lists the steps required to generate a representative true positive event which triggers this alert.

Any other internal, external, or technical references that may be useful for understanding the ADS.

Recognized issues, assumptions, and areas where an ADS may not fire.

Provides a mapping of the ADS to the relevant entry in the Att&CK.

Provides a mapping of the ADS to the relevant entry in the Att&CK if 'categorization is not sufficient'.

Enter date, when ADS has been created or edited.

Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.

Short, plaintext description of the type of behavior the ADS is supposed to detect.

Describes the various alerting levels that an ADS may be tagged with.

General response steps in the event that this alert fired.

Rule in SIGMA format.

High-level walkthrough of how the ADS functions.

Detailed information and background needed for a responder to understand all components of the alert.

lists the steps required to generate a representative true positive event which triggers this alert.

Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious

If the IP is malicious based on the abuse-confidence-score and threshold

If an IP is public

If Tor (The Onion Router) was used

If an IP is spotted in any of AbuseIPDB’s whitelists

Act as a specific person. ['Security Analysts', 'Incident Responder', 'IT Expert', 'Cyber Security Specialists', 'Technical Writer']

Comment associated to the AI chat prompt.

AI chatbot model used for the prompt. ['GPT 3.5', 'GPT 4.0', 'GPT 3.0', 'DALL-E', 'Whisper', 'Embeddings', 'Moderation', 'Codex', 'BioGPT', 'LLaMA', 'GPT4ALL', 'Bing AI', 'Google Bard AI']

Prompt text used for a specific AI chat.

Result ['Unknown', 'Harmless', 'Correct', 'Dangerous', 'Incorrect']

Role as defined in OpenAI or similar API. ['system', 'user', 'assistant']

Duplicate of the existing leaks.

Number of known duplicates.

When the leak has been accessible or seen for the first time.

When the leak has been accessible or seen for the last time.

The link where the leak is (or was) accessible at first-seen.

When the information available in the leak was created. It’s usually before the first-seen.

Raw data as received by the AIL sensor compressed and encoded in Base64.

The AIL sensor uuid where the leak was processed and analysed.

A description of the leak which could include the potential victim(s) or description of the leak.

Estimated time of arrival at destination

IMO ship identification number: a seven digit number that remains unchanged upon transfer of the ship’s registration to another country

Vessel Maritime Maritime Mobile Service Identity (MMSI): a unique nine digit identification number.

International radio call-sign, up to 7 characters.

The course of the vessel, relative to true north to 0.1 degree

Destination of the vessel in max 20 characters

Distance in meters from Forward Perpendicular (FP)

Distance in meters from After Perpendicular (AP)

Distance in meters inboard from port side

Distance in meters inboard from starboard side

Draught of ship. 0.1-25.5 meters

When the location was seen for the first time.

When the location was seen for the last time.

The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.

The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference

20 characters to represent the name of the vessel

right or left, from 0 to 720 degrees per minute

0.1 knot resolution from 0 to 102 knots

The true heading of the vessel. 0 to 359 degrees

The true heading at own position of the vessel. 0 to 359 degrees

Type of ship/cargo

AIS Administrative Area represented using ISO-3166-2.

AIS Country represented using ISO-3166-1_alpha-2.

AIS IndustryType. ['Chemical Sector', 'Commercial Facilities Sector', 'Communications Sector', 'Critical Manufacturing Sector', 'Dams Sector', 'Defense Industrial Base Sector', 'Emergency Services Sector', 'Energy Sector', 'Financial Services Sector', 'Food and Agriculture Sector', 'Government Facilities Sector', 'Healthcare and Public Health Sector', 'Information Technology Sector', 'Nuclear Reactors, Materials, and Waste Sector', 'Transportation Systems Sector', 'Water and Wastewater Systems Sector', 'Other']

AIS Organisation Name.

Application ID

Android certificate

Domain used by the app

Generic name of the application

SHA256 of the APK.

Comment about the set of android permission(s)

Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']

An attachment to support the annotation

Initial creation of the annotation

Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']

Last update of the annotation

Reference(s) to the annotation

Raw text of the annotation

Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo', 'Full Report']

