idnits 2.17.1 

draft-ietf-mile-rfc5070-bis-17.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  -- The draft header indicates that this document obsoletes RFC5070, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).
     
     Found 'MUST not' in this paragraph:
     
     Invalid algebraic expressions while valid XML, MUST not be
     specified.

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer. 
     Otherwise, the disclaimer is needed and you can ignore this comment. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 20, 2016) is 2953 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0-9' is mentioned on line 7075, but not defined

  == Missing Reference: '0-4' is mentioned on line 7075, but not defined

  == Missing Reference: '0-5' is mentioned on line 7075, but not defined

  == Missing Reference: 'O1' is mentioned on line 4800, but not defined

  == Missing Reference: 'O2' is mentioned on line 4801, but not defined

  == Missing Reference: 'O3' is mentioned on line 4790, but not defined

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'

  ** Downref: Normative reference to an Informational RFC: RFC 2781

  -- Obsolete informational reference (is this intentional?): RFC 5070
     (Obsoleted by RFC 7970)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)


     Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	MILE Working Group                                            R. Danyliw
3	Internet-Draft                                                      CERT
4	Obsoletes: 5070 (if approved)                             March 20, 2016
5	Intended status: Standards Track
6	Expires: September 21, 2016

8	           The Incident Object Description Exchange Format v2
9	                     draft-ietf-mile-rfc5070-bis-17

11	Abstract

13	   The Incident Object Description Exchange Format (IODEF) defines a
14	   data representation for security incident reports and cyber
15	   indicators commonly exchanged by operational security teams for
16	   mitigation and watch and warning.  This document describes the
17	   information model for the IODEF and provides an associated data model
18	   specified with XML Schema.

20	Status of This Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on September 21, 2016.

37	Copyright Notice

39	   Copyright (c) 2016 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	   This document may contain material from IETF Documents or IETF
53	   Contributions published or made publicly available before November
54	   10, 2008.  The person(s) controlling the copyright in some of this
55	   material may not have granted the IETF Trust the right to allow
56	   modifications of such material outside the IETF Standards Process.
57	   Without obtaining an adequate license from the person(s) controlling
58	   the copyright in such materials, this document may not be modified
59	   outside the IETF Standards Process, and derivative works of it may
60	   not be created outside the IETF Standards Process, except to format
61	   it for publication as an RFC or to translate it into languages other
62	   than English.

64	Table of Contents

66	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
67	     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   6
68	     1.2.  Notations . . . . . . . . . . . . . . . . . . . . . . . .   6
69	     1.3.  About the IODEF Data Model  . . . . . . . . . . . . . . .   6
70	   2.  IODEF Data Types  . . . . . . . . . . . . . . . . . . . . . .   7
71	     2.1.  Integers  . . . . . . . . . . . . . . . . . . . . . . . .   7
72	     2.2.  Real Numbers  . . . . . . . . . . . . . . . . . . . . . .   7
73	     2.3.  Characters and Strings  . . . . . . . . . . . . . . . . .   7
74	     2.4.  Multilingual Strings  . . . . . . . . . . . . . . . . . .   7
75	     2.5.  Binary Strings  . . . . . . . . . . . . . . . . . . . . .   8
76	       2.5.1.  Base64 Bytes  . . . . . . . . . . . . . . . . . . . .   8
77	       2.5.2.  Hexadecimal Bytes . . . . . . . . . . . . . . . . . .   9
78	     2.6.  Enumerated Types  . . . . . . . . . . . . . . . . . . . .   9
79	     2.7.  Date-Time String  . . . . . . . . . . . . . . . . . . . .   9
80	     2.8.  Timezone String . . . . . . . . . . . . . . . . . . . . .   9
81	     2.9.  Port Lists  . . . . . . . . . . . . . . . . . . . . . . .   9
82	     2.10. Postal Address  . . . . . . . . . . . . . . . . . . . . .  10
83	     2.11. Telephone Number  . . . . . . . . . . . . . . . . . . . .  10
84	     2.12. Email String  . . . . . . . . . . . . . . . . . . . . . .  10
85	     2.13. Uniform Resource Locator strings  . . . . . . . . . . . .  10
86	     2.14. Identifiers and Identifier References . . . . . . . . . .  10
87	     2.15. Software  . . . . . . . . . . . . . . . . . . . . . . . .  11
88	       2.15.1.  SoftwareReference Class  . . . . . . . . . . . . . .  11
89	     2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . .  13
90	   3.  The IODEF Information Model . . . . . . . . . . . . . . . . .  16
91	     3.1.  IODEF-Document Class  . . . . . . . . . . . . . . . . . .  16
92	     3.2.  Incident Class  . . . . . . . . . . . . . . . . . . . . .  17
93	     3.3.  Common Attributes . . . . . . . . . . . . . . . . . . . .  21
94	       3.3.1.  restriction Attribute . . . . . . . . . . . . . . . .  21
95	       3.3.2.  observable-id Attribute . . . . . . . . . . . . . . .  22
96	     3.4.  IncidentID Class  . . . . . . . . . . . . . . . . . . . .  23
97	     3.5.  AlternativeID Class . . . . . . . . . . . . . . . . . . .  24
98	     3.6.  RelatedActivity Class . . . . . . . . . . . . . . . . . .  24
99	     3.7.  ThreatActor Class . . . . . . . . . . . . . . . . . . . .  26
100	     3.8.  Campaign Class  . . . . . . . . . . . . . . . . . . . . .  27
101	     3.9.  Contact Class . . . . . . . . . . . . . . . . . . . . . .  28
102	       3.9.1.  RegistryHandle Class  . . . . . . . . . . . . . . . .  31
103	       3.9.2.  PostalAddress Class . . . . . . . . . . . . . . . . .  32
104	       3.9.3.  Email Class . . . . . . . . . . . . . . . . . . . . .  33
105	       3.9.4.  Telephone Class . . . . . . . . . . . . . . . . . . .  34
106	     3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . .  35
107	       3.10.1.  DetectionPattern Class . . . . . . . . . . . . . . .  37
108	     3.11. Method Class  . . . . . . . . . . . . . . . . . . . . . .  38
109	       3.11.1.  Reference Class  . . . . . . . . . . . . . . . . . .  39
110	     3.12. Assessment Class  . . . . . . . . . . . . . . . . . . . .  40
111	       3.12.1.  SystemImpact Class . . . . . . . . . . . . . . . . .  42
112	       3.12.2.  BusinessImpact Class . . . . . . . . . . . . . . . .  44
113	       3.12.3.  TimeImpact Class . . . . . . . . . . . . . . . . . .  46
114	       3.12.4.  MonetaryImpact Class . . . . . . . . . . . . . . . .  48
115	       3.12.5.  Confidence Class . . . . . . . . . . . . . . . . . .  49
116	     3.13. History Class . . . . . . . . . . . . . . . . . . . . . .  50
117	       3.13.1.  HistoryItem Class  . . . . . . . . . . . . . . . . .  51
118	     3.14. EventData Class . . . . . . . . . . . . . . . . . . . . .  53
119	       3.14.1.  Relating the Incident and EventData Classes  . . . .  55
120	       3.14.2.  Recursive Definition of EventData  . . . . . . . . .  55
121	     3.15. Expectation Class . . . . . . . . . . . . . . . . . . . .  56
122	     3.16. Flow Class  . . . . . . . . . . . . . . . . . . . . . . .  59
123	     3.17. System Class  . . . . . . . . . . . . . . . . . . . . . .  60
124	     3.18. Node Class  . . . . . . . . . . . . . . . . . . . . . . .  63
125	       3.18.1.  Address Class  . . . . . . . . . . . . . . . . . . .  64
126	       3.18.2.  NodeRole Class . . . . . . . . . . . . . . . . . . .  65
127	       3.18.3.  Counter Class  . . . . . . . . . . . . . . . . . . .  68
128	     3.19. DomainData Class  . . . . . . . . . . . . . . . . . . . .  71
129	       3.19.1.  Nameservers Class  . . . . . . . . . . . . . . . . .  73
130	       3.19.2.  DomainContacts Class . . . . . . . . . . . . . . . .  74
131	     3.20. Service Class . . . . . . . . . . . . . . . . . . . . . .  74
132	       3.20.1.  ServiceName Class  . . . . . . . . . . . . . . . . .  76
133	       3.20.2.  ApplicationHeader Class  . . . . . . . . . . . . . .  77
134	     3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . .  77
135	     3.22. Record Class  . . . . . . . . . . . . . . . . . . . . . .  79
136	       3.22.1.  RecordData Class . . . . . . . . . . . . . . . . . .  80
137	       3.22.2.  RecordPattern Class  . . . . . . . . . . . . . . . .  81
138	     3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . .  83
139	       3.23.1.  Key Class  . . . . . . . . . . . . . . . . . . . . .  84
140	     3.24. CertificateData Class . . . . . . . . . . . . . . . . . .  85
141	       3.24.1.  Certificate Class  . . . . . . . . . . . . . . . . .  85
142	     3.25. FileData Class  . . . . . . . . . . . . . . . . . . . . .  86
143	       3.25.1.  File Class . . . . . . . . . . . . . . . . . . . . .  87
144	     3.26. HashData Class  . . . . . . . . . . . . . . . . . . . . .  88
145	       3.26.1.  Hash Class . . . . . . . . . . . . . . . . . . . . .  90
146	       3.26.2.  FuzzyHash Class  . . . . . . . . . . . . . . . . . .  90
147	     3.27. SignatureData Class . . . . . . . . . . . . . . . . . . .  91
148	     3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . .  92
149	     3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . .  92
150	       3.29.1.  IndicatorID Class  . . . . . . . . . . . . . . . . .  95
151	       3.29.2.  AlternativeIndicatorID Class . . . . . . . . . . . .  95
152	       3.29.3.  Observable Class . . . . . . . . . . . . . . . . . .  96
153	       3.29.4.  IndicatorExpression Class  . . . . . . . . . . . . . 102
154	       3.29.5.  Expressions with IndicatorExpression . . . . . . . . 103
155	       3.29.6.  ObservableReference Class  . . . . . . . . . . . . . 105
156	       3.29.7.  IndicatorReference Class . . . . . . . . . . . . . . 105
157	       3.29.8.  AttackPhase Class  . . . . . . . . . . . . . . . . . 106
158	   4.  Processing Considerations . . . . . . . . . . . . . . . . . . 107
159	     4.1.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . . 107
160	     4.2.  IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 107
161	     4.3.  Validation  . . . . . . . . . . . . . . . . . . . . . . . 108
162	     4.4.  Incompatibilities with v1 . . . . . . . . . . . . . . . . 108
163	   5.  Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 109
164	     5.1.  Extending the Enumerated Values of Attributes . . . . . . 109
165	       5.1.1.  Private Extension of Enumerated Values  . . . . . . . 109
166	       5.1.2.  Public Extension of Enumerated Values . . . . . . . . 110
167	     5.2.  Extending Classes . . . . . . . . . . . . . . . . . . . . 110
168	     5.3.  Deconflicting Private Extensions  . . . . . . . . . . . . 112
169	   6.  Internationalization Issues . . . . . . . . . . . . . . . . . 113
170	   7.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . . 114
171	     7.1.  Minimal Example . . . . . . . . . . . . . . . . . . . . . 114
172	     7.2.  Indicators from a Campaign  . . . . . . . . . . . . . . . 115
173	   8.  The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 116
174	   9.  Security Considerations . . . . . . . . . . . . . . . . . . . 155
175	   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 156
176	     10.1.  Namespace and Schema . . . . . . . . . . . . . . . . . . 156
177	     10.2.  Enumerated Value Registries  . . . . . . . . . . . . . . 156
178	   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 159
179	   12. References  . . . . . . . . . . . . . . . . . . . . . . . . . 159
180	     12.1.  Normative References . . . . . . . . . . . . . . . . . . 159
181	     12.2.  Informative References . . . . . . . . . . . . . . . . . 161
182	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . 162

184	1.  Introduction

186	   Organizations require help from other parties to mitigate malicious
187	   activity targeting their network and to gain insight into potential
188	   threats.  This coordination might entail working with an ISP to
189	   filter attack traffic, contacting a remote site to take down a
190	   botnet, or sharing watch-lists of known malicious indicators in a
191	   consortium.

193	   The Incident Object Description Exchange Format (IODEF) is a format
194	   for representing computer security information commonly exchanged
195	   between Computer Security Incident Response Teams (CSIRTs).  It
196	   provides an XML representation for conveying:

198	   o  cyber intelligence to characterize threats;

200	   o  cyber incident reports to document particular cyber security
201	      events or relationships between events;

203	   o  cyber event mitigation activity to proactively and reactively
204	      mitigate activity; and

206	   o  meta-data so that these various classes of information can be
207	      exchanged among parties.

