RecordData

The RecordData class describes or references log or audit data from a given type of tool and provides a means to annotate the output.

RecordData RecordData RecordData [DATETIME] DateTime (0..1) [ML_STRING] Description (0..*) [SOFTWARE] Application (0..1) [EXTENSION] RecordItem (0..*) [URL] URL (0..*) [EXTENSION] AdditionalData (0..*) [ENUM] restriction (0..1) [STRING] ext-restriction (0..1) [ID] observable-id (0..1) RecordPattern RecordPattern RecordData->RecordPattern 0..* FileData FileData [ENUM] restriction (0..1) [STRING] ext-restriction (0..1) [ID] observable-id (0..1) RecordData->FileData 0..1 WindowsRegistryKeysModified WindowsRegistryKeysModified [ID] observable-id (0..1) RecordData->WindowsRegistryKeysModified 0..* CertificateData CertificateData [ENUM] restriction (0..1) [STRING] ext-restriction (0..1) [ID] observable-id (0..1) RecordData->CertificateData 0..* File File [STRING] FileName (0..1) [INTEGER] FileSize (0..1) [STRING] FileType (0..1) [URL] URL (0..*) [SOFTWARE] AssociatedSoftware (0..1) [EXTENSION] FileProperties (0..*) [ID] observable-id (0..1) FileData->File 1..* HashData HashData [STRING] HashTargetID (0..1) [STRING] scope (0..1) File->HashData 0..1 SignatureData SignatureData [] Signature (1..*) File->SignatureData 0..1 Hash Hash []  (0..1) [SOFTWARE] Application (0..1) HashData->Hash 0..* FuzzyHash FuzzyHash [EXTENSION] FuzzyHashValue (1..*) [SOFTWARE] Application (0..1) [EXTENSION] AdditionalData (0..*) HashData->FuzzyHash 0..* Key Key [STRING] KeyName (1..1) [STRING] KeyValue (0..1) [ENUM] registryaction (0..1) [STRING] ext-registryaction (0..1) [ID] observable-id (0..1) WindowsRegistryKeysModified->Key 1..* Certificate Certificate []  (1..1) [ML_STRING] Description (0..*) [ID] observable-id (0..1) CertificateData->Certificate 1..* 
digraph RecordData {
	graph [bb="0,0,1392,485.5",
		rankdir=LR
	];
	node [label="\N"];
	RecordData	 [height=3.0278,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cccc52" HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="The RecordData class describes or references log or audit data from a given type of tool and provides a means to annotate the output. "><FONT FACE="Nimbus Sans L">RecordData</FONT></td> </tr>" %<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="A timestamp of the data found in the RecordItem or URL classes."><FONT FACE="Nimbus Sans L">[DATETIME] DateTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="A free-form text description of the data provided in the RecordItem or URL classes."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="Identifies the tool used to generate the data in the RecordItem or URL classes."><FONT FACE="Nimbus Sans L">[SOFTWARE] Application (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="Log, audit, or forensic data to support the conclusions made during the course of analyzing the incident."><FONT FACE="Nimbus Sans L">[EXTENSION] RecordItem (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="A URL reference to a log or audit data."><FONT FACE="Nimbus Sans L">[URL] URL (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="An extension mechanism for data not explicitly represented in the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="A means by which to extend the restriction attribute.  See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFFF66"  HREF="/idmef_parser/IODEFv2/RecordData.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="116.5,232",
		shape=plaintext,
		width=3.2361];
	RecordPattern	 [height=0.5,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cccc52" HREF="/idmef_parser/IODEFv2/RecordPattern.html" TITLE="The RecordPattern class describes where in the log data provided or referenced in the RecordData class relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data. "><FONT FACE="Nimbus Sans L">RecordPattern</FONT></td> </tr>" %</table>>,
		pos="396.5,348",
		shape=plaintext,
		width=1.5139];
	RecordData -> RecordPattern	 [label="0..*",
		lp="262.5,320.5",
		pos="e,341.84,336.25 233.4,295.66 252.67,304.88 272.66,313.7 292,321 304.64,325.77 318.45,330 331.77,333.61"];
	FileData	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/FileData.html" TITLE="The FileData class describes a file or set of files. "><FONT FACE="Nimbus Sans L">FileData</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/FileData.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/FileData.html" TITLE="A means by which to extend the restriction attribute.  See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/FileData.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="396.5,266",
		shape=plaintext,
		width=2.7778];
	RecordData -> FileData	 [label="0..1",
		lp="262.5,258.5",
		pos="e,296.44,253.85 233.22,246.17 250.78,248.31 268.84,250.5 286.26,252.61"];