Description of the anonymisation technique or tool used

Encryption function or algorithm used to anonymise the attribute ['aes128', 'aes-128-cbc', 'aes-128-cfb', 'aes-128-cfb1', 'aes-128-cfb8', 'aes-128-ctr', 'aes-128-ecb', 'aes-128-ofb', 'aes192', 'aes-192-cbc', 'aes-192-cfb', 'aes-192-cfb1', 'aes-192-cfb8', 'aes-192-ctr', 'aes-192-ecb', 'aes-192-ofb', 'aes-256-cfb', 'aes-256-cfb1', 'aes-256-cfb8', 'aes-256-ctr', 'aes-256-ecb', 'aes-256-ofb', 'bf', 'bf-cbc', 'bf-cfb', 'bf-ecb', 'bf-ofb', 'blowfish', 'camellia128', 'camellia-128-cbc', 'camellia-128-cfb', 'camellia-128-cfb1', 'camellia-128-cfb8', 'camellia-128-ctr', 'camellia-128-ecb', 'camellia-128-ofb', 'camellia192', 'camellia-192-cbc', 'camellia-192-cfb', 'camellia-192-cfb1', 'camellia-192-cfb8', 'camellia-192-ctr', 'camellia-192-ecb', 'camellia-192-ofb', 'camellia256', 'camellia-256-cbc', 'camellia-256-cfb', 'camellia-256-cfb1', 'camellia-256-cfb8', 'camellia-256-ctr', 'camellia-256-ecb', 'camellia-256-ofb', 'cast', 'cast5-cbc', 'cast5-cfb', 'cast5-ecb', 'cast5-ofb', 'cast-cbc', 'des', 'des3', 'des-cbc', 'des-cfb', 'des-ecb', 'des-ede', 'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-ofb', 'des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb', 'des-ofb', 'desx', 'gost89', 'gost89-cnt', 'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'rc2', 'rc2-40-cbc', 'rc2-64-cbc', 'rc2-cbc', 'rc2-cfb', 'rc2-ecb', 'rc2-ofb', 'rc4', 'rc4-40', 'rc4-64', 'rc5', 'rc5-cbc', 'rc5-cfb', 'rc5-ecb', 'rc5-ofb', 'seed', 'seed-cbc', 'seed-cfb', 'seed-ecb', 'seed-ofb', 'sm4', 'sm4-cbc', 'sm4-cfb', 'sm4-ctr', 'sm4-ecb', 'sm4-ofb']

Initialisation vector for the encryption function used to anonymise the attribute

Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute

Keyed-hash function used to anonymise the attribute ['hmac-sha1', 'hmac-md5', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512']

Level of knowledge of the organisation who created this object ['Only the anonymised data is known', 'Deanonymised data is known']

Anonymisation (or pseudo-anonymisation) method(s) used ["hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", 'hash - A hash function maps each attribute to a new (not necessarily unique) attribute.', 'permutation - Maps each original value to a unique new value.', "prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", 'shift - Adds a fixed offset to each value/attribute.', 'enumeration - Map each original value to a new value such that their ordering is preserved.', 'partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.', 'updated - Checksums are recalculated to reflect changes made to other fields.', 'truncation - Field is shortened, losing data at the end.', 'encryption - Attribute is encrypted.']

Regular expression to perfom the anonymisation (reversible or not)

True if email is a free China email, i.e 163.com.

Field for comments or correlating text

True if domain contains dirty/bad words.

True if username contains dirty/bad words.

True if email is disposable, i.e yopmail.com.

True if domain has DMARC records configured.

True if domain is configured for DMARC and set to an enforcement policy.

Email domain.

True if domain is a known popular domain.

True if domain is an educational domain, i.e .edu

The email address that was queried.

True if email is a free email, i.e gmail.com.

True if domain is a government domain, i.e .gov

True if domain has A records configured.

True if domain has MX records configured.

True if domain has SPF records configured.

True if domain does not have SPF records or if ~all is not configured.

True if domain is a police domain (such as polizei, police, etc).

True if domain TLD is risky, i.e .top or .pro.

True if email is a role address, i.e admin@website.com

True if email is a free Russian email, i.e mail.ru.

A number between 0 (bad) and 100 (good).

True if the score is bad (⇐ 70) and thus it should be blocked.

True if domain is suspicious, i.e known spam or parked.

True if email is considered suspicious.

True if username is suspicious, i.e only numbers.

Username part of the email address (email prefix)

True if email has a valid format.

True if domain TLD is valid, i.e .com or .co.uk

Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.

If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in.

[Insecure] MD5 hash (128 bits)

Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.

Specifies the binary data contained in the artifact as a base64-encoded string.

[Insecure] Secure Hash Algorithm 1 (160 bits)

Secure Hash Algorithm 2 (256 bits)

Secure Hash Algorithm 3 (256 bits)

Secure Hash Algorithm 3 (512 bits)

Secure Hash Algorithm 2 (512 bits)

Fuzzy hash using context triggered piecewise hashes (CTPH)

Fuzzy hash by Trend Micro: Locality Sensitive Hash

The value of this property MUST be a valid URL that resolves to the unencoded content. When present, at least one hash value MUST be present too.

Autonomous System Number

Country code of the main location of the autonomous system

Description of the autonomous system

The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format

First time the ASN was seen

The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format

Last time the ASN was seen

This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format

The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format

Subnet announced

CAPEC ID.

Name of the attack pattern.

Prerequisites for the attack pattern to succeed.

External references

Weakness related to the attack pattern.

Solutions for the attack pattern to be countered.

Summary description of the attack pattern.

Command line used to execute attack step, if any.

Description of the attack step

Detections by the victim’s monitoring capabilities.

Domain destination of the attack step, if any.

IP destination of the attack step, if any.

Other type of destination of the attack step, if any. This can be e.g. localhost.