209	   The purpose of the IODEF is to enhance the operational capabilities
210	   of CSIRTs.  Adoption of the IODEF will improve the ability of a CSIRT
211	   to resolve security incidents; understand cyber threats; and
212	   coordinate response activities and proactive mitigations by
213	   simplifying collaboration and data sharing with its partners.  This
214	   structured format provided by the IODEF allows for:

216	   o  machine-to-machine exchange of incident and cyber intelligence
217	      data;

219	   o  automated processing of this data whereby allowing more rapid
220	      execution of appropriate courses of action; and

222	   o  the development of an ecosystem of interoperable tools enabling
223	      security operations.

225	   Sharing and coordinating with other organizations is not strictly a
226	   technical problem.  There are numerous procedural, cultural, legal
227	   and trust-related barriers to overcome.  The IODEF does not attempt
228	   to address them directly.  However, operational implementations of
229	   the IODEF will need to consider these challenges.

231	   Section 1 provides the background for the IODEF.  Sections 3 and 8
232	   specify the IODEF information and data model respectively.  The data
233	   types used in this document are described in Section 2.  Processing
234	   considerations, extending the specification, internationalization and
235	   security issues are covered in Sections 4, 5, 6 and 9 respectively.
236	   Examples are listed in Section 7.

238	1.1.  Terminology

240	   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
241	   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
242	   document are to be interpreted as described in [RFC2119].

244	1.2.  Notations

246	   The IODEF is specified as an Extensible Markup Language (XML)
247	   [W3C.XML] Schema [W3C.SCHEMA].  The normative IODEF data model is
248	   found in the XML schema in Section 8.  To aid in the understanding of
249	   the data elements, Section 3 also depicts the underlying information
250	   model using Unified Modeling Language (UML).  This abstract
251	   presentation of the IODEF is not normative.

253	   For clarity in this document, the term "XML document" will be used
254	   when referring generically to any instance of an XML document.  The
255	   term "IODEF document" will be used to refer to an XML document
256	   conforming to the IODEF specification.  The terms "schema" will be
257	   used to refer to Section 8 of this document.  The terms "data model"
258	   and "schema" will be used interchangeably.  The terms "class" and
259	   "element" will be used to reference either the corresponding data
260	   element in the UML-based information or XML Schema-based data models,
261	   respectively.

263	1.3.  About the IODEF Data Model

265	   A number of considerations were made in the design of the IODEF data
266	   model.

268	   o  The data model found in this document is an evolution of the one
269	      previously specified in [RFC5070].  New fields were added to
270	      represent additional information.  [RFC5070] was developed
271	      primarily to represent incident reports.  This document builds
272	      upon it by adding support for cyber indicators and revising it to
273	      reflect the current challenges faced by CSIRTs.  An attempt was
274	      made to preserve backward compatibility but this was not possible
275	      in all cases.  See Section 4.4.

277	   o  The IODEF is a transport format.  Therefore, the data model may
278	      not be the optimal archival or in-memory processing format.

280	   o  The IODEF is intended to be a framework to convey only commonly
281	      exchanged information.  It ensures that there are mechanisms for
282	      extensibility to support organization-specific information and
283	      techniques to reference information kept outside of the data
284	      model.

286	   o  Not all commonly exchanged information has a well-defined format
287	      or taxonomy.  The IODEF attempts to strike a balance between
288	      enforcing sufficient structure to allow automated processing and
289	      supporting free-form content that enables maximum flexibility.

291	   o  The IODEF fits into a broader ecosystem of standards and
292	      conventions.  An attempt was made to harmonize the data model with
293	      this context.

295	2.  IODEF Data Types

297	   The IODEF uses a number of simple and complex types.  This section
298	   describes these data types.

300	2.1.  Integers

302	   An integer is represented in the information model by the INTEGER
303	   data type.  Integer data MUST be encoded in Base 10.

305	   The INTEGER data type is implemented in the data model as a
306	   "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].

308	2.2.  Real Numbers

310	   A real (floating-point) number is represented in the information
311	   model by the REAL data type.  Real data MUST be encoded in Base 10.

313	   The REAL data type is implemented in the data model as a "xs:float"
314	   type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].

316	2.3.  Characters and Strings

318	   A single character is represented in the information model by the
319	   CHARACTER data type.  A string is represented by the STRING data
320	   type.  Special characters MUST be encoded using entity references.
321	   See Section 4.1.

323	   The CHARACTER and STRING data types are implemented in the data model
324	   as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

326	2.4.  Multilingual Strings

328	   A string that needs to be represented in a human-readable language
329	   different than the default encoding of the document is represented in
330	   the information model by the ML_STRING data type.

332	   The ML_STRING data type is implemented in the data model as the
333	   "iodef:MLStringType" type.  This type extends the "xs:string" to
334	   include two attributes.

336	   +------------------------+
337	   | iodef:MLStringType     |
338	   +------------------------+
339	   | xs:string              |
340	   |                        |
341	   | ENUM xml:lang          |
342	   | STRING translation-id  |
343	   +------------------------+

345	                   Figure 1: The iodef:MLStringType Type

347	   The content of the class is a character string of type "xs:string"
348	   whose language MAY be specified by the xml:lang attribute.

350	   The attributes of the iodef:MLStringType type are:

352	   xml:lang
353	      Optional.  ENUM.  A language identifier per Section 2.12 of
354	      [W3C.XML] whose values and format are described in [RFC5646].  The
355	      interpretation of this code is described in Section 6.

357	   translation-id
358	      Optional.  STRING.  An identifier to relate other instances of
359	      this class with the same parent as translations of this text.  The
360	      scope of this identifier is limited to all of the direct, peer
361	      child classes of a given parent class.

363	   Using this class enables representing translations of the same text
364	   in multiple languages.  Each translation is a distinct instance of
365	   this class with a common parent.  A group of classes each with a
366	   translated instance of text is related by setting a common identifier
367	   in the translation-id attribute.  The language of a given class is
368	   set by the xml:lang attribute.  See Section 6 for more details on
369	   representing translations of free-form text.

371	2.5.  Binary Strings

373	   Binary octets can be represented with two encodings.

375	2.5.1.  Base64 Bytes

377	   A binary octet encoded with Base64 is represented in the information
378	   model by the BYTE data type.  A sequence of these octets is of the
379	   BYTE[] data type.

381	   The BYTE and BYTE[] data types are implemented in the data model as a
382	   "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].

384	2.5.2.  Hexadecimal Bytes

386	   A binary octet encoded as a character tuple consistent of two
387	   hexadecimal digits is represented in the information model by the
388	   HEXBIN data type.  A sequence of these octets is of the HEXBIN[] data
389	   type.

391	   The HEXBIN and HEXBIN[] data types are implemented in the data model
392	   as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].

394	2.6.  Enumerated Types

396	   An enumerated type is represented in the information model by the
397	   ENUM data type.  It is an ordered list of acceptable string values.
398	   Each value has a representative keyword.  Within the data model, the
399	   enumerated type keywords are used as attribute values.

401	   The ENUM data type is implemented in the data model as values of a
402	   "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].

404	2.7.  Date-Time String

406	   A date-time strings that describes a particular instant in time is
407	   represented in the information model by the DATETIME data type.
408	   Ranges are not supported.

410	   The DATETIME data type is implemented in the data model as a
411	   "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].

413	2.8.  Timezone String

415	   A timezone offset from UTC is represented in the information model by
416	   the TIMEZONE data type.  It is formatted according to the following
417	   regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

419	   The TIMEZONE data type is implemented in the data model as an
420	   "iodef:TimezoneType" type.

422	2.9.  Port Lists

424	   A list of network ports is represented in the information model by
425	   the PORTLIST data type.  A PORTLIST consists of a comma-separated
426	   list of numbers and ranges (N-M means ports N through M, inclusive).
427	   It is formatted according to the following regular expression:

429	   "\d+(\-\d+)?(,\d+(\-\d+)?)*".  For example,
430	   "2,5-15,30,32,40-50,55-60".

432	   The PORTLIST data type is implemented in the data model as an
433	   "iodef:PortlistType" type.

435	2.10.  Postal Address

437	   A postal address is represented in the information model by the
438	   POSTAL data type.  The format of the POSTAL data type is documented
439	   in Section 2.23 of [RFC4519] as a free-form multi-line string
440	   separated by the "$" character.

442	   The POSTAL data type is implemented in the data model as an
443	   "iodef:MLStringType" type.

445	2.11.  Telephone Number

447	   A telephone number is represented in the information model by the
448	   PHONE data type.  The format of the PHONE data type is documented in
449	   Section 2.35 of [RFC4519].

451	   The PHONE data type is implemented in the data model as a "xs:string"
452	   type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

454	2.12.  Email String

456	   An email address is represented in the information model by the EMAIL
457	   data type.  The format of the EMAIL data type is documented in
458	   Section 3.4.1 [RFC5322].

460	   The EMAIL data type is implemented in the data model as a "xs:string"
461	   type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

463	2.13.  Uniform Resource Locator strings

465	   A uniform resource locator (URL) is represented in the information
466	   model by the URL data type.  The format of the URL data type is
467	   documented in [RFC3986].

469	   The URL data type is implemented as a "xs:anyURI" type per
470	   Section 3.2.17 of [W3C.SCHEMA.DTYPES].

472	2.14.  Identifiers and Identifier References

474	   An identifier unique to the IODEF document is represented in the
475	   information model by the ID data type.  A reference to this
476	   identifier is represented by the IDREF data type.  The acceptable
477	   format of ID and IDREF is documented in Section 3.3.8 and 3.3.9 of
478	   [W3C.SCHEMA.DTYPES].

480	   The ID and IDREF data types are implemented in the model as "xs:ID"
481	   and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
482	   [W3C.SCHEMA.DTYPES].

484	2.15.  Software

486	   A particular version of software is represented in the information
487	   model by the SOFTWARE data type.  This software can be described by
488	   using a reference, a URL or with free-form text.

490	   The SOFTWARE data type is implemented in the data model as the
491	   "iodef:SoftwareType" type.

493	   +--------------------+
494	   | iodef:SoftwareType |
495	   +--------------------+
496	   |                    |<>--{0..1}--[ SoftwareReference ]
497	   |                    |<>--{0..*}--[ URL               ]
498	   |                    |<>--{0..*}--[ Description       ]
499	   +--------------------+

501	                      Figure 2: The SoftwareType Type

503	   The aggregate classes of the SoftwareType type are:

505	   SoftwareReference
506	      Zero or one.  Reference to a software application.  See
507	      Section 2.15.1.

509	   URL
510	      Zero or more.  URL.  A URL to a resource describing the software.

512	   Description
513	      Zero or more.  ML_STRING.  A free-form text description of the
514	      software.

516	   At least one of these classes MUST be present.

518	   The iodef:SoftwareType type has no attributes.

520	2.15.1.  SoftwareReference Class

522	   The SoftwareReference class is a reference to a particular version of
523	   software.

525	   +----------------------+
526	   | SoftwareReference    |
527	   +----------------------+
528	   | xs:any               |
529	   |                      |
530	   | ENUM spec-name       |
531	   | STRING ext-spec-name |
532	   | ENUM dtype           |
533	   | STRING enum-dtype    |
534	   +----------------------+

536	                   Figure 3: The SoftwareReference Class

538	   The element content varies according to the value of the spec-name
539	   attribute.  It is defined in the data model as "xs:any" per
540	   [W3C.SCHEMA].

542	   The attributes of the SoftwareReference class are:

544	   spec-name
545	      Required.  ENUM.  Identifies the format and semantics of the
546	      element body of this class.  Formal standards and specifications
547	      can be referenced as well as a free-form text description with a a
548	      user-provided data type.  These values are maintained in the
549	      "SoftwareReference-spec-id" IANA registry per Section 10.2

551	      1.  custom.  The element content is free-form and of the data type
552	          specified by the dtype attribute.  If this value is selected,
553	          then the dtype attribute MUST be set.

555	      2.  cpe.  The element content describes a Common Platform
556	          Enumeration (CPE) entry.

558	      3.  swid.  The element content describes a software identification
559	          (SWID) tag per ISO/IEC 19770-2:2009.

561	      4.  ext-value.  A value used to indicate that this attribute is
562	          extended and the actual value is provided using the
563	          corresponding ext-* attribute.  See Section 5.1.1.

565	   ext-spec-name
566	      Optional.  STRING.  A means by which to extend the spec-name
567	      attribute.  See Section 5.1.1.

569	   dtype
570	      Optional.  ENUM.  The data type of the element content.  The
571	      permitted values for this attribute are shown below.  The default
572	      value is "string".  These values are maintained in the
573	      "SoftwareReference-dtype" IANA registry per Section 10.2.

575	      1.  bytes.  The element content is of type HEXBIN.

577	      2.  integer.  The element content is of type INTEGER.

579	      3.  real.  The element content is of type REAL.

581	      4.  string.  The element content is of type STRING.

583	      5.  xml.  The element content is XML.  See Section 5.2.

585	      6.  ext-value.  A value used to indicate that this attribute is
586	          extended and the actual value is provided using the
587	          corresponding ext-* attribute.  See Section 5.1.1.

589	   ext-dtype
590	      Optional.  STRING.  A means by which to extend the dtype
591	      attribute.  See Section 5.1.1.

593	2.16.  Extension

595	   Information not otherwise represented in the IODEF can be added using
596	   the EXTENSION data type.  This data type is a generic extension
597	   mechanism.

