
Operating hour end time for the organisation. e.g. 5:00pm
Container for person specific details that are not covered in this schema that is common to a party
Age of the person as integer
Type of category the person belongs such as customer, employee, friend, prospect, etc
Status of the person. e.g. living, deceased, retired. To log the date of the status such as death or retired, use "Events" element
Free text description of the current marital status, e.g. married, separated, divorced, separated, etc.
Ethnicity of the person, e.g. Asian, Chinese, African, etc.
Free text gender description.
Free text name of the religion
A container to define the Date of Birth details of a person
Birth date and time to the known precision. Usually, it is only the date that is known. Leave the time as 00:00:00 if not known.
Specify the duration of the uncertainty period as a range where BirthDateTime is in the middle of the range. Uses xsd:duration as the data type. The time interval is in the format: PnYnMnDTnHnMnS
P: period (required), nY: number of years, nM: number of months, nD: number of days, T: start of a time section (required if hours, minutes or seconds are to be specified), nH: number of hours, nM: number of minutes, nS: number of seconds
P5Y -> period of 5 years
P5Y2M10DT15H -> 5 years, 2 months, 10 days, and 15 hours
Birth details of the person
Full location details (e.g. address) may be required to get the exact geo-coordinates for astrology purposes
If present, specifies the type of the information provided as text value of the element.
A container for all citizenships and residencies (Permanent/temporary) of a person.
Citizenship and residence information in a free-text form.
Type of residency. e.g. permanent resident, citizen, temporary resident
Status of the entity. e.g. Old, Current, Inactive, Active, etc
A container for a list of favourites of a person
The favourites of the person
Type of favourite. e.g. author, food, book, sport, etc
<Favourite Type="sport">Cricket</Favourite>
<Favourite Type="Movie">Back to the Future</Favourite>
A container for a list of habits of a person
Personal habits. E.g. smoking, drinking, gambling, etc.
Category/type of habit. e.g. sports, food, reading, etc. If "Hot Drinks" is type, then text for Habit could be "Strong Black Coffee"
A container for a list of hobbies of a person
A hobby of the person. E.g. craft, sport, recreational activity, etc.
Type/Category of Hobby. e.g. sports, travelling. If "Sport" is a type/category of hobby, then text for "Hobby" could be "Playing cricket"
A container for a list of languages spoken by a person.
Name of the language spoken by the person
Mother tongue, by birth, etc
Indicates ability to speak: yes, no, poor, good, bad, average
Indicates ability to read: yes, no, poor, good, bad, average
Indicates ability to write: yes, no, poor, good, bad, average
Indicates ability to understand speech: yes, no, poor, good, bad, average
Indicates preferred language of communication (read and/or write and/or speak)
A container for a list of nationalities of a person
Name of the country of nationality. Could be more than one nationality
Type of nationality - By birth, naturalization, citizen
Status of the entity. e.g. Old, Current, Inactive, Active, etc
A container for a list of occupations of a person
Occupation details
Is the party self-employed? A boolean value is expected
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Full description of the occupation or part of it
Reference to a Party element that describes the employer.
If present, specifies the type of the information provided as text value of the element.
A container for physical characteristics of a person
Any other physical info not covered by elements here
Description of a physical feature such as hair, height, eye color, etc.
Description of body marks, such as scars, tattoos, spots, etc.
Description of person's disability.
Description of the person's allergy. e.g. Allergic to Penicillin, milk products
Condition of health in medical terms. e.g. Healthy, diabetic, high blood pressure, high cholesterol, etc
Category or type of physical info
If present, specifies the type of the information provided as text value of the element.
Defines the unit of measurement. Example: Inches, feet, cm, meters, days, months, years, kgs, pounds, etc.
Free text name/description of the body part where the mark is located
Free text description of where on the body part the mark is located. E.g. left hand side, front, back, etc
Free text description of the cause of the disability, e.g. birth defect, accident, etc.
A container for a list of preferences of a person (e.g. seat position in flight, restaurants)
Preferences of the person. e.g. seat in non smoking area, holiday with family rather than alone
Type of preference. e.g. seating position
A container for a list of qualifications of a person
Educational qualification
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Full / partial name or description of person's qualification
Reference to a Party element that describes the institution.
If present, specifies the type of the information provided as text value of the element.
A container to define the VISAs held by a person (e.g. visitor, temporary, permanent resident, work, etc)
All information about Visa details.
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Visa category number depending upon the type of visa. Example: H-1 for employment visa as in the USA
If present, specifies the type of the information provided as text value of the element.
Specification Name: OASIS CIQ TC - extensible Name Language (xNL)
Description: Defines the W3C schema for representing party names (Person or Organisation)
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
NOTE: Do not modify this schema as it will break specifications compatibility
Please note: These schemas have been modified by the STIX team to support remote validation. The only change made is to the schemaLocation attribute(s).
Reusable complex type for a party. A party is a person or an organisation
A unique identifier of a party
Type of Party Name ID
Globally unique identifier
Type of use of this data. e.g. data exchange, contact, update, create
Status of the entity. e.g. Old, Current, Inactive, Active, etc
The connector used to join more than one person name. Example: Mr Hunt AND Mrs Clark, where AND is the JointNameConnector. The flow is from the preceding to the following. If there is more than 2 names then all names are connected using this connector in the natural order.
Container for person name details. Same person with many types (e.g. alias, pet name, nick name) of names can be used by this container.
A container for organisation name details. The same organisation with many types of names can be used by this container
Enumeration of values for the type attribute
Reusable complex type
Enumerated list of type of name. example: Alias, Nick Name, former name, known as, etc
A unique identifier of a person
Type of identifier
Globally unique identifier
Usage of a person name. How it is used and for what purpose. Allows the user to select which name in a set of names to use for a given purpose.
e.g. used for legal purposes
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Name or part of a name.
Clarifies the meaning of the element. Could be first name, middle name, etc. as defined in the enumeration list. Omit this attribute if the type of the name element is not known.
Enumeration of values for the type attribute
Reusable complex type
Enumerated list of common types of aliases or name types.
A unique identifier of an organisation
Type of identifier
Globally unique identifier
Usage of an organisation name. How it is used and for what purpose. Allows the user to select which name in a set of names to use for a given purpose.
e.g. used for legal purposes
Status of the entity. e.g. Old, Current, Inactive, Active, etc
Name of the organisation. E.g. ACME Inc.
Name of a subdivision of an organisation (e.g. department)
Clarifies the meaning of the element. Example: name, type. Omit this attribute if the type of the name element is not known.
Type of sub division. e.g. department, warehouse, branch
Enumeration of values for the type attribute
Reference to another Person Name or Organisation Name with primary and foreign key reinforcement.
A primary key to reference Party Name.
A foreign key to reference attribute Key of Party Name.
Define name as a free format text. Use this when the type of the entity (person or organisation) is unknown, or is not broken down into individual elements (e.g. unstructured, unparsed) or is beyond the provided types. The name represented may be formatted in the right order or may not be as it is not parsed/broken into atomic fields
Type defines what this free format name line could mean. For example, the Type could be "Unknown"
Container for defining a name of a Person, an Organisation or combination of the above as a joint name.
Person Name
Organisation Name
Specification Name: OASIS CIQ TC - extensible AddressLanguage Types (xAL-types)
Description: Defines the W3C schema that provides enumeration lists to support xNL v3.0
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
NOTE: This is the schema in which users can customise the enumeration lists to meet their
exchange requirements. The enumeration values provided are ONLY SAMPLES and
are not complete. It is up to the application to decide what the values should be. To achieve
interoperability between applications using this specification, it is recommended that an
SLA/agreement is in place as to what enumeration values will be used in this file
Please note: These schemas have been modified by the STIX team to support remote validation. The only change made is to the schemaLocation attribute(s).
A list of types of addresses
A list of types of usage of the address
A list of administrative area types
Only name of the administrative area without its type, e.g. NSW, CA, Quebec
The type of the area, e.g. state, district, province, etc.
A list of administrative area name element types
Name of the administrative area
Reference location information in support of the administrative area. e.g. Territory of France
Other supporting information
A list of country name element types
Name of the country e.g. AUSTRALIA
Although a Country, could be classified as a territory of a country. For example, "NOUVELLE CALEDONIE" is a territory of "FRANCE".
A list of directions for geo-coordinates
A list of name types for commonly used Number type
Applicable to mail box office names such as PO BOX, GPO BOX, MAIL BAG NO., etc.
Indicates that the element contains the lower value of a range, e.g. 25 in 25-37
Indicates that the value is a range, e.g. 25-37
Indicates that the element contains the top value of a range, e.g. 25 in 25-37
Indicates that the element contains some value that is important, but not exactly the number itself. E.g. PoBox can be a prefix in PoBox 2020, street no. A-15, where A is the prefix and 15 is the number
Indicates that the element contains some value that is important, but not exactly the number itself. E.g. 'bis' in '45 bis'
Indicates that the value is number, e.g. 2020 in PoBox 2020. The actual value can be alpha-numeric.
Indicates that the value is a separator that is expected to be preserved. Examples are / - #, as in 15-A where "-" is the separator
Indicates that the value is an extension number of some identifier, e.g. 01 in Private Bag 2330-01, where the main number of the private bag is 2330, 12345-1223 in post code where 1223 is the extension
A list of locality name element types such as name of locality, reference data in support of locality
Name of the locality
Any reference locality data in support of the locality. e.g. Next town north of Town A, via-town name
Other supporting information
A list of locality name types such as Municipality, Village, Area, etc
A list of postal delivery point types
A list of name types for premises
Names of Premises such as airport, hospital, university, military base, etc. Can also be the name of the building or house or apartment
Where in the building/landmark the premises is located, e.g. lobby, ground floor, penthouse, or where in a larger complex (e.g. airport) the address is located.
Free text description that is required to logically connect the 2 premises
Roads and streets within boundaries of larger complexes/premises such as hospitals, airports, etc.
Free text description of some other location and how this premises relates to it, e.g. 300m from water station, near the police station, etc.
additional supporting information
A list of premises type
A list of sub administrative area name element types
Name of the sub administrative area
Reference location information in support of the sub administrative area.
Other supporting information
A list of sub administrative area name types
A list of sub locality name element types
Other supporting information
A list of sublocality types
A list of sub premises types
A list of name element types for thoroughfare
Just the name part, such as Baker in Baker Street.
North Archer Street, where "North" is PreDirection
Archer Street North, where "North" is PostDirection
This value indicates that the element contains the street name and street number. E.g. 39 Baker Street. Use this when you do not want to break the thoroughfare into atomic types
Baker Street, where Baker is Name and Street is Type
21 Archer Street (Full thoroughfare details)
Full details of a thoroughfare in a single line (unstructured)
e.g. 39 Baker Street North
When more than one street name is required to identify the location this type can be used to connect them with values such as CORNER OF or VIA.
Free text description of some other location and how this thoroughfare relates to it, e.g. 300m from water station, near the police station, etc.
Additional description like intersection, cross streets, etc
A list of types of address identifiers
A list of types of address line, e.g. street details, locality details
A list of codes for name of administrative area
A list of codes for name of country
A list of codes for datum
A list of codes for mode of delivery of address
A list of codes for name of locality
A list of meridian codes
A list of types of postal delivery offices
A list of codes for projection
A list of rural delivery types such as road, air, water
A list of codes for name of sub administrative area
A list of codes for names of sub locality
A list of types for thoroughfare (e.g. STREET, ROAD, CRT)
Specification Name: OASIS CIQ TC - CIQ V3.0
Description: Defines the W3C schema with commonly used types in the name, address and party schemas
(Using XML Schema based standard code list/enumeration mechanism - OPTION 1 AND DEFAULT)
Produced by: OASIS Customer Information Quality Technical Committee
URL: http://www.oasis-open.org/committees/ciq
Version: 3.0
Status: Committee Specification CS02
Copyright: 2007-09, OASIS, http://www.oasis-open.org
Last Modified: 20 September 2008
Last Modified by: Ram Kumar, Chair, OASIS CIQ TC
Please note: These schemas have been modified by the STIX team to support remote validation. The only change made is to the schemaLocation attribute(s).
A list of values to indicate the level of reliability of the data
The data was validated and is considered to be true and correct.
Indicates that at least some part of the content is known to be incorrect.
Normalized and Collapsed String
A list of values to indicate the status of the entity
Date Valid from to Date Valid to
Could be start date, issue date, validity start date, etc
Could be end date, expiry date, validity end date, etc
A group of commonly used attributes for internal reuse
If set to true then indicates that the value is an abbreviation or initial. If set to false then the value is definitely not an abbreviation. If omitted then it is not known if the value is an abbreviation or not.
A group of commonly used attributes for internal reuse
This attribute indicates what level of trust can be given to the parent element. Omit this attribute if the data quality is unknown. If the data quality is known, the value is "Valid", else "InValid"
Date the data quality is valid from
Date the data quality is valid to
The language used (name of human language, e.g. en, en-US)
Human Language used. e.g. "en", "en-US", "en-AUS", etc
XLink attribute specification
Enumeration of values for the type attribute
A URI with a minimum length of 1 character.
A URI with a minimum length of 1 character.
Enumeration of values for the show attribute
Enumeration of values for the actuate attribute
<schema>CPE 2.3 Naming</schema>
<author>Adam Halbardier</author>
<version>2.3</version>
<date>2011-07-29</date>
Define the format for acceptable CPE Names. A URN format is used with the
id starting with the word cpe followed by :/ and then some number of individual components separated by
colons.
Define the format for acceptable CPE Names. A string format is used with
the id starting with the word cpe:2.3 followed by : and then some number of individual components
separated by colons.
<schema>CPE Applicability Language</schema>
<author>Neal Ziring, Andrew Buttner, David Waltermire</author>
<version>2.3</version>
<date>2011-07-29</date>
<sch:ns prefix="cpe" uri="http://cpe.mitre.org/language/2.0"></sch:ns>
This XML Schema defines the CPE Applicability Language. An individual CPE Name
addresses a single part of an actual system. To identify more complex platform types, there needs to be a
way to combine different CPE Names using logical operators. For example, there may be a need to identify a
platform with a particular operating system AND a certain application. The CPE Applicability Language exists
to satisfy this need, enabling the CPE Name for the operating system to be combined with the CPE Name for
the application. For more information, consult the CPE Applicability Language Specification document.
The OperatorEnumeration simple type defines acceptable operators. Each
operator defines how to evaluate multiple arguments.
The description or qualifications of a particular IT platform type. The
platform is defined by the logical-test child element.
A human-readable title for a platform. To support uses intended for
multiple languages, the title element supports the ‘xml:lang’ attribute. At most one title
element can appear for each language.
An additional description. To support uses intended for multiple
languages, the remark element supports the ‘xml:lang’ attribute. There can be multiple remarks
for a single language.
Definition of test using logical operators (AND, OR,
negate).
A locally unique name for the platform. There is no defined
format for this id; however, it must be unique within the containing CPE Applicability
Language document.
The logical-test element appears as a child of a platform element, and may
also be nested to create more complex logical tests. The content consists of one or more elements:
fact-ref, check-fact-ref, and logical-test children are permitted. The operator to be applied, and
optional negation of the test, are given as attributes.
The operator applied to the results of evaluating the fact-ref,
check-fact-ref, and logical-test elements. The permitted operators are "AND" and
"OR".
Whether the result of applying the operator should be negated. Possible
values are "TRUE" and "FALSE". This does not apply if the initial result is
ERROR.
Definition of complex logical test using AND, OR, and/or negate
operators. Evaluates to a TRUE, FALSE, or ERROR result.
A reference to a bound form of a WFN; the reference always
evaluates to a boolean result. The bound name contained within a fact-ref is meant to describe a
possible set of products and is not meant to identify a unique product
class.
A reference to a check that always evaluates to TRUE, FALSE, or
ERROR. Examples of types of checks are OVAL and OCIL checks.
A reference to a CPE Name that always evaluates to a Boolean
result.
A reference to a check that always evaluates to a TRUE, FALSE, or ERROR
result.
The CheckFactRefType complex type is used to define an element for holding
information about an individual check. It includes a checking system specification URI, string content
identifying the check content to invoke, and an external reference. The checking system specification
should be the URI that uniquely identifies a revision of a check system language, and the id-ref will be
an identifier of a test written in that language. The external reference should be used to point to the
content in which the check identifier is defined.
This type allows the xml:lang attribute to associate a specific language
with an element's string content.
Attempting to install the relevant ISO 2- and 3-letter
codes as the enumerated possible values is probably never
going to be a realistic possibility. See
RFC 3066 at http://www.ietf.org/rfc/rfc3066.txt and the IANA registry
at http://www.iana.org/assignments/lang-tag-apps.htm for
further information.
The union allows for the 'un-declaration' of xml:lang with
the empty string.
This element is the root element of a CPE Applicability Language XML
document and therefore acts as a container for child platform definitions.
<sch:pattern id="nonexistent-child">
<sch:rule context="cpe:logical-test">
<sch:assert test="count(cpe:logical-test) > 0 or count(cpe:fact-ref) > 0 or count(cpe:check-fact-ref) > 0">All logical-test elements must contain one or more child logical-test, fact-ref, and/or
check-fact-ref elements.</sch:assert>
</sch:rule>
</sch:pattern>
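The tri-state evaluation of logical-test (AND/OR with negation that does not apply to ERROR) and the Schematron rule above, as an added Python example that is not part of the CPE 2.3 specification or its schema: it evaluates a constructed platform-specification against a constructed host inventory and flags empty logical-test elements. The AND/OR tables in the presence of ERROR, the simplified wildcard name matching, the file name checks.xml and the OVAL definition ids are assumptions of this example.

```python
"""Evaluate CPE 2.3 Applicability Language logical-tests (added example)."""
import xml.etree.ElementTree as ET

NS = "http://cpe.mitre.org/language/2.0"
CPE = "{%s}" % NS
TRUE, FALSE, ERROR = "TRUE", "FALSE", "ERROR"   # the three possible results

# Constructed platform-specification (not from the spec); OVAL ids are placeholders.
SPEC_XML = """<?xml version="1.0"?>
<cpe:platform-specification xmlns:cpe="http://cpe.mitre.org/language/2.0">
  <cpe:platform id="win7-with-office">
    <cpe:title xml:lang="en">Windows 7 with Office 2010</cpe:title>
    <cpe:logical-test operator="AND" negate="FALSE">
      <cpe:fact-ref name="cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*"/>
      <cpe:logical-test operator="OR" negate="FALSE">
        <cpe:fact-ref name="cpe:2.3:a:microsoft:office:2010:*:*:*:*:*:*:*"/>
        <cpe:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                            href="checks.xml" id-ref="oval:example:def:1"/>
      </cpe:logical-test>
    </cpe:logical-test>
  </cpe:platform>
  <cpe:platform id="not-windows-8">
    <cpe:logical-test operator="AND" negate="TRUE">
      <cpe:fact-ref name="cpe:2.3:o:microsoft:windows_8:*:*:*:*:*:*:*:*"/>
    </cpe:logical-test>
  </cpe:platform>
  <cpe:platform id="negated-error">
    <cpe:logical-test operator="OR" negate="TRUE">
      <cpe:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                          href="checks.xml" id-ref="oval:example:def:missing"/>
    </cpe:logical-test>
  </cpe:platform>
  <cpe:platform id="empty-test">
    <cpe:logical-test operator="AND" negate="FALSE"/>
  </cpe:platform>
</cpe:platform-specification>
"""

# Constructed host inventory: bound CPE 2.3 names of what is installed.
INVENTORY = {
    "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*",
    "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*",
}
# Constructed results of external checks, keyed by (href, id-ref).
CHECK_RESULTS = {("checks.xml", "oval:example:def:1"): TRUE}


def name_matches(pattern, bound):
    """Simplified formatted-string match (assumption): '*' in either name is a
    wildcard, every other component must compare equal, case-insensitively.
    Escaped colons inside components are not handled."""
    p, b = pattern.split(":"), bound.split(":")
    if len(p) != 13 or len(b) != 13:
        return False
    return all(x == "*" or y == "*" or x.lower() == y.lower() for x, y in zip(p, b))


def fact_oracle(name):
    """fact-ref: TRUE when any inventory entry lies in the set the name describes."""
    return TRUE if any(name_matches(name, inv) for inv in INVENTORY) else FALSE


def check_oracle(system, href, id_ref):
    """check-fact-ref: look up the external check; an unknown check is ERROR."""
    return CHECK_RESULTS.get((href, id_ref), ERROR)


def combine(operator, results):
    """Tri-state AND/OR (assumed tables): FALSE dominates AND, TRUE dominates OR,
    otherwise a single ERROR operand makes the result ERROR."""
    if operator == "AND":
        return FALSE if FALSE in results else (ERROR if ERROR in results else TRUE)
    if operator == "OR":
        return TRUE if TRUE in results else (ERROR if ERROR in results else FALSE)
    return ERROR  # operator outside the OperatorEnumeration


def negate(result):
    """negate="TRUE" flips TRUE/FALSE but, per the schema text, not ERROR."""
    if result == ERROR:
        return ERROR
    return FALSE if result == TRUE else TRUE


def evaluate_test(test, facts=fact_oracle, checks=check_oracle):
    """Recursively evaluate one logical-test element."""
    results = []
    for child in test:
        if child.tag == CPE + "logical-test":
            results.append(evaluate_test(child, facts, checks))
        elif child.tag == CPE + "fact-ref":
            results.append(facts(child.get("name", "")))
        elif child.tag == CPE + "check-fact-ref":
            results.append(checks(child.get("system"), child.get("href"), child.get("id-ref")))
    if not results:  # forbidden by the Schematron rule: report ERROR, never vacuous truth
        return ERROR
    result = combine(test.get("operator"), results)
    return negate(result) if test.get("negate", "FALSE").upper() in ("TRUE", "1") else result


def schematron_violations(xml_text):
    """Mirror the schema's 'nonexistent-child' pattern: return the ids of
    platforms holding a logical-test with no permitted child element."""
    allowed = {CPE + "logical-test", CPE + "fact-ref", CPE + "check-fact-ref"}
    bad = []
    for platform in ET.fromstring(xml_text).findall(CPE + "platform"):
        for test in platform.iter(CPE + "logical-test"):
            if not any(c.tag in allowed for c in test):
                bad.append(platform.get("id"))
    return bad


def evaluate_spec(xml_text, facts=fact_oracle, checks=check_oracle):
    """Return {platform id: TRUE|FALSE|ERROR} for every platform in the document."""
    out = {}
    for platform in ET.fromstring(xml_text).findall(CPE + "platform"):
        test = platform.find(CPE + "logical-test")
        out[platform.get("id")] = evaluate_test(test, facts, checks) if test is not None else ERROR
    return out


if __name__ == "__main__":
    print("schematron violations:", schematron_violations(SPEC_XML))
    for pid, res in evaluate_spec(SPEC_XML).items():
        print(pid, "->", res)
```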
See http://www.w3.org/XML/1998/namespace.html and
http://www.w3.org/TR/REC-xml for information about this namespace.
This schema document describes the XML namespace, in a form
suitable for import by other schema documents.
Note that local names in this namespace are intended to be defined
only by the World Wide Web Consortium or its subgroups. The
following names are currently defined in this namespace and should
not be used with conflicting semantics by any Working Group,
specification, or document instance:
base (as an attribute name): denotes an attribute whose value
provides a URI to be used as the base for interpreting any
relative URIs in the scope of the element on which it
appears; its value is inherited. This name is reserved
by virtue of its definition in the XML Base specification.
id (as an attribute name): denotes an attribute whose value
should be interpreted as if declared to be of type ID.
This name is reserved by virtue of its definition in the
xml:id specification.
lang (as an attribute name): denotes an attribute whose value
is a language code for the natural language of the content of
any element; its value is inherited. This name is reserved
by virtue of its definition in the XML specification.
space (as an attribute name): denotes an attribute whose
value is a keyword indicating what whitespace processing
discipline is intended for the content of the element; its
value is inherited. This name is reserved by virtue of its
definition in the XML specification.
Father (in any context at all): denotes Jon Bosak, the chair of
the original XML Working Group. This name is reserved by
the following decision of the W3C XML Plenary and
XML Coordination groups:
In appreciation for his vision, leadership and dedication
the W3C XML Plenary on this 10th day of February, 2000
reserves for Jon Bosak in perpetuity the XML name
xml:Father
This schema defines attributes and an attribute group
suitable for use by
schemas wishing to allow xml:base, xml:lang, xml:space or xml:id
attributes on elements they define.
To enable this, such a schema must import this schema
for the XML namespace, e.g. as follows:
<schema . . .>
. . .
<import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
Subsequently, qualified reference to any of the attributes
or the group defined below will have the desired effect, e.g.
<type . . .>
. . .
<attributeGroup ref="xml:specialAttrs"/>
will define a type which will schema-validate an instance
element with any of those attributes
In keeping with the XML Schema WG's standard versioning
policy, this schema document will persist at
http://www.w3.org/2007/08/xml.xsd.
At the date of issue it can also be found at
http://www.w3.org/2001/xml.xsd.
The schema document at that URI may however change in the future,
in order to remain compatible with the latest version of XML Schema
itself, or with the XML namespace itself. In other words, if the XML
Schema or XML namespaces change, the version of this document at
http://www.w3.org/2001/xml.xsd will change
accordingly; the version at
http://www.w3.org/2007/08/xml.xsd will not change.
See http://www.w3.org/TR/xmlbase/ for
information about this attribute.
Attempting to install the relevant ISO 2- and 3-letter
codes as the enumerated possible values is probably never
going to be a realistic possibility. See
RFC 3066 at http://www.ietf.org/rfc/rfc3066.txt and the IANA registry
at http://www.iana.org/assignments/lang-tag-apps.htm for
further information.
The union allows for the 'un-declaration' of xml:lang with
the empty string.
See http://www.w3.org/TR/xml-id/ for
information about this attribute.
<schema>CybOX Extension - CIQ Address 3.0 Instance</schema>
<version>1.0</version>
<date>01/22/2014</date>
<short_description>Cyber Observable eXpression (CybOX) Extension - CIQ Address 3.0 Instance - Schematic implementation for using version 3.0 of CIQ to describe a Location within the CybOX cyber observable expression language.</short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The CIQAddress3.0InstanceType provides an extension to the AddressAbstractType which imports and leverages version 3.0 of the OASIS CIQ-PIL schema for structured characterization of Addresses.
<schema>CPE2.3</schema>
<version>1.1</version>
<date>01/22/2014</date>
<short_description>Cyber Observable eXpression (CybOX) Extension - CPE 2.3 Platform Instance - Schematic implementation for using the CPE 2.3 Applicability Language to describe a Platform within the CybOX observable expression language. It extends the PlatformSpecificationType defined in the CybOX common schema. (cybox_common.xsd) For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.</short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
<reference>http://scap.nist.gov/specifications/cpe/</reference>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The CPE23PlatformSpecificationType provides an extension of the PlatformSpecificationType that imports and leverages the CPE 2.3 applicability language schema for structured characterization of a platform or platform combination.
The platform-specification element, defined in the CPE 2.3 Applicability Language schema, supports a structured characterization of a platform or combination of platforms.
<schema>cybox_default_vocabularies</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following defines types for default controlled vocabularies used within CybOX. An individual vocabulary may be revised at any time. Revisions to vocabularies will result in the creation of new types with the new version number embedded in the name of those types. Vocabularies can be referenced from CybOX elements through the use of xsi:type. The individual elements where this may be done indicate the expected default vocabulary.</short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
ActionTypeEnum is a (non-exhaustive) enumeration of cyber observable action types.
Specifies the atomic action of accepting an object or value.
Specifies the atomic action of accessing an object.
Specifies the atomic action of adding an object.
Specifies the atomic action of issuing an alert.
Specifies the atomic action of allocating an object.
Specifies the atomic action of archiving an object or data.
Specifies the atomic action of assigning a value to an object.
Specifies the atomic action of auditing an object or data.
Specifies the atomic action of backing up an object or data.
Specifies the atomic action of binding two objects.
Specifies the atomic action of blocking access to an object or resource.
Specifies the atomic action of calling an object or resource.
Specifies the atomic action of changing an object.
Specifies the atomic action of checking an object.
Specifies the atomic action of cleaning an object, such as a file system.
Specifies the atomic action of clicking an object, as with a mouse.
Specifies the atomic action of closing an object, such as a window handle.
Specifies the atomic action of comparing two objects.
Specifies the atomic action of compressing an object.
Specifies the atomic action of configuring a resource.
Specifies the atomic action of connecting to an object, such as a service or resource.
Specifies the atomic action of controlling an object or data.
Specifies the atomic action of copying or duplicating an object or data EXCEPT in cases where the object is considered a thread or process as a whole.
Specifies the atomic action of creating an object or data.
Specifies the atomic action of decoding an object or data.
Specifies the atomic action of decompressing an object, such as an archive.
Specifies the atomic action of decrypting an object.
Specifies the atomic action of denying access to an object or resource.
Specifies the atomic action of depressing an object that has been pressed, such as a button.
Specifies the atomic action of detecting an object.
Specifies the atomic action of disconnecting from a service or resource.
Specifies the atomic action of downloading an object or data.
Specifies the atomic action of drawing an object.
Specifies the atomic action of dropping an object, such as a connection.
Specifies the atomic action of encoding an object or data.
Specifies the atomic action of encrypting an object or data.
Specifies the atomic action of enumerating a list of objects.
Specifies the atomic action of executing an object, such as an executable file.
Specifies the atomic action of extracting an object.
Specifies the atomic action of filtering an object or data.
Specifies the atomic action of finding an object or data.
Specifies the atomic action of flushing an object or data, such as a cache.
Specifies the atomic action of forking, as with a process. Because this is usually associated with processes and threads and does not generalize to objects, it is DIFFERENT from Copy/Duplicate.
Specifies the atomic action of freeing an object.
Specifies the atomic action of getting a value from an object.
Specifies the atomic action of hooking an object to another object.
Specifies the atomic action of hiding an object.
Specifies the atomic action of impersonation, in which an object performs actions that assume the character or appearance of another object.
Specifies the atomic action of initializing an object.
Specifies the atomic action of injecting an object.
Specifies the atomic action of installing an object, such as an application, program, patch, or other resource.
Specifies the atomic action of interleaving an object, i.e. the action of arranging data in a non-contiguous way to increase performance.
Specifies the atomic action of joining one object to another object.
Specifies the atomic action of killing an object, as with a thread or program.
Specifies the atomic action of listening to an object, such as to a port on a network connection.
Specifies the atomic action of loading an object.
Specifies the atomic action of locking an object.
Specifies the atomic action of logging into an object, such as into a system or application.
Specifies the atomic action of logging out of an object, such as a system or application.
Specifies the atomic action of mapping an object to another object or data.
Specifies the atomic action of merging one object into another object.
Specifies the atomic action of modifying an object.
Specifies the atomic action of monitoring the state of an object.
Specifies the atomic action of moving an object.
Specifies the atomic action of opening an object.
Specifies the atomic action of packing an object.
Specifies the atomic action of pausing an object, such as a thread or process.
Specifies the atomic action of pressing an object, such as a button.
Specifies the atomic action of protecting an object.
Specifies the atomic action of placing an object in quarantine, that is, to store the object in an isolated area away from other objects it can operate on.
Specifies the atomic action of querying an object.
Specifies the atomic action of queueing an object.
Specifies the atomic action of raising an object.
Specifies the atomic action of reading an object.
Specifies the atomic action of receiving an object.
Specifies the atomic action of releasing an object.
Specifies the atomic action of renaming an object.
Specifies the atomic action of removing or deleting an object.
Specifies the atomic action of replicating an object.
Specifies the atomic action of restoring an object.
Specifies the atomic action of resuming an object, as with a process or thread.
Specifies the atomic action of reverting an object.
Specifies the atomic action of running an object, such as an application.
Specifies the atomic action of saving an object.
Specifies the atomic action of scanning for an object or data.
Specifies the atomic action of scheduling an object, such as an event.
Specifies the atomic action of searching for an object.
Specifies the atomic action of sending an object.
Specifies the atomic action of setting an object to a value.
Specifies the atomic action of shutting down an object.
Specifies the atomic action of putting an object to sleep.
Specifies the atomic action of taking a snapshot of an object.
Specifies the atomic action of starting an object, such as a thread or process.
Specifies the atomic action of stopping an object, such as a thread or process.
Specifies the atomic action of suspending an object, such as an account or the privileges of an account.
Specifies the atomic action of synchronizing an object.
Specifies the atomic action of throwing an object, such as an exception in a programming language.
Specifies the atomic action of transmitting an object.
Specifies the atomic action of unblocking an object.
Specifies the atomic action of unhiding an object.
Specifies the atomic action of unhooking an object from another object, that is, to detach.
Specifies the atomic action of uninstalling an object.
Specifies the atomic action of unloading an object.
Specifies the atomic action of unlocking an object.
Specifies the atomic action of unmapping an object from another object or data.
Specifies the atomic action of unpacking an object, such as an archive.
Specifies the atomic action of updating an object.
Specifies the atomic action of upgrading an object.
Specifies the atomic action of uploading an object.
Specifies the atomic action of wiping, destroying, or purging an object.
Specifies the atomic action of writing an object.
The ActionNameEnum type is an enumeration of defined action names.
Specifies the defined action of accepting a socket connection.
Specifies the defined action of adding a connection to an existing network share.
Specifies the defined action of adding a new network share.
Specifies the defined action of adding a new system call hook.
Specifies the defined action of adding a new user.
Specifies the defined action of adding a new Windows hook.
Specifies the defined action of adding a scheduled task.
Specifies the defined action of allocating virtual memory in a process.
Specifies the defined action of binding an address to a socket.
Specifies the defined action of changing the service configuration.
Specifies the defined action of checking for a remote debugger.
Specifies the defined action of closing a port.
Specifies the defined action of closing a registry key.
Specifies the defined action of closing a socket.
Specifies the defined action of configuring a service.
Specifies the defined action of connecting to an IP address.
Specifies the defined action of connecting to a named pipe.
Specifies the defined action of connecting to a network share.
Specifies the defined action of connecting to a socket.
Specifies the defined action of connecting to a URL.
Specifies the defined action of controlling a driver.
Specifies the defined action of controlling a service.
Specifies the defined action of copying a file.
Specifies the defined action of creating a dialog box.
Specifies the defined action of creating a new directory.
Specifies the defined action of creating an event.
Specifies the defined action of creating a file.
Specifies the defined action of creating an alternate data stream in a file.
Specifies the defined action of creating a new file mapping.
Specifies the defined action of creating a file symbolic link.
Specifies the defined action of creating a hidden file.
Specifies the defined action of creating a mailslot.
Specifies the defined action of creating a module.
Specifies the defined action of creating a mutex.
Specifies the defined action of creating a named pipe.
Specifies the defined action of creating a process.
Specifies the defined action of creating a process as user.
Specifies the defined action of creating a registry key.
Specifies the defined action of creating a registry key value.
Specifies the defined action of creating a remote thread in a process.
Specifies the defined action of creating a service.
Specifies the defined action of creating a socket.
Specifies the defined action of creating a symbolic link.
Specifies the defined action of creating a thread.
Specifies the defined action of creating a window.
Specifies the defined action of deleting a directory.
Specifies the defined action of deleting a file.
Specifies the defined action of deleting a named pipe.
Specifies the defined action of deleting a network share.
Specifies the defined action of deleting a registry key.
Specifies the defined action of deleting a registry key value.
Specifies the defined action of deleting a service.
Specifies the defined action of deleting a user.
Specifies the defined action of disconnecting from a named pipe.
Specifies the defined action of disconnecting from a network share.
Specifies the defined action of disconnecting from a socket.
Specifies the defined action of downloading a file.
Specifies the defined action of enumerating DLLs.
Specifies the defined action of enumerating network shares.
Specifies the defined action of enumerating protocols.
Specifies the defined action of enumerating registry key subkeys.
Specifies the defined action of enumerating registry key values.
Specifies the defined action of enumerating threads in a process.
Specifies the defined action of enumerating processes.
Specifies the defined action of enumerating services.
Specifies the defined action of enumerating system handles.
Specifies the defined action of enumerating threads.
Specifies the defined action of enumerating users.
Specifies the defined action of enumerating windows.
Specifies the defined action of finding a file.
Specifies the defined action of finding a window.
Specifies the defined action of flushing the Process Instruction Cache.
Specifies the defined action of freeing a library.
Specifies the defined action of freeing virtual memory from a process.
Specifies the defined action of getting the amount of free space available on a disk.
Specifies the defined action of getting the disk type.
Specifies the defined action of getting the elapsed system up-time.
Specifies the defined action of getting file attributes.
Specifies the defined action of getting the function address.
Specifies the defined action of getting system global flags.
Specifies the defined action of getting host by address.
Specifies the defined action of getting host by name.
Specifies the defined action of getting the host name.
Specifies the defined action of getting the library file name.
Specifies the defined action of getting the library handle.
Specifies the defined action of getting the NetBIOS name.
Specifies the defined action of getting the process's current directory.
Specifies the defined action of getting the process environment variable.
Specifies the defined action of getting the process startup information.
Specifies the defined action of getting a snapshot of the running processes.
Specifies the defined action of getting the attributes of a registry key.
Specifies the defined action of getting the service status.
Specifies the defined action of getting the system global flags.
Specifies the defined action of getting the local time on a system.
Specifies the defined action of getting the system host name.
Specifies the defined action of getting the NetBIOS name of a system.
Specifies the defined action of getting the system network parameters.
Specifies the defined action of getting the system time.
Specifies the defined action of getting the thread context.
Specifies the defined action of getting the thread username.
Specifies the defined action of getting the attributes of a user.
Specifies the defined action of getting a username.
Specifies the defined action of getting the Windows directory.
Specifies the defined action of getting the Windows System directory.
Specifies the defined action of getting the Windows Temporary Files Directory.
Specifies the defined action of hiding a window.
Specifies the defined action of impersonating a process.
Specifies the defined action of impersonating a thread.
Specifies the defined action of injecting a memory page into a process.
Specifies the defined action of killing a process.
Specifies the defined action of killing a thread.
Specifies the defined action of killing a window.
Specifies the defined action of listening on a specific port.
Specifies the defined action of listening on a socket.
Specifies the defined action of loading and calling a driver.
Specifies the defined action of loading a driver.
Specifies the defined action of loading a library.
Specifies the defined action of loading a module.
Specifies the defined action of locking a file.
Specifies the defined action of logging on as a user.
Specifies the defined action of mapping a file.
Specifies the defined action of mapping a library.
Specifies the defined action of mapping a view of a file.
Specifies the defined action of modifying a file.
Specifies the defined action of modifying a named pipe.
Specifies the defined action of modifying a process.
Specifies the defined action of modifying a service.
Specifies the defined action of modifying a registry key.
Specifies the defined action of modifying a registry key value.
Specifies the defined action of monitoring a registry key.
Specifies the defined action of moving a file.
Specifies the defined action of opening a file.
Specifies the defined action of opening a file mapping.
Specifies the defined action of opening a mutex.
Specifies the defined action of opening a port.
Specifies the defined action of opening a process.
Specifies the defined action of opening a registry key.
Specifies the defined action of opening a service.
Specifies the defined action of opening a service control manager.
Specifies the defined action of protecting virtual memory.
Specifies the defined action of querying disk attributes.
Specifies the defined action of querying DNS.
Specifies the defined action of querying process virtual memory.
Specifies the defined action of querying the Asynchronous Procedure Call (APC) in the context of a thread.
Specifies the defined action of reading a file.
Specifies the defined action of reading from a named pipe.
Specifies the defined action of reading from process memory.
Specifies the defined action of reading a registry key value.
Specifies the defined action of receiving data on a socket.
Specifies the defined action of receiving an email message.
Specifies the defined action of releasing a mutex.
Specifies the defined action of renaming a file.
Specifies the defined action of reverting a thread to itself.
Specifies the defined action of sending a control code to a file.
Specifies the defined action of sending a control code to a pipe.
Specifies the defined action of sending a control code to a service.
Specifies the defined action of sending data on a socket.
Specifies the defined action of sending data to the address on a socket.
Specifies the defined action of sending a DNS query.
Specifies the defined action of sending an email message.
Specifies the defined action of sending an ICMP request.
Specifies the defined action of sending a reverse DNS query.
Specifies the defined action of setting file attributes.
Specifies the defined action of setting the NetBIOS name.
Specifies the defined action of setting the process current directory.
Specifies the defined action of setting the process environment variable.
Specifies the defined action of setting system global flags.
Specifies the defined action of setting the system host name.
Specifies the defined action of setting the system time.
Specifies the defined action of setting the thread context.
Specifies the defined action of showing a window.
Specifies the defined action of shutting down a system.
Specifies the defined action of putting a process to sleep.
Specifies the defined action of putting a system to sleep.
Specifies the defined action of starting a service.
Specifies the defined action of unloading a driver.
Specifies the defined action of unlocking a file.
Specifies the defined action of unmapping a file.
Specifies the defined action of unloading a module.
Specifies the defined action of uploading a file.
Specifies the defined action of writing to a file.
Specifies the defined action of writing to process virtual memory.
The ActionNameEnum type is an enumeration of defined action names.
Specifies the defined action of accepting a socket connection.
Specifies the defined action of adding a connection to an existing network share.
Specifies the defined action of adding a new network share.
Specifies the defined action of adding a new system call hook.
Specifies the defined action of adding a new user.
Specifies the defined action of adding a new Windows hook.
Specifies the defined action of adding a scheduled task.
Specifies the defined action of allocating virtual memory in a process.
Specifies the defined action of binding an address to a socket.
Specifies the defined action of changing the service configuration.
Specifies the defined action of checking for a remote debugger.
Specifies the defined action of closing a port.
Specifies the defined action of closing a registry key.
Specifies the defined action of closing a socket.
Specifies the defined action of configuring a service.
Specifies the defined action of connecting to an IP address.
Specifies the defined action of connecting to a named pipe.
Specifies the defined action of connecting to a network share.
Specifies the defined action of connecting to a socket.
Specifies the defined action of connecting to a URL.
Specifies the defined action of controlling a driver.
Specifies the defined action of controlling a service.
Specifies the defined action of copying a file.
Specifies the defined action of creating a dialog box.
Specifies the defined action of creating a new directory.
Specifies the defined action of creating an event.
Specifies the defined action of creating a file.
Specifies the defined action of creating an alternate data stream in a file.
Specifies the defined action of creating a new file mapping.
Specifies the defined action of creating a file symbolic link.
Specifies the defined action of creating a hidden file.
Specifies the defined action of creating a mailslot.
Specifies the defined action of creating a module.
Specifies the defined action of creating a mutex.
Specifies the defined action of creating a named pipe.
Specifies the defined action of creating a process.
Specifies the defined action of creating a process as user.
Specifies the defined action of creating a registry key.
Specifies the defined action of creating a registry key value.
Specifies the defined action of creating a remote thread in a process.
Specifies the defined action of creating a service.
Specifies the defined action of creating a socket.
Specifies the defined action of creating a symbolic link.
Specifies the defined action of creating a thread.
Specifies the defined action of creating a window.
Specifies the defined action of deleting a directory.
Specifies the defined action of deleting a file.
Specifies the defined action of deleting a named pipe.
Specifies the defined action of deleting a network share.
Specifies the defined action of deleting a registry key.
Specifies the defined action of deleting a registry key value.
Specifies the defined action of deleting a service.
Specifies the defined action of deleting a user.
Specifies the defined action of disconnecting from a named pipe.
Specifies the defined action of disconnecting from a network share.
Specifies the defined action of disconnecting from a socket.
Specifies the defined action of downloading a file.
Specifies the defined action of enumerating DLLs.
Specifies the defined action of enumerating network shares.
Specifies the defined action of enumerating protocols.
Specifies the defined action of enumerating registry key subkeys.
Specifies the defined action of enumerating registry key values.
Specifies the defined action of enumerating threads in a process.
Specifies the defined action of enumerating processes.
Specifies the defined action of enumerating services.
Specifies the defined action of enumerating system handles.
Specifies the defined action of enumerating threads.
Specifies the defined action of enumerating users.
Specifies the defined action of enumerating windows.
Specifies the defined action of finding a file.
Specifies the defined action of finding a window.
Specifies the defined action of flushing the Process Instruction Cache.
Specifies the defined action of freeing a library.
Specifies the defined action of freeing virtual memory from a process.
Specifies the defined action of getting the amount of free space available on a disk.
Specifies the defined action of getting the disk type.
Specifies the defined action of getting the elapsed system up-time.
Specifies the defined action of getting file attributes.
Specifies the defined action of getting the function address.
Specifies the defined action of getting system global flags.
Specifies the defined action of getting host by address.
Specifies the defined action of getting host by name.
Specifies the defined action of getting the host name.
Specifies the defined action of getting the library file name.
Specifies the defined action of getting the library handle.
Specifies the defined action of getting the NetBIOS name.
Specifies the defined action of getting the process's current directory.
Specifies the defined action of getting the process environment variable.
Specifies the defined action of getting the process startup information.
Specifies the defined action of getting a snapshot of the running processes.
Specifies the defined action of getting the attributes of a registry key.
Specifies the defined action of getting the service status.
Specifies the defined action of getting the system global flags.
Specifies the defined action of getting the local time on a system.
Specifies the defined action of getting the system host name.
Specifies the defined action of getting the NetBIOS name of a system.
Specifies the defined action of getting the system network parameters.
Specifies the defined action of getting the system time.
Specifies the defined action of getting the thread context.
Specifies the defined action of getting the thread username.
Specifies the defined action of getting the attributes of a user.
Specifies the defined action of getting a username.
Specifies the defined action of getting the Windows directory.
Specifies the defined action of getting the Windows System directory.
Specifies the defined action of getting the Windows Temporary Files Directory.
Specifies the defined action of hiding a window.
Specifies the defined action of impersonating a process.
Specifies the defined action of impersonating a thread.
Specifies the defined action of injecting a memory page into a process.
Specifies the defined action of killing a process.
Specifies the defined action of killing a thread.
Specifies the defined action of killing a window.
Specifies the defined action of listening on a specific port.
Specifies the defined action of listening on a socket.
Specifies the defined action of loading and calling a driver.
Specifies the defined action of loading a driver.
Specifies the defined action of loading a library.
Specifies the defined action of loading a module.
Specifies the defined action of locking a file.
Specifies the defined action of logging on as a user.
Specifies the defined action of mapping a file.
Specifies the defined action of mapping a library.
Specifies the defined action of mapping a view of a file.
Specifies the defined action of modifying a file.
Specifies the defined action of modifying a named pipe.
Specifies the defined action of modifying a process.
Specifies the defined action of modifying a service.
Specifies the defined action of modifying a registry key.
Specifies the defined action of modifying a registry key value.
Specifies the defined action of monitoring a registry key.
Specifies the defined action of moving a file.
Specifies the defined action of opening a file.
Specifies the defined action of opening a file mapping.
Specifies the defined action of opening a mutex.
Specifies the defined action of opening a port.
Specifies the defined action of opening a process.
Specifies the defined action of opening a registry key.
Specifies the defined action of opening a service.
Specifies the defined action of opening a service control manager.
Specifies the defined action of protecting virtual memory.
Specifies the defined action of querying disk attributes.
Specifies the defined action of querying DNS.
Specifies the defined action of querying process virtual memory.
Specifies the defined action of querying the Asynchronous Procedure Call (APC) in the context of a thread.
Specifies the defined action of reading a file.
Specifies the defined action of reading from a named pipe.
Specifies the defined action of reading from process memory.
Specifies the defined action of reading a registry key value.
Specifies the defined action of receiving data on a socket.
Specifies the defined action of releasing a mutex.
Specifies the defined action of renaming a file.
Specifies the defined action of reverting a thread to itself.
Specifies the defined action of sending a control code to a file.
Specifies the defined action of sending a control code to a pipe.
Specifies the defined action of sending a control code to a service.
Specifies the defined action of sending data on a socket.
Specifies the defined action of sending data to the address on a socket.
Specifies the defined action of sending a DNS query.
Specifies the defined action of sending an email message.
Specifies the defined action of sending an ICMP request.
Specifies the defined action of sending a reverse DNS query.
Specifies the defined action of setting file attributes.
Specifies the defined action of setting the NetBIOS name.
Specifies the defined action of setting the process current directory.
Specifies the defined action of setting the process environment variable.
Specifies the defined action of setting system global flags.
Specifies the defined action of setting the system host name.
Specifies the defined action of setting the system time.
Specifies the defined action of setting the thread context.
Specifies the defined action of showing a window.
Specifies the defined action of shutting down a system.
Specifies the defined action of putting a process to sleep.
Specifies the defined action of putting a system to sleep.
Specifies the defined action of starting a service.
Specifies the defined action of unloading a driver.
Specifies the defined action of unlocking a file.
Specifies the defined action of unmapping a file.
Specifies the defined action of unloading a module.
Specifies the defined action of uploading a file.
Specifies the defined action of writing to a file.
Specifies the defined action of writing to process virtual memory.
The ActionArgumentNameEnum type is an enumeration of defined argument names.
Specifies an argument called API.
Specifies an argument called Application Name.
Specifies an argument called Database Name.
Specifies an argument called Privilege Name.
Specifies an argument called Proxy Name.
Specifies an argument called Proxy Bypass.
Specifies an argument called Creation Flags.
Specifies an argument called Flags.
Specifies an argument called Access Mode.
Specifies an argument called Share Mode.
Specifies an argument called Callback Address.
Specifies an argument called Source Address.
Specifies an argument called Destination Address.
Specifies an argument called Base Address.
Specifies an argument called Starting Address.
Specifies an argument called Size (bytes).
Specifies an argument called Number of Bytes Per Send.
Specifies an argument called Control Parameter.
Specifies an argument called Host Name.
Specifies an argument called Function Name.
Specifies an argument called Function Address.
Specifies an argument called Options.
Specifies an argument called Transfer Flags.
Specifies an argument called Control Code.
Specifies an argument called APC Mode.
Specifies an argument called APC Address.
Specifies an argument called Base Address.
Specifies an argument called Protection.
Specifies an argument called Target PID.
Specifies an argument called Mapping Offset.
Specifies an argument called File Information Class.
Specifies an argument called Function Ordinal.
Specifies an argument called Function Name.
Specifies an argument called Hook Type.
Specifies an argument called Request Size.
Specifies an argument called Requested Version.
Specifies an argument called Service Type.
Specifies an argument called Service State.
Specifies an argument called Service Name.
Specifies an argument called Hostname.
Specifies an argument called Shutdown Flag.
Specifies an argument called Sleep Time (ms).
Specifies an argument called Delay Time (ms).
Specifies an argument called Code Address.
Specifies an argument called Parameter Address.
Specifies an argument called Server.
Specifies an argument called Reason.
Specifies an argument called System Metric Index.
Specifies an argument called Initial Owner.
Specifies an argument called Initial Owner.
Specifies an argument called Username.
Specifies an argument called Password.
Specifies an argument called Command.
ActionObjectAssociationTypeEnum is a (non-exhaustive) enumeration of types of action-object associations.
Specifies that the associated object initiated the action.
Specifies that the associated object was affected by the action.
Specifies that the associated object was utilized by the action.
Specifies that the associated object was the result of the action.
The ActionRelationshipTypeEnum is an enumeration of types of relationships between actions.
Specifies that this action is preceded by the related action.
Specifies that this action is followed by the related action.
Specifies that this entity (e.g. Action) is equivalent to the associated entity.
Specifies that this action is simply related to the related action in some way.
Specifies that this action is dependent on the related action.
Specifies that this action was initiated by the related action.
Specifies that this action initiated the related action.
EventTypeEnum is a (non-exhaustive) enumeration of cyber observable event types.
Specifies the class of events dealing with file operations.
Specifies the class of events dealing with registry operations.
Specifies the class of events dealing with memory operations.
Specifies the class of events dealing with process management.
Specifies the class of events dealing with thread management.
Specifies the class of events dealing with service management.
Specifies the class of events dealing with session management.
Specifies the class of events dealing with API calls.
Specifies the class of events dealing with port scanning.
Specifies the class of events dealing with IP Operations.
Specifies the class of events dealing with DNS Lookup operations.
Specifies the class of events dealing with thread management.
Specifies the class of events dealing with thread management.
Specifies the class of events dealing with configuration management.
Specifies the class of events dealing with user/password management.
Specifies the class of events dealing with account operations at the application layer.
Specifies the class of events dealing with HTTP traffic.
Specifies the class of events dealing with Application Layer traffic.
Specifies the class of events dealing with packet traffic.
Specifies the class of events dealing with data flow.
Specifies the class of events dealing with anomaly events.
Specifies the class of events dealing with Technical compliance.
Specifies the class of events dealing with procedural compliance.
Specifies the class of events dealing with the GUI/Kernel-based Virtual Machine (KVM).
Specifies the class of events dealing with Autorun.
Specifies the class of events dealing with USB and/or Media detection.
Specifies the class of events dealing with the SQL language.
Specifies the class of events dealing with the Dynamic Host Configuration Protocol (DHCP).
Specifies the class of events dealing with redirection.
Specifies the class of events dealing with authentication operations.
Specifies the class of events dealing with authorization via Access Control Lists (ACL).
Specifies the class of events dealing with privilege operations.
Specifies the class of events dealing with basic system operations.
Specifies the class of events dealing with signature detection.
Specifies the class of events dealing with auto-update operations.
Specifies the class of events dealing with application logic.
Specifies the class of events dealing with e-mail operations.
<deprecated>true</deprecated>
EventTypeEnum is a (non-exhaustive) enumeration of cyber observable event types.
NOTE: As of CybOX Version 2.0.1, this version of the EventTypeEnum is deprecated. Please use EventTypeEnum-1.0.1 instead.
Specifies the class of events dealing with file operations.
Specifies the class of events dealing with registry operations.
Specifies the class of events dealing with memory operations.
Specifies the class of events dealing with process management.
Specifies the class of events dealing with thread management.
Specifies the class of events dealing with service management.
Specifies the class of events dealing with session management.
Specifies the class of events dealing with API calls.
Specifies the class of events dealing with port scanning.
Specifies the class of events dealing with IP Operations.
Specifies the class of events dealing with DNS Lookup operations.
Specifies the class of events dealing with thread management.
Specifies the class of events dealing with thread management.
Specifies the class of events dealing with configuration management.
Specifies the class of events dealing with user/password management.
Specifies the class of events dealing with account operations at the application layer.
Specifies the class of events dealing with HTTP traffic.
Specifies the class of events dealing with Application Layer traffic.
Specifies the class of events dealing with packet traffic.
Specifies the class of events dealing with data flow.
Specifies the class of events dealing with anomaly events.
Specifies the class of events dealing with Technical compliance.
Specifies the class of events dealing with procedural compliance.
Specifies the class of events dealing with the GUI/Kernel-based Virtual Machine (KVM).
Specifies the class of events dealing with Autorun.
Specifies the class of events dealing with USB and/or Media detection.
Specifies the class of events dealing with the SQL language.
Specifies the class of events dealing with the Dynamic Host Configuration Protocol (DHCP).
Specifies the class of events dealing with redirection.
Specifies the class of events dealing with authentication operations.
Specifies the class of events dealing with authorization via Access Control Lists (ACL).
Specifies the class of events dealing with privilege operations.
Specifies the class of events dealing with basic system operations.
Specifies the class of events dealing with signature detection.
Specifies the class of events dealing with auto-update operations.
Specifies the class of events dealing with application logic.
Specifies the class of events dealing with e-mail operations.
ObjectRelationshipEnum is a (non-exhaustive) enumeration of inter-object relationships.
Specifies that this object created the related object.
Specifies that this object was created by the related object.
Specifies that this object deleted the related object.
Specifies that this object was deleted by the related object.
Specifies that this object modified the properties of the related object.
Specifies that the properties of this object were modified by the related object.
Specifies that this object was read from the related object.
Specifies that this object was read from by the related object.
Specifies that this object wrote to the related object.
Specifies that this object was written to by the related object.
Specifies that this object was downloaded from the related object.
Specifies that this object downloaded the related object.
Specifies that this object downloaded the related object.
Specifies that this object was downloaded by the related object.
Specifies that this object uploaded the related object.
Specifies that this object was uploaded by the related object.
Specifies that this object was uploaded to the related object.
Specifies that this object received the related object via upload.
Specifies that this object was uploaded from the related object.
Specifies that this object sent the related object via upload.
Specifies that this object suspended the related object.
Specifies that this object was suspended by the related object.
Specifies that this object paused the related object.
Specifies that this object was paused by the related object.
Specifies that this object resumed the related object.
Specifies that this object was resumed by the related object.
Specifies that this object opened the related object.
Specifies that this object was opened by the related object.
Specifies that this object closed the related object.
Specifies that this object was closed by the related object.
Specifies that this object was copied from the related object.
Specifies that this object was copied to the related object.
Specifies that this object copied the related object.
Specifies that this object was copied by the related object.
Specifies that this object was moved from the related object.
Specifies that this object was moved to the related object.
Specifies that this object moved the related object.
Specifies that this object was moved by the related object.
Specifies that this object searched for the related object.
Specifies that this object was searched for by the related object.
Specifies that this object allocated the related object.
Specifies that this object was allocated by the related object.
Specifies that this object was initialized to the related object.
Specifies that this object was initialized by the related object.
Specifies that this object sent the related object.
Specifies that this object was sent by the related object.
Specifies that this object was sent to the related object.
Specifies that this object was received from the related object.
Specifies that this object received the related object.
Specifies that this object was received by the related object.
Specifies that this object was mapped into the related object.
Specifies that this object was mapped by the related object.
Specifies that the object queried properties of the related object.
Specifies that the properties of this object were queried by the related object.
Specifies that the object enumerated values of the related object.
Specifies that the values of the object were enumerated by the related object.
Specifies that this object bound the related object.
Specifies that this object was bound by the related object.
Specifies that this object freed the related object.
Specifies that this object was freed by the related object.
Specifies that this object killed the related object.
Specifies that this object was killed by the related object.
Specifies that this object encrypted the related object.
Specifies that this object was encrypted by the related object.
Specifies that this object was encrypted to the related object.
Specifies that this object was encrypted from the related object.
Specifies that this object decrypted the related object.
Specifies that this object was decrypted by the related object.
Specifies that this object packed the related object.
Specifies that this object was packed by the related object.
Specifies that this object unpacked the related object.
Specifies that this object was unpacked by the related object.
Specifies that this object was packed from the related object.
Specifies that this object was packed into the related object.
Specifies that this object encoded the related object.
Specifies that this object was encoded by the related object.
Specifies that this object decoded the related object.
Specifies that this object was decoded by the related object.
Specifies that this object was compressed from the related object.
Specifies that this object was compressed into the related object.
Specifies that this object compressed the related object.
Specifies that this object was compressed by the related object.
Specifies that this object decompressed the related object.
Specifies that this object was decompressed by the related object.
Specifies that this object joined the related object.
Specifies that this object was joined by the related object.
Specifies that this object merged the related object.
Specifies that this object was merged by the related object.
Specifies that this object locked the related object.
Specifies that this object was locked by the related object.
Specifies that this object unlocked the related object.
Specifies that this object was unlocked by the related object.
Specifies that this object hooked the related object.
Specifies that this object was hooked by the related object.
Specifies that this object unhooked the related object.
Specifies that this object was unhooked by the related object.
Specifies that this object monitored the related object.
Specifies that this object was monitored by the related object.
Specifies that this object listened on the related object.
Specifies that this object was listened on by the related object.
Specifies that this object was renamed from the related object.
Specifies that this object was renamed to the related object.
Specifies that this object renamed the related object.
Specifies that this object was renamed by the related object.
Specifies that this object injected into the related object.
Specifies that this object injected as the related object.
Specifies that this object injected the related object.
Specifies that this object was injected by the related object.
Specifies that this object was deleted from the related object.
Specifies that this object previously contained the related object.
Specifies that this object loaded into the related object.
Specifies that this object was loaded from the related object.
Specifies that this object was set to the related object.
Specifies that this object was set from the related object.
Specifies that this object was resolved to the related object.
Specifies that this object is related to the related object.
Specifies that this object dropped the related object.
Specifies that this object was dropped by the related object.
Specifies that this object contains the related object.
Specifies that this object is contained within the related object.
Specifies that this object was extracted from the related object.
Specifies that this object installed the related object.
Specifies that this object was installed by the related object.
Specifies that this object connected to the related object.
Specifies that this object was connected to from the related object.
Specifies that this object is a sub-domain of the related object.
Specifies that this object is a supra-domain of the related object.
Specifies that this object is the root domain of the related object.
Specifies that this object is an FQDN of the related object.
Specifies that this object is a parent of the related object.
Specifies that this object is a child of the related object.
Specifies that this object describes the properties of the related object. This is most applicable in cases where the related object is an Artifact Object and this object is a non-Artifact Object.
Specifies that the related object describes the properties of this object. This is most applicable in cases where the related object is a non-Artifact Object and this object is an Artifact Object.
ObjectRelationshipEnum is a (non-exhaustive) enumeration of inter-object relationships.
Specifies that this object created the related object.
Specifies that this object was created by the related object.
Specifies that this object deleted the related object.
Specifies that this object was deleted by the related object.
Specifies that this object modified the properties of the related object.
Specifies that the properties of this object were modified by the related object.
Specifies that this object was read from the related object.
Specifies that this object was read from by the related object.
Specifies that this object wrote to the related object.
Specifies that this object was written to by the related object.
Specifies that this object was downloaded from the related object.
Specifies that this object downloaded the related object.
Specifies that this object downloaded the related object.
Specifies that this object was downloaded by the related object.
Specifies that this object uploaded the related object.
Specifies that this object was uploaded by the related object.
Specifies that this object was uploaded to the related object.
Specifies that this object received the related object via upload.
Specifies that this object was uploaded from the related object.
Specifies that this object sent the related object via upload.
Specifies that this object suspended the related object.
Specifies that this object was suspended by the related object.
Specifies that this object paused the related object.
Specifies that this object was paused by the related object.
Specifies that this object resumed the related object.
Specifies that this object was resumed by the related object.
Specifies that this object opened the related object.
Specifies that this object was opened by the related object.
Specifies that this object closed the related object.
Specifies that this object was closed by the related object.
Specifies that this object was copied from the related object.
Specifies that this object was copied to the related object.
Specifies that this object copied the related object.
Specifies that this object was copied by the related object.
Specifies that this object was moved from the related object.
Specifies that this object was moved to the related object.
Specifies that this object moved the related object.
Specifies that this object was moved by the related object.
Specifies that this object searched for the related object.
Specifies that this object was searched for by the related object.
Specifies that this object allocated the related object.
Specifies that this object was allocated by the related object.
Specifies that this object was initialized to the related object.
Specifies that this object was initialized by the related object.
Specifies that this object sent the related object.
Specifies that this object was sent by the related object.
Specifies that this object was sent to the related object.
Specifies that this object was received from the related object.
Specifies that this object received the related object.
Specifies that this object was received by the related object.
Specifies that this object was mapped into the related object.
Specifies that this object was mapped by the related object.
Specifies that the object queried properties of the related object.
Specifies that the properties of this object were queried by the related object.
Specifies that the object enumerated values of the related object.
Specifies that the values of the object were enumerated by the related object.
Specifies that this object bound the related object.
Specifies that this object was bound by the related object.
Specifies that this object freed the related object.
Specifies that this object was freed by the related object.
Specifies that this object killed the related object.
Specifies that this object was killed by the related object.
Specifies that this object encrypted the related object.
Specifies that this object was encrypted by the related object.
Specifies that this object was encrypted to the related object.
Specifies that this object was encrypted from the related object.
Specifies that this object decrypted the related object.
Specifies that this object was decrypted by the related object.
Specifies that this object packed the related object.
Specifies that this object was packed by the related object.
Specifies that this object unpacked the related object.
Specifies that this object was unpacked by the related object.
Specifies that this object was packed from the related object.
Specifies that this object was packed into the related object.
Specifies that this object encoded the related object.
Specifies that this object was encoded by the related object.
Specifies that this object decoded the related object.
Specifies that this object was decoded by the related object.
Specifies that this object was compressed from the related object.
Specifies that this object was compressed into the related object.
Specifies that this object compressed the related object.
Specifies that this object was compressed by the related object.
Specifies that this object decompressed the related object.
Specifies that this object was decompressed by the related object.
Specifies that this object joined the related object.
Specifies that this object was joined by the related object.
Specifies that this object merged the related object.
Specifies that this object was merged by the related object.
Specifies that this object locked the related object.
Specifies that this object was locked by the related object.
Specifies that this object unlocked the related object.
Specifies that this object was unlocked by the related object.
Specifies that this object hooked the related object.
Specifies that this object was hooked by the related object.
Specifies that this object unhooked the related object.
Specifies that this object was unhooked by the related object.
Specifies that this object monitored the related object.
Specifies that this object was monitored by the related object.
Specifies that this object listened on the related object.
Specifies that this object was listened on by the related object.
Specifies that this object was renamed from the related object.
Specifies that this object was renamed to the related object.
Specifies that this object renamed the related object.
Specifies that this object was renamed by the related object.
Specifies that this object injected into the related object.
Specifies that this object injected as the related object.
Specifies that this object injected the related object.
Specifies that this object was injected by the related object.
Specifies that this object was deleted from the related object.
Specifies that this object previously contained the related object.
Specifies that this object loaded into the related object.
Specifies that this object was loaded from the related object.
Specifies that this object was set to the related object.
Specifies that this object was set from the related object.
Specifies that this object was resolved to the related object.
Specifies that this object is related to the related object.
Specifies that this object dropped the related object.
Specifies that this object was dropped by the related object.
Specifies that this object contains the related object.
Specifies that this object is contained within the related object.
Specifies that this object was extracted from the related object.
Specifies that this object installed the related object.
Specifies that this object was installed by the related object.
Specifies that this object connected to the related object.
Specifies that this object was connected to from the related object.
Specifies that this object is a sub-domain of the related object.
Specifies that this object is a supra-domain of the related object.
Specifies that this object is the root domain of the related object.
Specifies that this object is an FQDN of the related object.
Specifies that this object is a parent of the related object.
Specifies that this object is a child of the related object.
Specifies that this object describes the properties of the related object. This is most applicable in cases where the related object is an Artifact Object and this object is a non-Artifact Object.
Specifies that the related object describes the properties of this object. This is most applicable in cases where the related object is a non-Artifact Object and this object is an Artifact Object.
Specifies that this object used the related object.
Specifies that this object was used by the related object.
Specifies that this object redirects to the related object.
ObjectStateEnum is a (non-exhaustive) enumeration of cyber observable object states.
Specifies that the object exists.
Specifies that the object does not exist.
Specifies that the object is open.
Specifies that the object is closed.
Specifies that the object is active.
Specifies that the object is inactive.
Specifies that the object is locked.
Specifies that the object is unlocked.
Specifies that the object has started.
Specifies that the object has stopped.
CharacterEncodingEnum is a (non-exhaustive) enumeration of character encodings.
Specifies the American Standard Code for Information Interchange (ASCII) character encoding scheme.
Specifies the UCS Transformation Format-8 bit (UTF-8) character encoding scheme.
Specifies the UCS Transformation Format-16 bit (UTF-16) character encoding scheme.
Specifies the UCS Transformation Format-32 bit (UTF-32) character encoding scheme.
Specifies the Windows-1250 character encoding scheme, for Central European languages.
Specifies the Windows-1251 character encoding scheme, for Cyrillic alphabets.
Specifies the Windows-1252 character encoding scheme, for Western languages.
Specifies the Windows-1253 character encoding scheme, for Greek.
Specifies the Windows-1254 character encoding scheme, for Turkish.
Specifies the Windows-1255 character encoding scheme, for Hebrew.
Specifies the Windows-1256 character encoding scheme, for Arabic.
Specifies the Windows-1257 character encoding scheme, for Baltic languages.
Specifies the Windows-1258 character encoding scheme, for Vietnamese.
The InformationSourceTypeEnum is a (non-exhaustive) enumeration of cyber observation information source types.
The Comm Logs value specifies a cyber observation coming from communications logs.
The Application Logs value specifies a cyber observation coming from application logs.
The Web Logs value specifies a cyber observation coming from web logs.
The DBMS Log value specifies a cyber observation coming from the Database Management System log.
The OS/Device Driver APIs value specifies a cyber observation coming from OS/Device Driver APIs.
The Frameworks value specifies a cyber observation coming from Frameworks.
The VM Hypervisor value specifies a cyber observation coming from the VM hypervisor data.
The TPM value specifies a cyber observation made using TPM output data.
The Application Framework value specifies a cyber observation coming from an application framework.
The Help Desk value specifies a cyber observation coming from a human or automated help desk.
The Incident Management value specifies a cyber observation made using information provided by Incident Management services.
The IAVM value specifies a cyber observation made using information provided by Information Assurance Vulnerability Management mechanisms.
HashNameEnum is a (non-exhaustive) enumeration of hashing algorithm names.
The MD5 value specifies the MD5 hashing algorithm.
The MD6 value specifies the MD6 hashing algorithm.
The SHA1 value specifies the SHA1 hashing algorithm.
The SHA224 value specifies the SHA224 hashing algorithm.
The SHA256 value specifies the SHA256 hashing algorithm.
The SHA384 value specifies the SHA384 hashing algorithm.
The SHA512 value specifies the SHA512 hashing algorithm.
The SSDEEP value specifies the SSDEEP hashing algorithm.
The ToolTypeEnum is a (non-exhaustive) enumeration of cyber observation source tool types.
The NIDS value specifies the Network Intrusion Detection System tool.
The NIPS value specifies the Network Intrusion Protection System tool.
The HIDS value specifies the Host-based Intrusion Detection System tool.
The HIPS value specifies the Host-based Intrusion Protection System tool.
The Firewall value specifies a cyber observation made using a firewall.
The Router value specifies a cyber observation made using a router.
The Proxy value specifies a cyber observation made using a network proxy.
The Gateway value specifies a cyber observation made using a network gateway.
The SNMP/MIBs value specifies a cyber observation made using the Simple Network Management Protocol or via the Management Information Bases.
The A/V value specifies a cyber observation made using Anti-Virus tools and/or software.
The DBMS value specifies a cyber observation made using a Database Management System monitor.
The Vulnerability Scanner value specifies a cyber observation made using a vulnerability scanner.
The Configuration Scanner value specifies a cyber observation made using a configuration scanner.
The Asset Scanner value specifies a cyber observation made using an asset scanner.
The SIM value specifies a cyber observation made using Security Information Management tools.
The SEM value specifies a cyber observation made using Security Event Management tools.
The ToolTypeEnum is a (non-exhaustive) enumeration of cyber observation source tool types.
The NIDS value specifies a Network Intrusion Detection System tool.
The NIPS value specifies a Network Intrusion Protection System tool.
The HIDS value specifies a Host-based Intrusion Detection System tool.
The HIPS value specifies a Host-based Intrusion Protection System tool.
The Firewall value specifies a software or hardware firewall.
The Router value specifies a software or hardware router.
The Proxy value specifies a cyber observation made using a software or hardware network proxy.
The Gateway value specifies a cyber observation made using a software or hardware network gateway.
The SNMP/MIBs value specifies a Simple Network Management Protocol or Management Information Base tool.
The AV value specifies Anti-Virus tools and/or software.
The DBMS value specifies a Database Management System monitor tool.
The Vulnerability Scanner value specifies a vulnerability scanner tool.
The Configuration Scanner value specifies a configuration scanner tool.
The Asset Scanner value specifies an asset scanner tool.
The SIM value specifies a Security Information Management tool.
The SEM value specifies a Security Event Management tool.
The Digital Forensics value specifies a digital forensics tool.
The Static Malware Analysis value specifies a static malware analysis tool.
The Dynamic Malware Analysis value specifies a dynamic malware analysis tool.
The System Configuration Management value specifies a system configuration management tool.
The Network Configuration Management value specifies a network configuration management tool.
The Packet Capture and Analysis value specifies a packet capture and analysis tool.
The Network Flow Capture and Analysis value specifies a network flow capture and analysis tool.
The Intelligence Service Platform value specifies an intelligence service platform tool.
<schema>CybOX Core</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Core.</short_description>
This Event construct is included recursively to enable description/specification of composite Events.
TrendEnum is a (non-exhaustive) enumeration of trend types.
Specifies an increasing trend.
Specifies a decreasing trend.
ActionStatusTypeEnum is a (non-exhaustive) enumeration of cyber observable action status types.
Specifies a cyber observable action that was successful.
Specifies a cyber observable action that failed.
Specifies a cyber observable action that resulted in an error.
Specifies a cyber observable action that completed or finished. This action status does not specify the result of the action (e.g., Success/Error).
Specifies a cyber observable action that is pending.
Specifies a cyber observable action that is ongoing.
Specifies a cyber observable action with an unknown status.
ActionContextTypeEnum is a (non-exhaustive) enumeration of cyber observable action contexts.
Specifies that the cyber observable action occurred on a host.
Specifies that the cyber observable action occurred on a network.
EffectTypeEnum is a (non-exhaustive) enumeration of effect types.
Specifies that the associated Action had an effect on the Object of changing its state.
Specifies that the associated Action had an effect on the Object of reading data from it.
Specifies that the associated Action had an effect on the Object of writing data to it.
Specifies that the associated Action had an effect on the Object of sending data to it.
Specifies that the associated Action had an effect on the Object of receiving data from it.
Specifies that the associated Action had an effect on the Object of reading properties from it.
Specifies that the associated Action had an effect on the Object of enumerating properties from it.
Specifies that the associated Action had an effect on the Object of enumerating values from it.
Specifies that the associated Action had an effect on the Object of having a control code sent to it.
OperatorTypeEnum is a (non-exhaustive) enumeration of operators.
Specifies the AND logical composition operation.
Specifies the OR logical composition operation.
NoisinessEnum is a (non-exhaustive) enumeration of potential levels of noisiness for a given observable pattern.
Specifies that this observable has a high level of noisiness, meaning a potentially high rate of false positives.
Specifies that this observable has a medium level of noisiness, meaning a potentially medium rate of false positives.
Specifies that this observable has a low level of noisiness, meaning a potentially low rate of false positives.
The EaseOfObfuscationEnum is a (non-exhaustive) enumeration of simple characterizations of how easy it would be for an attacker to obfuscate the observability of this Observable.
Specifies that this observable is very easy to obfuscate and hide.
Specifies that this observable is somewhat easy to obfuscate and hide.
Specifies that this observable is not very easy to obfuscate and hide.
The ObservablesType is a type representing a collection of cyber observables.
The cybox_major_version field specifies the major version of the CybOX language utilized for this set of Observables.
The cybox_minor_version field specifies the minor version of the CybOX language utilized for this set of Observables.
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
The Observable_Package_Source field is optional and enables descriptive specification of how this package of Observables was identified and specified.
The Pools construct enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.
The ObservableType is a type representing a description of a single cyber observable.
The id field specifies a unique id for this Observable.
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern. The default is false.
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
The Title field provides a mechanism to specify a short title or description for this Observable.
The Description field provides a mechanism to specify a structured text description of this Observable.
Keywords enables capture of relevant keywords for this cyber observable.
The Observable_Source field is optional and enables descriptive specification of how this Observable was identified and specified.
Pattern_Fidelity contains elements that enable the characterization of the fidelity of this pattern to its purpose.
The EventType is a complex type representing a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
The id field specifies a unique id for this Event.
The idref field specifies a unique id reference to an Event defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
The FrequencyType is a type representing the specification of a frequency for a given action or event.
This field specifies the rate for this defined frequency.
This field specifies the units for this defined frequency.
This field specifies the time scale for this defined frequency.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.
The ActionsType is a complex type representing a set of cyber observable actions.
The Action construct enables description/specification of a single cyber observable action.
The ActionType is a complex type representing a single cyber observable action.
The id field specifies a unique id for this Action.
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
The action_status field enables description of the status of the action being described.
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Description field contains a textual description of the action.
The Action_Aliases field is optional and enables identification of other potentially used names for this Action.
The Action_Arguments field is optional and enables the specification of relevant arguments/parameters for this Action.
The Location field specifies a relevant physical location.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).
The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant to this Action (either initiating it or affected by it).
The Relationships construct is optional and enables description of other cyber observable actions that are related to this Action.
The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.
The ActionAliasesType enables identification of other potentially used names for this Action.
The Action_Alias field is optional and enables identification of a single other potentially used name for this Action.
The ActionArgumentsType enables the specification of relevant arguments/parameters for this Action.
The Action_Argument construct is optional and enables the specification of a single relevant argument/parameter for this Action.
The ActionArgumentType enables the specification of a single relevant argument/parameter for this Action.
The Argument_Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific action argument utilized.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionArgumentNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Argument_Value field specifies the value for this action argument/parameter.
The AssociatedObjectsType enables the description/specification of cyber Objects relevant to an Action.
The Associated_Object construct enables the description of cyber Objects associated with this Action. This could include Objects that initiated the action, are the target Objects affected by the Action, are utilized by the Action or are the returned result of the Action.
The AssociatedObjectType is a complex type representing the characterization of a cyber observable Object associated with a given cyber observable Action.
The Association_Type field utilizes a standardized controlled vocabulary to specify the kind of association this Object holds for this Action.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionObjectAssociationTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Action_Pertinent_Object_Properties construct is optional and identifies which of the Properties of this Object are specifically pertinent to this Action.
The ActionPertinentObjectPropertiesType identifies which of the Properties of this Object are specifically pertinent to this Action.
The Property construct identifies a single Object Property that is specifically pertinent to this Action.
The ActionPertinentObjectPropertyType identifies one of the Properties of an Object that is specifically pertinent to an Action.
The name field specifies the field name for the pertinent Object Property.
The xpath field specifies the XPath 1.0 expression identifying the pertinent property within the Properties schema for this object type.
The ActionRelationshipsType captures 1-n relationships between an Action and another Action.
The Relationship construct is required and enables description of a single other cyber observable Action that is related to this Action.
The ActionRelationshipType characterizes a relationship between a specified cyber observable action and another cyber observable action.
The Type field utilizes a standardized controlled vocabulary to describe the nature of the relationship between this Action and the related Action.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionRelationshipTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Action_Reference construct captures references to other Actions.
ActionReferenceType is intended to serve as a method for linking to actions.
The action_id field refers to the id of the action being referenced.
The ObjectType is a complex type representing the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
The id field specifies a unique id for this Object.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The State field enables the description of the current state of the object, through a standardized controlled vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectStateVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Description field provides a mechanism to specify a structured text description of this Object.
The Properties construct is an abstract placeholder for various predefined Object type schemas (e.g. File, Process or System) that can be instantiated in its place through extension of the ObjectPropertiesType. This mechanism enables the specification of a broad range of Object types with consistent Object Property naming and structure. The set of Properties schemas are maintained independent of the core CybOX schema.
The Domain_Specific_Object_Properties construct is an abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.
The Location field specifies a relevant physical location.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Related_Objects construct is optional and enables the identification and/or specification of Objects with relevant relationships with this Object.
The Defined_Effect construct is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.
The Discovery_Method field is optional and enables descriptive specification of how this Object was observed (in the case of a Cyber Observable Object instance) or could potentially be observed (in the case of a Cyber Observable Object pattern).
The DomainSpecificObjectPropertiesType is an abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.
The RelatedObjectsType enables the identification and/or specification of Objects with relevant relationships with this Object.
The Related_Object construct is optional and enables the identification and/or specification of a single Object with a relevant relationship with this Object.
The RelatedObjectType enables the identification and/or specification of an Object with a relevant relationship with this Object.
The Relationship field uses a standardized controlled vocabulary to capture the nature of the relationship between this Object and the Related_Object.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectRelationshipVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
When idref is specified, by design, an instance may declare a Relationship child.
The DefinedEffectType is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
The StateChangeEffectType is intended as a generic way of characterizing the effects of actions upon objects where some state of the object is changed.
The Old_Object construct specifies the object and its properties as they were before the state change effect occurred.
The New_Object construct specifies the object and its properties as they are after the state change effect occurred.
The DataReadEffectType type is intended to characterize the effects of actions upon objects where some data is read, such as from a file or a pipe.
The Data field specifies the data that was read from the object by the action.
The DataWrittenEffectType type is intended to characterize the effects of actions upon objects where some data is written, such as to a file or a pipe.
The Data field specifies the data that was written to the object by the action.
The DataSentEffectType type is intended to characterize the effects of actions upon objects where some data is sent, such as a byte sequence on a socket.
The Data field specifies the data that was sent on the object, or from the object, by the action.
The DataReceivedEffectType type is intended to characterize the effects of actions upon objects where some data is received, such as a byte sequence on a socket.
The Data field specifies the data that was received on the object, or from the object, by the action.
The PropertyReadEffectType type is intended to characterize the effects of actions upon objects where some specific property is read from an object, such as the current running state of a process.
The Name field specifies the Name of the property being read.
The Value field specifies the value of the property being read.
The PropertiesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some properties of the object are enumerated, such as the startup parameters for a process.
The Properties field specifies the properties that were enumerated as a result of the action on the object.
The PropertiesType specifies the properties that were enumerated as a result of the action on the object.
The Property element specifies a single property that was enumerated as a result of the action on the object.
The ValuesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some values of the object are enumerated, such as the values of a registry key.
The Values field specifies the values that were enumerated as a result of the action on the object.
The ValuesType specifies the values that were enumerated as a result of the action on the object.
The Value field specifies a single value that was enumerated as a result of the action on the object.
The SendControlCodeEffectType is intended to characterize the effects of actions upon objects where some control code, or other control-oriented communication signal, is sent to the object. For example, an action may send a control code to change the running state of a process.
The Control_Code field specifies the actual control code that was sent to the object.
The ObservablesCompositionType enables the specification of higher-order composite observables composed of logical combinations of other observables.
The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.
The Observable construct represents a description of a single cyber observable.
The PoolsType enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.
The Event_Pool construct enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.
The Action_Pool construct enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.
The Object_Pool construct enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.
The Property_Pool construct enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.
The EventPoolType enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.
The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
The ActionPoolType enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.
The Action construct enables description/specification of a single cyber observable action.
The ObjectPoolType enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.
The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
The PropertyPoolType enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.
The Property construct enables the specification of a single Object Property.
The ObfuscationTechniquesType enables the description of a set of potential techniques an attacker could leverage to obfuscate the observability of this Observable.
The Obfuscation_Technique field is optional and enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.
The ObfuscationTechniqueType enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.
The Description field captures a structured text description of the obfuscation technique.
The Observables construct is optional and enables description of potential cyber observables that could indicate the use of this particular obfuscation technique.
Each keyword element contains one keyword.
The Noisiness field is optional and enables simple characterization of how noisy this Observable typically could be. In other words, how likely is it to generate false positives.
The Ease_of_Obfuscation field is optional and enables simple characterization of how easy it would be for an attacker to obfuscate the observability of this Observable.
The Obfuscation_Techniques field is optional and enables the description of potential techniques an attacker could leverage to obfuscate the observability of this Observable.
The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).
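The recursive Observable / Observable_Composition structure above (operator AND or OR on each composition, negate on each Observable, and the rule that id and idref must not both be present) can be evaluated mechanically once the atomic Observables have been matched. The following is an added example, not code from the CybOX schema or any MITRE tooling; the sample document, its `ex:` identifiers and the set of matched idrefs are constructed for illustration, while the `cybox-2` namespace URI is the real one.

```python
"""Evaluate a CybOX Observable_Composition tree against the ids of matched Observables.

Added example, not part of the CybOX schema or any MITRE tooling. It walks the
recursive Observable / Observable_Composition structure, applies the
OperatorTypeEnum (AND / OR) and the negate attribute, and rejects an Observable
that carries both id and idref, which the schema text forbids.
"""
import xml.etree.ElementTree as ET

NS = {"cybox": "http://cybox.mitre.org/cybox-2"}

# Constructed sample document: Obs5 = (Obs1 OR Obs2) AND (Obs3 OR NOT Obs4).
SAMPLE = """<cybox:Observable xmlns:cybox="http://cybox.mitre.org/cybox-2" id="ex:obs-5">
  <cybox:Observable_Composition operator="AND">
    <cybox:Observable>
      <cybox:Observable_Composition operator="OR">
        <cybox:Observable idref="ex:obs-1"/>
        <cybox:Observable idref="ex:obs-2"/>
      </cybox:Observable_Composition>
    </cybox:Observable>
    <cybox:Observable>
      <cybox:Observable_Composition operator="OR">
        <cybox:Observable idref="ex:obs-3"/>
        <cybox:Observable idref="ex:obs-4" negate="true"/>
      </cybox:Observable_Composition>
    </cybox:Observable>
  </cybox:Observable_Composition>
</cybox:Observable>"""


def evaluate_observable(obs, matched):
    """True if this Observable holds, given the ids of the atomic Observables that matched."""
    idref = obs.get("idref")
    if idref is not None and obs.get("id") is not None:
        raise ValueError("an Observable must not carry both id and idref")
    if idref is not None:
        # Leaf: a reference to an atomic Observable defined elsewhere.
        result = idref in matched
    else:
        comp = obs.find("cybox:Observable_Composition", NS)
        if comp is None:
            raise ValueError("Observable has neither idref nor Observable_Composition")
        result = evaluate_composition(comp, matched)
    # negate="true" asks for the absence, not the presence, of the Observable.
    if obs.get("negate", "false").lower() == "true":
        return not result
    return result


def evaluate_composition(comp, matched):
    """Combine the child Observables with the composition's operator attribute."""
    op = comp.get("operator")
    results = [evaluate_observable(child, matched)
               for child in comp.findall("cybox:Observable", NS)]
    if not results:
        raise ValueError("Observable_Composition has no child Observables")
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unknown operator {op!r}")


def evaluate_xml(xml_text, matched):
    """Parse a single Observable element and evaluate it against matched ids."""
    return evaluate_observable(ET.fromstring(xml_text), set(matched))


def evaluate_sample(matched):
    """Evaluate the constructed SAMPLE document against a set of matched ids."""
    return evaluate_xml(SAMPLE, matched)


if __name__ == "__main__":
    print(evaluate_sample({"ex:obs-1", "ex:obs-3"}))  # True
    print(evaluate_sample({"ex:obs-1", "ex:obs-4"}))  # False: obs-4 present, but negated
```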
The Type field uses a standardized controlled vocabulary to capture what type of Event this is.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Description field provides a mechanism to specify a structured text description of this Event.
The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event pattern).
The Actions construct enables description/specification of one or more cyber observable actions.
The Location field specifies a relevant physical location.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.
<schema>CybOX Common</schema>
<version>2.1</version>
<date>01/22/2014</date>
<short_description>The following specifies the fields and types that compose this defined CybOX Common Types.</short_description>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.</terms_of_use>
The SourceClassTypeEnum is a (non-exhaustive) enumeration of cyber observation source classes.
Describes a Network-based cyber observation.
Describes a System-based cyber observation.
Describes a Software-based cyber observation.
The SourceTypeEnum is a (non-exhaustive) enumeration of cyber observation source types.
Describes a cyber observation made using various tools, such as scanners, firewalls, gateways, protection systems, and detection systems. See ToolTypeEnum for a more complete list of tools that CybOX supports.
Describes a cyber observation made from analysis methods, such as Static and Dynamic methods. See AnalysisMethodTypeEnum for a more complete list of methods that CybOX supports.
Describes a cyber observation made using other information sources, such as logs, Device Driver APIs, and TPM output data. See InformationSourceTypeEnum for a more complete list of information sources that CybOX supports.
The CompensationModelEnum is a (non-exhaustive) enumeration of compensation models for tools.
Specifies that the tool is available for use at no monetary cost as the compensation model.
Specifies that the tool is proprietary and offers a limited use license as the compensation model.
Specifies that the tool is produced for sale or serves commercial purposes as the compensation model.
Specifies that the tool uses automatically rendered advertisements as the compensation model.
The nature of referenced material regarding a tool.
The reference is to documentation about the identified tool.
The reference is to source code for the identified tool.
The reference is to where an executable version of the tool can be downloaded.
The reference is to the tool implemented as an online service.
The reference is to material about the tool not covered by other values in this enumeration.
ConditionTypeEnum is a (non-exhaustive) enumeration of condition types.
Specifies the equality or = condition.
Specifies the "does not equal" or != condition.
Specifies the "contains" condition.
Specifies the "does not contain" condition.
Specifies the "starts with" condition.
Specifies the "ends with" condition.
Specifies the "greater than" condition.
Specifies the "greater than or equal to" condition.
Specifies the "less than" condition.
Specifies the "less than or equal to" condition.
The pattern is met if the given value lies between the values indicated in the field value body, inclusive of the bounding values themselves. The field value body MUST contain at least 2 values to be valid. If the field value body contains more than 2 values, then only the greatest and least values are considered. (I.e., if the body contains "2,4,6", then an InclusiveBetween condition would be satisfied if the observed value fell between 2 and 6, inclusive. Since this is an inclusive range, an observed value of 2 or 6 would fit the pattern in this example.) As such, always treat the InclusiveBetween condition as applying to a single range for the purpose of evaluating the apply_condition attribute.
The pattern is met if the given value lies between the values indicated in the field value body, exclusive of the bounding values themselves. The field value body MUST contain at least 2 values to be valid. If the field value body contains more than 2 values, then only the greatest and least values are considered. (I.e., if the body contains "2,4,6", then an ExclusiveBetween condition would be satisfied if the observed value fell between 2 and 6, exclusive. Since this is an exclusive range, an observed value of 2 or 6 would not fit the pattern in this example.) As such, always treat the ExclusiveBetween condition as applying to a single range for the purpose of evaluating the apply_condition attribute.
Specifies the condition that a value fits a given pattern.
Specifies the condition of bitwise AND. Specifically, when applying this pattern, a given value is bitwise-ANDed with the bit_mask attribute value (which must be present). If the result is identical to the value provided in the body of this field value, the pattern is considered fulfilled.
Specifies the condition of bitwise OR. Specifically, when applying this pattern, a given value is bitwise-ORed with the bit_mask attribute value (which must be present). If the result is identical to the value provided in the body of this field value, the pattern is considered fulfilled.
Specifies the condition of bitwise XOR. Specifically, when applying this pattern, a given value is bitwise-XORed with the bit_mask attribute value (which must be present). If the result is identical to the value provided in the body of this field value, the pattern is considered fulfilled.
Used to indicate how a condition should be applied to a list of values.
Indicates that a pattern holds if the given condition can be successfully applied to any of the field values.
Indicates that a pattern holds only if the given condition can be successfully applied to all of the field values.
Indicates that a pattern holds only if the given condition can be successfully applied to none of the field values.
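The condition semantics above (Between conditions as a single range, bitwise conditions against a required bit_mask, and ANY/ALL/NONE over a delimiter-separated value list) as an added, runnable example that is not part of the CybOX schema or its documentation. The function names (evaluate_pattern, split_values) are this example's own, and FitsPattern is assumed to mean the Regex pattern type with search semantics.

```python
"""Added example: evaluating a CybOX field-value pattern against an observed value.
Not CybOX project code; helper names are this example's own. The default delimiter
'##comma##' is the one the CybOX property types document."""
import re
from typing import List, Optional, Union

DEFAULT_DELIMITER = "##comma##"
Number = Union[int, float]


def split_values(body: str, delimiter: str = DEFAULT_DELIMITER) -> List[str]:
    # Whitespace is preserved: "2##comma## 4" yields ["2", " 4"].
    return body.split(delimiter)


def _coerce(text: str) -> Union[Number, str]:
    # Numbers compare numerically; anything else stays a string.
    for cast in (int, float):
        try:
            return cast(text)
        except ValueError:
            pass
    return text


def _between(observed: str, bounds: List[str], inclusive: bool) -> bool:
    # The body MUST carry at least 2 values; with more, only the least and
    # greatest count, so the condition is always a single range.
    if len(bounds) < 2:
        raise ValueError("Between conditions need at least 2 values in the body")
    obs = _coerce(observed)
    vals = [_coerce(b) for b in bounds]
    if isinstance(obs, str) or any(isinstance(v, str) for v in vals):
        obs, vals = observed, bounds          # non-numeric: compare as strings
    lo, hi = min(vals), max(vals)
    return lo <= obs <= hi if inclusive else lo < obs < hi


def _bitwise(observed: str, pattern: str, bit_mask: Optional[str], op: str) -> bool:
    # The bit_mask attribute is mandatory for all three bitwise conditions.
    if bit_mask is None:
        raise ValueError("bit_mask attribute is required for bitwise conditions")
    value, mask, expected = (int(str(x), 0) for x in (observed, bit_mask, pattern))
    result = {"BitwiseAnd": value & mask,
              "BitwiseOr": value | mask,
              "BitwiseXor": value ^ mask}[op]
    return result == expected


def _compare(condition: str, observed: str, pattern: str) -> bool:
    if condition == "Contains":
        return pattern in observed
    if condition == "DoesNotContain":
        return pattern not in observed
    if condition == "StartsWith":
        return observed.startswith(pattern)
    if condition == "EndsWith":
        return observed.endswith(pattern)
    if condition == "FitsPattern":            # assumed: Regex pattern type
        return re.search(pattern, observed) is not None
    obs, pat = _coerce(observed), _coerce(pattern)
    if isinstance(obs, str) != isinstance(pat, str):
        obs, pat = observed, pattern          # mixed types: string comparison
    return {"Equals": obs == pat, "DoesNotEqual": obs != pat,
            "GreaterThan": obs > pat, "GreaterThanOrEqual": obs >= pat,
            "LessThan": obs < pat, "LessThanOrEqual": obs <= pat}[condition]


def evaluate_pattern(condition: str, observed, body: str,
                     apply_condition: str = "ANY",
                     delimiter: str = DEFAULT_DELIMITER,
                     bit_mask: Optional[str] = None) -> bool:
    """Return True if the observed value satisfies the pattern field."""
    values = split_values(body, delimiter)
    obs = str(observed)
    if condition in ("InclusiveBetween", "ExclusiveBetween"):
        # One range, however many values the body lists; NONE just negates it.
        hit = _between(obs, values, condition == "InclusiveBetween")
        return not hit if apply_condition == "NONE" else hit
    if condition.startswith("Bitwise"):
        hits = [_bitwise(obs, v, bit_mask, condition) for v in values]
    else:
        hits = [_compare(condition, obs, v) for v in values]
    if apply_condition == "ANY":
        return any(hits)
    if apply_condition == "ALL":
        return all(hits)
    if apply_condition == "NONE":
        return not any(hits)
    raise ValueError(f"unknown apply_condition {apply_condition!r}")


if __name__ == "__main__":
    # Constructed sample patterns mirroring the "2,4,6" example in the text.
    print(evaluate_pattern("InclusiveBetween", 6, "2##comma##4##comma##6"))   # True
    print(evaluate_pattern("ExclusiveBetween", 6, "2##comma##4##comma##6"))   # False
    print(evaluate_pattern("Equals", "b.exe", "a.exe##comma##b.exe", "ANY"))  # True
    print(evaluate_pattern("BitwiseAnd", 0b1011, "0b1010", bit_mask="0b1110"))  # True
```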
DataTypeEnum is a (non-exhaustive) enumeration of data types.
Specifies the string datatype as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#string for more information.
Specifies the int datatype as it applies to the W3C standard for int. See http://www.w3.org/TR/xmlschema-2/#int for more information.
Specifies the float datatype as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#float for more information.
Specifies a date, which is usually in the form yyyy-mm-dd as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#date for more information.
Specifies a positive integer in the infinite set {1,2,...} as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#positiveInteger for more information.
Specifies an unsigned integer, which is a nonnegative integer in the set {0,1,2,...,4294967295} as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#unsignedInt for more information.
Specifies a date in full format including both date and time as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#dateTime for more information.
Specifies a time as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#time for more information.
Specifies a boolean value in the set {true,false,1,0} as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#boolean for more information.
Specifies a name (which represents XML Names) as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#Name and http://www.w3.org/TR/2000/WD-xml-2e-20000814#dt-name for more information.
Specifies a long integer, which is an integer whose maximum value is 9223372036854775807 and minimum value is -9223372036854775808 as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#long for more information.
Specifies an unsigned long integer, which is an integer whose maximum value is 18446744073709551615 and minimum value is 0 as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#unsignedLong for more information.
Specifies a length of time in the extended format PnYn MnDTnH nMnS, where nY represents the number of years, nM the number of months, nD the number of days, 'T' is the date/time separator, nH the number of hours, nM the number of minutes and nS the number of seconds, as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#duration for more information.
Specifies a decimal of datatype double as it is patterned after the IEEE double-precision 64-bit floating point type (IEEE 754-1985) and as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#double for more information.
Specifies a non-negative integer in the infinite set {0,1,2,...} as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#nonNegativeInteger for more information.
Specifies arbitrary hex-encoded binary data as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#hexBinary for more information.
Specifies a Uniform Resource Identifier Reference (URI) as it applies to the W3C standard and to RFC 2396, as amended by RFC 2732. See http://www.w3.org/TR/xmlschema-2/#anyURI for more information.
Specifies base64-encoded arbitrary binary data as it applies to the W3C standard. See http://www.w3.org/TR/xmlschema-2/#base64Binary for more information.
Specifies an IPV4 address in dotted decimal form. CIDR notation is also accepted.
Specifies an IPV6 address, which is represented by eight groups of 16-bit hexadecimal values separated by colons (:) in the form a:b:c:d:e:f:g:h. CIDR notation is also accepted.
Specifies a host name. For compatibility reasons, this could be any string. Even so, it is best to use the proper notation for the given host type. For example, web hostnames should be written as fully qualified hostnames in practice.
Specifies a MAC address, which is represented by six groups of 2 hexadecimal digits, separated by hyphens (-) or colons (:) in transmission order.
Specifies a domain name, which is represented by a series of labels concatenated with dots conforming to the rules in RFC 1035, RFC 1123, and RFC 2181.
Specifies a Uniform Resource Identifier, which identifies a name or resource and can act as a URL or URN.
Specifies a timezone in UTC notation (UTC+number).
Specifies arbitrary octal (base-8) encoded data.
Specifies arbitrary binary encoded data.
Specifies arbitrary data encoded in the Mac OS-originated BinHex format.
Specifies a subnet mask in IPv4 or IPv6 notation.
Specifies a globally/universally unique ID represented as a 32-character hexadecimal string. See ISO/IEC 11578:1996 Information technology -- Open Systems Interconnection -- Remote Procedure Call - http://www.iso.ch/cate/d2229.html.
Specifies data represented as a container of multiple data of a shared elemental type.
Specifies a CVE ID, expressed as CVE- appended by a four-digit integer, a - and another four-digit integer, as in CVE-2012-1234.
Specifies a CWE ID, expressed as CWE- appended by an integer.
Specifies a CAPEC ID, expressed as CAPEC- appended by an integer.
Specifies a CCE ID, expressed as CCE- appended by an integer.
Specifies a CPE Name. See http://cpe.mitre.org/specification/archive/version2.0/cpe-specification_2.0.pdf for more information.
The PatternTypeEnum type is a non-exhaustive enumeration of potentially relevant pattern types.
Specifies the regular expression pattern type.
Specifies the binary (bit operations) pattern type.
Specifies the XPath 1.0 expression pattern type.
The DataFormatEnum is a (non-exhaustive) enumeration of data formats.
Specifies binary data.
Specifies hexadecimal data.
Specifies text.
Specifies any other type of data from the ones listed.
The DataSizeUnitsEnum is a (non-exhaustive) enumeration of data size units.
Specifies an object size in Bytes.
Specifies an object size in Kilobytes.
Specifies an object size in Megabytes.
Possible values for representing date precision.
Date is precise to the given year.
Date is precise to the given month.
Date is precise to the given day.
Possible values for representing time precision.
Time is precise to the given hour.
Time is precise to the given minute.
Time is precise to the given second (including fractional seconds).
The SIDTypeEnum type is an enumeration of Windows Security ID (SID) types. These correspond to the values specified by the SID_NAME_USE enumeration; see http://msdn.microsoft.com/en-us/library/windows/desktop/aa379601(v=vs.85).aspx for more information.
Indicates a SID of type User.
Indicates a SID of type Group.
Indicates a SID of type Domain.
Indicates a SID of type Alias.
Indicates a SID for a well-known group.
Indicates a SID for a deleted account.
Indicates an invalid SID.
Indicates a SID of unknown type.
Indicates a SID for a computer.
Indicates a mandatory integrity label SID.
Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (transport) layer protocols.
Specifies the Transmission Control Protocol.
Specifies the User Datagram Protocol.
Specifies the Authentication Header protocol.
Specifies the Encapsulating Security Payload protocol.
Specifies the Generic Routing Encapsulation protocol.
Specifies the Internet Link protocol.
Specifies the Stream Control Transmission Protocol.
Specifies the Siemens Sinec H1 protocol.
Specifies the Sequenced Packet Exchange protocol.
Specifies the Datagram Congestion Control Protocol.
The EndiannessTypeEnum is a non-exhaustive enumeration of byte ordering methods.
The Big-endian value specifies a big-endian byte ordering.
The Little-endian value specifies a little-endian byte ordering.
The Middle-endian value specifies a middle-endian byte ordering.
The RegionalRegistryTypeEnum is an enumeration of Regional Internet Registries (RIRs) names, represented via their respective acronyms.
AfriNIC stands for African Network Information Centre, and is the RIR for Africa.
ARIN stands for American Registry for Internet Numbers, and is the RIR for the United States, Canada, several parts of the Caribbean Region, and Antarctica.
APNIC stands for Asia-Pacific Network Information Centre, and is the RIR for Asia, Australia, New Zealand, and neighboring countries.
LACNIC stands for Latin American and Caribbean Network Information Centre, and is the RIR for Latin America and parts of the Caribbean region.
RIPE NCC stands for Réseaux IP Européens Network Coordination Centre, and is the RIR for Europe, Russia, the Middle East, and Central Asia.
Possible values for representing time precision.
The MeasureSourceType is a type representing a description of a single cyber observation source.
The class field is optional and enables identification of the high-level class of this cyber observation source.
The source_type field is optional and enables identification of the broad type of this cyber observation source.
The name field is optional and enables the assignment of a relevant name to this Discovery Method.
The sighting_count field specifies how many different identical instances of a given Observable may have been seen/sighted by the observation source.
The Information_Source_Type field is optional and utilizes a standardized controlled vocabulary to identify the type of information source leveraged for this cyber observation source.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationSourceTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Tool_Type field is optional and (when tools are used) enables identification of the type of tool leveraged as part of this cyber observation source, via a standardized controlled vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ToolTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Description field is optional and enables a generalized but structured description of this cyber observation source.
The Contributors field is optional and enables description of the individual contributors involved in this cyber observation source.
The Time field is optional and enables description of various time-related properties for this cyber observation source instance.
The Observation_Location field specifies a relevant physical location for the observation measurement of the associated Observable.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Tools field is optional and enables description of the tools utilized for this cyber observation source.
The Platform field is optional and enables a formal, standardized specification of the platform for this cyber observation source.
The System field is optional and enables characterization of the system on which the mechanism of cyber observation executed. System should be an object of type SystemObj:SystemObjectType.
The Instance field is optional and enables characterization of the process instance in which the mechanism of cyber observation executed. Instance should be of type ProcessObj:ProcessObjectType.
The Observable_Location field specifies a relevant physical location for the associated Observable.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The ContributorType represents a description of an individual who contributed as a source of cyber observation data.
This field describes the role played by this contributor.
This field contains the name of this contributor.
This field contains the email of this contributor.
This field contains a telephone number of this contributor.
This field contains the organization name of this contributor.
This field contains a description (bounding) of the timing of this contributor's involvement.
This field contains information describing the location at which the contributory activity occurred.
The DateRangeType specifies a range of dates.
This field contains the start date for this contributor's involvement. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
This field contains the end date for this contributor's involvement. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The PersonnelType is an abstracted data type to standardize the description of sets of personnel.
This field contains information describing the identity, resources and timing of involvement for a single contributor.
The TimeType specifies various time properties for this construct.
The Start_Time field is optional and describes the starting time for this construct. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The End_Time field is optional and describes the ending time for this construct. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The Produced_Time field is optional and describes the time that this construct was produced. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The Received_Time field is optional and describes the time that this construct was received. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The ToolSpecificDataType is an Abstract type placeholder within the CybOX schema enabling the inclusion of metadata for a specific type of tool through the use of a custom type defined as an extension of this base Abstract type.
The ToolsInformationType represents a description of a set of automated tools.
The Tool field is optional and enables description of a single tool utilized for this cyber observation source.
The ToolInformationType is intended to characterize the properties of a hardware or software tool, including those related to instances of its use.
The id field specifies a unique ID for this Tool.
The idref field specifies reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
This field contains the name of the tool leveraged.
This field contains the type of the tool leveraged.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for CybOX 2.0. Users may either define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a free string field. Additionally, locations where the ToolInformationType is used may define default vocabularies for this field.
This field contains general descriptive information for this tool.
This field contains references to instances or additional information for this tool.
This field contains information identifying the vendor organization for this tool.
This field contains an appropriate version descriptor of this tool.
This field contains an appropriate service pack descriptor for this tool.
This is an abstract type provided as a flexible mechanism for enabling tool-specific data to be included.
This field contains a hash value computed on the tool file content in order to verify its integrity.
This field contains information describing the configuration and usage of the tool.
This field contains information describing the execution environment of the tool.
This field captures any errors generated during the run of the tool.
This field captures other relevant metadata including tool-specific fields.
This field contains the name of the compensation model used for the tool.
The CompensationModelType characterizes the compensation model for a tool.
This attribute is optional and specifies the expected type for the value of the specified property.
Used to indicate one or more references to tool instances and information.
Contains one reference to information or instances of a given tool.
Contains one reference to information or instances of a given tool.
Indicates the nature of the referenced material (documentation, source, executable, etc.).
The ToolConfigurationType characterizes the configuration for a tool used as a cyber observation source.
This field describes the configuration settings of this tool instance.
This field contains information describing the relevant dependencies for this tool.
This field contains descriptions of the various relevant usage context assumptions for this tool.
This field contains information describing relevant internationalization settings for this tool.
This field contains information describing how this tool was built.
The ConfigurationSettingsType is a modularized data type used to provide a consistent approach to describing configuration settings for a tool, application or other cyber object.
This field contains a single configuration setting instance.
The ConfigurationSettingType is a modularized data type used to provide a consistent approach to describing a particular configuration setting for a tool, application or other cyber object.
This field contains the name of the configuration item referenced by this configuration setting instance.
This field contains the value of this configuration setting instance.
This field contains the type of the configuration item referenced in this configuration setting instance.
This field contains a description of the configuration item referenced in this configuration setting instance.
The DependenciesType contains information describing a set of dependencies for this tool.
This field contains information describing a single dependency for this tool.
The DependencyType contains information describing a single dependency for this tool.
This field describes the type of this dependency instance.
This field contains a description of this dependency instance.
The UsageContextAssumptionsType contains descriptions of the various relevant usage context assumptions for this tool.
This field contains a single usage context assumption for this tool.
The InternationalizationSettingsType contains information describing relevant internationalization settings for this tool.
This field contains a single internal string instance for this internationalization setting instance.
The InternalStringsType contains a single internal string instance for this internationalization setting instance.
This field contains the actual key of this internal string instance.
This field contains the actual content of this internal string instance.
The BuildInformationType contains information describing how this tool was built.
This field contains an externally defined unique identifier of this build of this application instance.
This field contains the project name of this build of this application instance.
This field contains information identifying the utility used to build this application.
This field contains the appropriate version descriptor of this build of this application instance.
This field contains any relevant label for this build of this application instance.
This field describes the compilers utilized during this build of this application.
This field identifies the compilation date for the build of the tool. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
This field describes how the build utility was configured for this build of this application.
This field contains the actual build script for this build of this application instance.
This field identifies the libraries incorporated into the build of the tool.
This field contains a capture of the output log of the build process.
The BuildUtilityType contains information identifying the utility used to build this application.
This field contains the informally defined name of the utility used to build this application instance.
This field identifies the build utility used to build this application.
The CompilersType describes the compilers utilized during this build of this application.
This field describes a single compiler utilized during this build of this application.
The CompilerType describes a single compiler utilized during this build of this application.
This field contains the informal description of this compiler instance.
This field identifies this compiler instance.
The CompilerInformalDescriptionType contains the informal description of this compiler instance.
This field contains the name of the compiler.
This field contains the version of the compiler.
The BuildConfigurationType describes how the build utility was configured for this build of this application.
This field contains the description of the configuration settings for this build of this application instance.
This field contains the configuration settings for this build of this application instance.
The LibrariesType identifies the libraries incorporated into the build of the tool.
This field identifies a library incorporated into the build of the tool.
The LibraryType identifies a single library incorporated into the build of the tool.
This field identifies the name of the library.
This field identifies the version of the library.
The ExecutionEnvironmentType contains information describing the execution environment of the tool.
This field contains information describing the system on which the tool was executed. System should be of type SystemObj:SystemObjectType.
This field contains information describing the user account that executed the tool. User_Account_Info should be of type UserAccountObj:UserAccountObjectType.
This field specifies the command line string used to run the tool.
This field specifies when the tool was run. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The ErrorsType captures any errors generated during the run of the tool.
This field captures a single type of error generated during the run of the tool.
The ErrorType captures a single error generated during the run of the tool.
This field specifies the type for this tool run error.
This field specifies the count of instances for this error in the tool run.
This field captures the actual error output for each instance of this type of error.
The ErrorInstancesType captures the actual error output for each instance of this type of error.
This field captures the actual error output for a single instance of this type of error.
The ObjectPropertiesType is an Abstract type placeholder within the CybOX schema enabling the inclusion of contextually varying object properties descriptions. This Abstract type is leveraged as the extension base for all predefined CybOX object properties schemas. Through this extension mechanism any object instance data based on an object properties schema extended from ObjectPropertiesType (e.g. File_Object, Address_Object, etc.) can be directly integrated into any instance document where a field is defined as ObjectPropertiesType. For flexibility and extensibility purposes any user of CybOX can specify their own externally defined object properties schemas (outside of or derived from the set of predefined objects) extended from ObjectPropertiesType and utilize them as part of their CybOX content.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
The Custom_Properties construct is optional and enables the specification of a set of custom Object Properties that may not be defined in existing Properties schemas.
The CustomPropertiesType enables the specification of a set of custom Object Properties that may not be defined in existing Properties schemas.
The Property construct enables the specification of a single Object Property.
The PropertyType is a type representing the specification of a single Object Property.
The name field specifies a name for this property.
A description of what this property represents.
This type is an intermediate type to allow for the addition of the precision attribute to TimeObjectPropertyType. It should not be used directly.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The TimeObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type time. This type will be assigned to any property of a CybOX object that should contain content of type Time and enables the use of relevant metadata for the property. In order to avoid ambiguity, it is strongly suggested that any time representation in this field include a specification of the timezone if it is known. As with the rest of the field, this should be formatted per the xs:time specification.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
For fields of this type using CybOX patterning, it is strongly suggested that the condition (pattern type) is limited to one of Equals, DoesNotEqual, GreaterThan, LessThan, GreaterThanOrEqual, LessThanOrEqual, ExclusiveBetween, or InclusiveBetween. The use of other conditions may lead to ambiguity or unexpected results. When evaluating data against a pattern, the evaluator should take into account the precision of the field (as given by the precision attribute) and any timezone information that is available to perform a data-aware comparison. The usage of simple string comparisons is discouraged due to ambiguities in how precision and timezone information is processed.
The precision of the associated time. If omitted, the default is "second", meaning the full field value (including fractional seconds). Digits in the time that are required by the xs:time datatype but are beyond the specified precision should be zeroed out.
When used in conjunction with CybOX patterning, the pattern should only be evaluated against the target up to the given precision.
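The precision- and timezone-aware comparison recommended above, as an added example that is not part of the CybOX schema or its documentation: xs:time values are parsed, digits beyond the precision attribute are zeroed, offsets are normalized to UTC, and only the conditions the text lists are supported. Function names (compare_times, parse_xs_time) are this example's own.

```python
"""Added example: comparing TimeObjectPropertyType values at a given precision.
Not CybOX project code. Shows why a plain string comparison is discouraged:
"12:00:00+02:00" and "10:00:00Z" are the same instant but different strings."""
import re
from datetime import time, timedelta, timezone
from typing import List, Tuple

DELIMITER = "##comma##"
_XS_TIME = re.compile(r"^(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")


def parse_xs_time(text: str) -> time:
    """Parse an xs:time lexical value; tzinfo is None when no zone was given."""
    m = _XS_TIME.match(text)
    if not m:
        raise ValueError(f"not an xs:time value: {text!r}")
    hour, minute, second = int(m[1]), int(m[2]), int(m[3])
    micro = int((m[4] or ".0")[1:].ljust(6, "0")[:6])   # fractional seconds
    tz = None
    if m[5] == "Z":
        tz = timezone.utc
    elif m[5]:
        sign = 1 if m[5][0] == "+" else -1
        hh, mm = (int(x) for x in m[5][1:].split(":"))
        tz = timezone(sign * timedelta(hours=hh, minutes=mm))
    return time(hour, minute, second, micro, tzinfo=tz)


def truncate(t: time, precision: str) -> time:
    """Zero out the digits beyond the precision attribute (default: second)."""
    if precision == "hour":
        return t.replace(minute=0, second=0, microsecond=0)
    if precision == "minute":
        return t.replace(second=0, microsecond=0)
    if precision == "second":
        return t                              # full value incl. fractional seconds
    raise ValueError(f"unknown time precision {precision!r}")


def _utc_seconds(t: time) -> float:
    # Seconds since midnight UTC; a zone-less time is taken as-is.
    offset = t.utcoffset() or timedelta(0)
    local = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return (local - offset.total_seconds()) % 86400


def _normalize(text: str, precision: str) -> Tuple[float, bool]:
    t = truncate(parse_xs_time(text), precision)
    return _utc_seconds(t), t.tzinfo is not None


def compare_times(condition: str, observed: str, pattern: str,
                  precision: str = "second") -> bool:
    """Evaluate one of the recommended conditions; Between takes two bounds."""
    obs, obs_zoned = _normalize(observed, precision)
    pats: List[Tuple[float, bool]] = [_normalize(p, precision)
                                      for p in pattern.split(DELIMITER)]
    if any(zoned != obs_zoned for _, zoned in pats):
        # Comparing a zoned time with an unzoned one is exactly the ambiguity
        # the schema warns about, so refuse rather than guess.
        raise ValueError("timezone present on one side of the comparison only")
    values = [v for v, _ in pats]
    if condition == "InclusiveBetween":
        return min(values) <= obs <= max(values)
    if condition == "ExclusiveBetween":
        return min(values) < obs < max(values)
    pat = values[0]
    return {"Equals": obs == pat, "DoesNotEqual": obs != pat,
            "GreaterThan": obs > pat, "GreaterThanOrEqual": obs >= pat,
            "LessThan": obs < pat, "LessThanOrEqual": obs <= pat}[condition]


if __name__ == "__main__":
    # Constructed sample values.
    print(compare_times("Equals", "12:00:00+02:00", "10:00:00Z"))            # True
    print(compare_times("Equals", "10:15:30Z", "10:15:45Z", "minute"))       # True
    print(compare_times("Equals", "10:15:30Z", "10:15:45Z"))                 # False
```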
The LocationType is used to express geographic location information.
This type is extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://cybox.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address_3.0/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.
Specifies a unique ID for this Location.
Specifies a reference to a unique ID defined elsewhere.
The Name field allows for expression of a location through a simple name.
The ExtractedFeaturesType is a type representing a description of features extracted from an object such as a file.
This field enables description of a set of static strings extracted from a raw cyber object.
This field enables description of a set of references to external resources imported by a raw cyber object.
This field enables description of a set of references to functions called by a raw cyber object.
This field enables description of a set of code snippets extracted from a raw cyber object.
The ExtractedStringsType type is intended as a container for strings extracted from CybOX objects.
This field enables description of a single static string extracted from a raw cyber object.
The ExtractedStringType type is intended as a container for a single string extracted from a CybOX object.
The Encoding field refers to the encoding method used for the string extracted from the CybOX object, via a standardized controlled vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is CharacterEncodingVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The String_Value field specifies the actual value of the string extracted from the CybOX object, if it is capable of being represented in the encoding scheme used in the document (most commonly UTF-8).
The Byte_String_Value field specifies the raw, byte-string representation of the string extracted from the CybOX object, in hexadecimal format.
The Hashes field is used to include any hash values computed using the string extracted from the CybOX object as input.
The Address field specifies the location or offset of the specified string in the CybOX object.
The Length field specifies the length, in characters, of the string extracted from the CybOX object.
The Language field specifies the language the string is written in, e.g. English. For consistency, we strongly recommend using the ISO 639-2 language code, if available. Please see http://www.loc.gov/standards/iso639-2/php/code_list.php for a list of ISO 639-2 codes.
The English_Translation field specifies the English translation of the string, if it is not written in English.
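The ExtractedStringType fields above map directly onto what a strings-style scan produces. The following added example (not code from the CybOX project) scans a constructed byte blob for printable ASCII and UTF-16LE runs and fills in Encoding, String_Value, Byte_String_Value (hex of the raw bytes), Hashes (computed over the raw bytes, not the decoded text), Address (byte offset) and Length (in characters, which for UTF-16LE is half the byte count). The sample object and the minimum run length are constructed for illustration, and the encoding names are Python codec names rather than CharacterEncodingVocab terms.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample raw object (not from any real binary): a short header,
# an ASCII string, a few non-printable bytes and a UTF-16LE string.
SAMPLE_OBJECT = (
    b"\x00\x01MZ\x90\x00"
    + b"http://example.invalid/c2"              # ASCII, starts at offset 6
    + b"\x00\x90\x00"
    + "C:\\Temp\\x.dll".encode("utf-16-le")     # UTF-16LE, starts at offset 34
    + b"\x00\x00\x7f"
)


@dataclass
class ExtractedString:
    encoding: str            # Encoding (Python codec name here, not a vocab term)
    string_value: str        # String_Value
    byte_string_value: str   # Byte_String_Value: raw bytes as hexadecimal
    hashes: dict             # Hashes: computed over the raw bytes, not the text
    address: int             # Address: byte offset of the string in the object
    length: int              # Length: in characters, not bytes


def _record(encoding, raw, address):
    text = raw.decode(encoding)
    return ExtractedString(
        encoding=encoding,
        string_value=text,
        byte_string_value=raw.hex(),
        hashes={"MD5": hashlib.md5(raw).hexdigest(),
                "SHA256": hashlib.sha256(raw).hexdigest()},
        address=address,
        length=len(text),
    )


def extract_strings(data, min_len=4):
    """Return ExtractedString records for every printable-ASCII run and every
    UTF-16LE run of at least min_len characters, ordered by Address."""
    found = []
    # ASCII: runs of printable bytes 0x20..0x7e.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(_record("ascii", m.group(), m.start()))
    # UTF-16LE: the same printable code points stored as <byte><0x00> pairs.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(_record("utf-16-le", m.group(), m.start()))
    return sorted(found, key=lambda s: s.address)


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_OBJECT):
        print(s.address, s.encoding, s.length, repr(s.string_value))
```

Hashing the raw bytes rather than the decoded text is deliberate: two tools decoding the same bytes with different codecs will still agree on the Hashes field, and a consumer can recompute the hash from Byte_String_Value alone.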
The ImportsType is intended to represent an extracted list of imports specified within a CybOX object.
This field enables description of a single reference to an external resource imported by a raw cyber object.
The FunctionsType is intended to represent an extracted list of functions leveraged within a CybOX object.
This field enables description of a single reference to a function called by a raw cyber object.
The CodeSnippetsType is intended to represent a set of code snippets extracted from within a CybOX object.
This field enables description of a single code snippet extracted from a raw cyber object. Code_Snippet should be of CodeObj:CodeObjectType.
The ByteRunsType is used for representing a list of byte runs from within a raw object.
The Byte_Run field contains a single byte run from the raw object.
The ByteRunType is used for representing a single byte run from within a raw object.
The Offset field specifies the offset of the beginning of the byte run as measured from the beginning of the object.
The Byte_Order field specifies the endianness of the unpacked (e.g., unencoded, unencrypted, etc.) data contained within the Byte_Run_Data field.
The File_System_Offset field is relevant only for byte runs of files in forensic analysis. It specifies the offset of the beginning of the byte run as measured from the beginning of the relevant file system.
The Image_Offset field is provided for forensic analysis purposes and specifies the offset of the beginning of the byte run as measured from the beginning of the relevant forensic image.
The Length field specifies the number of bytes in the byte run.
The Hashes field contains computed hash values for the data in this byte run.
The Byte_Run_Data field contains a raw dump of the byte run data, typically enclosed within an XML CDATA section.
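A byte run carries the same region in three reference frames (Offset within the object, File_System_Offset, Image_Offset) plus the raw bytes and their hashes. The following added example (not code from the CybOX project) carves a run from a constructed forensic image, records all three offsets, and shows that Hashes cover the raw bytes while Byte_Order only governs how those bytes are interpreted. The image layout, the contiguous-file assumption and the endianness names "Little-endian"/"Big-endian" are assumptions for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Constructed forensic image (not a real disk): a file system that begins
# FS_START bytes into the image, and a 32-byte file stored contiguously
# FILE_START_IN_FS bytes into that file system.
FS_START = 4096
FILE_START_IN_FS = 1024
FILE_DATA = (b"\x7fELF" + b"\x00" * 12
             + struct.pack("<I", 0xDEADBEEF)   # a little-endian field at file offset 16
             + b"A" * 12)
IMAGE = b"\x00" * FS_START + b"\xff" * FILE_START_IN_FS + FILE_DATA + b"\x00" * 64


@dataclass
class ByteRun:
    offset: int              # Offset: from the start of the object (the file)
    length: int              # Length: number of bytes in the run
    byte_order: str          # Byte_Order: endianness of the unpacked data
    hashes: dict             # Hashes: over the raw bytes of the run
    byte_run_data: bytes     # Byte_Run_Data: raw dump of the run
    file_system_offset: int  # File_System_Offset: from the start of the file system
    image_offset: int        # Image_Offset: from the start of the forensic image


def carve_byte_run(image, fs_start, file_start_in_fs, offset, length,
                   byte_order="Little-endian"):
    """Carve one run and record it in all three reference frames, so a consumer
    holding only the file, only the file system, or the whole image can find it.
    Assumes the file is stored contiguously (no fragmentation)."""
    fs_offset = file_start_in_fs + offset
    image_offset = fs_start + fs_offset
    data = image[image_offset:image_offset + length]
    if len(data) != length:
        raise ValueError("byte run extends past the end of the image")
    hashes = {"MD5": hashlib.md5(data).hexdigest(),
              "SHA256": hashlib.sha256(data).hexdigest()}
    return ByteRun(offset, length, byte_order, hashes, data, fs_offset, image_offset)


def verify_byte_run(image, run):
    """Re-read the run at Image_Offset and confirm the dump and SHA256 still match."""
    data = image[run.image_offset:run.image_offset + run.length]
    return (data == run.byte_run_data
            and run.hashes["SHA256"] == hashlib.sha256(data).hexdigest())


def unpack_u32(run, position=0):
    """Interpret four bytes of the run as an unsigned integer using Byte_Order.
    The hashes cover the raw bytes; Byte_Order only affects interpretation."""
    fmt = "<I" if run.byte_order == "Little-endian" else ">I"
    return struct.unpack_from(fmt, run.byte_run_data, position)[0]


if __name__ == "__main__":
    run = carve_byte_run(IMAGE, FS_START, FILE_START_IN_FS, offset=16, length=8)
    print(run.file_system_offset, run.image_offset, hex(unpack_u32(run)),
          verify_byte_run(IMAGE, run))
```

verify_byte_run is the check a consumer should perform before trusting a run pulled from a second copy of the image: if either the dump or the hash disagrees, the offsets were computed against a different layout or the evidence has changed.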
The HashListType type is used for representing a list of hash values.
The Hash field specifies a single calculated hash value.
The HashValueType is used for specifying the resulting value from a hash calculation.
The FuzzyHashStructureType is used for characterizing the internal components of a cryptographic fuzzy hash algorithmic calculation.
The Block_Size field is optional and specifies the calculated block size for this fuzzy hash calculation.
The Block_Hash field is optional and enables specification of the elemental components utilized for a fuzzy hash calculation on the hashed object utilizing Block_Size to calculate trigger points.
The FuzzyHashBlockType is used for characterizing the internal components of a single block in a cryptographic fuzzy hash algorithmic calculation.
The Block_Hash_Value field is optional and specifies a fuzzy hash calculation result value for this Block.
The Segment_Count field is optional and specifies the number of segments identified and utilized within this fuzzy hash calculation.
The Segments field is optional and specifies the set of segments identified and utilized within this fuzzy hash calculation.
The HashSegmentsType is used for characterizing the internal components of a set of trigger point-delimited segments in a cryptographic fuzzy hash algorithmic calculation.
The Segment field is optional and specifies a single segment identified and utilized within this fuzzy hash calculation.
The HashSegmentType is used for characterizing the internal components of a single trigger point-delimited segment in a cryptographic fuzzy hash algorithmic calculation.
The Trigger_point field is optional and specifies the offset within the hashed object of the trigger point for this segment.
The Segment_Hash field is optional and specifies a calculated hash value for this segment.
The Raw_Segment_Content field is optional and contains the raw content of this segment of the hashed object.
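The FuzzyHashStructureType, FuzzyHashBlockType, HashSegmentsType and HashSegmentType fields above describe a context-triggered piecewise hash: a rolling hash over a small window fires a trigger whenever it hits a value determined by Block_Size, the input is cut at each trigger point, and every piece is hashed on its own. The following added example (not code from the CybOX project and not an implementation of ssdeep) builds that structure with a deliberately simple rolling hash so the roles of Block_Size, Trigger_point, Segment_Hash, Raw_Segment_Content, Segment_Count and Block_Hash_Value are visible. The seven-byte window sum, SHA256 as the segment hash, the one-hex-digit-per-segment signature and the sample input are all choices made for illustration.

```python
import hashlib
from dataclasses import dataclass

WINDOW = 7  # rolling-hash window in bytes (a choice for this toy, not ssdeep's)

# Constructed input (not a real file): a deterministic 600-byte sequence.
SAMPLE = bytes((i * 73 + 41) % 256 for i in range(600))


@dataclass
class HashSegment:
    trigger_point: int          # Trigger_point: offset of the byte that fired the trigger
    segment_hash: str           # Segment_Hash: SHA256 of the segment (a choice here)
    raw_segment_content: bytes  # Raw_Segment_Content


@dataclass
class FuzzyHashBlock:
    block_hash_value: str       # Block_Hash_Value: one hex digit per segment
    segment_count: int          # Segment_Count
    segments: list              # Segments


@dataclass
class FuzzyHashStructure:
    block_size: int             # Block_Size
    block_hash: FuzzyHashBlock  # Block_Hash


def rolling_hashes(data):
    """Yield (offset, hash) where hash is the sum of the last WINDOW bytes.
    Only those bytes influence the value, which is what keeps triggers local."""
    h = 0
    for i, b in enumerate(data):
        h += b
        if i >= WINDOW:
            h -= data[i - WINDOW]
        yield i, h


def fuzzy_hash_structure(data, block_size):
    """Cut data at trigger points (rolling hash == block_size - 1 mod block_size),
    hash each segment, and assemble the CybOX-style structure."""
    segments, start = [], 0
    for i, h in rolling_hashes(data):
        if h % block_size == block_size - 1:
            seg = data[start:i + 1]
            segments.append(HashSegment(i, hashlib.sha256(seg).hexdigest(), seg))
            start = i + 1
    if start < len(data):  # bytes after the last trigger; recorded with trigger at end-of-data
        seg = data[start:]
        segments.append(HashSegment(len(data), hashlib.sha256(seg).hexdigest(), seg))
    signature = "".join(s.segment_hash[0] for s in segments)
    return FuzzyHashStructure(block_size, FuzzyHashBlock(signature, len(segments), segments))


if __name__ == "__main__":
    fh = fuzzy_hash_structure(SAMPLE, 16)
    print(fh.block_size, fh.block_hash.segment_count, fh.block_hash.block_hash_value)
```

The property worth keeping in mind when exchanging these structures is locality: because a trigger depends only on the last WINDOW bytes, changing one byte alters only the segments whose content or window touches it, and every segment that ended before the change keeps its Trigger_point and Segment_Hash. That is what lets a consumer compare two objects segment by segment instead of as opaque signatures.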
The HashType type is intended to characterize hash values.
The Type field utilizes a standardized controlled vocabulary to capture the type of hash used in the Simple_Hash_Value or Fuzzy_Hash_Value elements.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HashNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
The Fuzzy_Hash_Structure field is optional and enables the characterization of the key internal components of a fuzzy hash calculation with a given block size.
The DataSegmentType is intended to provide a relatively abstract way of characterizing data segments that may be written/read/transmitted or otherwise utilized in actions or behaviors.
The id field specifies a unique id for this data segment.
The Data_Format field refers to the type of data contained in the Data_Segment element.
The Data_Size field contains the size of the data contained in this element.
The Byte_Order field specifies the endianness of the unpacked (e.g., decoded, unencrypted, etc.) data stored within the Data_Segment field.
The Data_Segment field contains the actual segment of data being characterized.
The Offset field allows for the specification of where to start searching for the specified data segment in an object, in bytes.
The Search_Distance field specifies how far into an object should be ignored, in bytes, before starting to search for the specified data segment relative to the end of the previous data segment.
The Search_Within field specifies that at most N bytes are between data segments in related objects.
PlatformSpecificationType is a modularized data type intended for providing a consistent approach to uniquely specifying the identity of a specific platform.
In addition to capturing basic information, this type is intended to be extended to enable the structured description of a platform instance using the XML Schema extension feature. The CybOX default extension uses the Common Platform Enumeration (CPE) Applicability Language schema to do so. The extension that defines this is captured in the CPE23PlatformSpecificationType in the http://cybox.mitre.org/extensions/platform#CPE2.3-1 namespace. This type is defined in the extensions/platform/cpe2.3.xsd file.
A prose description of the indicated platform.
Indicates a pre-defined name for the given platform using some naming scheme. For example, one could provide a CPE (Common Platform Enumeration) name using the CPE naming format.
The MetadataType is intended as a mechanism to capture any non-context-specific metadata.
This field specifies the type of a single metadata field.
This field specifies the value of a single metadata field.
This field uses recursion of the MetadataType to specify subdatum structures for this metadata field.
The EnvironmentVariableListType type is used for representing a list of environment variables.
The Environment_Variable field is used for representing environment variables using a name/value pair.
The EnvironmentVariableType type is used for representing environment variables using a name/value pair.
The Name field specifies the name of the environment variable.
The Value field specifies the value of the environment variable.
The DigitalSignaturesType is used for representing a list of digital signatures.
The Digital_Signature field is optional and captures a single digital signature for this Object.
The DigitalSignatureInfoType type is used as a way to represent some of the basic information about a digital signature.
Specifies whether the digital signature exists.
Specifies if the digital signature is verified.
The certificate issuer of the digital signature.
The certificate subject of the digital signature.
A description of the digital signature.
SIDType specifies Windows Security ID (SID) types via a union of the SIDTypeEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the expected type for the value of the specified property.
Layer4ProtocolType specifies Layer 4 protocol types, via a union of the Layer4ProtocolEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.
The EndiannessType specifies names for byte ordering methods.
This attribute is optional and specifies the expected type for the value of the specified property.
CipherType specifies encryption algorithms, via a union of the CipherEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
The RegionalRegistryType specifies a Regional Internet Registry (RIR) for a given WHOIS entry. RIRs defined by the RegionalRegistryTypeEnum may be used, as well as those specified by a free form text string.
CipherEnum is a non-exhaustive enumeration of encryption algorithms.
Specifies the Advanced Encryption Standard (AES) algorithm.
Specifies the Blowfish algorithm.
Specifies the CAST-128 algorithm.
Specifies the CAST-256 algorithm.
Specifies the Data Encryption Standard (DES) algorithm.
Specifies the International Data Encryption Algorithm (IDEA).
Specifies the Rijndael algorithm.
Specifies the RC5 algorithm.
Specifies the Skipjack algorithm.
Specifies the Triple Data Encryption Standard (3DES) algorithm.
The PatternFieldGroup is a simple field group aggregating a set of fields for application of patterns.
This field is optional and defines the relevant condition to apply to the value.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
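The PatternFieldGroup fields above (condition, is_case_sensitive, apply_condition, delimiter, bit_mask, and the FitsPattern regex) together with the delimiter-separated multi-value rule stated for BaseObjectPropertyType and its derived types are easiest to understand as one evaluation routine. The following added example (not code from the CybOX project or from python-cybox) applies a pattern field to a single observed value and exercises the subtleties the text calls out: whitespace around the delimiter is preserved, ANY and ALL differ for negative conditions such as DoesNotEqual, and the bitwise conditions need a bit_mask. Two points are assumptions rather than anything the text states: a bitwise condition is taken to hold when (observed OP bit_mask) equals the pattern value, and FitsPattern is taken to require the regex to match the whole observed value. The between conditions read the pattern as "low<delimiter>high".

```python
import re

DEFAULT_DELIMITER = "##comma##"

_STRING = ("equals", "doesnotequal", "contains", "doesnotcontain", "startswith", "endswith")
_NUMERIC = ("greaterthan", "greaterthanorequal", "lessthan", "lessthanorequal",
            "inclusivebetween", "exclusivebetween")
_BITWISE = ("bitwiseand", "bitwiseor", "bitwisexor")


def _compare(condition, pattern, observed, case_sensitive, bit_mask, delimiter):
    """Evaluate one pattern value against one observed value."""
    c = condition.lower()
    if c in _BITWISE:
        if bit_mask is None:
            raise ValueError("bit_mask is required for " + condition)
        mask, obs, pat = int(bit_mask, 0), int(observed, 0), int(pattern, 0)
        computed = {"bitwiseand": obs & mask, "bitwiseor": obs | mask,
                    "bitwisexor": obs ^ mask}[c]
        return computed == pat          # assumed semantics: (observed OP mask) == pattern
    if c in _NUMERIC:
        obs = float(observed)
        if c.endswith("between"):       # pattern carries "low<delimiter>high"
            low, high = (float(x) for x in pattern.split(delimiter))
            return low <= obs <= high if c == "inclusivebetween" else low < obs < high
        pat = float(pattern)
        return {"greaterthan": obs > pat, "greaterthanorequal": obs >= pat,
                "lessthan": obs < pat, "lessthanorequal": obs <= pat}[c]
    if c == "fitspattern":              # assumed: regex must match the whole observed value
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.fullmatch(pattern, observed, flags) is not None
    if c in _STRING:
        if not case_sensitive:
            pattern, observed = pattern.lower(), observed.lower()
        return {"equals": observed == pattern, "doesnotequal": observed != pattern,
                "contains": pattern in observed, "doesnotcontain": pattern not in observed,
                "startswith": observed.startswith(pattern),
                "endswith": observed.endswith(pattern)}[c]
    raise ValueError("unsupported condition: " + condition)


def evaluate_pattern(field_body, observed, condition="Equals", is_case_sensitive=True,
                     apply_condition="ANY", delimiter=DEFAULT_DELIMITER, bit_mask=None):
    """Apply a PatternFieldGroup-style pattern to a single observed value.
    field_body may hold several values separated by `delimiter`; whitespace is
    preserved exactly, so 'a##comma## b' yields the values 'a' and ' b'."""
    c = condition.lower()
    # A between condition consumes the two delimited values as one (low, high) pair.
    values = [field_body] if c.endswith("between") else field_body.split(delimiter)
    results = [_compare(condition, v, observed, is_case_sensitive, bit_mask, delimiter)
               for v in values]
    if apply_condition.upper() == "ANY":
        return any(results)
    if apply_condition.upper() == "ALL":
        return all(results)
    raise ValueError("apply_condition must be ANY or ALL")


if __name__ == "__main__":
    # DoesNotEqual over a list: ANY is almost always true, ALL is the useful form.
    print(evaluate_pattern("evil.exe##comma##bad.dll", "evil.exe", "DoesNotEqual"))
    print(evaluate_pattern("evil.exe##comma##bad.dll", "evil.exe", "DoesNotEqual",
                           apply_condition="ALL"))
```

The DoesNotEqual case in the usage block is the trap the apply_condition text is warning about: with the default ANY, a two-value exclusion list matches any observed value, because every value differs from at least one list entry. Authors of exclusion patterns want ALL.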
The ObjectPropertyGroup is a simple field group aggregating a set of fields for Object Properties.
The id field specifies a unique ID for this Object Property.
The idref field specifies a unique ID reference for this Object Property.
When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
This field is optional and conveys whether the associated Object property has been obfuscated.
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.
It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).
This field is intended to be applicable only to fields which contain string values.
The PatternableFieldType is a grouping of attributes applicable to defining patterns on a specific field.
The BaseObjectPropertyType is a type representing a common typing foundation for the specification of a single Object Property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
The UnsignedLongObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type UnsignedLong. This type will be assigned to any property of a CybOX object that should contain content of type UnsignedLong and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The IntegerObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type Int. This type will be assigned to any property of a CybOX object that should contain content of type Integer and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
The ControlledVocabularyStringType data type specifies a formally defined vocabulary. It is an abstract data type so it MUST be extended via an enumeration from the STIX Vocabulary data model (descriptions of all default vocabularies defined within the STIX Vocabulary data model are found in the stixVocab package). Any custom vocabulary must be defined via an enumeration added to the STIX Vocabulary data model, if appropriate enumeration values are to be enforced.
The UnenforcedVocabularyStringType data type specifies custom vocabulary values via an enumeration defined outside of the STIX Vocabulary data model. It extends the VocabularyStringType data type. Note that the STIX vocabulary data model does not define any enforcement policy for this data type.
The vocab_name property specifies the name of the externally defined vocabulary.
The vocab_reference property specifies the location of the externally defined vocabulary using a Uniform Resource Identifier (URI).
The UnsignedIntegerObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type UnsignedInt. This type will be assigned to any property of a CybOX object that should contain content of type UnsignedInteger and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The StringObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type String. This type will be assigned to any property of a CybOX object that should contain content of type String and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The PositiveIntegerObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type PositiveInteger. This type will be assigned to any property of a CybOX object that should contain content of type PositiveInteger and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The NonNegativeIntegerObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type nonNegativeInteger. This type will be assigned to any property of a CybOX object that should contain content of type NonNegativeInteger and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the expected type for the value of the specified property.
The NameObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type Name. This type will be assigned to any property of a CybOX object that should contain content of type Name and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The LongObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type Long. This type will be assigned to any property of a CybOX object that should contain content of type Long and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The HexBinaryObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type HexBinary. This type will be assigned to any property of a CybOX object that should contain content of type HexBinary and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The FloatObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type Float. This type will be assigned to any property of a CybOX object that should contain content of type Float and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The DurationObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type duration. This type will be assigned to any property of a CybOX object that should contain content of type Duration and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The DoubleObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type Double. This type will be assigned to any property of a CybOX object that should contain content of type Double and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
This type is an intermediate type to allow for the addition of the precision attribute to DateTimeObjectPropertyType. It should not be used directly.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The DateTimeObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type DateTime. This type will be assigned to any property of a CybOX object that should contain content of type DateTime and enables the use of relevant metadata for the property. In order to avoid ambiguity, it is strongly suggested that any dateTime representation in this field include a timezone. As with the rest of the field, this should be formatted per the xs:dateTime specification.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
For fields of this type using CybOX patterning, it is strongly suggested that the condition (pattern type) is limited to one of Equals, DoesNotEqual, GreaterThan, LessThan, GreaterThanOrEqual, LessThanOrEqual, ExclusiveBetween, or InclusiveBetween. The use of other conditions may lead to ambiguity or unexpected results. When evaluating data against a pattern, the evaluator should take into account the precision of the field (as given by the precision attribute) and any timezone information that is available to perform a data-aware comparison. The usage of simple string comparisons is discouraged due to ambiguities in how precision and timezone information is processed.
The precision of the associated time. If omitted, the default is "second", meaning the full field value (including fractional seconds). Digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
When used in conjunction with CybOX patterning, the pattern should only be evaluated against the target up to the given precision.
This type is an intermediate type to allow for the addition of the precision attribute to DateObjectPropertyType. It should not be used directly.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The DateObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type Date. This type will be assigned to any property of a CybOX object that should contain content of type Date and enables the use of relevant metadata for the property. In order to avoid ambiguity, it is strongly suggested that any date representation in this field include a timezone if it is known. As with the rest of the field, this should be formatted per the xs:date specification.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
For fields of this type using CybOX patterning, it is strongly suggested that the condition (pattern type) is limited to one of Equals, DoesNotEqual, GreaterThan, LessThan, GreaterThanOrEqual, LessThanOrEqual, ExclusiveBetween, or InclusiveBetween. The use of other conditions may lead to ambiguity or unexpected results. When evaluating data against a pattern, the evaluator should take into account the precision of the field (as given by the precision attribute) and any timezone information that is available to perform a data-aware comparison. The usage of simple string comparisons is discouraged due to ambiguities in how precision and timezone information is processed.
The precision of the associated time. If omitted, the default is "day", meaning the full field value. Digits in the date that are required by the xs:date datatype but are beyond the specified precision should be zeroed out.
When used in conjunction with CybOX patterning, the pattern should only be evaluated against the target up to the given precision.
The Base64BinaryObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type base64Binary. This type will be assigned to any property of a CybOX object that should contain content of type Base64Binary and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
The AnyURIObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type anyURI. This type will be assigned to any property of a CybOX object that should contain content of type AnyURI and enables the use of relevant metadata for the property.
Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
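The delimiter-separated list convention described above for Base64BinaryObjectPropertyType and AnyURIObjectPropertyType is easy to get wrong on the whitespace point. The following is an added example (not code from the CybOX schema or any reference implementation) that splits a multi-valued property exactly as the text prescribes, with no trimming, and then decodes each item as base64 so that a stray space after the delimiter shows up as a decode failure instead of being silently absorbed. The sample values are constructed for this example.

```python
"""Splitting CybOX delimiter-separated property values.

Added example; not from the CybOX schema or any reference implementation.
"""
import base64
import binascii

DEFAULT_DELIMITER = "##comma##"


def split_property_values(raw, delimiter=DEFAULT_DELIMITER):
    """Split a multi-valued property into its items without touching whitespace.

    The schema text says whitespace is preserved, so nothing is stripped here:
    a space typed after the delimiter becomes the first character of the next item.
    """
    if not delimiter:
        raise ValueError("delimiter must be a non-empty string")
    return raw.split(delimiter)


def decode_base64_values(raw, delimiter=DEFAULT_DELIMITER):
    """Decode each item of a Base64BinaryObjectPropertyType value list.

    Returns (item, decoded_bytes or None) pairs; an item that is not valid
    base64 (for example because of a stray leading space) yields None instead
    of being silently dropped, so the producer's mistake stays visible.
    """
    results = []
    for item in split_property_values(raw, delimiter):
        try:
            decoded = base64.b64decode(item, validate=True)
        except (binascii.Error, ValueError):
            decoded = None
        results.append((item, decoded))
    return results


# Constructed sample values (not taken from the page).
CLEAN_LIST = "aGk=##comma##d29ybGQ="          # "hi", "world"
SPACED_LIST = "aGk=##comma## d29ybGQ="        # space after the delimiter
SEMICOLON_LIST = "aGk=;d29ybGQ="              # delimiter attribute overridden to ';'

if __name__ == "__main__":
    for label, raw, delim in (("clean", CLEAN_LIST, DEFAULT_DELIMITER),
                              ("spaced", SPACED_LIST, DEFAULT_DELIMITER),
                              ("semicolon", SEMICOLON_LIST, ";")):
        print(label, decode_base64_values(raw, delim))
```

The same `split_property_values` applies unchanged to anyURI lists; only the per-item decoding step differs.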
The DataSizeType specifies the size of the data segment.
This field represents the Units used in the object size element.
The FuzzyHashValueType is used for characterizing the output of cryptographic fuzzy hash functions that output a single complex string-based hash value.
Used to specify a name for a platform using a particular naming system, together with an optional reference pointing to more information about that naming scheme. For example, one could provide a CPE (Common Platform Enumeration) name using the CPE naming format. In this case, the system value could be "CPE" while the system_ref value could be "http://scap.nist.gov/specifications/cpe/".
Indicates the naming system from which the indicated name was drawn.
A reference to information about the naming system from which the indicated name was drawn.
The SimpleHashValueType is used for characterizing the output of basic cryptographic hash functions that output a single hexBinary hash value.
The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The Fuzzy_Hash_Value field specifies a single result value of a cryptographic fuzzy hash function that outputs a single complex string-based hash value (e.g., SSDEEP's Block1hash:Block2hash format).
The Simple_Hash_Value field specifies a single result value of a basic cryptographic hash function that outputs a single hexBinary hash value.
This type is used as a replacement for the standard xs:dateTime type but allows for the representation of the precision of the dateTime. If the precision is given, consumers must ignore the portions of this field that are more precise than the given precision. Producers should zero-out (fill with zeros) digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision.
In order to avoid ambiguity, it is strongly suggested that all dateTimes include a specification of the timezone if it is known.
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
This type is used as a replacement for the standard xs:date type but allows for the representation of the precision of the date. If the precision is given, consumers must ignore the portions of this field that are more precise than the given precision. Producers should zero-out (fill with zeros) digits in the date that are required by the xs:date datatype but are beyond the specified precision.
In order to avoid ambiguity, it is strongly suggested that all dates include a specification of the timezone if it is known.
The precision of the associated date. If omitted, the default is "day", meaning the full field value.
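The precision and timezone rules stated for DateTimeObjectPropertyType and DateObjectPropertyType (and restated for the precision-bearing dateTime and date types just above) are what an evaluator has to implement when it checks an observed value against a pattern. The following is an added example, not code from the CybOX schema or any reference implementation, of a consumer-side evaluator: it normalises both sides to UTC, truncates them to the stated precision, and then applies one of the suggested conditions (Equals, DoesNotEqual, GreaterThan, LessThan, GreaterThanOrEqual, LessThanOrEqual, ExclusiveBetween, InclusiveBetween). It assumes the precision names year, month, day, hour, minute and second (the page itself names only "second" and "day"), that a Between condition carries its two bounds as a delimiter-separated pair, and that a value with no timezone is read as UTC, which is exactly the ambiguity the text warns producers to avoid. Sample values are constructed for this example.

```python
"""Precision- and timezone-aware evaluation of CybOX dateTime/date patterns.

Added example; not part of the CybOX schema or its reference code. Assumed:
precision names year/month/day/hour/minute/second (only "second" and "day"
appear on the page) and Between bounds given as a delimiter-separated pair.
"""
import re
from datetime import datetime, timezone

DEFAULT_DELIMITER = "##comma##"
# Assumed precision names, coarsest to finest.
PRECISION_ORDER = ("year", "month", "day", "hour", "minute", "second")
_DATE_ONLY = re.compile(r"^(\d{4}-\d{2}-\d{2})(Z|[+-]\d{2}:\d{2})?$")


def parse_xs_datetime(text, assume_tz=timezone.utc):
    """Parse an xs:dateTime or xs:date lexical value into an aware UTC datetime.

    Values without a timezone are interpreted in `assume_tz` (an assumption the
    schema text warns about; producers are asked to include a zone).
    """
    m = _DATE_ONLY.match(text)
    if m:                                 # xs:date: treat as midnight of that day
        text = m.group(1) + "T00:00:00" + (m.group(2) or "")
    if text.endswith("Z"):                # fromisoformat before 3.11 rejects 'Z'
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=assume_tz)
    return dt.astimezone(timezone.utc)


def truncate_to_precision(dt, precision):
    """Zero out every component finer than `precision`.

    Month and day floor to 1 rather than 0 because xs:dateTime does not allow
    00 for them; that is this example's reading of "zeroed out".
    """
    if precision not in PRECISION_ORDER:
        raise ValueError("unknown precision: %r" % (precision,))
    keep = PRECISION_ORDER.index(precision)
    floor = {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0}
    replacements = {name: floor[name] for name in PRECISION_ORDER[keep + 1:]}
    if keep < PRECISION_ORDER.index("second"):
        replacements["microsecond"] = 0   # fractional seconds only survive at "second"
    return dt.replace(**replacements)


def evaluate_datetime_condition(observed, condition, pattern_value,
                                precision="second", delimiter=DEFAULT_DELIMITER):
    """Return True if `observed` satisfies `condition` against `pattern_value`.

    Both sides are converted to UTC before truncation (a design choice here), so
    the same instant always falls into the same precision bucket no matter which
    zone it was written in.
    """
    obs = truncate_to_precision(parse_xs_datetime(observed), precision)
    refs = [truncate_to_precision(parse_xs_datetime(v), precision)
            for v in pattern_value.split(delimiter)]
    if condition in ("ExclusiveBetween", "InclusiveBetween"):
        if len(refs) != 2:
            raise ValueError("Between conditions need exactly two bounds")
        lo, hi = refs
        return lo < obs < hi if condition == "ExclusiveBetween" else lo <= obs <= hi
    if len(refs) != 1:
        raise ValueError("condition %s takes a single value" % condition)
    ref = refs[0]
    comparisons = {
        "Equals": obs == ref,
        "DoesNotEqual": obs != ref,
        "GreaterThan": obs > ref,
        "LessThan": obs < ref,
        "GreaterThanOrEqual": obs >= ref,
        "LessThanOrEqual": obs <= ref,
    }
    if condition not in comparisons:
        raise ValueError("unsupported condition for dateTime fields: %s" % condition)
    return comparisons[condition]


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(evaluate_datetime_condition("2014-01-22T10:15:30Z", "Equals",
                                      "2014-01-22T10:15:45Z", precision="minute"))
    print(evaluate_datetime_condition("2014-01-22T23:30:00-05:00", "Equals",
                                      "2014-01-23", precision="day"))
    print(evaluate_datetime_condition("2014-01-22T12:00:00Z", "InclusiveBetween",
                                      "2014-01-01T00:00:00Z##comma##2014-01-31T23:59:59Z"))
```

Note the effect of the UTC-first choice: "2014-01-22T23:30:00-05:00" and "2014-01-23T04:30:00Z" are the same instant and compare Equals at any precision, whereas truncating each side in its own zone would put them on different days. An evaluator that instead wants local-calendar semantics must document that choice, which is why the schema text discourages plain string comparison.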