draft-ietf-mile-rfc5070-bis-06.txt   draft-ietf-mile-rfc5070-bis-07.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: August 18, 2014 February 14, 2014 Expires: January 24, 2015 July 23, 2014
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-06 draft-ietf-mile-rfc5070-bis-07
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation that provides a framework for sharing information data representation for sharing information commonly exchanged by
commonly exchanged by Computer Security Incident Response Teams Computer Security Incident Response Teams (CSIRTs) about computer
(CSIRTs) about computer security incidents. This document describes security incidents. This document describes the information model
the information model for the IODEF and provides an associated data for the IODEF and provides an associated data model specified with
model specified with XML Schema. XML Schema.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on January 24, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 22
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 5 1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 6
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7
1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7 1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 7 1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 7
1.5. About the IODEF Implementation . . . . . . . . . . . . . 8 1.5. About the IODEF Implementation . . . . . . . . . . . . . 8
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 8 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9 2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9
2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 9 2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10
2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 10 2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 10
2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 10 2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 10
2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 10 2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 10
2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10 2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10
2.12. Person or Organization . . . . . . . . . . . . . . . . . 10 2.12. Person or Organization . . . . . . . . . . . . . . . . . 11
2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 11 2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 11
2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 11 2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 11
2.15. Uniform Resource Locator strings . . . . . . . . . . . . 11 2.15. Uniform Resource Locator strings . . . . . . . . . . . . 11
2.16. Identifiers and Identifier References . . . . . . . . . . 11
3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11 3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 11 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 12
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 12 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 13
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 15 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 15
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 15 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 15
3.3.2. Indicator Attributes . . . . . . . . . . . . . . . . 16 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 16
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 16 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 17
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 17 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 17
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 18 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 18
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 19 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 19
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 20 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 20
3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 21 3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 20
3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 23 3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 23
3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 26 3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 26
3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 27 3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 27
3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 28 3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 27
3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 28 3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 28
3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 29 3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 28
3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 29 3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 29
3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 29 3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 29
3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 29 3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 29
3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 30 3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 29
3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 30 3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 29
3.12. Discovery Class . . . . . . . . . . . . . . . . . . . . . 30 3.12. Discovery Class . . . . . . . . . . . . . . . . . . . . . 29
3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . 31 3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . 31
3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . 32 3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . 32
3.13.1. Reference Class . . . . . . . . . . . . . . . . . . 33 3.13.1. Reference Class . . . . . . . . . . . . . . . . . . 32
3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . 34 3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . 33
3.14.1. Impact Class . . . . . . . . . . . . . . . . . . . . 35 3.14.1. Impact Class . . . . . . . . . . . . . . . . . . . . 35
3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . 37 3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . 36
3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 39 3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 38
3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 41 3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 40
3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . 42 3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . 41
3.15. History Class . . . . . . . . . . . . . . . . . . . . . . 43 3.15. History Class . . . . . . . . . . . . . . . . . . . . . . 42
3.15.1. HistoryItem Class . . . . . . . . . . . . . . . . . 44 3.15.1. HistoryItem Class . . . . . . . . . . . . . . . . . 42
3.16. EventData Class . . . . . . . . . . . . . . . . . . . . . 46 3.16. EventData Class . . . . . . . . . . . . . . . . . . . . . 44
3.16.1. Relating the Incident and EventData Classes . . . . 48 3.16.1. Relating the Incident and EventData Classes . . . . 46
3.16.2. Cardinality of EventData . . . . . . . . . . . . . . 48 3.16.2. Cardinality of EventData . . . . . . . . . . . . . . 46
3.17. Expectation Class . . . . . . . . . . . . . . . . . . . . 49 3.17. Expectation Class . . . . . . . . . . . . . . . . . . . . 47
3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 52 3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 50
3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 52 3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 50
3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 55 3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 53
3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 57 3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 54
3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 58 3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 56
3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 60 3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 58
3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 62 3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 59
3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 64 3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 62
3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 65 3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 62
3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 65 3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 63
3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 66 3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 63
3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 68 3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 65
3.22.2. Application Class . . . . . . . . . . . . . . . . . 69 3.22.2. Application Class . . . . . . . . . . . . . . . . . 67
3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 70 3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 68
3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 70 3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 68
3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 71 3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 69
3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 72 3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 69
3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 73 3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 70
3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 75 3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 72
3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 75 3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 72
3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 76 3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 73
3.27. HashData Class . . . . . . . . . . . . . . . . . . . . . 77 3.27. HashData Class . . . . . . . . . . . . . . . . . . . . . 74
4. Processing Considerations . . . . . . . . . . . . . . . . . . 79 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 75
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 79 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 75
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 80 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 78
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 80 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 78
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 81 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 79
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 81 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 80
5.1. Extending the Enumerated Values of Attributes . . . . . . 81 3.29.5. ObservableReference Class . . . . . . . . . . . . . 82
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 82 3.29.6. IndicatorReference Class . . . . . . . . . . . . . . 82
6. Internationalization Issues . . . . . . . . . . . . . . . . . 84 4. Processing Considerations . . . . . . . . . . . . . . . . . . 83
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 83
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 85 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 84
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 87 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 84
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 89 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 85
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 90 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 85
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 92 5.1. Extending the Enumerated Values of Attributes . . . . . . 85
9. Security Considerations . . . . . . . . . . . . . . . . . . . 126 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 86
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 127 6. Internationalization Issues . . . . . . . . . . . . . . . . . 88
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 128 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 89
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 128 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 89
12.1. Normative References . . . . . . . . . . . . . . . . . . 128 7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 91
12.2. Informative References . . . . . . . . . . . . . . . . . 130 7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 92
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 94
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 96
9. Security Considerations . . . . . . . . . . . . . . . . . . . 132
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 133
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 134
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 134
12.1. Normative References . . . . . . . . . . . . . . . . . . 134
12.2. Informative References . . . . . . . . . . . . . . . . . 136
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 6, line 14 skipping to change at page 6, line 21
o Imported the xmlns:ds namespace to include digital signature hash o Imported the xmlns:ds namespace to include digital signature hash
classes. classes.
o The @indicator-* attributes were added to various classes to o The @indicator-* attributes were added to various classes to
reference commonly shared indicators. reference commonly shared indicators.
o The following classes were added to IODEF-Document: o The following classes were added to IODEF-Document:
AdditionalData. AdditionalData.
o The following class was added to Incident: IndicatorData.
o The following classes were added to Incident and EventData: o The following classes were added to Incident and EventData:
Discovery. Discovery.
o The following classes and attributes were added to the Service o The following classes and attributes were added to the Service
class: EmailData, DomainData, AssetID, ApplicationHeader @virtual, class: EmailData, DomainData, AssetID, ApplicationHeader @virtual,
and @ownership. Service@ip_protocol was renamed to @ip-protocol. and @ownership. Service@ip_protocol was renamed to @ip-protocol.
o The following classes were added to the Record class: FileName and o The following classes were added to the Record class: FileName and
WindowsRegistryKeysModified. WindowsRegistryKeysModified.
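Review bot: the "Changes from 5070" bullet "The @indicator-* attributes were added to various classes to reference commonly shared indicators" is stale in the -07 column. Further down, -07 replaces indicator-uid and indicator-set-id with a single observable-id attribute: Section 3.3.2 is retitled "observable-id Attribute", and the Incident, Reference and Assessment classes each now list "observable-id Optional. ID. See Section 3.3.2." Reword the bullet to say that the observable-id attribute was added to various classes so that observables can be referenced from IndicatorData, and add a bullet for the new Section 2.16 ID and IDREF data types, which this list does not mention either.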
skipping to change at page 11, line 29 skipping to change at page 11, line 40
The EMAIL data type is implemented as an "xs:string" in the schema. The EMAIL data type is implemented as an "xs:string" in the schema.
2.15. Uniform Resource Locator strings 2.15. Uniform Resource Locator strings
A uniform resource locator (URL) is represented by the URL data type. A uniform resource locator (URL) is represented by the URL data type.
The format of the URL data type is documented in [RFC3986]. The format of the URL data type is documented in [RFC3986].
The URL data type is implemented as an "xs:anyURI" in the schema. The URL data type is implemented as an "xs:anyURI" in the schema.
3. The IODEF Data Model 2.16. Identifiers and Identifier References
An identifier unique to the Document is represented by the ID data
type. A reference to this identifier is represented by the IDREF
data type. The acceptable format of ID and IDREF is documented in
Section 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].
The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
in the schema.
3. The IODEF Data Model
In this section, the individual components of the IODEF data model In this section, the individual components of the IODEF data model
will be discussed in detail. For each class, the semantics will be will be discussed in detail. For each class, the semantics will be
described and the relationship with other classes will be depicted described and the relationship with other classes will be depicted
with UML. When necessary, specific comments will be made about with UML. When necessary, specific comments will be made about
corresponding definition in the schema in Section 8 corresponding definition in the schema in Section 8
3.1. IODEF-Document Class 3.1. IODEF-Document Class
The IODEF-Document class is the top level class in the IODEF data The IODEF-Document class is the top level class in the IODEF data
model. All IODEF documents are an instance of this class. model. All IODEF documents are an instance of this class.
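Review bot: Section 2.16 should spell out what mapping ID to "xs:ID" means for implementers, because it constrains every observable-id in the document. An xs:ID value must be an NCName, so it may not start with a digit and may not contain a colon or whitespace, which makes a purely numeric identifier schema-invalid, and the value must be unique across all ID-typed attributes in the document, not merely across observable-id attributes. Conversely, an xs:IDREF is only schema-valid when a matching xs:ID exists in the same document, which is exactly the property that lets a validating parser reject a dangling ObservableReference; stating this here would make the design intent explicit. Minor: the last sentence of the Section 3 introduction, "corresponding definition in the schema in Section 8", is missing its period in both columns.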
skipping to change at page 13, line 12 skipping to change at page 13, line 18
This class provides a standardized representation for commonly This class provides a standardized representation for commonly
exchanged incident data. exchanged incident data.
+-------------------------+ +-------------------------+
| Incident | | Incident |
+-------------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM lang |<>--{0..*}--[ RelatedActivity ] | ENUM lang |<>--{0..*}--[ RelatedActivity ]
| ENUM restriction |<>--{0..1}--[ DetectTime ] | ENUM restriction |<>--{0..1}--[ DetectTime ]
| STRING indicator-uid |<>--{0..1}--[ StartTime ] | STRING observable-uid |<>--{0..1}--[ StartTime ]
| STRING indicator-set-id |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>----------[ ReportTime ] | |<>----------[ ReportTime ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*} [ Discovery ] | |<>--{0..*} [ Discovery ]
| |<>--{1..*}--[ Assessment ] | |<>--{1..*}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ IndicatorData ]
| |<>--{0..1}--[ History ] | |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 2: The Incident Class Figure 2: The Incident Class
The aggregate classes that constitute Incident are: The aggregate classes that constitute Incident are:
IncidentID IncidentID
One. An incident tracking number assigned to this incident by the One. An incident tracking number assigned to this incident by the
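Review bot: in Figure 2 the -07 column labels the new attribute "STRING observable-uid", but the attribute list below the figure, Section 3.3.2 and the Reference and Assessment figures (Figures 18 and 19) all use "ID observable-id". Change the figure row to "ID observable-id" so that both the attribute name and its data type agree with the rest of the document.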
skipping to change at page 14, line 24 skipping to change at page 14, line 32
Zero or more. The techniques used by the intruder in the Zero or more. The techniques used by the intruder in the
incident. incident.
Contact Contact
One or more. Contact information for the parties involved in the One or more. Contact information for the parties involved in the
incident. incident.
EventData EventData
Zero or more. Description of the events comprising the incident. Zero or more. Description of the events comprising the incident.
IndicatorData
Zero or more. Description of indicators.
History History
Zero or one. A log of significant events or actions that occurred Zero or one. A log of significant events or actions that occurred
during the course of handling the incident. during the course of handling the incident.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. Zero or more. Mechanism by which to extend the data model.
The Incident class has five attributes: The Incident class has four attributes:
purpose purpose
Required. ENUM. The purpose attribute represents the reason why Required. ENUM. The purpose attribute represents the reason why
the IODEF document was created. It is closely related to the the IODEF document was created. It is closely related to the
Expectation class (Section 3.17). This attribute is defined as an Expectation class (Section 3.17). This attribute is defined as an
enumerated list: enumerated list:
1. traceback. The document was sent for trace-back purposes. 1. traceback. The document was sent for trace-back purposes.
2. mitigation. The document was sent to request aid in 2. mitigation. The document was sent to request aid in
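Review bot: "The Incident class has four attributes" in the -07 column undercounts. Figure 2 shows purpose, ext-purpose, lang, restriction and observable-id, which is five (the -06 text's "five" was likewise one short of its six: purpose, ext-purpose, lang, restriction, indicator-uid, indicator-set-id). Either correct the count or drop the number and write "The Incident class has the following attributes:", which avoids this drift every time an attribute is added or removed.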
skipping to change at page 15, line 20 skipping to change at page 15, line 32
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC4646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.3. Common Attributes 3.3. Common Attributes
There are a number of recurring attributes used by the data model. There are a number of recurring attributes used by the data model.
They are documented in this section. They are documented in this section.
3.3.1. restriction Attribute 3.3.1. restriction Attribute
The restriction attribute indicates the disclosure guidelines to The restriction attribute indicates the disclosure guidelines to
which the sender expects the recipient to adhere for the information which the sender expects the recipient to adhere for the information
skipping to change at page 16, line 34 skipping to change at page 16, line 44
parties. parties.
6. white. Same as 'public'. 6. white. Same as 'public'.
7. green. Same as 'partner'. 7. green. Same as 'partner'.
8. amber. Same as 'need-to-know'. 8. amber. Same as 'need-to-know'.
9. red. Same as 'private'. 9. red. Same as 'private'.
3.3.2. Indicator Attributes 3.3.2. observable-id Attribute
For data elements that are commonly used as indicators, the data
model uses four attributes to facilitate their ...
indicator-uid
STRING. See Section 3.3.2.
indicator-set-id Information included in an incident report may be an observable
STRING. See Section 3.3.2. relevant to an indicator. The observable-id attribute provides a
unique identifier in the scope of the document for this observable.
This identifer can then used to reference the observable with an
ObservableReference class to define an indicator in the IndicatorData
class.
3.4. IncidentID Class 3.4. IncidentID Class
The IncidentID class represents an incident tracking number that is The IncidentID class represents an incident tracking number that is
unique in the context of the CSIRT and identifies the activity unique in the context of the CSIRT and identifies the activity
characterized in an IODEF Document. This identifier would serve as characterized in an IODEF Document. This identifier would serve as
an index into the CSIRT incident handling system. The combination of an index into the CSIRT incident handling system. The combination of
the name attribute and the string in the element content MUST be a the name attribute and the string in the element content MUST be a
globally unique identifier describing the activity. Documents globally unique identifier describing the activity. Documents
generated by a given CSIRT MUST NOT reuse the same value unless they generated by a given CSIRT MUST NOT reuse the same value unless they
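Review bot: Section 3.3.2 in the -07 column has two typos ("identifer", and "can then used" should read "can then be used"), and its semantics could be tightened. It says only that the identifier is "unique in the scope of the document"; since the attribute is typed ID (xs:ID), state explicitly that the value MUST be unique among all ID-typed attributes in the IODEF-Document and that the ObservableReference used to build an indicator in IndicatorData carries an IDREF that MUST resolve to an observable-id in the same document. That gives implementers a validation rule rather than a description. The -06 column's entries "indicator-uid STRING. See Section 3.3.2." were a circular reference to the section they sit in; the -07 rewrite correctly drops them.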
skipping to change at page 33, line 37 skipping to change at page 33, line 10
The Reference class is a reference to a vulnerability, IDS alert, The Reference class is a reference to a vulnerability, IDS alert,
malware sample, advisory, or attack technique. A reference consists malware sample, advisory, or attack technique. A reference consists
of a name, a URL to this reference, and an optional description. of a name, a URL to this reference, and an optional description.
+-------------------------+ +-------------------------+
| Reference | | Reference |
+-------------------------+ +-------------------------+
| ENUM attacktype |<>----------[ ReferenceName ] | ENUM attacktype |<>----------[ ReferenceName ]
| STRING ext-attacktype |<>--{0..*}--[ URL ] | STRING ext-attacktype |<>--{0..*}--[ URL ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | ID observable-id |<>--{0..*}--[ Description ]
| STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 18: The Reference Class Figure 18: The Reference Class
The aggregate classes that constitute Reference: The aggregate classes that constitute Reference:
ReferenceName ReferenceName
One. ML_STRING. Name of the reference. One. ML_STRING. Name of the reference.
URL URL
Zero or more. URL. A URL associated with the reference. Zero or more. URL. A URL associated with the reference.
Description Description
Zero or more. ML_STRING. A free-form text description of this Zero or more. ML_STRING. A free-form text description of this
reference. reference.
The Reference class has 4 attributes. The Reference class has 3 attributes.
attacktype attacktype
Optional. ENUM. TODO. Optional. ENUM. TODO.
ext-attacktype ext-attacktype
Optional. STRING. A mechanism by which to extend the Attack Optional. STRING. A mechanism by which to extend the
Type. Attack Type.
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.14. Assessment Class 3.14. Assessment Class
The Assessment class describes the repercussions of the incident to The Assessment class describes the repercussions of the incident to
the victim. the victim.
+-------------------------+ +-------------------------+
| Assessment | | Assessment |
+-------------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ] | ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ BusinessImpact ] | ENUM restriction |<>--{0..*}--[ BusinessImpact ]
| STRING indicator-uid |<>--{0..*}--[ TimeImpact ] | ID observable-id |<>--{0..*}--[ TimeImpact ]
| STRING indicator-set-id |<>--{0..*}--[ MonetaryImpact ] | |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 19: Assessment Class Figure 19: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
Impact Impact
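Review bot: the attacktype attribute is still undefined in both columns ("Optional. ENUM. TODO.") even though Figure 18 declares it as an ENUM and pairs it with an ext-attacktype extension hook; list the permitted values, including the usual "ext-value. An escape value used to extend this attribute. See Section 5.1." entry that the other enumerations carry, or drop the attribute until the values are settled. Minor: "The Reference class has 3 attributes" uses a numeral where every other class in the document spells the count out.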
skipping to change at page 35, line 24 skipping to change at page 34, line 40
Confidence Confidence
Zero or one. An estimate of confidence in the assessment. Zero or one. An estimate of confidence in the assessment.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
A least one instance of the possible three impact classes (i.e., A least one instance of the possible three impact classes (i.e.,
Impact, TimeImpact, or MonetaryImpact) MUST be present. Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has four attributes: The Assessment class has three attributes:
occurrence occurrence
Optional. ENUM. Specifies whether the assessment is describing Optional. ENUM. Specifies whether the assessment is describing
actual or potential outcomes. actual or potential outcomes.
1. actual. This assessment describes activity that has occurred. 1. actual. This assessment describes activity that has occurred.
2. potential. This assessment describes potential activity that 2. potential. This assessment describes potential activity that
might occur. might occur.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.14.1. Impact Class 3.14.1. Impact Class
The Impact class allows for categorizing and describing the technical The Impact class allows for categorizing and describing the technical
impact of the incident on the network of an organization. impact of the incident on the network of an organization.
This class is based on [RFC4765]. This class is based on [RFC4765].
+------------------+ +------------------+
| Impact | | Impact |
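Review bot: "A least one instance of the possible three impact classes" should read "At least one instance of the three impact classes"; the typo is present in both columns. It would also help to state whether the schema enforces this MUST or, as Section 3.16 does for EventData, leaves it to implementations, so a receiver knows whether to reject an Assessment that carries none of Impact, TimeImpact or MonetaryImpact.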
skipping to change at page 44, line 40 skipping to change at page 43, line 16
course of handling the incident. The details of the entry are a course of handling the incident. The details of the entry are a
free-form description, but each can be categorized with the type free-form description, but each can be categorized with the type
attribute. attribute.
+-------------------------+ +-------------------------+
| HistoryItem | | HistoryItem |
+-------------------------+ +-------------------------+
| ENUM restriction |<>----------[ DateTime ] | ENUM restriction |<>----------[ DateTime ]
| ENUM action |<>--{0..1}--[ IncidentId ] | ENUM action |<>--{0..1}--[ IncidentId ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ Contact ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | ID observable-id |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 26: HistoryItem Class Figure 26: HistoryItem Class
The aggregate classes that constitute HistoryItem are: The aggregate classes that constitute HistoryItem are:
DateTime DateTime
One. Timestamp of this entry in the history log (e.g., when the One. Timestamp of this entry in the history log (e.g., when the
action described in the Description was taken). action described in the Description was taken).
skipping to change at page 45, line 27 skipping to change at page 44, line 5
DefinedCOA DefinedCOA
Zero or more. ML_STRING. A unique identifier meaningful to the Zero or more. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set action. This class MUST be present if the action attribute is set
to "defined-coa". to "defined-coa".
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
The HistoryItem class has five attributes: The HistoryItem class has four attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
action action
Required. ENUM. Classifies a performed action or occurrence Required. ENUM. Classifies a performed action or occurrence
documented in this history log entry. As activity will likely documented in this history log entry. As activity will likely
have been instigated either through a previously conveyed have been instigated either through a previously conveyed
expectation or internal investigation, this attribute is identical expectation or internal investigation, this attribute is identical
to the category attribute of the Expectation class. The to the category attribute of the Expectation class. The
difference is only one of tense. When an action is in this class, difference is only one of tense. When an action is in this class,
it has been completed. See Section 3.17. it has been completed. See Section 3.17.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.16. EventData Class 3.16. EventData Class
The EventData class describes a particular event of the incident for The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered. activity on the organization, and any forensic evidence discovered.
+-------------------------+ +-------------------------+
| EventData | | EventData |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| STRING indicator-uid |<>--{0..1}--[ DetectTime ] | ID observable-id |<>--{0..1}--[ DetectTime ]
| STRING indicator-set-id |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ Discovery ] | |<>--{0..*}--[ Discovery ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ] | |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ] | |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
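Review bot: DefinedCOA is described as an aggregate class of HistoryItem ("Zero or more. ML_STRING. ... This class MUST be present if the action attribute is set to "defined-coa"") but Figure 26 does not show it; add a "<>--{0..*}--[ DefinedCOA ]" row so the diagram matches the text. Also, the restriction attribute here refers to Section 3.3.1 while Assessment and EventData refer to Section 3.2 for the same attribute; use one reference throughout.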
skipping to change at page 47, line 46 skipping to change at page 46, line 19
At least one of the aggregate classes MUST be present in an instance At least one of the aggregate classes MUST be present in an instance
of the EventData class. This is not enforced in the IODEF schema as of the EventData class. This is not enforced in the IODEF schema as
there is no simple way to accomplish it. there is no simple way to accomplish it.
The EventData class has two attributes: The EventData class has two attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.16.1. Relating the Incident and EventData Classes 3.16.1. Relating the Incident and EventData Classes
There is substantial overlap in the Incident and EventData classes. There is substantial overlap in the Incident and EventData classes.
Nevertheless, the semantics of these classes are quite different. Nevertheless, the semantics of these classes are quite different.
The Incident class provides summary information about the entire The Incident class provides summary information about the entire
incident, while the EventData class provides information about the incident, while the EventData class provides information about the
individual events comprising the incident. In the most common case, individual events comprising the incident. In the most common case,
the EventData class will provide more specific information for the the EventData class will provide more specific information for the
general description provided in the Incident class. However, it may general description provided in the Incident class. However, it may
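Review bot: the rule that "At least one of the aggregate classes MUST be present in an instance of the EventData class" is explicitly not enforced by the schema, so schema validation alone will accept an empty EventData; add a sentence stating that implementations are expected to check this constraint themselves, and what a receiver should do with a document that violates it, so the MUST has a concrete enforcement point.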
skipping to change at page 49, line 33 skipping to change at page 47, line 41
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------------+ +-------------------------+
| Expectation | | Expectation |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..*}--[ DefinedCOA ] | ENUM severity |<>--{0..*}--[ DefinedCOA ]
| ENUM action |<>--{0..1}--[ StartTime ] | ENUM action |<>--{0..1}--[ StartTime ]
| STRING ext-action |<>--{0..1}--[ EndTime ] | STRING ext-action |<>--{0..1}--[ EndTime ]
| STRING indicator-uid |<>--{0..1}--[ Contact ] | ID observable-id |<>--{0..1}--[ Contact ]
| STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 29: The Expectation Class Figure 29: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes that constitute Expectation are:
Description Description
Zero or more. ML_STRING. A free-form description of the desired Zero or more. ML_STRING. A free-form description of the desired
action(s). action(s).
skipping to change at page 50, line 22 skipping to change at page 48, line 28
Zero or one. The time by which the sender expects the recipient Zero or one. The time by which the sender expects the recipient
to complete the action. If the recipient cannot complete the to complete the action. If the recipient cannot complete the
action before EndTime, the recipient MUST NOT carry out the action before EndTime, the recipient MUST NOT carry out the
action. Because of transit delays, clock drift, and so on, the action. Because of transit delays, clock drift, and so on, the
sender MUST be prepared for the recipient to have carried out the sender MUST be prepared for the recipient to have carried out the
action, even if it completes past EndTime. action, even if it completes past EndTime.
Contact Contact
Zero or one. The expected actor for the action. Zero or one. The expected actor for the action.
The Expectations class has six attributes: The Expectations class has five attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
severity severity
Optional. ENUM. Indicates the desired priority of the action. Optional. ENUM. Indicates the desired priority of the action.
This attribute is an enumerated list with no default value, and This attribute is an enumerated list with no default value, and
the semantics of these relative measures are context dependent. the semantics of these relative measures are context dependent.
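Review bot: "The Expectations class has five attributes" names the class wrongly; the section heading, Figure 29 and the rest of the text call it Expectation. Change to "The Expectation class has five attributes".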
skipping to change at page 52, line 9 skipping to change at page 50, line 15
19. other. Perform some custom action described in the 19. other. Perform some custom action described in the
Description class. Description class.
20. ext-value. An escape value used to extend this attribute. 20. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.18. Flow Class 3.18. Flow Class
The Flow class groups related the source and target hosts. The Flow class groups related the source and target hosts.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
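Review bot: "The Flow class groups related the source and target hosts." has a misplaced word in both columns; suggest "The Flow class groups the related source and target hosts."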
skipping to change at page 54, line 9 skipping to change at page 52, line 7
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
category category
Optional. ENUM. Classifies the role the host or network played Optional. ENUM. Classifies the role the host or network played
in the incident. The possible values are: in the incident. The possible values are:
1. source. The System was the source of the event. 1. source. The System was the source of the event.
2. target. The System was the target of the event. 2. target. The System was the target of the event.
3. watchlist-source. The source of the event was on a watchlist. 3. intermediate. The System was an intermediary in the event.
4. watchlist-target. The target of the event was on a watchlist.
5. intermediate. The System was an intermediary in the event.
6. sensor. The System was a sensor monitoring the event. 4. sensor. The System was a sensor monitoring the event.
7. infrastructure. The System was an infrastructure node of 5. infrastructure. The System was an infrastructure node of
IODEF document exchange. IODEF document exchange.
8. ext-value. An escape value used to extend this attribute. 6. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-set-id
Optional. STRING. See Section 3.3.2.
interface interface
Optional. STRING. Specifies the interface on which the event(s) Optional. STRING. Specifies the interface on which the event(s)
on this System originated. If the Node class specifies a network on this System originated. If the Node class specifies a network
rather than a host, this attribute has no meaning. rather than a host, this attribute has no meaning.
spoofed spoofed
Optional. ENUM. An indication of confidence in whether this Optional. ENUM. An indication of confidence in whether this
System was the true target or attacking host. The permitted System was the true target or attacking host. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"unknown". "unknown".
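Review bot: watchlist-source and watchlist-target are removed from the System category enumeration without a stated replacement, so a sender that previously flagged a watchlist hit this way is left with nothing but ext-value; if watchlist membership is now meant to be expressed elsewhere, say where, and note the removal and the intended alternative so consumers of -06 documents know how to handle the old values.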
skipping to change at page 57, line 19 skipping to change at page 54, line 47
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Address | | Address |
+-------------------------+ +-------------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
| STRING indicator-uid | | ID observable-id |
| STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 33: The Address Class Figure 33: The Address Class
The Address class has five attributes: The Address class has five attributes:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". "ipv4-addr".
skipping to change at page 58, line 23 skipping to change at page 55, line 51
attribute. See Section 5.1. attribute. See Section 5.1.
vlan-name vlan-name
Optional. STRING. The name of the Virtual LAN to which the Optional. STRING. The name of the Virtual LAN to which the
address belongs. address belongs.
vlan-num vlan-num
Optional. STRING. The number of the Virtual LAN to which the Optional. STRING. The number of the Virtual LAN to which the
address belongs. address belongs.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.20.2. NodeRole Class 3.20.2. NodeRole Class
The NodeRole class describes the intended function performed by a The NodeRole class describes the intended function performed by a
particular host. particular host.
+---------------------+ +---------------------+
| NodeRole | | NodeRole |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
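Review bot: vlan-num is declared "INTEGER vlan-num" in Figure 33 but described as "Optional. STRING." in the attribute list, in both columns; VLAN identifiers are numeric, so the figure is presumably right and the text should read "Optional. INTEGER. The number of the Virtual LAN to which the address belongs."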
skipping to change at page 62, line 20 skipping to change at page 59, line 42
attribute specifies the denominator of the rate (where the type attribute specifies the denominator of the rate (where the type
attribute specified the nominator). The possible values of this attribute specified the nominator). The possible values of this
attribute are defined in Section 3.14.3 attribute are defined in Section 3.14.3
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.21. DomainData Class 3.21. DomainData Class
...TODO... The DomainData class describes a domain name and meta-data associated
with this domain.
+--------------------------+ +--------------------------+
| DomainData | | DomainData |
+--------------------------+ +--------------------------+
| ENUM system-status |<>----------[ Name ] | ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| STRING indicator-uid |<>--{0..*}--[ RelatedDNS ] | ID observable-id |<>--{0..*}--[ RelatedDNS ]
| STRING indicator-set-id |<>--{0..*}--[ Nameservers ] | |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ] | |<>--{0..1}--[ DomainContacts ]
| | | |
+--------------------------+ +--------------------------+
Figure 36: The DomainData Class Figure 36: The DomainData Class
The aggregate classes that constitute DomainData are: The aggregate classes that constitute DomainData are:
Name Name
One. ML_STRING. The domain name of the Node (e.g., fully One. ML_STRING. The domain name of the Node (e.g., fully
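Review bot: "where the type attribute specified the nominator" should be "numerator"; the sentence is contrasting it with the denominator given by this attribute.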
skipping to change at page 63, line 8 skipping to change at page 60, line 30
RegistrationDate RegistrationDate
Zero or one. DATETIME. A timestamp of when domain listed in Name Zero or one. DATETIME. A timestamp of when domain listed in Name
was registered. was registered.
ExpirationDate ExpirationDate
Zero or one. DATETIME. A timestamp of when the domain listed in Zero or one. DATETIME. A timestamp of when the domain listed in
Name is set to expire. Name is set to expire.
RelatedDNS RelatedDNS
Zero or more. ...TODO... Zero or more. Additional DNS records associated with this domain.
Nameservers Nameservers
Zero or more. The name servers identified for the domain listed Zero or more. The name servers identified for the domain listed
in Name. in Name.
DomainContacts DomainContacts
Zero or one. Contact information for the domain listed in Name Zero or one. Contact information for the domain listed in Name
supplied by the registrar or through a whois query. supplied by the registrar or through a whois query.
The DomainData class has six attribute: The DomainData class has five attribute:
system-status system-status
Required. ENUM. Assesses the domain's involvement in the event. Required. ENUM. Assesses the domain's involvement in the event.
1. spoofed. This domain was spoofed. 1. spoofed. This domain was spoofed.
2. fraudulent. This domain was operated with fraudulent 2. fraudulent. This domain was operated with fraudulent
intentions. intentions.
3. innocent-hacked. This domain was compromised by a third 3. innocent-hacked. This domain was compromised by a third
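Review bot: "The DomainData class has five attribute" needs the plural "attributes" (the singular appears in both columns), and "A timestamp of when domain listed in Name was registered" is missing "the" before "domain".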
skipping to change at page 64, line 20 skipping to change at page 61, line 41
5. revoked. The domain is in the process of being purged from 5. revoked. The domain is in the process of being purged from
the database. the database.
6. transferPending. The domain is pending a change in 6. transferPending. The domain is pending a change in
authority. authority.
7. registryLock. The domain is on hold by the registry. 7. registryLock. The domain is on hold by the registry.
8. registrarLock. Same as "registryLock". 8. registrarLock. Same as "registryLock".
9. other. ... TODO -- RFC 5901 has this but doesn't describe it 9. other. The domain has a known status but it is not one of
... the redefined enumerated values.
10. unknown. The domain has an unknown status. 10. unknown. The domain has an unknown status.
11. ext-value. An escape value used to extend this attribute. 11. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-domain-status ext-domain-status
Optional. STRING. A means by which to extend the system-status Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.21.1. RelatedDNS 3.21.1. RelatedDNS
...TODO... The RelatedDNS class describes additional record types associated
with a given domain name. The record type is described in the
record-type attribute and the value of the record is the element
content. ... TODO Issue #39 ...
+----------------------+ +----------------------+
| RelatedDNS | | RelatedDNS |
+----------------------+ +----------------------+
| STRING | | STRING |
| | | |
| ENUM record-type | | ENUM record-type |
| ENUM ext-record-type | | ENUM ext-record-type |
+----------------------+ +----------------------+
Figure 37: The RelatedDNS Class Figure 37: The RelatedDNS Class
The RelatedDNS class has two attribute:
record-type
Required. ENUM. The DNS record type. ... TODO values need to be
listed ...
ext-record-type. An escape value used to extend this attribute.
See Section 5.1.
3.21.2. Nameservers Class 3.21.2. Nameservers Class
The Nameservers class describes the name servers associated with a The Nameservers class describes the name servers associated with a
given domain. given domain.
+--------------------+ +--------------------+
| Nameservers | | Nameservers |
+--------------------+ +--------------------+
| |<>----------[ Server ] | |<>----------[ Server ]
| |<>--{1..*}--[ Address ] | |<>--{1..*}--[ Address ]
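Review bot: ext-domain-status is described as "A means by which to extend the system-status attribute"; it extends domain-status, so the description was copied from ext-system-status and should be corrected. In the same hunk: the new text for domain-status value 9 says "not one of the redefined enumerated values", presumably "predefined"; "The RelatedDNS class has two attribute" needs "attributes"; ext-record-type is shown as "ENUM ext-record-type" in Figure 37 although it is an escape value, which every other ext-* attribute in this document types as STRING, and its entry lacks the "Optional. STRING." prefix used elsewhere; and the record-type value list is still marked TODO (Issue #39), so the class cannot be used interoperably until it is filled in.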
skipping to change at page 66, line 29 skipping to change at page 64, line 11
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
| INTEGER ip-protocol |<>--{0..1}--[ Port ] | INTEGER ip-protocol |<>--{0..1}--[ Port ]
| STRING indicator-uid |<>--{0..1}--[ Portlist ] | ID observable-id |<>--{0..1}--[ Portlist ]
| STRING indicator-set-id |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..*}--[ ApplicationHeader ] | |<>--{0..*}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 40: The Service Class Figure 40: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
skipping to change at page 67, line 39 skipping to change at page 65, line 20
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
The Service class has three attributes: The Service class has two attributes:
ip-protocol ip-protocol
Required. INTEGER. The IANA assigned IP protocol number per Required. INTEGER. The IANA assigned IP protocol number per
[IANA.Protocols]. [IANA.Protocols].
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.22.1. ApplicationHeader Class 3.22.1. ApplicationHeader Class
The ApplicationHeader class allows the representation of arbitrary The ApplicationHeader class allows the representation of arbitrary
fields from an application layer protocol header and its fields from an application layer protocol header and its
corresponding value. corresponding value.
+--------------------------+ +--------------------------+
| ApplicationHeader | | ApplicationHeader |
+--------------------------+ +--------------------------+
| ANY | | ANY |
| | | |
| INTEGER proto | | INTEGER proto |
| STRING field | | STRING field |
| ENUM dtype | | ENUM dtype |
| STRING indicator-uid | | ID observable-id |
| STRING indicator-set-uid |
+--------------------------+ +--------------------------+
Figure 41: The ApplicationHeader Class Figure 41: The ApplicationHeader Class
The ApplicationHeader class has five attributes: The ApplicationHeader class has four attributes:
proto proto
Required. INTEGER. The IANA assigned port number per Required. INTEGER. The IANA assigned port number per
[IANA.Ports] corresponding to the application layer protocol whose [IANA.Ports] corresponding to the application layer protocol whose
field will be represented. field will be represented.
field field
Required. STRING. The name of the protocol field whose value Required. STRING. The name of the protocol field whose value
will be found in the element body. will be found in the element body.
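Review bot: the Portlist pairing rule mixes normative and non-normative wording: "the number of ports in N must be equal to M" uses lowercase "must" while the sentences around it use MUST. The equal-count requirement has to be mandatory for the n-th-port correspondence to work, so write "N MUST equal M".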
skipping to change at page 69, line 26 skipping to change at page 66, line 50
12. xml. The element content is XML. See Section 5. 12. xml. The element content is XML. See Section 5.
13. ext-value. An escape value used to extend this attribute. 13. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-dtype ext-dtype
Optional. STRING. A means by which to extend the dtype Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.22.2. Application Class 3.22.2. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
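Review bot: ext-dtype is defined in the attribute list ("Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.") but Figure 41 does not show it and the count "The ApplicationHeader class has four attributes" omits it; add a "STRING ext-dtype" row to the figure and make the count five.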
skipping to change at page 71, line 8 skipping to change at page 68, line 21
3.24. EmailData Class 3.24. EmailData Class
The EmailData class describes headers from an email message. Common The EmailData class describes headers from an email message. Common
headers have dedicated classes, but arbitrary headers can also be headers have dedicated classes, but arbitrary headers can also be
described. described.
+-------------------------+ +-------------------------+
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| STRING indicator-uid |<>--{0..1}--[ EmailFrom ] | ID observable-id |<>--{0..1}--[ EmailFrom ]
| STRING indicator-set-id |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
+-------------------------+ +-------------------------+
Figure 43: EmailData Class Figure 43: EmailData Class
The aggregate class that constitutes EmailData are: The aggregate class that constitutes EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
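Review bot: "The aggregate class that constitutes EmailData are:" mixes singular and plural; suggest "The aggregate classes that constitute EmailData are:" to match the wording of the other sections.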
skipping to change at page 71, line 36 skipping to change at page 68, line 49
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. The value of the "X-Mailer:" header field in an
email. email.
EmailHeaderField EmailHeaderField
Zero or one. The value of an arbitrary header field in the email. Zero or one. The value of an arbitrary header field in the email.
See Section 3.22.1. The attributes of EmailHeaderField MUST be See Section 3.22.1. The attributes of EmailHeaderField MUST be
set as follows: proto="25" and dtype="string". The name of the set as follows: proto="25" and dtype="string". The name of the
email header field MUST be set in the field attribute. email header field MUST be set in the field attribute.
The EmailData class has two attributes: The EmailData class has one attribute:
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.25. Record Class 3.25. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------+ +------------------+
| Record | | Record |
skipping to change at page 72, line 30 skipping to change at page 69, line 38
The Record class has one attribute: The Record class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.25.1. RecordData Class 3.25.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+-------------------------+ +--------------------+
| RecordData | | RecordData |
+-------------------------+ +--------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | ID observable-id |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +--------------------+
Figure 45: The RecordData Class Figure 45: The RecordData Class
The aggregate classes that constitute RecordData are: The aggregate classes that constitute RecordData are:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
skipping to change at page 73, line 30 skipping to change at page 70, line 37
Zero or one. The file name and hash of a file indicator. Zero or one. The file name and hash of a file indicator.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or more. The registry keys that were modified that are Zero or more. The registry keys that were modified that are
indicator(s). indicator(s).
AdditionalData AdditionalData
Zero or more. An extension mechanism for data not explicitly Zero or more. An extension mechanism for data not explicitly
represented in the data model. represented in the data model.
The RecordData class has three attributes: The RecordData class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.25.2. RecordPattern Class 3.25.2. RecordPattern Class
The RecordPattern class describes where in the content of the The RecordPattern class describes where in the content of the
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
skipping to change at page 74, line 27 skipping to change at page 71, line 27
Figure 46: The RecordPattern Class Figure 46: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex".
1. regex. regular expression, per Appendix F of 1. regex. regular expression as defined by POSIX Extended
[W3C.SCHEMA.DTYPES]. Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex encoded binary pattern, per the HEXBIN data
type. type.
3. xpath. XML Path (XPath) [W3C.XPATH] 3. xpath. XML Path (XPath) [W3C.XPATH]
4. ext-value. An escape value used to extend this attribute. 4. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
skipping to change at page 75, line 37 skipping to change at page 72, line 37
3.26. WindowsRegistryKeysModified Class 3.26. WindowsRegistryKeysModified Class
The WindowsRegistryKeysModified class describes Windows operating The WindowsRegistryKeysModified class describes Windows operating
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| STRING indicator-uid |<>--{1..*}--[ Key ] | ID observable-id |<>--{1..*}--[ Key ]
| STRING indicator-set-id |
+-----------------------------+ +-----------------------------+
Figure 47: The WindowsRegistryKeysModified Class Figure 47: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the WindowsRegistryKeysModified The aggregate class that constitutes the WindowsRegistryKeysModified
class is: class is:
Key Key
One or many. The Windows registry key. One or many. The Windows registry key.
The WindowsRegistryKeysModified class has two attributes: The WindowsRegistryKeysModified class has one attribute:
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.26.1. Key Class 3.26.1. Key Class
The Key class describes a particular Windows operating system The Key class describes a particular Windows operating system
registry key name and value pair, and the operation performed on it. registry key name and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ENUM type | | ID observable-id |
| STRING ext-type |
+---------------------------+ +---------------------------+
Figure 48: The Key Class Figure 48: The Key Class
The aggregate classes that constitute Key are: The aggregate classes that constitute Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]). key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
The Key class has four attributes: The Key class has three attributes:
registryaction registryaction
Optional. ENUM. The type of action taken on the registry key. Optional. ENUM. The type of action taken on the registry key.
1. add-key. Registry key added. 1. add-key. Registry key added.
2. add-value. Value added to registry key. 2. add-value. Value added to registry key.
3. delete-key. Registry key deleted. 3. delete-key. Registry key deleted.
skipping to change at page 77, line 9 skipping to change at page 74, line 5
5. modify-key. Registry key modified. 5. modify-key. Registry key modified.
6. modify-value. Value modified for registry key. 6. modify-value. Value modified for registry key.
7. ext-value. External value. 7. ext-value. External value.
ext-registryaction ext-registryaction
Optional. A means by which to extend the registryaction Optional. A means by which to extend the registryaction
attribute. See Section 5.1. attribute. See Section 5.1.
type observable-id
Optional. TODO. Optional. ID. See Section 3.3.2.
1. watchlist. Registry key information that is provided in a
watchlist.
2. ext-value. Registry key information from an external source.
ext-type
Optional. A means by which to extend the type attribute. See
Section 5.1.
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.27. HashData Class 3.27. HashData Class
The HashData class describes files, file hashes, ... TODO ...the hash The HashData class describes file names and associated hashes and
and signature details that are needed for providing context for signatures. ... TODO Fix Issue #20 and #25 ...
indicators.
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-type |<>--{0..*}--[ FileSize ] | STRING ext-type |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ ds:Signature ] | BOOL valid |<>--{0..*}--[ ds:Signature ]
| STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ] | ID observable-id |<>--{0..*}--[ ds:KeyInfo ]
| STRING indicator-set-id |<>--{0..*}--[ ds:Reference ] | |<>--{0..*}--[ ds:Reference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 49: The HashData Class Figure 49: The HashData Class
The aggregate classes that constitute HashData are: The aggregate classes that constitute HashData are:
FileName FileName
Zero or more. ML_STRING. The name of the file. Zero or more. ML_STRING. The name of the file.
skipping to change at page 78, line 20 skipping to change at page 74, line 49
ds:Reference ds:Reference
Zero or more. The algorithm identification and value of a hash Zero or more. The algorithm identification and value of a hash
computed over a file. This element is defined in [RFC3275]. computed over a file. This element is defined in [RFC3275].
Refer to RFC 5901. Refer to RFC 5901.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9 Section 3.9
The HashData class has five attributes: The HashData class has four attributes:
type type
Optional. ENUM. The Hash Type. Optional. ENUM. The Hash Type.
1. PKI-email-ds. PKI email digital signature. 1. PKI-email-ds. PKI email digital signature.
2. PKI-file-ds. PKI file digital signature.
3. PKI-email-ds_watchlist. Watchlist of PKI email digital
signatures.
4. PKI-file-ds_watchlist. Watchlist of PKI file digital
signatures.
5. PGP-email-ds. PGP email digital signature.
6. PGP-file-ds. PGP file digital signature.
7. PGP-email-ds-watchlist. Watchlist of PGP email digital 2. PKI-file-ds. PKI file digital signature.
signatures.
8. PGP-file-ds-watchlist. Watchlist of PGP file digital 3. PGP-email-ds. PGP email digital signature.
signatures
9. file-hash. A file hash. 4. PGP-file-ds. PGP file digital signature.
10. email-hash. An email hash. 5. file-hash. A file hash.
11. file-hash-watchlist. Watchlist of file hashes 6. email-hash. An email hash.
12. email-hash-watchlist. Watchlist of email hashes 7. ext-value. An escape value used to extend this attribute.
13. ext-value. An escape value used to extend this attribute. See Section 5.1.
See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
valid valid
Optional. BOOLEAN. Indicates if the signature or hash is valid. Optional. BOOLEAN. Indicates if the signature or hash is valid.
indicator-uid observable-id
Optional. STRING. See Section 3.3.2. Optional. ID. See Section 3.3.2.
indicator-set-id 3.28. IndicatorData Class
Optional. STRING. See Section 3.3.2.
The IndicatorData class describes the indicators identified from
analysis of an incident.
+--------------------------+
| IndicatorData |
+--------------------------+
| |<>--{1..*}--[ Indicator ]
+--------------------------+
Figure 50: The IndicatorData Class
The aggregate class that constitutes IndicatorData is:
Indicator
One or more. An indicator from the incident.
The IndicatorData class has no attributes.
3.29. Indicator Class
The Indicator class describes a cyber indicator. An indicator
consists of observable features and phenomena that aid in the
forensic or proactive detection of malicious activity, together with
associated meta-data. This indicator can be described outright or can
reference observable features and phenomena described elsewhere in
the incident information. Portions of an incident description can be
composed to define an indicator, as can the indicators themselves.
+--------------------+
| Indicator |
+--------------------+
| ENUM restriction |<>----------[ IndicatorID ]
| |<>--{0..1}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------+
Figure 51: The Indicator Class
The aggregate classes that constitute Indicator are:
IndicatorID
One. An identifier for this indicator. See Section 3.29.1.
AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See
Section 3.29.2.
Description
Zero or more. ML_STRING. A free-form textual description of the
indicator.
StartTime
Zero or one. DATETIME. A timestamp of the start of the time
period during which this indicator is valid.
EndTime
Zero or one. DATETIME. A timestamp of the end of the time period
during which this indicator is valid.
Confidence
Zero or one. An estimate of the confidence in the quality of the
indicator. See Section 3.14.5.
Contact
Zero or more. Contact information for this indicator. See
Section 3.10.
Observable
Zero or one. An observable feature or phenomenon of this
indicator. See Section 3.29.3.
ObservableReference
Zero or one. A reference to a feature or phenomenon defined
elsewhere in the document. See Section 3.29.5.
IndicatorExpression
Zero or one. A composition of observables. See Section 3.29.4.
IndicatorReference
Zero or one. A reference to an indicator.
AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9.
The Indicator class MUST have exactly one instance of an Observable,
IndicatorExpression, ObservableReference, or IndicatorReference
class.
The StartTime and EndTime classes can be used to define an interval
during which the indicator is valid. If both classes are present,
the indicator is considered valid only during the described interval.
If neither class is provided, the indicator is considered valid
during any time interval. If only a StartTime is provided, the
indicator is valid anytime after this timestamp. If only an EndTime
is provided, the indicator is valid anytime prior to this timestamp.
The Indicator class has one attribute:
restriction
Optional. ENUM. See Section 3.3.1.
3.29.1. IndicatorID Class
The IndicatorID class identifies an indicator with a globally unique
identifier. The combination of the name and version attributes and
the element content form this identifier. Indicators generated by a
given CSIRT MUST NOT reuse the same value unless they are referencing
the same indicator.
+------------------+
| IndicatorID |
+------------------+
| ID |
| |
| STRING name |
| STRING version |
+------------------+
Figure 52: The IndicatorID Class
The IndicatorID class has two attributes:
name
Required. STRING. An identifier describing the CSIRT that
created the indicator. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT
MUST be used. This format is identical to the IncidentID@name
attribute in Section 3.4.
version
Required. STRING. A version number of an indicator.
3.29.2. AlternativeIndicatorID Class
The AlternativeIndicatorID class lists alternative identifiers for an
indicator.
+-------------------------+
| AlternativeIndicatorID |
+-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| |
+-------------------------+
Figure 53: The AlternativeIndicatorID Class
The aggregate class that constitutes AlternativeIndicatorID is:
IndicatorReference
One or more. A reference to an indicator.
The AlternativeIndicatorID class has one attribute:
restriction
Optional. ENUM. This attribute has been defined in Section 3.2.
3.29.3. Observable Class
The Observable class describes a feature or phenomenon that can be
observed or measured for the purpose of detecting malicious
behavior.
+-------------------+
| Observable |
+-------------------+
| |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ]
| |<>--{0..*}--[ Reference ]
| |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------+
Figure 54: The Observable Class
The aggregate classes that constitute Observable are:
Address
Zero or One. An Address observable. See Section 3.20.1.
DomainData
Zero or One. A DomainData observable. See Section 3.21.
Service
Zero or One. A Service observable. See Section 3.22.
EmailData
Zero or One. An EmailData observable. See Section 3.24.
ApplicationHeader
Zero or One. An ApplicationHeader observable. See
Section 3.22.1.
WindowsRegistryKeysModified
Zero or One. A WindowsRegistryKeysModified observable. See
Section 3.26.
HashData
Zero or One. A HashData observable. See Section 3.27.
RecordData
Zero or One. A RecordData observable. See Section 3.25.1.
EventData
Zero or One. An EventData observable. See Section 3.16.
Incident
Zero or One. An Incident observable. See Section 3.2.
Expectation
Zero or One. An Expectation observable. See Section 3.17.
Reference
Zero or One. A Reference observable. See Section 3.13.1.
Assessment
Zero or One. An Assessment observable. See Section 3.14.
HistoryItem
Zero or One. A HistoryItem observable. See Section 3.15.1.
AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9.
The Observable class MUST have exactly one of the possible child
classes.
The Observable class has no attributes.
3.29.4. IndicatorExpression Class
The IndicatorExpression describes an expression composed of observed
phenomena or features, or of indicators. Elements of the expression
can be described directly, reference relevant data from other parts
of a given IODEF document, or reference previously defined
indicators.
All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression in which the operator between them is
determined by the operator attribute. Nesting an IndicatorExpression
in itself is akin to parenthesizing that part of the expression.
+--------------------------+
| IndicatorExpression |
+--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+
Figure 55: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are:
IndicatorExpression
Zero or more. An expression composed of other observables or
indicators.
Observable
Zero or more. A description of an observable.
ObservableReference
Zero or more. A reference to another observable.
IndicatorReference
Zero or more. A reference to another indicator.
AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9.
... TODO Additional text is required to describe the valid
combinations of classes and how the operator class should be applied
...
The IndicatorExpression class has one attribute:
operator
Optional. ENUM. The operator to be applied between the child
elements.
1. not. negation operator.
2. and. conjunction operator.
3. or. disjunction operator.
4. xor. exclusive disjunction operator.
3.29.5. ObservableReference Class
The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document.
This class has no content.
+-------------------------+
| ObservableReference |
+-------------------------+
| EMPTY |
| |
| IDREF uid-ref |
+-------------------------+
Figure 56: The ObservableReference Class
The ObservableReference class has one attribute:
uid-ref
Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute.
3.29.6. IndicatorReference Class
The IndicatorReference describes a reference to an indicator. This
reference may be to an indicator described in the IODEF document or
in a previously exchanged IODEF document.
+--------------------------+
| IndicatorReference |
+--------------------------+
| EMPTY |
| |
| IDREF uid-ref |
| STRING euid-ref |
| STRING version |
+--------------------------+
Figure 57: The IndicatorReference Class
The IndicatorReference class has three attributes:
uid-ref
Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class.
euid-ref
Optional. STRING. An identifier that references an IndicatorID
not in this IODEF document.
version
Optional. STRING. A version number of an indicator.
Either the uid-ref or the euid-ref attribute MUST be set.
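As an added example, not part of the draft, the following Python resolves ObservableReference and IndicatorReference by uid-ref, applies the StartTime/EndTime validity rule of Section 3.29, and evaluates a nested IndicatorExpression against the set of observable-ids a sensor reports as seen. Where the draft leaves semantics open it assumes: IndicatorData sits under Incident, a missing operator means "and", "not" negates the conjunction of its children, "xor" is true when exactly one child is true, and timestamps are UTC with a trailing Z.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    return "{%s}%s" % (NS, name)   # qualified tag in the IODEF v2 namespace


BODY_TAGS = {q("Observable"), q("ObservableReference"),   # Indicator body kinds
             q("IndicatorExpression"), q("IndicatorReference")}   # (Section 3.29)

# Constructed sample; placing IndicatorData under Incident is an assumption.
SAMPLE = """<IODEF-Document version="2.00" lang="en-US"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <EventData><Flow><System category="source"><Node>
      <Address category="ipv4-addr" observable-id="addr-1">192.0.2.10</Address>
    </Node></System></Flow></EventData>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">ind-host</IndicatorID>
        <ObservableReference uid-ref="addr-1"/>
      </Indicator>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">ind-combo</IndicatorID>
        <StartTime>2014-07-01T00:00:00Z</StartTime>
        <EndTime>2014-07-31T00:00:00Z</EndTime>
        <IndicatorExpression operator="and">
          <IndicatorReference uid-ref="ind-host"/>
          <IndicatorExpression operator="not">
            <Observable>
              <Address category="ipv4-addr" observable-id="addr-2">198.51.100.7</Address>
            </Observable>
          </IndicatorExpression>
        </IndicatorExpression>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>"""


def parse_time(text):
    # Sample timestamps are UTC with a trailing Z (assumption for brevity).
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class IodefIndicators:
    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)
        # observable-id -> element: what ObservableReference/uid-ref points at
        self.observables = {e.get("observable-id"): e
                            for e in self.root.iter() if e.get("observable-id")}
        # IndicatorID content -> Indicator: what IndicatorReference/uid-ref points at
        self.indicators = {i.find(q("IndicatorID")).text.strip(): i
                           for i in self.root.iter(q("Indicator"))}

    def valid_at(self, ind, when):
        # StartTime/EndTime bound the validity interval; a missing bound is open.
        start, end = ind.find(q("StartTime")), ind.find(q("EndTime"))
        if start is not None and when < parse_time(start.text):
            return False
        if end is not None and when > parse_time(end.text):
            return False
        return True

    def evaluate(self, elem, seen):
        if elem.tag == q("Observable"):
            kids = [c for c in elem if c.tag != q("AdditionalData")]
            if len(kids) != 1:
                raise ValueError("Observable MUST have exactly one child class")
            return kids[0].get("observable-id") in seen
        if elem.tag == q("ObservableReference"):
            ref = elem.get("uid-ref")
            if ref not in self.observables:
                raise ValueError("dangling uid-ref %r" % ref)
            return ref in seen
        if elem.tag == q("IndicatorReference"):
            ref = elem.get("uid-ref") or elem.get("euid-ref")
            if ref not in self.indicators:
                raise ValueError("indicator %r is not in this document" % ref)
            return self.evaluate_indicator(self.indicators[ref], seen)
        if elem.tag == q("IndicatorExpression"):
            op = elem.get("operator", "and")     # assumption: missing operator means "and"
            vals = [self.evaluate(c, seen) for c in elem if c.tag != q("AdditionalData")]
            ops = {"and": all, "or": any,
                   "xor": lambda v: sum(v) == 1,  # assumption: exactly one child true
                   "not": lambda v: not all(v)}   # assumption: negate the conjunction
            if op not in ops:
                raise ValueError("unknown operator %r" % op)
            return ops[op](vals)
        raise ValueError("unexpected element %s" % elem.tag)

    def evaluate_indicator(self, ind, seen):
        body = [c for c in ind if c.tag in BODY_TAGS]
        if len(body) != 1:
            raise ValueError("Indicator MUST have exactly one body element")
        return self.evaluate(body[0], seen)

    def match(self, indicator_id, seen, when_text):
        # True when the indicator is valid at when_text and its body matches seen.
        ind = self.indicators[indicator_id]
        return self.valid_at(ind, parse_time(when_text)) and self.evaluate_indicator(ind, seen)
```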
4. Processing Considerations 4. Processing Considerations
This section defines additional requirements on creating and parsing This section defines additional requirements on creating and parsing
IODEF documents. IODEF documents.
4.1. Encoding 4.1. Encoding
Every IODEF document MUST begin with an XML declaration, and MUST Every IODEF document MUST begin with an XML declaration, and MUST
specify the XML version used. If UTF-8 encoding is not used, the specify the XML version used. If UTF-8 encoding is not used, the
skipping to change at page 82, line 18 skipping to change at page 86, line 21
attribute has "ext-value" as one of its possible values. This attribute has "ext-value" as one of its possible values. This
particular value serves as an escape sequence and has no valid particular value serves as an escape sequence and has no valid
meaning. meaning.
In order to add a new enumerated value to an extensible attribute, In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute. desired value MUST be set in the corresponding extension attribute.
For example, an extended instance of the type attribute of the Impact For example, an extended instance of the type attribute of the Impact
class would look as follows: class would look as follows:
<Impact type="ext-value" ext-type="new-attack-type"> <Impact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value". extensible attribute has been set to "ext-value".
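As an added example (not part of the draft), the following Python checks both directions of the Section 5.1 rule over a constructed IODEF fragment: an extension attribute set without its extensible attribute being "ext-value", and "ext-value" set without the extension attribute. The attribute pairs listed are assumptions drawn from the attribute names used in this document.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# (extensible attribute, its extension attribute) pairs, per Section 5.1.
# Assumption: these are the pairs to check; taken from names in the draft.
EXT_PAIRS = [("type", "ext-type"), ("purpose", "ext-purpose"),
             ("registryaction", "ext-registryaction")]

# Constructed sample document (not from the draft).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00" lang="en-US" xmlns="%s">
  <Incident purpose="reporting">
    <Assessment>
      <!-- correct: ext-value escape plus the extension attribute -->
      <Impact type="ext-value" ext-type="new-attack-type"/>
      <!-- wrong: extension attribute without type="ext-value" -->
      <Impact type="dos" ext-type="slow-dos"/>
      <!-- wrong: ext-value with no extension attribute -->
      <Impact type="ext-value"/>
    </Assessment>
  </Incident>
</IODEF-Document>
""" % IODEF_NS


def check_extension_attributes(xml_text):
    """Return (element, attribute, problem) tuples for every violation of the
    Section 5.1 rule: an extension attribute MUST NOT be set unless the
    extensible attribute is "ext-value", and "ext-value" MUST be accompanied
    by the extension attribute that carries the new value."""
    root = ET.fromstring(xml_text)
    problems = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # strip the namespace prefix
        for base, ext in EXT_PAIRS:
            base_val = elem.attrib.get(base)
            if ext in elem.attrib and base_val != "ext-value":
                problems.append((tag, ext, 'set without %s="ext-value"' % base))
            if base_val == "ext-value" and ext not in elem.attrib:
                problems.append((tag, base, "ext-value without %s" % ext))
    return problems
```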
5.2. Extending Classes 5.2. Extending Classes
The classes of the data model can be extended only through the use of The classes of the data model can be extended only through the use of
the AdditionalData and RecordItem classes. These container classes, the AdditionalData and RecordItem classes. These container classes,
collectively referred to as the extensible classes, are implemented collectively referred to as the extensible classes, are implemented
with the iodef:ExtensionType data type in the schema. They provide with the iodef:ExtensionType data type in the schema. They provide
skipping to change at page 84, line 21 skipping to change at page 88, line 15
<xs:import <xs:import
namespace="urn:ietf:params:xml:ns:iodef-1.0" namespace="urn:ietf:params:xml:ns:iodef-1.0"
schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"/> schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"/>
<xs:element name="newdata" type="xs:string" /> <xs:element name="newdata" type="xs:string" />
</xs:schema> </xs:schema>
The following XML excerpt demonstrates the use of the above schema as The following XML excerpt demonstrates the use of the above schema as
an extension to the IODEF. an extension to the IODEF.
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
xmlns="urn:ietf:params:xml:ns:iodef-1.0" xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef-extension1="iodef-extension1.xsd" xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd"> xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting"> <Incident purpose="reporting">
... ...
<AdditionalData dtype="xml" meaning="xml"> <AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata> <iodef-extension1:newdata>
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</IODEF-Document> </IODEF-Document>
6. Internationalization Issues 6. Internationalization Issues
Internationalization and localization are of specific concern to the Internationalization and localization are of specific concern to the
IODEF, since it is only through collaboration, often across language IODEF, since it is only through collaboration, often across language
barriers, that certain incidents can be resolved. The IODEF supports barriers, that certain incidents can be resolved. The IODEF supports
this goal by depending on XML constructs, and through explicit design this goal by depending on XML constructs, and through explicit design
choices in the data model. choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports Since IODEF is implemented as an XML Schema, it implicitly supports
skipping to change at page 92, line 16 skipping to change at page 96, line 7
</Flow> </Flow>
<!-- Expectation class recommends that these networks <!-- Expectation class recommends that these networks
be filtered --> be filtered -->
<Expectation action="block-host" /> <Expectation action="block-host" />
</EventData> </EventData>
</Incident> </Incident>
</IODEF-Document> </IODEF-Document>
8. The IODEF Schema 8. The IODEF Schema
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="qualified" elementFormDefault="qualified"
attributeFormDefault="unqualified"> attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis Incident Object Description Exchange Format v2.0, RFC5070-bis
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!--
==================================================================
== IODEF-Document class ==
==================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident"
maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version"
type="xs:string" fixed="2.00"/>
<xs:attribute name="lang"
type="xs:language" use="required"/>
<xs:attribute name="formatid"
type="xs:string"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
=== Incident class ===
==================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID"
minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType> <!--
</xs:attribute> ==================================================================
<xs:attribute name="ext-purpose" == IODEF-Document class ==
type="xs:string" use="optional"/> ==================================================================
<xs:attribute name="lang" -->
type="xs:language"/> <xs:element name="IODEF-Document">
<xs:attribute name="restriction" <xs:complexType>
type="iodef:restriction-type" default="private"/> <xs:sequence>
<xs:attribute name="indicator-uid" <xs:element ref="iodef:Incident"
type="xs:string" use="optional"/> maxOccurs="unbounded"/>
<xs:attribute name="indicator-set-id" <xs:element ref="iodef:AdditionalData"
type="xs:string" use="optional"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:complexType> </xs:sequence>
</xs:element> <xs:attribute name="version"
<!-- type="xs:string" fixed="2.00"/>
================================================================== <xs:attribute name="lang"
== IncidentID class == type="xs:language" use="required"/>
================================================================== <xs:attribute name="formatid"
--> type="xs:string"/>
<xs:element name="IncidentID" type="iodef:IncidentIDType"/> </xs:complexType>
<xs:complexType name="IncidentIDType"> </xs:element>
<xs:simpleContent> <!--
<xs:extension base="xs:string"> ==================================================================
<xs:attribute name="name" === Incident class ===
type="xs:string" use="required"/> ==================================================================
<xs:attribute name="instance" -->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID"
minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="lang"
type="xs:language"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type" default="private"/>
default="public"/> <xs:attribute name="observable-id"
</xs:extension> type="xs:ID" use="optional"/>
</xs:simpleContent>
</xs:complexType>
<!-- </xs:complexType>
================================================================== </xs:element>
== ReportID class == <!--
================================================================== ==================================================================
--> == IncidentID class ==
<xs:element name="ReportID"> ==================================================================
<xs:complexType> -->
<xs:sequence> <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:element ref="iodef:IncidentID" <xs:complexType name="IncidentIDType">
maxOccurs="unbounded"/> <xs:simpleContent>
</xs:sequence> <xs:extension base="xs:string">
<xs:attribute name="restriction" <xs:attribute name="name"
type="iodef:restriction-type"/> type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="public"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> <!--
==================================================================
== ReportID class ==
==================================================================
-->
<xs:element name="ReportID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
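Review bot: replacing the -06 `indicator-uid`/`indicator-set-id` attributes (xs:string) with `observable-id` typed as xs:ID on Incident, and likewise on HistoryItem, Expectation, Reference and Assessment further down, tightens the lexical form without the text saying so: an xs:ID must be an NCName (no leading digit, no colon, no whitespace) and unique across the whole document, so a UUID-style value that begins with a digit, or the same id placed on two elements, fails validation. State that constraint in the class description, or use a pattern-restricted xs:string if producers already emit such values. Two smaller points in the same region: on IODEF-Document, `version` is `fixed="2.00"` but not `use="required"`, so a document that omits the attribute still validates while one that writes `version="2.0"` does not; add `use="required"` if the version is meant to be mandatory. And `restriction` defaults differ between Incident (`default="private"`) and IncidentIDType (`default="public"`), which deserves a sentence explaining why an omitted attribute means different things on the two classes.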
<!-- <!--
================================================================== ==================================================================
== AlternativeID class == == AlternativeID class ==
================================================================== ==================================================================
--> -->
<xs:element name="AlternativeID"> <xs:element name="AlternativeID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== RelatedActivity class ==
==================================================================
-->
<xs:element name="RelatedActivity">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!-- </xs:sequence>
================================================================== <xs:attribute name="restriction"
== ThreatActor class == type="iodef:restriction-type"/>
================================================================== </xs:complexType>
--> </xs:element>
<xs:element name="ThreatActor"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == RelatedActivity class ==
<xs:choice> ==================================================================
<xs:sequence> -->
<xs:element ref="iodef:ThreatActorID" /> <xs:element name="RelatedActivity">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== ThreatActor class ==
==================================================================
-->
<xs:element name="ThreatActor">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element ref="iodef:ThreatActorID" />
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:attribute name="restriction"
minOccurs="1" maxOccurs="unbounded"/> type="iodef:restriction-type"/>
</xs:choice> </xs:complexType>
<xs:element ref="iodef:AdditionalData" </xs:element>
minOccurs="0" maxOccurs="unbounded"/> <xs:element name="ThreatActorID" type="xs:string"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActorID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== Campaign class == == Campaign class ==
================================================================== ==================================================================
--> -->
<xs:element name="Campaign"> <xs:element name="Campaign">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:choice>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:CampaignID"/> <xs:element ref="iodef:CampaignID"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!--
==================================================================
== AdditionalData class ==
==================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!--
==================================================================
== Contact class ==
==================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:choice> <xs:element ref="iodef:RegistryHandle"
<xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:PostalAddress"
</xs:sequence> minOccurs="0"/>
<xs:attribute name="restriction" <xs:element ref="iodef:Email"
type="iodef:restriction-type"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:complexType> <xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax"
minOccurs="0"/>
<xs:element ref="iodef:Timezone"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:element> </xs:simpleType>
<xs:element name="CampaignID" type="xs:string"/> </xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="ContactName"
type="iodef:MLStringType"/>
<xs:element name="ContactTitle"
type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="registry">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/>
<!-- <xs:complexType name="ContactMeansType">
==================================================================
== AdditionalData class ==
==================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!--
==================================================================
== Contact class ==
==================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax"
minOccurs="0"/>
<xs:element ref="iodef:Timezone"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="ContactName"
type="iodef:MLStringType"/>
<xs:element name="ContactTitle"
type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="registry">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/>
<xs:complexType name="ContactMeansType"> <!--
<xs:simpleContent> ==================================================================
<xs:extension base="xs:string"> == Time-based classes ==
<xs:attribute name="meaning" ==================================================================
-->
<xs:element name="DateTime"
type="xs:dateTime"/>
<xs:element name="ReportTime"
type="xs:dateTime"/>
<xs:element name="DetectTime"
type="xs:dateTime"/>
<xs:element name="StartTime"
type="xs:dateTime"/>
<xs:element name="EndTime"
type="xs:dateTime"/>
<xs:element name="Timezone"
type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== History class ==
==================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> <xs:attribute name="observable-id"
</xs:simpleContent> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element>
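Review bot: the Time-based classes declare DateTime, ReportTime, DetectTime, StartTime and EndTime as plain xs:dateTime, whose timezone part is optional in XML Schema, so a value such as `2014-07-23T10:00:00` with no offset validates even if the information model requires one; if a timezone is mandatory, say so in the text and enforce it with a pattern or in application code, since TimezoneType only constrains the separate Timezone element. In the History and Expectation classes `restriction` carries `default="default"`, whereas Incident uses `default="private"`; the meaning of an omitted `restriction` therefore changes by class and should be documented once. Also `DefinedCOA` is declared locally (name= rather than ref=) in both HistoryItem and Expectation; a single global declaration would keep the two in step.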
<!-- <!--
================================================================== ==================================================================
== Time-based classes == == Discovery class ==
================================================================== ==================================================================
--> -->
<xs:element name="DateTime" <xs:element name="Discovery">
type="xs:dateTime"/> <xs:complexType>
<xs:element name="ReportTime" <xs:sequence>
type="xs:dateTime"/> <xs:element ref="iodef:Description"
<xs:element name="DetectTime" minOccurs="0" maxOccurs="unbounded"/>
type="xs:dateTime"/> <xs:element ref="iodef:Contact"
<xs:element name="StartTime" minOccurs="0" maxOccurs="unbounded"/>
type="xs:dateTime"/> <xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="idps"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="file-integrity"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="EndTime" <xs:element name="DetectionPattern">
type="xs:dateTime"/> <xs:complexType>
<xs:element name="Timezone" <xs:sequence>
type="iodef:TimezoneType"/> <xs:element ref="iodef:Application"/>
<xs:simpleType name="TimezoneType"> <xs:element ref="iodef:Description"
<xs:restriction base="xs:string"> minOccurs="0" maxOccurs="unbounded"/>
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/> <xs:element name="DetectionConfiguration"
</xs:restriction> type="xs:string"
</xs:simpleType> minOccurs="0" maxOccurs="unbounded"/>
<!-- </xs:sequence>
================================================================== <xs:attribute name="restriction"
== History class == type="iodef:restriction-type"/>
================================================================== </xs:complexType>
--> </xs:element>
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Discovery class == == Method class ==
================================================================== ==================================================================
--> -->
<xs:element name="Discovery"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:choice maxOccurs="unbounded">
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Description"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:choice>
<xs:element ref="iodef:DetectionPattern" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="source" <xs:attribute name="restriction"
use="optional" default="unknown"> type="iodef:restriction-type"/>
<xs:simpleType> </xs:complexType>
<xs:restriction base="xs:NMTOKEN"> </xs:element>
<xs:enumeration value="idps"/> <!--
<xs:enumeration value="siem"/> ==================================================================
<xs:enumeration value="av"/> == Reference class ==
<xs:enumeration value="file-integrity"/> ==================================================================
<xs:enumeration value="third-party-monitoring"/> -->
<xs:enumeration value="os-log"/> <xs:element name="Reference">
<xs:enumeration value="application-log"/> <xs:complexType>
<xs:enumeration value="device-log"/> <xs:sequence>
<xs:enumeration value="network-flow"/> <xs:element name="ReferenceName"
<xs:enumeration value="investigation"/> type="iodef:MLStringType"/>
<xs:enumeration value="internal-notification"/> <xs:element ref="iodef:URL"
<xs:enumeration value="external-notification"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="unknown"/> <xs:element ref="iodef:Description"
<xs:enumeration value="ext-value"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:restriction> </xs:sequence>
</xs:simpleType> <xs:attribute name="observable-id"
</xs:attribute> type="xs:ID" use="optional"/>
<xs:attribute name="ext-source" <!-- Adding in Attack Type -->
type="xs:string" use="optional"/> <xs:attribute name="attacktype" type="att-type"
<xs:attribute name="restriction" use="required">
type="iodef:restriction-type"/> </xs:attribute>
</xs:complexType> <xs:attribute name="ext-attacktype"
</xs:element> type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
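Review bot: in the Reference class, `type="att-type"` on the `attacktype` attribute is the only unprefixed type reference in the schema; every other reference uses the `iodef:` prefix (`iodef:restriction-type`, `iodef:MLStringType`), so unless the schema root declares a default namespace equal to the target namespace this type will not resolve and the schema itself will fail to load. Change it to `type="iodef:att-type"` and make sure a simpleType of that name is actually declared (none appears in this section). The `<!-- Adding in Attack Type -->` working note should be dropped before publication, the empty `<xs:attribute ...></xs:attribute>` pair collapsed to a self-closing tag, and `use="required"` reconsidered: it forces every Reference, including references to purely descriptive material, to carry an attack type.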
<xs:element name="DetectionPattern"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == Assessment class ==
<xs:element ref="iodef:Application"/> ==================================================================
<xs:element ref="iodef:Description" -->
minOccurs="0" maxOccurs="unbounded"/> <xs:element name="Assessment">
<xs:element name="DetectionConfiguration" <xs:complexType>
type="xs:string" <xs:sequence>
minOccurs="0" maxOccurs="unbounded"/> <xs:choice maxOccurs="unbounded">
</xs:sequence> <xs:element ref="iodef:Impact"/>
<xs:attribute name="restriction" <xs:element ref="iodef:BusinessImpact"/>
type="iodef:restriction-type"/> <xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:complexType> <xs:element ref="iodef:Confidence" minOccurs="0"/>
</xs:element> <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
<!-- </xs:restriction>
================================================================== </xs:simpleType>
== Method class == </xs:attribute>
================================================================== <xs:attribute name="ext-type"
--> type="xs:string" use="optional"/>
<xs:element name="Method"> </xs:extension>
<xs:complexType> </xs:simpleContent>
<xs:sequence> </xs:complexType>
<xs:choice maxOccurs="unbounded"> </xs:element>
<xs:element ref="iodef:Reference"/> <xs:element name="BusinessImpact">
<xs:element ref="iodef:Description"/> <xs:complexType>
</xs:choice> <xs:simpleContent>
<xs:element ref="iodef:AdditionalData" <xs:extension base="iodef:MLStringType">
minOccurs="0" maxOccurs="unbounded"/> <xs:attribute name="severity"
</xs:sequence> use="optional">
<xs:attribute name="restriction" <xs:simpleType>
type="iodef:restriction-type"/> <xs:restriction base="xs:NMTOKEN">
</xs:complexType> <xs:enumeration value="none"/>
</xs:element> <xs:enumeration value="low"/>
<!-- <xs:enumeration value="medium"/>
================================================================== <xs:enumeration value="high"/>
== Reference class == <xs:enumeration value="unknown"/>
================================================================== <xs:enumeration value="ext-value"/>
--> </xs:restriction>
<xs:element name="Reference"> </xs:simpleType>
<xs:complexType> </xs:attribute>
<xs:sequence> <xs:attribute name="ext-severity"
draft-ietf-mile-rfc5070-bis-06.txt
<xs:element name="ReferenceName"
type="iodef:MLStringType"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type"
use="required">
</xs:attribute>
<xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Assessment class ==
==================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="BusinessImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="loss-financial"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="metric"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EventData class ==
==================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Flow class ==
==================================================================
-->
<!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry
is expected.
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
==================================================================
== System class ==
==================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<!-- CHANGE - adding two new values to cover
watchlist groups -->
<xs:enumeration value="watchlist-source"/>
<xs:enumeration value="watchlist-target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type"
use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Service Class ==
==================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs="0">
<xs:element name="Port"
type="xs:integer"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice>
<xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="required"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>

draft-ietf-mile-rfc5070-bis-07.txt
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="loss-financial"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="metric"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EventData class ==
==================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Flow class ==
==================================================================
-->
<!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry
is expected.
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
==================================================================
== System class ==
==================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type"
use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Service Class ==
==================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs="0">
<xs:element name="Port"
type="xs:integer"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice>
<xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Counter class ==
==================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EmailData class ==
==================================================================
-->
<xs:element name="EmailData">
<xs:complexType>
<xs:sequence>
<xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== DomainData class - from RFC5901 ==
==================================================================
-->
<xs:element name="DomainData">
<xs:complexType>
<xs:sequence>
<xs:element name="Name"
type="iodef:MLStringType" maxOccurs="1" />
<xs:element name="DateDomainWasChecked"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" />
<xs:element name="RegistrationDate"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" />
<xs:element name="ExpirationDate"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" />
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"
minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:DomainContacts"
minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="system-status">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="record-type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-record-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded" minOccurs="1"/>
</xs:choice>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<!-- Allows for the value to be optional for cases
such as, the registry key was deleted -->
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Classes that describe hash types, file information ==
== with certificate properties and digital signature info ==
== provided through the W3C digital signature schema ==
== so it does not need to be maintained here. ==
==================================================================
-->
<xs:element name="HashData">
<xs:complexType>
<xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer"
minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/>
<xs:enumeration value="PKI-file-ds"/>
<xs:enumeration value="PGP-email-ds"/>
<xs:enumeration value="PGP-file-ds"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-hash"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="valid"
type="xs:boolean" use="optional" />
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Classes that describe software ==
==================================================================
-->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType> </xs:complexType>
</xs:element> <xs:element name="Application"
<xs:simpleType name="PortlistType"> type="iodef:SoftwareType"/>
<xs:restriction base="xs:string"> <xs:element name="OperatingSystem"
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> type="iodef:SoftwareType"/>
</xs:restriction>
</xs:simpleType> <!--
<!-- ==================================================================
================================================================== == IndicatorData classes ==
== Counter class == ==================================================================
==================================================================
--> -->
<xs:element name="Counter"> <xs:element name="IndicatorData">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:sequence>
<xs:extension base="xs:double"> <xs:element ref="iodef:Indicator"
<xs:attribute name="type" use="required"> minOccurs="1" maxOccurs="unbounded"/>
<xs:simpleType> </xs:sequence>
<xs:restriction base="xs:NMTOKEN"> </xs:complexType>
<xs:enumeration value="byte"/> </xs:element>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> <xs:element name="Indicator">
</xs:simpleType> <xs:complexType>
</xs:attribute> <xs:sequence>
<xs:attribute name="ext-type" <xs:element ref="iodef:IndicatorID" />
type="xs:string" use="optional"/> <xs:element ref="iodef:AlternativeIndicatorID"
<xs:attribute name="meaning" minOccurs="0" maxOccurs="unbounded"/>
type="xs:string" use="optional"/> <xs:element ref="iodef:Description"
<xs:attribute name="duration" minOccurs="0" maxOccurs="unbounded"/>
type="iodef:duration-type"/> <xs:element ref="iodef:StartTime"
<xs:attribute name="ext-duration" minOccurs="0" />
type="xs:string" use="optional"/> <xs:element ref="iodef:EndTime"
minOccurs="0" />
<xs:element ref="iodef:Confidence"
minOccurs="0" />
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable" />
<xs:element ref="iodef:ObservableReference" />
<xs:element ref="iodef:IndicatorExpression" />
<xs:element ref="iodef:IndicatorReference" />
</xs:choice>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorID" type="iodef:IndicatorIDType"/>
<xs:complexType name="IndicatorIDType">
<xs:simpleContent>
<xs:extension base="xs:id">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="version"
type="xs:string" use="required"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<!-- <xs:element name="AlternativeIndicatorID">
================================================================== <xs:complexType>
== EmailData class == <xs:sequence>
================================================================== <xs:element ref="iodef:IndicatorID"
--> maxOccurs="unbounded"/>
<xs:element name="EmailData"> </xs:sequence>
<xs:complexType> <xs:attribute name="restriction"
<xs:sequence> type="iodef:restriction-type"/>
<xs:element name="EmailFrom" </xs:complexType>
type="iodef:MLStringType" minOccurs="0"/> </xs:element>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <xs:element name="Observable">
================================================================== <xs:complexType>
== DomainData class - from RFC5901 == <xs:sequence>
================================================================== <xs:element ref="iodef:Address"
--> minOccurs="0"/>
<xs:element name="DomainData"> <xs:element ref="iodef:DomainData"
<xs:complexType> minOccurs="0"/>
<xs:sequence> <xs:element ref="iodef:EmailData"
<xs:element name="Name" minOccurs="0"/>
type="iodef:MLStringType" maxOccurs="1" /> <xs:element name="ApplicationHeader"
<xs:element name="DateDomainWasChecked" type="iodef:ApplicationHeaderType"
type="xs:dateTime" minOccurs="0"/>
minOccurs="0" maxOccurs="1" /> <xs:element ref="iodef:WindowsRegistryKeysModified"
<xs:element name="RegistrationDate" minOccurs="0"/>
type="xs:dateTime" <xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="1" /> minOccurs="0"/>
<xs:element name="ExpirationDate" <xs:element ref="iodef:RecordData"
type="xs:dateTime" minOccurs="0"/>
minOccurs="0" maxOccurs="1" /> <xs:element ref="iodef:EventData"
<xs:element name="RelatedDNS" minOccurs="0"/>
type="iodef:RelatedDNSEntryType" <xs:element ref="iodef:Incident"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0"/>
<xs:element ref="iodef:Nameservers" <xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DomainContacts" <xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> <xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:attribute name="system-status"> <xs:element name="IndicatorExpression">
<xs:simpleType> <xs:complexType>
<xs:restriction base="xs:string"> <xs:sequence>
<xs:enumeration value="spoofed"/> <xs:choice>
<xs:enumeration value="fraudulent"/> <xs:element ref="iodef:IndicatorExpression"
<xs:enumeration value="innocent-hacked"/> minOccurs="0"/>
<xs:enumeration value="innocent-hijacked"/> <xs:element ref="iodef:Observable"
<xs:enumeration value="unknown"/> minOccurs="0" />
</xs:restriction> <xs:element ref="iodef:ObservableReference"
</xs:simpleType> minOccurs="0"/>
</xs:attribute> <xs:element ref="iodef:IndicatorReference"
<xs:attribute name="ext-system-status" minOccurs="0"/>
type="xs:string" use="optional"/> </xs:choice>
<xs:attribute name="domain-status"> <xs:element ref="iodef:AlternativeIndicatorID"
<xs:simpleType> minOccurs="0" maxOccurs="unbounded"/>
<xs:restriction base="xs:string"> </xs:sequence>
<xs:enumeration value="reservedDelegation"/> <xs:attribute name="operator" use="required">
<xs:enumeration value="assignedAndActive"/> <xs:simpleType>
<xs:enumeration value="assignedAndInactive"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="assignedAndOnHold"/> <xs:enumeration value="not"/>
<xs:enumeration value="revoked"/> <xs:enumeration value="and"/>
<xs:enumeration value="transferPending"/> <xs:enumeration value="or"/>
<xs:enumeration value="registryLock"/> <xs:enumeration value="xor"/>
<xs:enumeration value="registrarLock"/> </xs:restriction>
<xs:enumeration value="other"/> </xs:simpleType>
<xs:enumeration value="unknown"/> </xs:attribute>
</xs:restriction> </xs:complexType>
</xs:element>
</xs:simpleType> <xs:element name="ObservableReference">
</xs:attribute> <xs:complexType>
<xs:attribute name="ext-domain-status" <xs:attribute name="uid-ref"
type="xs:string" use="optional"/> type="xs:IDREF" use="required"/>
<xs:attribute name="indicator-uid" </xs:complexType>
type="xs:string" use="optional"/> </xs:element>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RelatedDNS" <xs:element name="IndicatorReference">
type="iodef:RelatedDNSEntryType"/> <xs:complexType>
<xs:complexType name="RelatedDNSEntryType"> <xs:attribute name="uid-ref"
<xs:simpleContent> type="xs:IDREF" use="optional"/>
<xs:extension base="xs:string"> <xs:attribute name="euid-ref"
<xs:attribute name="record-type" use="optional"> type="xs:string" use="optional"/>
<xs:simpleType> <xs:attribute name="version"
<xs:restriction base="xs:NMTOKEN"> type="xs:string" use="optional"/>
<xs:enumeration value="A"/> </xs:complexType>
<xs:enumeration value="AAAA"/> </xs:element>
<xs:enumeration value="AFSDB"/> <!-- ==================================================================
<xs:enumeration value="APL"/> == Miscellaneous simple classes ==
<xs:enumeration value="AXFR"/> ==================================================================
<xs:enumeration value="CAA"/> -->
<xs:enumeration value="CERT"/> <xs:element name="Description"
<xs:enumeration value="CNAME"/> type="iodef:MLStringType"/>
<xs:enumeration value="DHCID"/> <xs:element name="URL"
<xs:enumeration value="DLV"/> type="xs:anyURI"/>
<xs:enumeration value="DNAME"/> <!--
<xs:enumeration value="DNSKEY"/> ==================================================================
<xs:enumeration value="DS"/> == Data Types ==
<xs:enumeration value="HIP"/> ==================================================================
<xs:enumeration value="IXFR"/> -->
<xs:enumeration value="IPSECKEY"/> <xs:simpleType name="PositiveFloatType">
<xs:enumeration value="LOC"/> <xs:restriction base="xs:float">
<xs:enumeration value="MX"/> <xs:minExclusive value="0"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-record-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="Nameservers"> </xs:restriction>
<xs:complexType> </xs:simpleType>
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DomainContacts"> <xs:complexType name="MLStringType">
<xs:complexType> <xs:simpleContent>
<xs:choice> <xs:extension base="xs:string">
<xs:element name="SameDomainContact" <xs:attribute name="lang"
type="iodef:MLStringType"/> type="xs:language" use="optional"/>
<xs:element ref="iodef:Contact" </xs:extension>
maxOccurs="unbounded" minOccurs="1"/> </xs:simpleContent>
</xs:choice> </xs:complexType>
</xs:complexType>
</xs:element>
<!-- <xs:complexType name="ExtensionType" mixed="true">
==================================================================
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:RecordData" <xs:any namespace="##any" processContents="lax"
maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:element name="RecordData"> <xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime" <xs:any namespace="##any" processContents="lax"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:HashInformation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="proto"
type="iodef:restriction-type"/> type="xs:integer" use="required"/>
<xs:attribute name="indicator-uid" <xs:attribute name="field"
type="xs:string" use="optional"/> type="xs:string" use="required"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="dtype"
type="xs:string" use="optional"/> type="iodef:proto-dtype-type"
</xs:complexType> use="required"/>
</xs:element> <xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<!-- Allows for the value to be optional for cases
such as, the registry key was deleted -->
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Classes that describe hash types, file information ==
== with certificate properties and digital signature info ==
== provided through the W3C digital signature schema ==
== so it does not need to be maintained here. ==
==================================================================
-->
<xs:element name="HashInformation">
<xs:complexType>
<xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer"
minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/>
<xs:enumeration value="PKI-file-ds"/>
<xs:enumeration value="PKI-email-ds-watchlist"/>
<xs:enumeration value="PKI-file-ds-watchlist"/>
<xs:enumeration value="PGP-email-ds"/>
<xs:enumeration value="PGP-file-ds"/>
<xs:enumeration value="PGP-email-ds-watchlist"/>
<xs:enumeration value="PGP-file-ds-watchlist"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="file-hash-watchlist"/>
<xs:enumeration value="email-hash-watchlist"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="valid"
type="xs:boolean" use="optional" />
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Classes that describe software ==
==================================================================
-->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<!--
==================================================================
== Miscellaneous simple classes ==
==================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
==================================================================
== Data Types ==
==================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType"> <!--
<xs:simpleContent> ==================================================================
<xs:extension base="xs:string"> == Global attribute type declarations ==
<xs:attribute name="lang" ==================================================================
type="xs:language" use="optional"/> -->
</xs:extension> <xs:simpleType name="yes-no-type">
</xs:simpleContent> <xs:restriction base="xs:NMTOKEN">
</xs:complexType> <xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:complexType name="ExtensionType" mixed="true"> </xs:restriction>
<xs:sequence> </xs:simpleType>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="required"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
<!--
==================================================================
== Global attribute type declarations ==
==================================================================
-->
<xs:simpleType name="yes-no-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type"> <xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/> <xs:enumeration value="yes"/>
<xs:enumeration value="public"/> <xs:enumeration value="no"/>
<xs:enumeration value="partner"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="need-to-know"/> </xs:restriction>
<xs:enumeration value="private"/> </xs:simpleType>
<xs:enumeration value="white"/>
<xs:enumeration value="green"/>
<xs:enumeration value="amber"/>
<xs:enumeration value="red"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type"> <xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/> <xs:enumeration value="default"/>
<xs:enumeration value="medium"/> <xs:enumeration value="public"/>
<xs:enumeration value="high"/> <xs:enumeration value="partner"/>
</xs:restriction> <xs:enumeration value="need-to-know"/>
</xs:simpleType> <xs:enumeration value="private"/>
<xs:simpleType name="duration-type"> <xs:enumeration value="white"/>
<xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="green"/>
<xs:enumeration value="second"/> <xs:enumeration value="amber"/>
<xs:enumeration value="minute"/> <xs:enumeration value="red"/>
<xs:enumeration value="hour"/> </xs:restriction>
<xs:enumeration value="day"/> </xs:simpleType>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type"> <xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/> <xs:enumeration value="low"/>
<xs:enumeration value="contact-source-site"/> <xs:enumeration value="medium"/>
<xs:enumeration value="contact-target-site"/> <xs:enumeration value="high"/>
<xs:enumeration value="contact-sender"/> </xs:restriction>
<xs:enumeration value="investigate"/> </xs:simpleType>
<xs:enumeration value="block-host"/> <xs:simpleType name="duration-type">
<xs:enumeration value="block-network"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="block-port"/> <xs:enumeration value="second"/>
<xs:enumeration value="rate-limit-host"/> <xs:enumeration value="minute"/>
<xs:enumeration value="rate-limit-network"/> <xs:enumeration value="hour"/>
<xs:enumeration value="rate-limit-port"/> <xs:enumeration value="day"/>
<xs:enumeration value="upgrade-software"/> <xs:enumeration value="month"/>
<xs:enumeration value="rebuild-asset"/> <xs:enumeration value="quarter"/>
<xs:enumeration value="remediate-other"/> <xs:enumeration value="year"/>
<xs:enumeration value="status-triage"/> <xs:enumeration value="ext-value"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type"> </xs:restriction>
<xs:restriction base="xs:NMTOKEN"> </xs:simpleType>
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType> <xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="proto-dtype-type"> <xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/> <xs:enumeration value="bytes"/>
<xs:enumeration value="character"/> <xs:enumeration value="character"/>
<xs:enumeration value="date-time"/> <xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/> <xs:enumeration value="integer"/>
<xs:enumeration value="real"/> <xs:enumeration value="ntpstamp"/>
<xs:enumeration value="string"/> <xs:enumeration value="portlist"/>
<xs:enumeration value="xml"/> <xs:enumeration value="real"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="string"/>
</xs:restriction> <xs:enumeration value="file"/>
</xs:simpleType> <xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="att-type"> <xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="c2-server"/> <xs:enumeration value="boolean"/>
<xs:enumeration value="sink-hole"/> <xs:enumeration value="byte"/>
<xs:enumeration value="malware-distribution"/> <xs:enumeration value="bytes"/>
<xs:enumeration value="phishing"/> <xs:enumeration value="character"/>
<xs:enumeration value="spear-phishing"/> <xs:enumeration value="date-time"/>
<xs:enumeration value="recruiting"/> <xs:enumeration value="integer"/>
<xs:enumeration value="fraudulent-site"/> <xs:enumeration value="real"/>
<xs:enumeration value="dns-spoof"/> <xs:enumeration value="string"/>
<xs:enumeration value="other"/> <xs:enumeration value="xml"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:schema>
<xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="c2-server"/>
<xs:enumeration value="sink-hole"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
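The -07 schema above lets an Indicator compose Observables with nested IndicatorExpression elements (operator not/and/or/xor) and link them through xs:ID/xs:IDREF pairs (IndicatorID text for IndicatorReference, observable-id for ObservableReference). The following Python is an added example, not code from the draft or any IODEF implementation: it resolves those references, detects reference cycles, and evaluates an Indicator against locally observed addresses and header values; the iodef namespace URI and the sample document are constructed assumptions.

```python
"""Evaluate an IODEF IndicatorExpression tree against locally observed data.
Added example, not code from the draft; it assumes the iodef namespace URI
below (the excerpt does not show it) and constructs its own sample document."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed for this example


def q(tag):
    """Clark-notation name for an element in the iodef namespace."""
    return "{%s}%s" % (IODEF_NS, tag)


# The operand kinds an Indicator or IndicatorExpression may hold.
OPERANDS = {q("Observable"), q("ObservableReference"),
            q("IndicatorReference"), q("IndicatorExpression")}

# Constructed sample: ind-1 = Address AND NOT(reference to header hdr-1);
# ind-2 = (reference to ind-1) XOR the header observable hdr-1.
SAMPLE = f"""<iodef:IndicatorData xmlns:iodef="{IODEF_NS}">
 <iodef:Indicator>
  <iodef:IndicatorID name="csirt.example" version="1">ind-1</iodef:IndicatorID>
  <iodef:IndicatorExpression operator="and">
   <iodef:Observable>
    <iodef:Address category="ipv4-addr">192.0.2.10</iodef:Address>
   </iodef:Observable>
   <iodef:IndicatorExpression operator="not">
    <iodef:ObservableReference uid-ref="hdr-1"/>
   </iodef:IndicatorExpression>
  </iodef:IndicatorExpression>
 </iodef:Indicator>
 <iodef:Indicator>
  <iodef:IndicatorID name="csirt.example" version="1">ind-2</iodef:IndicatorID>
  <iodef:IndicatorExpression operator="xor">
   <iodef:IndicatorReference uid-ref="ind-1"/>
   <iodef:Observable>
    <iodef:ApplicationHeader proto="6" field="User-Agent" dtype="string"
     observable-id="hdr-1">ExampleAgent/1.0</iodef:ApplicationHeader>
   </iodef:Observable>
  </iodef:IndicatorExpression>
 </iodef:Indicator>
</iodef:IndicatorData>"""


class IndicatorEvaluator:
    """Resolves the IDREF attributes and applies not/and/or/xor over the
    operands in document order; match() decides a single Observable."""

    def __init__(self, root, match):
        self.match = match
        # IndicatorIDType extends xs:ID, so the IndicatorID text is the
        # value an IndicatorReference/@uid-ref (xs:IDREF) points at.
        self.indicators = {}
        for ind in root.iter(q("Indicator")):
            iid = ind.find(q("IndicatorID"))
            if iid is not None and iid.text:
                self.indicators[iid.text.strip()] = ind
        # ObservableReference/@uid-ref targets an element carrying an xs:ID;
        # in this schema excerpt that is observable-id on ApplicationHeaderType.
        self.targets = {el.get("observable-id"): el
                        for el in root.iter() if el.get("observable-id")}

    def evaluate(self, indicator_id, path=frozenset()):
        if indicator_id in path:
            raise ValueError("IndicatorReference cycle through %r" % indicator_id)
        ind = self.indicators[indicator_id]  # KeyError for an unknown id
        for child in ind:  # the Indicator's sequence ends with one operand
            if child.tag in OPERANDS:
                return self._operand(child, path | {indicator_id})
        raise ValueError("Indicator %r has no operand" % indicator_id)

    def _operand(self, el, path):
        if el.tag == q("Observable"):
            return bool(self.match(el))
        if el.tag == q("ObservableReference"):
            return bool(self.match(self.targets[el.get("uid-ref")]))  # dangling: KeyError
        if el.tag == q("IndicatorReference"):
            return self.evaluate(el.get("uid-ref"), path)
        values = [self._operand(c, path) for c in el if c.tag in OPERANDS]
        op = el.get("operator")
        if op == "not":
            if len(values) != 1:
                raise ValueError("'not' takes exactly one operand")
            return not values[0]
        if op == "and":
            return all(values)
        if op == "or":
            return any(values)
        if op == "xor":
            return sum(values) == 1  # read here as "exactly one operand true"
        raise ValueError("unknown operator %r" % op)


def make_matcher(seen_addresses, seen_headers):
    """An Observable (or a referenced header) matches when any Address or
    ApplicationHeader text under it appears in the local telemetry sets."""
    addrs, hdrs = set(seen_addresses), set(seen_headers)

    def match(el):
        for node in el.iter():  # el.iter() includes el itself
            text = (node.text or "").strip()
            if ((node.tag == q("Address") and text in addrs)
                    or (node.tag == q("ApplicationHeader") and text in hdrs)):
                return True
        return False
    return match


def evaluate_sample(indicator_id, seen_addresses, seen_headers):
    # IODEF received from other parties should be parsed with defusedxml.
    ev = IndicatorEvaluator(ET.fromstring(SAMPLE),
                            make_matcher(seen_addresses, seen_headers))
    return ev.evaluate(indicator_id)
```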