599	   The EXTENSION data type is implemented in the data model as the
600	   "iodef:ExtensionType" type.

602	   The data type of an EXTENSION is described by the dtype attribute.
603	   For simple information, atomic data types (e.g., integers, strings)
604	   are supported.  Their semantics are further described by the meaning
605	   and formatid attributes.  Encapsulating XML documents conforming to
606	   another schema is also supported.  A detailed discussion of extending
607	   the schema can be found in Section 5.  Additional coordination may be
608	   required to ensure that a recipient of a document using this type can
609	   parse and process it.

611	   +------------------------+
612	   | iodef:ExtensionType    |
613	   +------------------------+
614	   | xs:any                 |
615	   |                        |
616	   | STRING name            |
617	   | ENUM dtype             |
618	   | STRING ext-dtype       |
619	   | STRING meaning         |
620	   | STRING formatid        |
621	   | ENUM restriction       |
622	   | STRING ext-restriction |
623	   | ID observable-id       |
624	   +------------------------+

626	                  Figure 4: The iodef:ExtensionType Type

628	   The element content of this type is the extension being added to the
629	   data model.  This content is defined in the data model as "xs:any"
630	   per [W3C.SCHEMA].

632	   The attributes of the iodef:ExtensionType type are:

634	   name
635	      Optional.  STRING.  A free-form name of the field or data element.

637	   dtype
638	      Required.  ENUM.  The data type of the element content.  The
639	      default value is "string".  These values are maintained in the
640	      "ExtensionType-dtype" IANA registry per Section 10.2.

642	      1.   boolean.  The element content is of type BOOLEAN.

644	      2.   byte.  The element content is of type BYTE.

646	      3.   bytes.  The element content is of type HEXBIN.

648	      4.   character.  The element content is of type CHARACTER.

650	      5.   date-time.  The element content is of type DATETIME.

652	      6.   ntpstamp.  Same as date-time.

654	      7.   integer.  The element content is of type INTEGER.

656	      8.   portlist.  The element content is of type PORTLIST.

658	      9.   real.  The element content is of type REAL.

660	      10.  string.  The element content is of type STRING.

662	      11.  file.  The element content is a base64 encoded binary file
663	           encoded as a BYTE[] type.

665	      12.  path.  The element content is a file-system path encoded as a
666	           STRING type.

668	      13.  frame.  The element content is a layer-2 frame encoded as a
669	           HEXBIN type.

671	      14.  packet.  The element content is a layer-3 packet encoded as a
672	           HEXBIN type.

674	      15.  ipv4-packet.  The element content is an IPv4 packet encoded
675	           as a HEXBIN type.

677	      16.  ipv6-packet.  The element content is an IPv6 packet encoded
678	           as a HEXBIN type.

680	      17.  url.  The element content is of type URL.

682	      18.  csv.  The element content is a common separated value (CSV)
683	           list per Section 2 of [RFC4180] encoded as a STRING type.

685	      19.  winreg.  The element content is a Windows registry key
686	           encoded as a STRING type.

688	      20.  xml.  The element content is XML.  See Section 5.

690	      21.  ext-value.  A value used to indicate that this attribute is
691	           extended and the actual value is provided using the
692	           corresponding ext-* attribute.  See Section 5.1.1.

694	   ext-dtype
695	      Optional.  STRING.  A means by which to extend the dtype
696	      attribute.  See Section 5.1.1.

698	   meaning
699	      Optional.  STRING.  A free-form text description of the element
700	      content.

702	   formatid
703	      Optional.  STRING.  An identifier referencing the format or
704	      semantics of the element content.

706	   restriction
707	      Optional.  ENUM.  See Section 3.3.1.

709	   ext-restriction
710	      Optional.  STRING.  A means by which to extend the restriction
711	      attribute.  See Section 5.1.1.

713	   observable-id
714	      Optional.  ID.  See Section 3.3.2.

716	3.  The IODEF Information Model

718	   The specifics of the IODEF information model are discussed in this
719	   section.  Each class and its relationships with the other classes is
720	   described.  When necessary, clarifications are made about translating
721	   this information model to the schema in Section 8.

723	3.1.  IODEF-Document Class

725	   The IODEF-Document class is the top level class in the IODEF data
726	   model.  All IODEF documents are an instance of this class.

728	   +--------------------------+
729	   | IODEF-Document           |
730	   +--------------------------+
731	   | STRING version           |<>--{1..*}--[ Incident       ]
732	   | ENUM xml:lang            |<>--{0..*}--[ AdditionalData ]
733	   | STRING format-id         |
734	   | STRING private-enum-name |
735	   | STRING private-enum-id   |
736	   +--------------------------+

738	                      Figure 5: IODEF-Document Class

740	   The aggregate classes of the IODEF-Document class are:

742	   Incident
743	      One or more.  The information related to a single incident.  See
744	      Section 3.2.

746	   AdditionalData
747	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
748	      model.

750	   The attributes of the IODEF-Document class are:

752	   version
753	      Required.  STRING.  The IODEF specification version number to
754	      which this IODEF document conforms.  The value of this attribute
755	      MUST be "2.00"

757	   xml:lang
758	      Optional.  ENUM.  A language identifier per Section 2.12 of
759	      [W3C.XML] whose values and form are described in [RFC5646].  The
760	      interpretation of this code is described in Section 6.

762	   format-id
763	      Optional.  STRING.  A free-form string to convey processing
764	      instructions to the recipient of the document.  Its semantics must
765	      be negotiated out-of-band.

767	   private-enum-name
768	      Optional.  STRING.  A globally unique identifier for the CSIRT
769	      generating the document to deconflict private extensions used in
770	      the document.  The fully qualified domain name associated with the
771	      CSIRT MUST be used as the identifier.  See Section 5.3.

773	   private-enum-id
774	      Optional.  STRING.  An organizationally unique identifier for an
775	      extension used in the document.  If this attribute is set, the
776	      private-enum-name MUST also be set.  See Section 5.3.

778	3.2.  Incident Class

780	   The Incident class describes commonly exchanged information when
781	   reporting or sharing derived analysis from security incidents.

783	   +-------------------------+
784	   | Incident                |
785	   +-------------------------+
786	   | ENUM purpose            |<>----------[ IncidentID      ]
787	   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID   ]
788	   | ENUM status             |<>--{0..*}--[ RelatedActivity ]
789	   | STRING ext-status       |<>--{0..1}--[ DetectTime      ]
790	   | ENUM xml:lang           |<>--{0..1}--[ StartTime       ]
791	   | ENUM restriction        |<>--{0..1}--[ EndTime         ]
792	   | STRING ext-restriction  |<>--{0..1}--{ RecoveryTime    ]
793	   | ID observable-id        |<>--{0..1}--[ ReportTime      ]
794	   |                         |<>----------[ GenerationTime  ]
795	   |                         |<>--{0..*}--[ Description     ]
796	   |                         |<>--{0..*}  [ Discovery       ]
797	   |                         |<>--{0..*}--[ Assessment      ]
798	   |                         |<>--{0..*}--[ Method          ]
799	   |                         |<>--{1..*}--[ Contact         ]
800	   |                         |<>--{0..*}--[ EventData       ]
801	   |                         |<>--{0..1}--[ IndicatorData   ]
802	   |                         |<>--{0..1}--[ History         ]
803	   |                         |<>--{0..*}--[ AdditionalData  ]
804	   +-------------------------+

806	                       Figure 6: The Incident Class

808	   The aggregate classes of the Incident class are:

810	   IncidentID
811	      One.  An incident tracking number assigned to this incident by the
812	      CSIRT that generated the IODEF document.  See Section 3.4.

814	   AlternativeID
815	      Zero or one.  The incident tracking numbers used by other CSIRTs
816	      to refer to the incident described in the document.  See
817	      Section 3.5.

819	   RelatedActivity
820	      Zero or more.  Related activity and attribution of this activity.
821	      See Section 3.6.

823	   DetectTime
824	      Zero or one.  DATETIME.  The time the incident was first detected.

826	   StartTime
827	      Zero or one.  DATETIME.  The time the incident started.

829	   EndTime
830	      Zero or one.  DATETIME.  The time the incident ended.

832	   RecoveryTime
833	      Zero or one.  DATETIME.  The time the site recovered from the
834	      incident.

836	   ReportTime
837	      Zero or one.  DATETIME.  The time the incident was reported.

839	   GenerationTime
840	      One.  DATETIME.  The time the content in this Incident class was
841	      generated.

843	   Description
844	      Zero or more.  ML_STRING.  A free-form text description of the
845	      incident.

847	   Discovery
848	      Zero or more.  The means by which this incident was detected.  See
849	      Section 3.10.

851	   Assessment
852	      Zero or more.  A characterization of the impact of the incident.
853	      See Section 3.12.

855	   Method
856	      Zero or more.  The techniques used by the threat actor in the
857	      incident.  See Section 3.11.

859	   Contact
860	      One or more.  Contact information for the parties involved in the
861	      incident.  See Section 3.9.

863	   EventData
864	      Zero or more.  Description of the events comprising the incident.
865	      See Section 3.14.

867	   IndicatorData
868	      Zero or one.  Indicators from the analysis of an incident.  See
869	      Section 3.28.

871	   History
872	      Zero or one.  A log of significant events or actions that occurred
873	      during the course of handling the incident.  See Section 3.13.

875	   AdditionalData
876	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
877	      model.

879	   The attributes of the Incident class are:

881	   purpose
882	      Required.  ENUM.  The purpose attribute represents describes the
883	      rational for document the information in this class.  It is
884	      closely related to the Expectation class (Section 3.15).  These
885	      values are maintained in the "Incident-purpose" IANA registry per
886	      Section 10.2.  This attribute is defined as an enumerated list:

888	      1.  traceback.  The Incident was sent for trace-back purposes.

890	      2.  mitigation.  The Incident was sent to request aid in
891	          mitigating the described activity.

893	      3.  reporting.  The Incident was sent to comply with reporting
894	          requirements.

896	      4.  watch.  The Incident was sent to convey indicators that should
897	          be monitored.

899	      5.  other.  The Incident was sent for purposes specified in the
900	          Expectation class.

902	      6.  ext-value.  A value used to indicate that this attribute is
903	          extended and the actual value is provided using the
904	          corresponding ext-* attribute.  See Section 5.1.1.

906	   ext-purpose
907	      Optional.  STRING.  A means by which to extend the purpose
908	      attribute.  See Section 5.1.1.

910	   status
911	      Optional.  ENUM.  The status attribute conveys the state in a
912	      workflow where the incident is currently found.  These values are
913	      maintained in the "Incident-status" IANA registry per
914	      Section 10.2.  This attribute is defined as an enumerated list:

916	      1.  new.  The Incident is newly reported and has not been
917	          actioned.

919	      2.  in-progress.  The contents of this Incident are under
920	          investigation.

922	      3.  forwarded.  The Incident has been forwarded to another party
923	          for handling.

925	      4.  resolved.  The investigation into the activity in this
926	          Incident has concluded.

928	      5.  future.  The described activity has not yet been detected.

930	      6.  ext-value.  A value used to indicate that this attribute is
931	          extended and the actual value is provided using the
932	          corresponding ext-* attribute.  See Section 5.1.1.

934	   ext-status
935	      Optional.  STRING.  A means by which to extend the status
936	      attribute.  See Section 5.1.1.

938	   xml:lang
939	      Optional.  ENUM.  A language identifier per Section 2.12 of
940	      [W3C.XML] whose values and form are described in [RFC5646].  The
941	      interpretation of this code is described in Section 6.

943	   restriction
944	      Optional.  ENUM.  See Section 3.3.1.  The default value is
945	      "private".

947	   ext-restriction
948	      Optional.  STRING.  A means by which to extend the restriction
949	      attribute.  See Section 5.1.1.

951	   observable-id
952	      Optional.  ID.  See Section 3.3.2.

954	3.3.  Common Attributes

956	   There are a number of recurring attributes used in the information
957	   model.  They are documented in this section.

959	3.3.1.  restriction Attribute

961	   The restriction attribute indicates the disclosure guidelines to
962	   which the sender expects the recipient to adhere for the information
963	   represented in this class and its children.  This guideline provides
964	   no security since there are no technical means to ensure that the
965	   recipient of the document handles the information as the sender
966	   requested.

968	   The value of this attribute is logically inherited by the children of
969	   this class.  That is to say, the disclosure rules applied to this
970	   class, also apply to its children.

972	   It is possible to set a granular disclosure policy, since all of the
973	   high-level classes (i.e., children of the Incident class) have a
974	   restriction attribute.  Therefore, a child can override the
975	   guidelines of a parent class, be it to restrict or relax the
976	   disclosure rules (e.g., a child has a weaker policy than an ancestor;
977	   or an ancestor has a weak policy, and the children selectively apply
978	   more rigid controls).  The implicit value of the restriction
979	   attribute for a class that did not specify one can be found in the
980	   closest ancestor that did specify a value.