Response or detection expected (in case of purple teaming)

Was this attack step object a key step within the context of the incident/event? ['True', 'False']

Domain source of the attack step, if any.

IP source of the attack step, if any.

Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.

Was this attack step succesful? ['True', 'False']

The CPU architecture of the beacon. Either x86 or x64

ASN where the IP resides

C2 of the beacon IP/hostname. (often matches the host that was scanned)

Path that the beacon uses for the GET method

Path that the beacon uses for the POST method

Protocol that the beacon speaks. Usually HTTP

MD5 of the PE binary

SHA1 of the PE binary

SHA256 of the PE binary

City location of the IP in question

MD5 of the config file

SHA1 of the config file

SHA256 of the config file

The length of the response body in octets

The MIME type of the body of the request

Base64 encoded config file

Length of the base64 decoded raw config

Country location of the IP

Reverse DNS name of the device in question

Source of the hostname field contents

HTTP version in used in response, e.g HTTP/1.1

HTTP Response code: e.g., 200, 401, 404

URL used to illicit the server response

IP of the of the URL

The license number

North American Industry Classification System Code

Port that the response came from

Protocol the response came in on

State / Province / Administrative region where the device in question resides

Sector of the device in question

Severity of the event

Attribute tags

Time that the IP was probed in UTC+0

Destination IP.

IP address originating the authentication failure.

the number of authentication failures reported.

the type of authentication failure. ['ssh']

the username used.

Content type

Signature created by the signing certificate’s private key

Algorithm used to hash the file.

Algorithm used to encrypt the digest

Issuer of the certificate

Program name

Serial number of the certificate

Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION']

Free text description of the signer info

Url

Version of the certificate

Datetime

Name of detection signature

Name of antivirus software

Free text value to attach to the file

The availability impact. ['Not Specified', 'None', 'Minimal', 'Significant', 'Denial', 'Loss of Control']

Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme']

Additional details about the impact.

The date and time the impact was last recorded.

Level of fidelity that the end_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented']

The date and time the impact was first recorded.

Level of fidelity that the start_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

ABA routing transit number

Account number

A field to freely describe the bank account details.

The balance of the account after the suspicious transaction was processed.

Final beneficiary of the bank account.

Comment about the final beneficiary.

Branch code or name

Client number as seen by the bank.

When the account was closed.

Comments about the bank account.

Currency of the account. ['USD', 'EUR']

When the balance was reported.

IBAN of the bank account.

Institution code of the bank.

Name of the bank or financial organisation.

A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation. ['True', 'False']

When the account was opened.

Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']

Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']

Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']

SWIFT or BIC as defined in ISO 9362.

A description of the bank account.

Country code of the main location of the attacking autonomous system

BGP Hijack details

Detected Autonomous System Number

Last time the Prefix hijack was seen

Expected Autonomous System Number

First time the Prefix hijack was seen

Subnet announced

The IP address family concerned by the ranking. ['v4', 'v6']

Date fo the ranking.

Position of the ASN for a given day.

Ranking of the Autonomous System number.

Archive of the original document (Internet Archive, Archive.is, etc).

Initial creation of the blog post.

Site linked by the blog post.

Safe site linked by the blog post.

Original link into the blog post (Supposed harmless).

Last update of the blog post.

Raw post.

When the blog post was removed.

Title of blog post.

Type of blog post. ['Medium', 'WordPress', 'Blogger', 'Tumbler', 'LiveJournal', 'Forum', 'Other']

Original URL location of the blog post (potentially malicious).

Username who posted the blog post.

Username who are quoted into the blog post.

Is the username account verified by the operator of the blog platform. ['Verified', 'Unverified', 'Unknown']

Final beneficiary of the boleto.

Recipient bank account number

Recipient bank agency number

Boleto code numbers

Date the boleto was created

Financial institution code in Brazil that created the boleto.

Name of the bank or financial organisation that created the boleto.

Boleto payment date

Inform if boleto was as paid or not ['Not Paid', 'Paid']

The payment boleto value in Brazilian Reais

Organisation, service or affiliated person that requested creation of the boleto.

A Bitcoin transactional address

Date and time of transaction

A Bitcoin transaction number in a sequence of transactions

Value in BTC at date/time displayed in field 'time'

Value in EUR with conversion rate as of date/time displayed in field 'time'

Value in USD with conversion rate as of date/time displayed in field 'time'

Value of received BTC

Value of sent BTC

Value in BTC at date/time displayed in field 'time'

Date and time of lookup/conversion

A Bitcoin wallet address

IP of C2 server with unknown port

IP:Port of C2 server

URL of source of information, e.g. blog post, ransomware analysis

threat actor or malware

The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes.

The code denoting the special handling of the alert message.

The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.

The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.

The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']

The text describing the purpose or significance of the alert message.

The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.

The text describing the rule for limiting distribution of the restricted alert message.

The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']

The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.

The time and date of the origination of the alert message.

The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.

The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']