	WindowsRegistryKeysModified	 [height=0.69444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/WindowsRegistryKeysModified.html" TITLE="The WindowsRegistryKeysModified class describes Windows operating system registry keys and the operations that were performed on them. This class was derived from [RFC5901]. "><FONT FACE="Nimbus Sans L">WindowsRegistryKeysModified</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/WindowsRegistryKeysModified.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="396.5,177",
		shape=plaintext,
		width=2.9028];
	RecordData -> WindowsRegistryKeysModified	 [label="0..*",
		lp="262.5,211.5",
		pos="e,291.59,197.61 233.22,209.07 249.25,205.92 265.7,202.69 281.69,199.55"];
	CertificateData	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/CertificateData.html" TITLE="The CertificateData class describes X.509 certificates. "><FONT FACE="Nimbus Sans L">CertificateData</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/CertificateData.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/CertificateData.html" TITLE="A means by which to extend the restriction attribute.  See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/CertificateData.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="396.5,67",
		shape=plaintext,
		width=2.7778];
	RecordData -> CertificateData	 [label="0..*",
		lp="262.5,156.5",
		pos="e,318.23,113.12 233.22,163.22 258.74,148.18 285.33,132.51 309.46,118.29"];
	File	 [height=2.4444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/File.html" TITLE="The File class describes a file; its associated metadata; and cryptographic hashes and signatures applied to it. "><FONT FACE="Nimbus Sans L">File</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="The name of the file."><FONT FACE="Nimbus Sans L">[STRING] FileName (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="The size of the file in bytes."><FONT FACE="Nimbus Sans L">[INTEGER] FileSize (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="The type of file per the IANA &quot;Media Types&quot; registry [IANA.Media].  Valid values correspond to the text in the &quot;Template&quot; column (e.g., &quot;application/pdf&quot;)."><FONT FACE="Nimbus Sans L">[STRING] FileType (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="A URL reference to the file."><FONT FACE="Nimbus Sans L">[URL] URL (0..*)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="The software application or operating system to which this file belongs or by which it can be processed."><FONT FACE="Nimbus Sans L">[SOFTWARE] AssociatedSoftware (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="Mechanism by which to extend the data model to describe properties of the file."><FONT FACE="Nimbus Sans L">[EXTENSION] FileProperties (0..*)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/File.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="693,350",
		shape=plaintext,
		width=3.6944];
	FileData -> File	 [label="1..*",
		lp="530.5,312.5",
		pos="e,559.87,312.28 496.88,294.44 513.96,299.28 531.99,304.39 549.92,309.47"];
	HashData	 [height=0.98611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/HashData.html" TITLE="The HashData class describes different types of hashes on a given object (e.g., file, part of a file, email). "><FONT FACE="Nimbus Sans L">HashData</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/HashData.html" TITLE="An identifier that references a subset of the object being hashed.  The semantics of this identifier are specified by the scope attribute."><FONT FACE="Nimbus Sans L">[STRING] HashTargetID (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/HashData.html" TITLE="A means by which to extend the scope attribute.  See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] scope (0..1)</FONT></td></tr>%</table>>,
		pos="986.5,400",
		shape=plaintext,
		width=2.8194];
	File -> HashData	 [label="0..1",
		lp="855.5,386.5",
		pos="e,884.72,382.66 826.01,372.66 842.34,375.44 858.9,378.26 874.86,380.98"];
	SignatureData	 [height=0.69444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/SignatureData.html" TITLE="The SignatureData class describes different types of digital signatures on an object. "><FONT FACE="Nimbus Sans L">SignatureData</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/SignatureData.html" TITLE="A given signature.  See Section 4.2 of [W3C.XMLSIG]."><FONT FACE="Nimbus Sans L">[] Signature (1..*)</FONT></td></tr>%</table>>,
		pos="986.5,321",
		shape=plaintext,
		width=1.7222];
	File -> SignatureData	 [label="0..1",
		lp="855.5,341.5",
		pos="e,924.3,327.15 826.01,336.86 856.41,333.85 887.59,330.77 914.3,328.13"];
	Hash	 [height=0.98611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/Hash.html" TITLE="The Hash class describes a cryptographic hash value; the algorithm and application used to generate it; and the canonicalization method applied to the object being hashed. "><FONT FACE="Nimbus Sans L">Hash</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/Hash.html" TITLE="The canonicalization method used on the object being hashed.  See Section 4.3.1 of [W3C.XMLSIG]."><FONT FACE="Nimbus Sans L">[]  (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Hash.html" TITLE="The application used to calculate the hash."><FONT FACE="Nimbus Sans L">[SOFTWARE] Application (0..1)</FONT></td></tr>%</table>>,