982	   This attribute is defined as an enumerated value with a default value
983	   of "private".  Note that the default value of the restriction
984	   attribute is only defined in the context of the Incident class.  In
985	   other classes where this attribute is used, no default is specified.

987	   These values are maintained in the "Restriction" IANA registry per
988	   Section 10.2.

990	   1.   public.  The information can be freely distributed without
991	        restriction.

993	   2.   partner.  The information may be shared within a closed
994	        community of peers, partners, or affected parties, but cannot be
995	        openly published.

997	   3.   need-to-know.  The information may be shared only within the
998	        organization with individuals that have a need to know.

1000	   4.   private.  The information may not be shared.

1002	   5.   default.  The information can be shared according to an
1003	        information disclosure policy pre-arranged by the communicating
1004	        parties.

1006	   6.   white.  Same as 'public'.

1008	   7.   green.  Same as 'partner'.

1010	   8.   amber.  Same as 'need-to-know'.

1012	   9.   red.  Same as 'private'.

1014	   10.  ext-value.  A value used to indicate that this attribute is
1015	        extended and the actual value is provided using the
1016	        corresponding ext-* attribute.  See Section 5.1.1.

1018	3.3.2.  observable-id Attribute

1020	   The observable-id attribute tags information in the document as an
1021	   observable so that it can be referenced later in the description of
1022	   an indicator.  The value of this attribute is a unique identifier in
1023	   the scope of the document.  It is used by the ObservableReference
1024	   class to enumerate observables when defining an indicator with the
1025	   IndicatorData class.

1027	3.4.  IncidentID Class

1029	   The IncidentID class represents a tracking number that is unique in
1030	   the context of the CSIRT.  It serves as an identifier for an incident
1031	   or a document identifier when sharing indicators.  This identifier
1032	   would serve as an index into a CSIRT's incident handling or knowledge
1033	   management system.

1035	   The combination of the name attribute and the string in the element
1036	   content MUST be a globally unique identifier describing the activity.
1037	   Documents generated by a given CSIRT MUST NOT reuse the same value
1038	   unless they are referencing the same incident.

1040	   +------------------------+
1041	   | IncidentID             |
1042	   +------------------------+
1043	   | STRING                 |
1044	   |                        |
1045	   | STRING name            |
1046	   | STRING instance        |
1047	   | ENUM restriction       |
1048	   | STRING ext-restriction |
1049	   +------------------------+

1051	                      Figure 7: The IncidentID Class

1053	   The content of the class is an incident identifier of type STRING.

1055	   The attributes of the IncidentID class are:

1057	   name
1058	      Required.  STRING.  An identifier describing the CSIRT that
1059	      created the document.  In order to have a globally unique CSIRT
1060	      name, the fully qualified domain name associated with the CSIRT
1061	      MUST be used.

1063	   instance
1064	      Optional.  STRING.  An identifier referencing a subset of the
1065	      named incident.

1067	   restriction
1068	      Optional.  ENUM.  See Section 3.3.1.

1070	   ext-restriction
1071	      Optional.  STRING.  A means by which to extend the restriction
1072	      attribute.  See Section 5.1.1.

1074	3.5.  AlternativeID Class

1076	   The AlternativeID class lists the tracking numbers used by CSIRTs,
1077	   other than the one generating the document, to refer to the identical
1078	   activity described in the IODEF document.  A tracking number listed
1079	   as an AlternativeID references the same incident detected by another
1080	   CSIRT.  The tracking numbers of the CSIRT that generated the IODEF
1081	   document must never be considered an AlternativeID.

1083	   +------------------------+
1084	   | AlternativeID          |
1085	   +------------------------+
1086	   | ENUM restriction       |<>--{1..*}--[ IncidentID ]
1087	   | STRING ext-restriction |
1088	   +------------------------+

1090	                     Figure 8: The AlternativeID Class

1092	   The aggregate class of the AlternativeID class is:

1094	   IncidentID
1095	      One or more.  The tracking number of another CSIRT.  See
1096	      Section 3.4.

1098	   The attributes of the AlternativeID class are:

1100	   restriction
1101	      Optional.  ENUM.  See Section 3.3.1.

1103	   ext-restriction
1104	      Optional.  STRING.  A means by which to extend the restriction
1105	      attribute.  See Section 5.1.1.

1107	3.6.  RelatedActivity Class

1109	   The RelatedActivity class relates the information described in the
1110	   rest of the document to previously observed incidents or activity;
1111	   and allows attribution to a specific actor or campaign.

1113	   +------------------------+
1114	   | RelatedActivity        |
1115	   +------------------------+
1116	   | ENUM restriction       |<>--{0..*}--[ IncidentID     ]
1117	   | STRING ext-restriction |<>--{0..*}--[ URL            ]
1118	   |                        |<>--{0..*}--[ ThreatActor    ]
1119	   |                        |<>--{0..*}--[ Campaign       ]
1120	   |                        |<>--{0..*}--[ IndicatorID    ]
1121	   |                        |<>--{0..1}--[ Confidence     ]
1122	   |                        |<>--{0..*}--[ Description    ]
1123	   |                        |<>--{0..*}--[ AdditionalData ]
1124	   +------------------------+

1126	                      Figure 9: RelatedActivity Class

1128	   The aggregate classes of the RelatedActivity class are:

1130	   IncidentID
1131	      Zero or more.  The tracking number of a related incident.  See
1132	      Section 3.4.

1134	   URL
1135	      Zero or more.  URL.  A URL to activity related to this incident.

1137	   ThreatActor
1138	      Zero or more.  The threat actor to whom the incident activity is
1139	      attributed.  See Section 3.7.

1141	   Campaign
1142	      Zero or more.  The campaign of a given threat actor to whom the
1143	      described activity is attributed.  See Section 3.8.

1145	   IndicatorID
1146	      Zero or more.  A reference to a related indicator.  See
1147	      Section 3.4.

1149	   Confidence
1150	      Zero or one.  An estimate of the confidence in attributing this
1151	      RelatedActivity to the events described in the document.  See
1152	      Section 3.12.5.

1154	   Description
1155	      Zero or more.  ML_STRING.  A description of how these
1156	      relationships were derived.

1158	   AdditionalData
1159	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
1160	      model.

1162	   The RelatedActivity class MUST have at least one instance of any of
1163	   the following child classes: IncidentID, URL, ThreatActor, Campaign,
1164	   Description or AdditionalData.

1166	   The attributes of the RelatedActivity class are:

1168	   restriction
1169	      Optional.  ENUM.  See Section 3.3.1.

1171	   ext-restriction
1172	      Optional.  STRING.  A means by which to extend the restriction
1173	      attribute.  See Section 5.1.1.

1175	3.7.  ThreatActor Class

1177	   The ThreatActor class describes a threat actor.

1179	   +------------------------+
1180	   | ThreatActor            |
1181	   +------------------------+
1182	   | ENUM restriction       |<>--{0..*}--[ ThreatActorID  ]
1183	   | STRING ext-restriction |<>--{0..*}--[ URL            ]
1184	   |                        |<>--{0..*}--[ Description    ]
1185	   |                        |<>--{0..*}--[ AdditionalData ]
1186	   +------------------------+

1188	                       Figure 10: ThreatActor Class

1190	   The aggregate classes of the ThreatActor class are:

1192	   ThreatActorID
1193	      Zero or more.  STRING.  An identifier for the threat actor.

1195	   URL
1196	      Zero or more.  URL.  A URL to a reference describing the threat
1197	      actor.

1199	   Description
1200	      Zero or more.  ML_STRING.  A description of the threat actor.

1202	   AdditionalData
1203	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
1204	      model.

1206	   The ThreatActor class MUST have at least one instance of a child
1207	   class.

1209	   The attributes of the ThreatActor class are:

1211	   restriction
1212	      Optional.  ENUM.  See Section 3.3.1.

1214	   ext-restriction
1215	      Optional.  STRING.  A means by which to extend the restriction
1216	      attribute.  See Section 5.1.1.

1218	3.8.  Campaign Class

1220	   The Campaign class describes a campaign of attacks by a threat actor.

1222	   +------------------------+
1223	   | Campaign               |
1224	   +------------------------+
1225	   | ENUM restriction       |<>--{0..*}--[ CampaignID     ]
1226	   | STRING ext-restriction |<>--{0..*}--[ URL            ]
1227	   |                        |<>--{0..*}--[ Description    ]
1228	   |                        |<>--{0..*}--[ AdditionalData ]
1229	   +------------------------+

1231	                         Figure 11: Campaign Class

1233	   The aggregate classes of the Campaign class are:

1235	   CampaignID
1236	      Zero or more.  STRING.  An identifier for the campaign.

1238	   URL
1239	      Zero or more.  URL.  A URL to a reference describing the campaign.

1241	   Description
1242	      Zero or more.  ML_STRING.  A description of the campaign.

1244	   AdditionalData
1245	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
1246	      model.

1248	   The Campaign class MUST have at least one instance of a child class.

1250	   The attributes of the Campaign class are:

1252	   restriction
1253	      Optional.  ENUM.  See Section 3.3.1.

1255	   ext-restriction
1256	      Optional.  STRING.  A means by which to extend the restriction
1257	      attribute.  See Section 5.1.1.

1259	3.9.  Contact Class

1261	   The Contact class describes contact information for organizations and
1262	   personnel involved in the incident.  This class allows for the naming
1263	   of the involved party, specifying contact information for them, and
1264	   identifying their role in the incident.

1266	   People and organizations are treated interchangeably as contacts; one
1267	   can be associated with the other using the recursive definition of
1268	   the class (the Contact class is aggregated into the Contact class).
1269	   The 'type' attribute disambiguates the type of contact information
1270	   being provided.

1272	   The recursive definition of Contact provides a way to relate
1273	   information without requiring the explicit use of identifiers or
1274	   duplication of data.  A complete point of contact is derived by a
1275	   particular traversal from the root Contact class to the leaf Contact
1276	   class.  Each child Contact class logically inherits contact
1277	   information from its ancestors.

1279	   +------------------------+
1280	   | Contact                |
1281	   +------------------------+
1282	   | ENUM role              |<>--{0..*}--[ ContactName    ]
1283	   | STRING ext-role        |<>--{0..*}--[ ContactTitle   ]
1284	   | ENUM type              |<>--{0..*}--[ Description    ]
1285	   | STRING ext-type        |<>--{0..*}--[ RegistryHandle ]
1286	   | ENUM restriction       |<>--{0..1}--[ PostalAddress  ]
1287	   | STRING ext-restriction |<>--{0..*}--[ Email          ]
1288	   |                        |<>--{0..*}--[ Telephone      ]
1289	   |                        |<>--{0..1}--[ Timezone       ]
1290	   |                        |<>--{0..*}--[ Contact        ]
1291	   |                        |<>--{0..*}--[ AdditionalData ]
1292	   +------------------------+

1294	                       Figure 12: The Contact Class

1296	   The aggregate classes of the Contact class are:

1298	   ContactName
1299	      Zero or more.  ML_STRING.  The name of the contact.  The contact
1300	      may either be an organization or a person.  The type attribute
1301	      disambiguates the semantics.

1303	   ContactTitle
1304	      Zero or more.  ML_STRING.  The title for the individual named in
1305	      the ContactName.

1307	   Description
1308	      Zero or more.  ML_STRING.  A free-form text description of the
1309	      contact.

1311	   RegistryHandle
1312	      Zero or more.  A handle name into the registry of the contact.
1313	      See Section 3.9.1.

1315	   PostalAddress
1316	      Zero or more.  The postal address of the contact.  See
1317	      Section 3.9.2.

1319	   Email
1320	      Zero or more.  The email address of the contact.  See
1321	      Section 3.9.3.

1323	   Telephone
1324	      Zero or more.  The telephone number of the contact.  See
1325	      Section 3.9.4.

1327	   Timezone
1328	      Zero or one.  TIMEZONE.  The timezone in which the contact
1329	      resides.

1331	   Contact
1332	      Zero or more.  A recursive definition of the Contact class.  This
1333	      definition can be used to group common data pertaining to multiple
1334	      points of contact and is especially useful when listing multiple
1335	      contacts at the same organization.

1337	   AdditionalData
1338	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
1339	      model.

1341	   At least one of the aggregate classes MUST be present in an instance
1342	   of the Contact class.

1344	   The attributes of the Contact class are:

1346	   role
1347	      Required.  ENUM.  Indicates the role the contact fulfills.  These
1348	      values are maintained in the "Contact-role" IANA registry per
1349	      Section 10.2.

1351	      1.   creator.  The entity that generate the document.

1353	      2.   reporter.  The entity that reported the information.

1355	      3.   admin.  An administrative contact or business owner for an
1356	           asset or organization.

1358	      4.   tech.  An entity responsible for the day-to-day management of
1359	           technical issues for an asset or organization.

1361	      5.   provider.  An external hosting provider for an asset.

1363	      6.   zone.  An entity with authority over a DNS zone.

1365	      7.   user.  An end-user of an asset or part of an organization.

1367	      8.   billing.  An entity responsible for billing issues for an
1368	           asset or organization.

1370	      9.   legal.  An entity responsible for legal issue related to an
1371	           asset or organization.

1373	      10.  irt.  An entity responsible for handling security issues for
1374	           an asset or organization.

1376	      11.  abuse.  An entity responsible for handling abuse originating
1377	           from an asset or organization.

1379	      12.  cc.  An entity that is to be kept informed about the events
1380	           related to an asset or organization.

1382	      13.  cc-irt.  A CSIRT or information sharing organization
1383	           coordinating activity related to an asset or organization.

1385	      14.  leo.  A law enforcement organization supporting the
1386	           investigation of activity affecting an asset or organization.

1388	      15.  vendor.  The vendor that produces an asset.

1390	      16.  vendor-support.  A vendor that provides services.

1392	      17.  victim.  A victim in the incident.

1394	      18.  victim-notified.  A victim in the incident who has been
1395	           notified.

1397	      19.  ext-value.  A value used to indicate that this attribute is
1398	           extended and the actual value is provided using the
1399	           corresponding ext-* attribute.  See Section 5.1.1.

1401	   ext-role
1402	      Optional.  STRING.  A means by which to extend the role attribute.
1403	      See Section 5.1.1.

1405	   type
1406	      Required.  ENUM.  Indicates the type of contact being described.
1407	      This attribute is defined as an enumerated list.  These values are
1408	      maintained in the "Contact-type" IANA registry per Section 10.2.

1410	      1.  person.  The information for this contact references an
1411	          individual.

1413	      2.  organization.  The information for this contact references an
1414	          organization.

1416	      3.  ext-value.  A value used to indicate that this attribute is
1417	          extended and the actual value is provided using the
1418	          corresponding ext-* attribute.  See Section 5.1.1.

1420	   ext-type
1421	      Optional.  STRING.  A means by which to extend the type attribute.
1422	      See Section 5.1.1.

1424	   restriction
1425	      Optional.  ENUM.  See Section 3.3.1.

1427	   ext-restriction
1428	      Optional.  STRING.  A means by which to extend the restriction
1429	      attribute.  See Section 5.1.1.

1431	3.9.1.  RegistryHandle Class

1433	   The RegistryHandle class represents a handle into an Internet
1434	   registry or community-specific database.

1436	   +---------------------+
1437	   | RegistryHandle      |
1438	   +---------------------+
1439	   | STRING              |
1440	   |                     |
1441	   | ENUM registry       |
1442	   | STRING ext-registry |
1443	   +---------------------+

1445	                    Figure 13: The RegistryHandle Class

1447	   The content of the class is a handle into a registry of type STRING.

1449	   The attributes of the RegistryHandle class are:

1451	   registry
1452	      Required.  ENUM.  The database to which the handle belongs.  These
1453	      values are maintained in the "RegistryHandle-registry" IANA
1454	      registry per Section 10.2.  The possible values are:

1456	      1.  internic.  Internet Network Information Center

1458	      2.  apnic.  Asia Pacific Network Information Center

1460	      3.  arin.  American Registry for Internet Numbers

1462	      4.  lacnic.  Latin-American and Caribbean IP Address Registry

1464	      5.  ripe.  Reseaux IP Europeens

1466	      6.  afrinic.  African Internet Numbers Registry

1468	      7.  local.  A database local to the CSIRT

1470	      8.  ext-value.  A value used to indicate that this attribute is
1471	          extended and the actual value is provided using the
1472	          corresponding ext-* attribute.  See Section 5.1.1.

1474	   ext-registry
1475	      Optional.  STRING.  A means by which to extend the registry
1476	      attribute.  See Section 5.1.1.

1478	3.9.2.  PostalAddress Class

1480	   The PostalAddress class specifies an postal address and associated
1481	   annotation.

1483	   +--------------------+
1484	   | PostalAddress      |
1485	   +--------------------+
1486	   | ENUM type          |<>----------[ PAddress         ]
1487	   | STRING ext-type    |<>--{0..*}--[ Description      ]
1488	   +--------------------+

1490	                    Figure 14: The PostalAddress Class

1492	   The aggregate classes of the PostalAddress class are:

1494	   PAddress
1495	      One.  POSTAL.  A postal address.

1497	   Description
1498	      Zero or more.  ML_STRING.  A free-form text description of the
1499	      address.

1501	   The attributes of the PostalAddress class are:

1503	   type
1504	      Optional.  ENUM.  Categorizes the type of address described in the
1505	      PAddress class.  These values are maintained in the
1506	      "PostalAddress-type" IANA registry per Section 10.2.

1508	      1.  street.  An address describing a physical location.

1510	      2.  mailing.  An address to which correspondence should be sent.

1512	      3.  ext-value.  A value used to indicate that this attribute is
1513	          extended and the actual value is provided using the
1514	          corresponding ext-* attribute.  See Section 5.1.1.

1516	   ext-type
1517	      Optional.  STRING.  A means by which to extend the type attribute.
1518	      See Section 5.1.1.

1520	3.9.3.  Email Class

1522	   The Email class specifies an email address and associated annotation.

1524	   +--------------------+
1525	   | Email              |
1526	   +--------------------+
1527	   | ENUM type          |<>----------[ EmailTo          ]
1528	   | STRING ext-type    |<>--{0..*}--[ Description      ]
1529	   +--------------------+

1531	                        Figure 15: The Email Class

1533	   The aggregate classes of the Email class are:

1535	   EmailTo
1536	      One.  EMAIL.  An email address.

1538	   Description
1539	      Zero or more.  ML_STRING.  A free-form text description of the
1540	      email address.

1542	   The attributes of the Email class are:

1544	   type
1545	      Optional.  ENUM.  Categorizes the type of email address described
1546	      in the EmailTo class.  These values are maintained in the "Email-
1547	      type" IANA registry per Section 10.2.

1549	      1.  direct.  A email address of an individual.

1551	      2.  hotline.  A email address regularly monitored for operational
1552	          purposes.

1554	      3.  ext-value.  A value used to indicate that this attribute is
1555	          extended and the actual value is provided using the
1556	          corresponding ext-* attribute.  See Section 5.1.1.

1558	   ext-type
1559	      Optional.  STRING.  A means by which to extend the type attribute.
1560	      See Section 5.1.1.

1562	3.9.4.  Telephone Class

1564	   The Telephone class describes a telephone number and associated
1565	   annotation.

1567	   +--------------------+
1568	   | Telephone          |
1569	   +--------------------+
1570	   | ENUM type          |<>----------[ TelephoneNumber  ]
1571	   | STRING ext-type    |<>--{0..*}--[ Description      ]
1572	   +--------------------+

1574	                      Figure 16: The Telephone Class

1576	   The aggregate classes of the Telephone class are:

1578	   TelephoneNumber
1579	      One.  PHONE.  A telephone number.

1581	   Description
1582	      Zero or more.  ML_STRING.  A free-form text description of the
1583	      phone number.

1585	   The attributes of the Telephone class are:

1587	   type
1588	      Optional.  ENUM.  Categorizes the type of telephone number
1589	      described in the TelephoneNumber class.  These values are
1590	      maintained in the "Telephone-type" IANA registry per Section 10.2.

1592	      1.  wired.  A number of a wire-line (land-line) phone.

1594	      2.  mobile.  A number of a mobile phone.

1596	      3.  fax.  A number to a fax machine.

1598	      4.  hotline.  A number to a regularly monitored operational
1599	          hotline.

1601	      5.  ext-value.  A value used to indicate that this attribute is
1602	          extended and the actual value is provided using the
1603	          corresponding ext-* attribute.  See Section 5.1.1.

1605	   ext-type
1606	      Optional.  STRING.  A means by which to extend the type attribute.
1607	      See Section 5.1.1.

1609	3.10.  Discovery Class

1611	   The Discovery class describes how an incident was detected.

1613	   +------------------------+
1614	   | Discovery              |
1615	   +------------------------+
1616	   | ENUM source            |<>--{0..*}--[ Description      ]
1617	   | STRING ext-source      |<>--{0..*}--[ Contact          ]
1618	   | ENUM restriction       |<>--{0..*}--[ DetectionPattern ]
1619	   | STRING ext-restriction |
1620	   +------------------------+

1622	                      Figure 17: The Discovery Class

1624	   The aggregate classes of the Discovery class are:

1626	   Description
1627	      Zero or more.  ML_STRING.  A free-form text description of how
1628	      this incident was detected.

1630	   Contact
1631	      Zero or more.  Contact information for the party that discovered
1632	      the incident.  See Section 3.9.

1634	   DetectionPattern
1635	      Zero or more.  Describes an application-specific configuration
1636	      that detected the incident.  See Section 3.10.1.

1638	   The attributes of the Discovery class are:

1640	   source
1641	      Optional.  ENUM.  Categorizes the techniques used to discover the
1642	      incident.  These values are partially derived from Table 3-1 of
1643	      [NIST800.61rev2].  These values are maintained in the "Discovery-
1644	      source" IANA registry per Section 10.2.

1646	      1.   nidps.  Network Intrusion Detection or Prevention system.

1648	      2.   hips.  Host-based Intrusion Prevention system.

1650	      3.   siem.  Security Information and Event Management System.

1652	      4.   av.  Antivirus or and antispam software.

1654	      5.   third-party-monitoring.  Contracted third-party monitoring
1655	           service.

1657	      6.   incident.  The activity was discovered while investigating an
1658	           unrelated incident.

1660	      7.   os-log.  Operating system logs.

1662	      8.   application-log.  Application logs.

1664	      9.   device-log.  Network device logs.

1666	      10.  network-flow.  Network flow analysis.

1668	      11.  passive-dns.  Passive DNS analysis.

1670	      12.  investigation.  Manual investigation initiated based on
1671	           notification of a new vulnerability or exploit.

1673	      13.  audit.  Security audit.

1675	      14.  internal-notification.  A party within the organization
1676	           reported the activity

1678	      15.  external-notification.  A party outside of the organization
1679	           reported the activity.

1681	      16.  leo.  A law enforcement organization notified the victim
1682	           organization.

1684	      17.  partner.  A customer or business partner reported the
1685	           activity to the victim organization.

1687	      18.  actor.  The threat actor directly or indirectly reported this
1688	           activity to the victim organization.

1690	      19.  unknown.  Unknown detection approach.

1692	      20.  ext-value.  A value used to indicate that this attribute is
1693	           extended and the actual value is provided using the
1694	           corresponding ext-* attribute.  See Section 5.1.1.

1696	   ext-source
1697	      Optional.  STRING.  A means by which to extend the source
1698	      attribute.  See Section 5.1.1.

1700	   restriction
1701	      Optional.  ENUM.  See Section 3.3.1.

1703	   ext-restriction
1704	      Optional.  STRING.  A means by which to extend the restriction
1705	      attribute.  See Section 5.1.1.

1707	3.10.1.  DetectionPattern Class

1709	   The DetectionPattern class describes a configuration or signature
1710	   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
1711	   protection, network analysis, malware analysis, or host forensics
1712	   tool to identify a particular phenomenon.  This class requires the
1713	   identification of the target application and allows the configuration
1714	   to be describes in either free-form or machine readable form.

1716	   +------------------------+
1717	   | DetectionPattern       |
1718	   +------------------------+
1719	   | ENUM restriction       |<>----------[ Application            ]
1720	   | STRING ext-restriction |<>--{0..*}--[ Description            ]
1721	   |                        |<>--{0..*}--[ DetectionConfiguration ]
1722	   +------------------------+

1724	                   Figure 18: The DetectionPattern Class

1726	   The aggregate classes of the DetectionPattern class are:

1728	   Application
1729	      One.  SOFTWARE.  The application for which the
1730	      DetectionConfiguration or Description is being provided.

1732	   Description
1733	      Zero or more.  ML_STRING.  A free-form text description of how to
1734	      use the Application or provided DetectionConfiguration.

1736	   DetectionConfiguration
1737	      Zero or more.  STRING.  A machine consumable configuration to find
1738	      a pattern of activity.

1740	   Either an instance of the Description or DetectionConfiguration class
1741	   MUST be present.

1743	   The attributes of the DetectionPattern class are:

1745	   restriction
1746	      Optional.  ENUM.  See Section 3.3.1.

1748	   ext-restriction
1749	      Optional.  STRING.  A means by which to extend the restriction
1750	      attribute.  See Section 5.1.1.

1752	3.11.  Method Class

1754	   The Method class describes the tactics, techniques, procedures or
1755	   weakness used by the threat actor in an incident.  This class
1756	   consists of both a list of references describing the attack methods
1757	   and weaknesses and a free-form text description.

1759	   +------------------------+
1760	   | Method                 |
1761	   +------------------------+
1762	   | ENUM restriction       |<>--{0..*}--[ Reference         ]
1763	   | STRING ext-restriction |<>--{0..*}--[ Description       ]
1764	   |                        |<>--{0..*}--[ sci:AttackPattern ]
1765	   |                        |<>--{0..*}--[ sci:Vulnerability ]
1766	   |                        |<>--{0..*}--[ sci:Weakness      ]
1767	   |                        |<>--{0..*}--[ AdditionalData    ]
1768	   +------------------------+

1770	                        Figure 19: The Method Class

1772	   The aggregate classes of the Method class are:

1774	   Reference
1775	      Zero or more.  A reference to a vulnerability, malware sample,
1776	      advisory, or analysis of an attack technique.  See Section 3.11.1.