		pos="1269.5,450",
		shape=plaintext,
		width=2.9444];
	HashData -> Hash	 [label="0..*",
		lp="1117.5,432.5",
		pos="e,1163.4,431.25 1088.3,417.98 1109.4,421.72 1131.9,425.69 1153.5,429.51"];
	FuzzyHash	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/FuzzyHash.html" TITLE="The FuzzyHash class describes a fuzzy hash and the application used to generate it. "><FONT FACE="Nimbus Sans L">FuzzyHash</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/FuzzyHash.html" TITLE="The computed fuzzy hash value."><FONT FACE="Nimbus Sans L">[EXTENSION] FuzzyHashValue (1..*)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/FuzzyHash.html" TITLE="The application used to calculate the hash."><FONT FACE="Nimbus Sans L">[SOFTWARE] Application (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/FuzzyHash.html" TITLE="Mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%</table>>,
		pos="1269.5,350",
		shape=plaintext,
		width=3.4028];
	HashData -> FuzzyHash	 [label="0..*",
		lp="1117.5,384.5",
		pos="e,1146.9,371.66 1088.3,382.02 1104,379.24 1120.5,376.33 1136.8,373.45"];
	Key	 [height=1.8611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/Key.html" TITLE="The Key class describes a Windows operating system registry key name and value pair, as well as the operation performed on it. "><FONT FACE="Nimbus Sans L">Key</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/Key.html" TITLE="The name of a Windows operating system registry key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName])."><FONT FACE="Nimbus Sans L">[STRING] KeyName (1..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Key.html" TITLE="The value of the registry key identified in the KeyName class encoded per the .reg file format [KB310516]."><FONT FACE="Nimbus Sans L">[STRING] KeyValue (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Key.html" TITLE="The type of action taken on the registry key. These values are maintained in the &quot;Key-registryaction&quot; IANA registry per Section 10.2."><FONT FACE="Nimbus Sans L">[ENUM] registryaction (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Key.html" TITLE="A means by which to extend the registryaction attribute.  See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-registryaction (0..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Key.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="693,177",
		shape=plaintext,
		width=3.0833];
	WindowsRegistryKeysModified -> Key	 [label="1..*",
		lp="530.5,184.5",
		pos="e,581.87,177 501.03,177 523.94,177 548.37,177 571.86,177"];
	Certificate	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/Certificate.html" TITLE="The Certificate class describes a given X.509 certificate or certificate chain. "><FONT FACE="Nimbus Sans L">Certificate</FONT></td> </tr>" %<tr><td  HREF="/idmef_parser/IODEFv2/Certificate.html" TITLE="A given X.509 certificate or chain.  See Section 4.4.4 of [W3C.XMLSIG]."><FONT FACE="Nimbus Sans L">[]  (1..1)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Certificate.html" TITLE="A free-form text description explaining the context of this certificate."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td  HREF="/idmef_parser/IODEFv2/Certificate.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>,
		pos="693,46",
		shape=plaintext,
		width=2.9444];
	CertificateData -> Certificate	 [label="1..*",
		lp="530.5,65.5",
		pos="e,586.89,53.515 496.88,59.89 522.58,58.07 550.43,56.098 576.84,54.227"];
}

Aggregates

DateTime (0..1)

A timestamp of the data found in the RecordItem or URL classes.

Description (0..*)

A free-form text description of the data provided in the RecordItem or URL classes.

Application (0..1)

Identifies the tool used to generate the data in the RecordItem or URL classes.

RecordPattern (0..*)

A search string to precisely find the relevant data in the RecordItem or URL classes. See Section 3.22.2.

RecordItem (0..*)

Log, audit, or forensic data to support the conclusions made during the course of analyzing the incident.

URL (0..*)

A URL reference to a log or audit data.

FileData (0..1)

The files involved in the incident. See Section 3.25.

WindowsRegistryKeysModified (0..*)

The registry keys that were involved in the incident. See Section 3.23.

CertificateData (0..*)

The certificates that were involved in the incident. See Section 3.24.

AdditionalData (0..*)

An extension mechanism for data not explicitly represented in the data model.

restriction (0..1)

See Section 3.3.1.

ext-restriction (0..1)

A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id (0..1)

See Section 3.3.2.

IDMEFv1

IDMEFv2

IODEFv1

IODEFv2