1778	   Description
1779	      Zero or more.  ML_STRING.  A free-form text description of
1780	      techniques, tactics, or procedures used by the threat actor.

1782	   sci:AttackPattern
1783	      Zero or more.  A reference to an pattern of attack or exploitation
1784	      per [RFC-SCI]

1786	   sci:Vulnerability
1787	      Zero or more.  A reference to a vulnerability per [RFC-SCI]

1789	   sci:Weakness
1790	      Zero or more.  A reference to the exploited weakness per [RFC-SCI]

1792	   AdditionalData
1793	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
1794	      model.

1796	   An instance of one of these child MUST be present.

1798	   The attributes of the Method class are:

1800	   restriction
1801	      Optional.  ENUM.  See Section 3.3.1.

1803	   ext-restriction
1804	      Optional.  STRING.  A means by which to extend the restriction
1805	      attribute.  See Section 5.1.1.

1807	3.11.1.  Reference Class

1809	   The Reference class is an external reference to relevant information
1810	   such a vulnerability, IDS alert, malware sample, advisory, or attack
1811	   technique.

1813	   +-------------------------+
1814	   | Reference               |
1815	   +-------------------------+
1816	   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
1817	   |                         |<>--{0..*}--[ URL                ]
1818	   |                         |<>--{0..*}--[ Description        ]
1819	   +-------------------------+

1821	                      Figure 20: The Reference Class

1823	   The aggregate classes of the Reference class are:

1825	   enum:ReferenceName
1826	      Zero or one.  Reference identifier per [RFC-ENUM].

1828	   URL
1829	      Zero or more.  URL.  A URL to a reference.

1831	   Description
1832	      Zero or more.  ML_STRING.  A free-form text description of this
1833	      reference.

1835	   At least one of these classes MUST be present.

1837	   The attribute of the Reference class is:

1839	   observable-id
1840	      Optional.  ID.  See Section 3.3.2.

1842	3.12.  Assessment Class

1844	   The Assessment class describes the repercussions of the incident to
1845	   the victim.

1847	   +-------------------------+
1848	   | Assessment              |
1849	   +-------------------------+
1850	   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
1851	   | ENUM restriction        |<>--{0..*}--[ SystemImpact     ]
1852	   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact   ]
1853	   | ID observable-id        |<>--{0..*}--[ TimeImpact       ]
1854	   |                         |<>--{0..*}--[ MonetaryImpact   ]
1855	   |                         |<>--{0..*}--[ IntendedImpact   ]
1856	   |                         |<>--{0..*}--[ Counter          ]
1857	   |                         |<>--{0..*}--[ MitigatingFactor ]
1858	   |                         |<>--{0..*}--[ Cause            ]
1859	   |                         |<>--{0..1}--[ Confidence       ]
1860	   |                         |<>--{0..*}--[ AdditionalData   ]
1861	   +-------------------------+

1863	                        Figure 21: Assessment Class

1865	   The aggregate classes of the Assessment class are:

1867	   IncidentCategory
1868	      Zero or more.  ML_STRING.  A free-form text description
1869	      categorizing the type of Incident.

1871	   SystemImpact
1872	      Zero or more.  A technical characterization of the impact of the
1873	      incident activity on the victim's enterprise.  See Section 3.12.1.

1875	   BusinessImpact
1876	      Zero or more.  Impact of the incident activity on the business
1877	      functions of the victim organization.  See Section 3.12.2.

1879	   TimeImpact
1880	      Zero or more.  A characterization of the victim organization due
1881	      to the incident activity as a function of time.  See
1882	      Section 3.12.3.

1884	   MonetaryImpact
1885	      Zero or more.  The financial loss due to the incident activity.
1886	      See Section 3.12.4.

1888	   IntendedImpact
1889	      Zero or more.  The intended outcome to the victim sought by the
1890	      threat actor.  Defined identically to the BusinessImpact defined
1891	      in Section 3.12.2, but describes intent rather than the realized
1892	      impact.

1894	   Counter
1895	      Zero or more.  A counter with which to summarize the magnitude of
1896	      the activity.  See Section 3.18.3.

1898	   MitigatingFactor
1899	      Zero or more.  ML_STRING.  A description of a mitigating factor
1900	      relative to the impact on the victim organization.

1902	   Cause
1903	      Zero or more.  ML_STRING.  A description of an underlying cause of
1904	      the impact.

1906	   Confidence
1907	      Zero or one.  An estimate of confidence in the impact assessment.
1908	      See Section 3.12.5.

1910	   AdditionalData
1911	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
1912	      model.

1914	   A least one instance of the possible five impact classes (i.e.,
1915	   SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or
1916	   IntendedImpact) MUST be present.

1918	   The attributes of the Assessment class are:

1920	   occurrence
1921	      Optional.  ENUM.  Specifies whether the assessment is describing
1922	      actual or potential outcomes.

1924	      1.  actual.  This assessment describes activity that has occurred.

1926	      2.  potential.  This assessment describes potential activity that
1927	          might occur.

1929	   restriction
1930	      Optional.  ENUM.  See Section 3.3.1.

1932	   ext-restriction
1933	      Optional.  STRING.  A means by which to extend the restriction
1934	      attribute.  See Section 5.1.1.

1936	   observable-id
1937	      Optional.  ID.  See Section 3.3.2.

1939	3.12.1.  SystemImpact Class

1941	   The SystemImpact class describes the technical impact of the incident
1942	   to the systems on the network.

1944	   +-----------------------+
1945	   | SystemImpact          |
1946	   +-----------------------+
1947	   | ENUM severity         |<>--{0..*}--[ Description ]
1948	   | ENUM completion       |
1949	   | ENUM type             |
1950	   | STRING ext-type       |
1951	   +-----------------------+

1953	                       Figure 22: SystemImpact Class

1955	   The aggregate class of the SystemImpact class is:

1957	   Description
1958	      Zero or more.  ML_STRING.  A free-form text description of the
1959	      impact to the system.

1961	   The attributes of the SystemImpact class are:

1963	   severity
1964	      Optional.  ENUM.  An estimate of the relative severity of the
1965	      activity.  The permitted values are shown below.  There is no
1966	      default value.

1968	      1.  low.  Low severity

1970	      2.  medium.  Medium severity

1972	      3.  high.  High severity

1974	   completion
1975	      Optional.  ENUM.  An indication whether the described activity was
1976	      successful.  The permitted values are shown below.  There is no
1977	      default value.

1979	      1.  failed.  The attempted activity was not successful.

1981	      2.  succeeded.  The attempted activity succeeded.

1983	   type
1984	      Required.  ENUM.  Classifies the impact.  The permitted values are
1985	      shown below.  The default value is "unknown".  These values are
1986	      maintained in the "SystemImpact-type" IANA registry per
1987	      Section 10.2.

1989	      1.   takeover-account.  Control was taken of a given account.

1991	      2.   takeover-service.  Control was taken of a given service.

1993	      3.   takeover-system.  Control was taken of a given system.

1995	      4.   cps-manipulation.  A cyber physical system was manipulated.

1997	      5.   cps-damage.  A cyber physical system was damaged.

1999	      6.   availability-data.  Access to particular data was degraded or
2000	           denied.

2002	      7.   availability-account.  Access to an account was degraded or
2003	           denied.

2005	      8.   availability-service.  Access to a service was degraded or
2006	           denied.

2008	      9.   availability-system.  Access to a system was degraded or
2009	           denied.

2011	      10.  damaged-system.  Hardware on a system was irreparably
2012	           damaged.

2014	      11.  damaged-data.  Data on a system was deleted.

2016	      12.  breach-proprietary.  Sensitive or proprietary information was
2017	           accessed or exfiltrated.

2019	      13.  breach-privacy.  Personally identifiable information was
2020	           accessed or exfiltrated.

2022	      14.  breach-credential.  Credential information was accessed or
2023	           exfiltrated.

2025	      15.  breach-configuration.  System configuration or data inventory
2026	           was access or exfiltrated.

2028	      16.  integrity-data.  Data on the system was modified.

2030	      17.  integrity-configuration.  Application or system configuration
2031	           was modified.

2033	      18.  integrity-hardware.  Firmware of a hardware component was
2034	           modified.

2036	      19.  traffic-redirection.  Network traffic on the system was
2037	           redirected

2039	      20.  monitoring-traffic.  Network traffic emerging from a host or
2040	           enclave was monitored.

2042	      21.  monitoring-host.  System activity (e.g., running processes,
2043	           keystrokes) were monitored.

2045	      22.  policy.  Activity violated the system owner's acceptable use
2046	           policy.

2048	      23.  unknown.  The impact is unknown.

2050	      24.  ext-value.  A value used to indicate that this attribute is
2051	           extended and the actual value is provided using the
2052	           corresponding ext-* attribute.  See Section 5.1.1.

2054	   ext-type
2055	      Optional.  STRING.  A means by which to extend the type attribute.
2056	      See Section 5.1.1.

2058	3.12.2.  BusinessImpact Class

2060	   The BusinessImpact class describes and characterizes the degree to
2061	   which the function of the organization was impacted by the Incident.

2063	   +-------------------------+
2064	   | BusinessImpact          |
2065	   +-------------------------+
2066	   | ENUM severity           |<>--{0..*}--[ Description ]
2067	   | STRING ext-severity     |
2068	   | ENUM type               |
2069	   | STRING ext-type         |
2070	   +-------------------------+

2072	                      Figure 23: BusinessImpact Class

2074	   The aggregate class of the BusinessImpact class is:

2076	   Description
2077	      Zero or more.  ML_STRING.  A free-form text description of the
2078	      impact to the organization.

2080	   The attributes of the BusinessImpact class are:

2082	   severity
2083	      Optional.  ENUM.  Characterizes the severity of the incident on
2084	      business functions.  The permitted values are shown below.  They
2085	      were derived from Table 3-2 of [NIST800.61rev2].  The default
2086	      value is "unknown".  These values are maintained in the
2087	      "BusinessImpact-severity" IANA registry per Section 10.2.

2089	      1.  none.  No effect to the organization's ability to provide all
2090	          services to all users.

2092	      2.  low.  Minimal effect as the organization can still provide all
2093	          critical services to all users but has lost efficiency.

2095	      3.  medium.  The organization has lost the ability to provide a
2096	          critical service to a subset of system users.

2098	      4.  high.  The organization is no longer able to provide some
2099	          critical services to any users.

2101	      5.  unknown.  The impact is not known.

2103	      6.  ext-value.  A value used to indicate that this attribute is
2104	          extended and the actual value is provided using the
2105	          corresponding ext-* attribute.  See Section 5.1.1.

2107	   ext-severity
2108	      Optional.  STRING.  A means by which to extend the severity
2109	      attribute.  See Section 5.1.1.

2111	   type
2112	      Required.  ENUM.  Characterizes the effect this incident had on
2113	      the business.  The permitted values are shown below.  The default
2114	      value is "unknown".  These values are maintained in the
2115	      "BusinessImpact-type" IANA registry per Section 10.2.

2117	      1.   breach-proprietary.  Sensitive or proprietary information was
2118	           accessed or exfiltrated.

2120	      2.   breach-privacy.  Personally identifiable information was
2121	           accessed or exfiltrated.

2123	      3.   breach-credential.  Credential information was accessed or
2124	           exfiltrated.

2126	      4.   loss-of-integrity.  Sensitive or proprietary information was
2127	           changed or deleted.

2129	      5.   loss-of-service.  Service delivery was disrupted.

2131	      6.   theft-financial.  Money was stolen.

2133	      7.   theft-service.  Services were misappropriated.

2135	      8.   degraded-reputation.  The reputation of the organization's
2136	           brand was diminished.

2138	      9.   asset-damage.  A cyber-physical system was damaged.

2140	      10.  asset-manipulation.  A cyber-physical system was manipulated.

2142	      11.  legal.  The incident resulted in legal or regulatory action.

2144	      12.  extortion.  The incident resulted in actors extorting the
2145	           victim organization.

2147	      13.  unknown.  The impact is unknown.

2149	      14.  ext-value.  A value used to indicate that this attribute is
2150	           extended and the actual value is provided using the
2151	           corresponding ext-* attribute.  See Section 5.1.1.

2153	   ext-type
2154	      Optional.  STRING.  A means by which to extend the type attribute.
2155	      See Section 5.1.1.

2157	3.12.3.  TimeImpact Class

2159	   The TimeImpact class describes the impact of the incident on an
2160	   organization as a function of time.  It provides a way to convey down
2161	   time and recovery time.

2163	   +---------------------+
2164	   | TimeImpact          |
2165	   +---------------------+
2166	   | REAL                |
2167	   |                     |
2168	   | ENUM severity       |
2169	   | ENUM metric         |
2170	   | STRING ext-metric   |
2171	   | ENUM duration       |
2172	   | STRING ext-duration |
2173	   +---------------------+

2175	                        Figure 24: TimeImpact Class

2177	   The content of the class is of type REAL and specifies an amount of
2178	   time.  The duration attribute provides units for this content; and
2179	   the metric attribute explains what this content is measuring.

2181	   The attributes of the TimeImpact class are:

2183	   severity
2184	      Optional.  ENUM.  An estimate of the relative severity of the
2185	      activity.  The permitted values are shown below.  There is no
2186	      default value.

2188	      1.  low.  Low severity

2190	      2.  medium.  Medium severity

2192	      3.  high.  High severity

2194	   metric
2195	      Required.  ENUM.  Defines the meaning of the value in the element
2196	      content.  These values are maintained in the "TimeImpact-metric"
2197	      IANA registry per Section 10.2.

2199	      1.  labor.  Total staff-time to recovery from the activity (e.g.,
2200	          2 employees working 4 hours each would be 8 hours).

2202	      2.  elapsed.  Elapsed time from the beginning of the recovery to
2203	          its completion (i.e., wall-clock time).

2205	      3.  downtime.  Duration of time for which some provided service(s)
2206	          was not available.

2208	      4.  ext-value.  A value used to indicate that this attribute is
2209	          extended and the actual value is provided using the
2210	          corresponding ext-* attribute.  See Section 5.1.1.

2212	   ext-metric
2213	      Optional.  STRING.  A means by which to extend the metric
2214	      attribute.  See Section 5.1.1.

2216	   duration
2217	      Optional.  ENUM.  Defines the unit of time for the value in the
2218	      element content.  The default value is "hour".  These values are
2219	      maintained in the "TimeImpact-duration" IANA registry per
2220	      Section 10.2.

2222	      1.  second.  The unit of the element content is seconds.

2224	      2.  minute.  The unit of the element content is minutes.

2226	      3.  hour.  The unit of the element content is hours.

2228	      4.  day.  The unit of the element content is days.

2230	      5.  month.  The unit of the element content is months.

2232	      6.  quarter.  The unit of the element content is quarters.

2234	      7.  year.  The unit of the element content is years.

2236	      8.  ext-value.  A value used to indicate that this attribute is
2237	          extended and the actual value is provided using the
2238	          corresponding ext-* attribute.  See Section 5.1.1.

2240	   ext-duration
2241	      Optional.  STRING.  A means by which to extend the duration
2242	      attribute.  See Section 5.1.1.

2244	3.12.4.  MonetaryImpact Class

2246	   The MonetaryImpact class describes the financial impact of the
2247	   activity on an organization.  For example, this impact may consider
2248	   losses due to the cost of the investigation or recovery, diminished
2249	   productivity of the staff, or a tarnished reputation that will affect
2250	   future opportunities.

2252	   +------------------+
2253	   | MonetaryImpact   |
2254	   +------------------+
2255	   | REAL             |
2256	   |                  |
2257	   | ENUM severity    |
2258	   | STRING currency  |
2259	   +------------------+

2261	                      Figure 25: MonetaryImpact Class

2263	   The content of the class is of type REAL and specifies a quantity of
2264	   money.  The currency attribute defines the currently of this value.

2266	   The attributes of the MonetaryImpact class are:

2268	   severity
2269	      Optional.  ENUM.  An estimate of the relative severity of the
2270	      activity.  The permitted values are shown below.  There is no
2271	      default value.

2273	      1.  low.  Low severity

2275	      2.  medium.  Medium severity

2277	      3.  high.  High severity

2279	   currency
2280	      Optional.  STRING.  Defines the currency in which the value in the
2281	      element content is expressed.  The permitted values are defined in
2282	      "Codes for the representation of currencies and funds" of
2283	      [ISO4217].  There is no default value.

2285	3.12.5.  Confidence Class

2287	   The Confidence class represents an estimate of the validity and
2288	   accuracy of data expressed in the document.  This estimate can be
2289	   expressed as a category or a numeric calculation.

2291	   +-------------------+
2292	   | Confidence        |
2293	   +-------------------+
2294	   | REAL              |
2295	   |                   |
2296	   | ENUM rating       |
2297	   | STRING ext-rating |
2298	   +-------------------+

2300	                        Figure 26: Confidence Class

2302	   The content of the class is of type REAL and specifies a numerical
2303	   assessment in the confidence of the data when the value of the rating
2304	   attribute is "numeric".  Otherwise, this element MUST be empty.

2306	   The attributes of the Confidence class are:

2308	   rating
2309	      Required.  ENUM.  A qualitative assessment of confidence.

2311	      1.  low.  Low confidence.

2313	      2.  medium.  Medium confidence.

2315	      3.  high.  High confidence.

2317	      4.  numeric.  The element content contains a number that conveys
2318	          the confidence of the data.  The semantics of this number
2319	          outside the scope of this specification.

2321	      5.  unknown.  The confidence rating value is not known.

2323	      6.  ext-value.  A value used to indicate that this attribute is
2324	          extended and the actual value is provided using the
2325	          corresponding ext-* attribute.  See Section 5.1.1.

2327	   ext-rating
2328	      Optional.  STRING.  A means by which to extend the rating
2329	      attribute.  See Section 5.1.1.

2331	3.13.  History Class

2333	   The History class is a log of the significant events or actions
2334	   performed by the involved parties during the course of handling the
2335	   incident.

2337	   The level of detail maintained in this log is left up to the
2338	   discretion of those handling the incident.

2340	   +------------------------+
2341	   | History                |
2342	   +------------------------+
2343	   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
2344	   | STRING ext-restriction |
2345	   +------------------------+

2347	                       Figure 27: The History Class

2349	   The aggregate classes of the History class are:

2351	   HistoryItem
2352	      One or more.  An entry in the history log of significant events or
2353	      actions performed by the involved parties.  See Section 3.13.1.

2355	   The attributes of the History class are:

2357	   restriction
2358	      Optional.  ENUM.  See Section 3.3.1.

2360	   ext-restriction
2361	      Optional.  STRING.  A means by which to extend the restriction
2362	      attribute.  See Section 5.1.1.

2364	3.13.1.  HistoryItem Class

2366	   The HistoryItem class is an entry in the History (Section 3.13) log
2367	   that documents a particular action or event that occurred in the
2368	   course of handling the incident.  The details of the entry are a
2369	   free-form text description, but each can be categorized with the type
2370	   attribute.

2372	   +-------------------------+
2373	   | HistoryItem             |
2374	   +-------------------------+
2375	   | ENUM action             |<>----------[ DateTime       ]
2376	   | STRING ext-action       |<>--{0..1}--[ IncidentID     ]
2377	   | ENUM restriction        |<>--{0..1}--[ Contact        ]
2378	   | STRING ext-restriction  |<>--{0..*}--[ Description    ]
2379	   | ID observable-id        |<>--{0..*}--[ DefinedCOA     ]
2380	   |                         |<>--{0..*}--[ AdditionalData ]
2381	   +-------------------------+

2383	                       Figure 28: HistoryItem Class

2385	   The aggregate classes of the HistoryItem class are:

2387	   DateTime
2388	      One.  DATETIME.  A timestamp of this entry in the history log.

2390	   IncidentID
2391	      Zero or One.  In a history log created by multiple parties, the
2392	      IncidentID provides a mechanism to specify which CSIRT created a
2393	      particular entry and references this organization's tracking
2394	      number.  When a single organization is maintaining the log, this
2395	      class can be ignored.  See Section 3.4.

2397	   Contact
2398	      Zero or One.  Provides contact information for the entity that
2399	      performed the action documented in this class.  See Section 3.9.

2401	   Description
2402	      Zero or more.  ML_STRING.  A free-form text description of the
2403	      action or event.

2405	   DefinedCOA
2406	      Zero or more.  STRING.  An identifier meaningful to the sender and
2407	      recipient of this document that references a course of action.
2408	      This class MUST be present if the action attribute is set to
2409	      "defined-coa".

2411	   AdditionalData
2412	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
2413	      model.

2415	   The attributes of the HistoryItem class are:

2417	   action
2418	      Required.  ENUM.  Classifies a performed action or occurrence
2419	      documented in this history log entry.  As activity will likely
2420	      have been instigated either through a previously conveyed
2421	      expectation or internal investigation.  This attribute is
2422	      identical to the action attribute of the Expectation class.  The
2423	      difference is only one of tense.  When an action is in this class,
2424	      it has been completed.  See Section 3.15.

2426	   ext-action
2427	      Optional.  STRING.  A means by which to extend the action
2428	      attribute.  See Section 5.1.1.

2430	   restriction
2431	      Optional.  ENUM.  See Section 3.3.1.

2433	   ext-restriction
2434	      Optional.  STRING.  A means by which to extend the restriction
2435	      attribute.  See Section 5.1.1.

2437	   observable-id
2438	      Optional.  ID.  See Section 3.3.2.

2440	3.14.  EventData Class

2442	   The EventData class is a container class to organize data about
2443	   events that occurred during an incident.

2445	   +-------------------------+
2446	   | EventData               |
2447	   +-------------------------+
2448	   | ENUM restriction        |<>--{0..*}--[ Description    ]
2449	   | STRING ext-restriction  |<>--{0..1}--[ DetectTime     ]
2450	   | ID observable-id        |<>--{0..1}--[ StartTime      ]
2451	   |                         |<>--{0..1}--[ EndTime        ]
2452	   |                         |<>--{0..1}--[ RecoveryTime   ]
2453	   |                         |<>--{0..1}--[ ReportTime     ]
2454	   |                         |<>--{0..*}--[ Contact        ]
2455	   |                         |<>--{0..*}--[ Discovery      ]
2456	   |                         |<>--{0..1}--[ Assessment     ]
2457	   |                         |<>--{0..*}--[ Method         ]
2458	   |                         |<>--{0..*}--[ Flow           ]
2459	   |                         |<>--{0..*}--[ Expectation    ]
2460	   |                         |<>--{0..1}--[ Record         ]
2461	   |                         |<>--{0..*}--[ EventData      ]
2462	   |                         |<>--{0..*}--[ AdditionalData ]
2463	   +-------------------------+

2465	                      Figure 29: The EventData Class

2467	   The aggregate classes of the EventData class are:

2469	   Description
2470	      Zero or more.  ML_STRING.  A free-form text description of the
2471	      event.

2473	   DetectTime
2474	      Zero or one.  DATETIME.  The time the event was detected.

2476	   StartTime
2477	      Zero or one.  DATETIME.  The time the event started.

2479	   EndTime
2480	      Zero or one.  DATETIME.  The time the event ended.

2482	   RecoveryTime
2483	      Zero or one.  DATETIME.  The time the site recovered from the
2484	      event.

2486	   ReportTime
2487	      One.  DATETIME.  The time the event was reported.

2489	   Contact
2490	      Zero or more.  Contact information for the parties involved in the
2491	      event.  See Section 3.9.

2493	   Discovery
2494	      Zero or more.  The means by which the event was detected.  See
2495	      Section 3.10.

2497	   Assessment
2498	      Zero or one.  The impact of the event on the victim and the
2499	      actions taken.  See Section 3.12.

2501	   Method
2502	      Zero or more.  The technique used by the threat actor in the
2503	      event.  See Section 3.11.

2505	   Flow
2506	      Zero or more.  A description of the systems or networks involved.
2507	      See Section 3.16.

2509	   Expectation
2510	      Zero or more.  The expected action to be performed by the
2511	      recipient for the described event.  See Section 3.15.

2513	   Record
2514	      Zero or one.  Supportive data (e.g., log files) that provides
2515	      additional information about the event.  See Section 3.22.

2517	   EventData
2518	      Zero or more.  A recursive definition of the EventData class.  See
2519	      Section 3.14.2 for an explanation on using this class.

2521	   AdditionalData
2522	      Zero or more.  EXTENSION.  An extension mechanism for data not
2523	      explicitly represented in the data model.

2525	   At least one of the aggregate classes MUST be present in an instance
2526	   of the EventData class.

2528	   The attributes of the EventData class are:

2530	   restriction
2531	      Optional.  ENUM.  See Section 3.3.1.  The default value is
2532	      "default".

2534	   ext-restriction
2535	      Optional.  STRING.  A means by which to extend the restriction
2536	      attribute.  See Section 5.1.1.

2538	   observable-id
2539	      Optional.  ID.  See Section 3.3.2.

2541	3.14.1.  Relating the Incident and EventData Classes

2543	   There is substantial overlap in the child classes aggregated in the
2544	   Incident and EventData classes.  Nevertheless, the semantics of these
2545	   classes are quite different.  The Incident class provides summary
2546	   information about the entire incident, while the EventData class
2547	   provides information about the individual events comprising the
2548	   incident.  In the common case, the EventData class will provide more
2549	   specific information for the general description provided in the
2550	   Incident class.  However, in the case where the summarized
2551	   information in the Incident class conflicts the detailed information
2552	   in an EventData class the more specific EventData class MUST
2553	   supersede the more generic information provided in Incident class.

2555	3.14.2.  Recursive Definition of EventData

2557	   The EventData class is container for the properties of an event in an
2558	   incident.  These properties include: the hosts involved, impact of
2559	   the incident activity on the hosts, forensic logs, etc.  The
2560	   recursive definition of EvenData allows for the grouping of related
2561	   information with common properties.  This approach eliminates the
2562	   need for explicit identifiers to relate information or duplicate it.
2563	   Instead, the relative depth (nesting) of a class is used to group
2564	   (relate) information.

2566	   For example, consider a case where two hosts experience different
2567	   impacts during an incident.  However, these two hosts have common
2568	   contact information.  A depiction of how this situation would be
2569	   represented can be found in Figure 30.  EventData (2) and (3) group
2570	   each of the two hosts with their unique impact.  EventData (1)
2571	   describes the common Contact class these two hosts share.

2573	   +------------------+
2574	   | EventData (1)    |
2575	   +------------------+
2576	   |                  |<>----[ Contact    ]
2577	   |                  |
2578	   |                  |<>----[ EventData (2) ]<>----[ Flow       ]
2579	   |                  |      [               ]<>----[ Assessment ]
2580	   |                  |
2581	   |                  |<>----[ EventData (3) ]<>----[ Flow       ]
2582	   |                  |      [               ]<>----[ Assessment ]
2583	   +------------------+

2585	                Figure 30: Recursion in the EventData Class

2587	3.15.  Expectation Class

2589	   The Expectation class conveys to the recipient of the IODEF document
2590	   the actions the sender is requesting.

2592	   +-------------------------+
2593	   | Expectation             |
2594	   +-------------------------+
2595	   | ENUM action             |<>--{0..*}--[ Description ]
2596	   | STRING ext-action       |<>--{0..*}--[ DefinedCOA  ]
2597	   | ENUM severity           |<>--{0..1}--[ StartTime   ]
2598	   | ENUM restriction        |<>--{0..1}--[ EndTime     ]
2599	   | STRING ext-restriction  |<>--{0..1}--[ Contact     ]
2600	   | ID observable-id        |
2601	   +-------------------------+

2603	                     Figure 31: The Expectation Class

2605	   The aggregate classes of the Expectation class are:

2607	   Description
2608	      Zero or more.  ML_STRING.  A free-form text description of the
2609	      desired action(s).

2611	   DefinedCOA
2612	      Zero or more.  STRING.  A unique identifier meaningful to the
2613	      sender and recipient of this document that references a course of
2614	      action.  This class MUST be present if the action attribute is set
2615	      to "defined-coa".

2617	   StartTime
2618	      Zero or one.  DATETIME.  The time at which the sender would like
2619	      the action performed.  A timestamp that is earlier than the
2620	      ReportTime specified in the Incident class denotes that the sender
2621	      would like the action performed as soon as possible.  The absence
2622	      of this element indicates no expectations of when the recipient
2623	      would like the action performed.

2625	   EndTime
2626	      Zero or one.  DATETIME.  The time by which the sender expects the
2627	      recipient to complete the action.  If the recipient cannot
2628	      complete the action before EndTime, the recipient MUST NOT carry
2629	      out the action.  Because of transit delays and clock drift the
2630	      sender MUST be prepared for the recipient to have carried out the
2631	      action, even if it completes past EndTime.

2633	   Contact
2634	      Zero or one.  The entity expected to perform the action.  See
2635	      Section 3.9.

2637	   The attributes of the Expectation class are:

2639	   action
2640	      Optional.  ENUM.  Classifies the type of action requested.  The
2641	      default value of "other".  These values are maintained in the
2642	      "Expectation-action" IANA registry per Section 10.2.

2644	      1.   nothing.  No action is requested.  Do nothing with the
2645	           information.

2647	      2.   contact-source-site.  Contact the site(s) identified as the
2648	           source of the activity.

2650	      3.   contact-target-site.  Contact the site(s) identified as the
2651	           target of the activity.

2653	      4.   contact-sender.  Contact the originator of the document.

2655	      5.   investigate.  Investigate the systems(s) listed in the event.

2657	      6.   block-host.  Block traffic from the machine(s) listed as
2658	           sources the event.

2660	      7.   block-network.  Block traffic from the network(s) lists as
2661	           sources in the event.

2663	      8.   block-port.  Block the port listed as sources in the event.

2665	      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
2666	           listed as sources in the event.

2668	      10.  rate-limit-network.  Rate-limit the traffic from the
2669	           network(s) lists as sources in the event.

2671	      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
2672	           the event.

2674	      12.  redirect-traffic.  Redirect traffic from the intended
2675	           recipient for further analysis.

2677	      13.  honeypot.  Redirect traffic from systems listed in the event
2678	           to a honeypot for further analysis.

2680	      14.  upgrade-software.  Upgrade or patch the software or firmware
2681	           on an asset listed in the event.

2683	      15.  rebuild-asset.  Reinstall the operating system or
2684	           applications on an asset listed in the event.

2686	      16.  harden-asset.  Change the configuration an asset listed in
2687	           the event to reduce the attack surface.

2689	      17.  remediate-other.  Remediate the activity in a way other than
2690	           by rate limiting or blocking.

2692	      18.  status-triage.  Confirm receipt and begin triaging the
2693	           incident.

2695	      19.  status-new-info.  Notify the sender when new information is
2696	           received for this incident.

2698	      20.  watch-and-report.  Watch for the described activity or
2699	           indicators; and notify the sender when seen.

2701	      21.  training.  Train user to identify or mitigate the described
2702	           threat.

2704	      22.  defined-coa.  Perform a predefined course of action (COA).
2705	           The COA is named in the DefinedCOA class.

2707	      23.  other.  Perform a custom action described in the Description
2708	           class.

2710	      24.  ext-value.  A value used to indicate that this attribute is
2711	           extended and the actual value is provided using the
2712	           corresponding ext-* attribute.  See Section 5.1.1.

2714	   ext-action
2715	      Optional.  STRING.  A means by which to extend the action
2716	      attribute.  See Section 5.1.1.

2718	   severity
2719	      Optional.  ENUM.  Indicates the desired priority of the action.
2720	      This attribute is an enumerated list with no default value, and
2721	      the semantics of these relative measures are context dependent.

2723	      1.  low.  Low priority

2725	      2.  medium.  Medium priority

2727	      3.  high.  High priority

2729	   restriction
2730	      Optional.  ENUM.  See Section 3.3.1.  The default value is
2731	      "default".

2733	   ext-restriction
2734	      Optional.  STRING.  A means by which to extend the restriction
2735	      attribute.  See Section 5.1.1.

2737	   observable-id
2738	      Optional.  ID.  See Section 3.3.2.

2740	3.16.  Flow Class

2742	   The Flow class describes the systems and networks involved in the
2743	   incident; and the relationships between them.

2745	   +------------------+
2746	   | Flow             |
2747	   +------------------+
2748	   |                  |<>--{1..*}--[ System   ]
2749	   +------------------+

2751	                         Figure 32: The Flow Class

2753	   The aggregate class of the Flow class is:

2755	   System
2756	      One or More.  A host or network involved in an event.  See
2757	      Section 3.17.

2759	   The Flow class has no attributes.

2761	3.17.  System Class

2763	   The System class describes a system or network involved in an event.

2765	   +------------------------+
2766	   | System                 |
2767	   +------------------------+
2768	   | ENUM category          |<>----------[ Node            ]
2769	   | STRING ext-category    |<>--{0..*}--[ NodeRole        ]
2770	   | STRING interface       |<>--{0..*}--[ Service         ]
2771	   | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
2772	   | ENUM virtual           |<>--{0..*}--[ Counter         ]
2773	   | ENUM ownership         |<>--{0..*}--[ AssetID         ]
2774	   | STRING ext-ownership   |<>--{0..*}--[ Description     ]
2775	   | ENUM restriction       |<>--{0..*}--[ AdditionalData  ]
2776	   | STRING ext-restriction |
2777	   +------------------------+

2779	                        Figure 33: The System Class

2781	   The aggregate classes of the System class are:

2783	   Node
2784	      One.  A host or network involved in the incident.  See
2785	      Section 3.18.

2787	   NodeRole
2788	      Zero or more.  The intended purpose of the system.  See
2789	      Section 3.18.2.

2791	   Service
2792	      Zero or more.  A network service running on the system.  See
2793	      Section 3.20.

2795	   OperatingSystem
2796	      Zero or more.  SOFTWARE.  The operating system running on the
2797	      system.

2799	   Counter
2800	      Zero or more.  A counter with which to summarize properties of
2801	      this host or network.  See Section 3.18.3.

2803	   AssetID
2804	      Zero or more.  STRING.  An asset identifier for the System.

2806	   Description
2807	      Zero or more.  ML_STRING.  A free-form text description of the
2808	      System.

2810	   AdditionalData
2811	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
2812	      model.

2814	   The attributes of the System class are:

2816	   category
2817	      Optional.  ENUM.  Classifies the role the host or network played
2818	      in the incident.  These values are maintained in the "System-
2819	      category" IANA registry per Section 10.2.

2821	      1.  source.  The System was the source of the event.

2823	      2.  target.  The System was the target of the event.

2825	      3.  intermediate.  The System was an intermediary in the event.

2827	      4.  sensor.  The System was a sensor monitoring the event.

2829	      5.  infrastructure.  The System was an infrastructure node of
2830	          IODEF document exchange.

2832	      6.  ext-value.  A value used to indicate that this attribute is
2833	          extended and the actual value is provided using the
2834	          corresponding ext-* attribute.  See Section 5.1.1.

2836	   ext-category
2837	      Optional.  STRING.  A means by which to extend the category
2838	      attribute.  See Section 5.1.1.

2840	   interface
2841	      Optional.  STRING.  Specifies the interface on which the event(s)
2842	      on this System originated.  If the Node class specifies a network
2843	      rather than a host, this attribute has no meaning.

2845	   spoofed
2846	      Optional.  ENUM.  An indication of confidence in whether this
2847	      System was the true target or attacking host.  The permitted
2848	      values for this attribute are shown below.  The default value is
2849	      "unknown".

2851	      1.  unknown.  The accuracy of the category attribute value is
2852	          unknown.

2854	      2.  yes.  The category attribute value is likely incorrect.  In
2855	          the case of a source, the System is likely a decoy; with a
2856	          target, the System was likely not the intended victim.

2858	      3.  no.  The category attribute value is believed to be correct.

2860	   virtual
2861	      Optional.  ENUM.  Indicates whether this System is a virtual or
2862	      physical device.  The default value is "unknown".

2864	      1.  yes.  The System is a virtual device.

2866	      2.  no.  The System is a physical device.

2868	      3.  unknown.  It is not known if the System is virtual.

2870	   ownership
2871	      Optional.  ENUM.  Describes the ownership of this System relative
2872	      to the victim in the incident.  These values are maintained in the
2873	      "System-ownership" IANA registry per Section 10.2.

2875	      1.  organization.  Corporate or enterprise-owned.

2877	      2.  personal.  Personally-owned by an employee or affiliate of the
2878	          corporation or enterprise.

2880	      3.  partner.  Owned by a partner of the corporation or enterprise.

2882	      4.  customer.  Owned by a customer of the corporation or
2883	          enterprise.

2885	      5.  no-relationship.  Owned by an entity that has no known
2886	          relationship with victim organization.

2888	      6.  unknown.  Ownership is unknown.

2890	      7.  ext-value.  A value used to indicate that this attribute is
2891	          extended and the actual value is provided using the
2892	          corresponding ext-* attribute.  See Section 5.1.1.

2894	   ext-ownership
2895	      Optional.  STRING.  A means by which to extend the ownership
2896	      attribute.  See Section 5.1.1.

2898	   restriction
2899	      Optional.  ENUM.  See Section 3.3.1.

2901	   ext-restriction
2902	      Optional.  STRING.  A means by which to extend the restriction
2903	      attribute.  See Section 5.1.1.

2905	3.18.  Node Class

2907	   The Node class identifies a system, asset or network; and its
2908	   location.

2910	   +---------------+
2911	   | Node          |
2912	   +---------------+
2913	   |               |<>--{0..*}--[ DomainData    ]
2914	   |               |<>--{0..*}--[ Address       ]
2915	   |               |<>--{0..1}--[ PostalAddress ]
2916	   |               |<>--{0..*}--[ Location      ]
2917	   |               |<>--{0..*}--[ Counter       ]
2918	   +---------------+

2920	                         Figure 34: The Node Class

2922	   The aggregate classes of the Node class are:

2924	   DomainData
2925	      Zero or more.  The domain (DNS) information associated with this
2926	      Node.  If an Address is not provided, at least one DomainData MUST
2927	      be specified.  See Section 3.19.

2929	   Address
2930	      Zero or more.  The hardware, network, or application address of
2931	      the Node.  If a DomainData is not provided, at least one Address
2932	      MUST be specified.  See Section 3.18.1.

2934	   PostalAddress
2935	      Zero or one.  POSTAL.  The postal address of the node.

2937	   Location
2938	      Zero or more.  ML_STRING.  A free-form text description of the
2939	      physical location of the Node.  This description may provide a
2940	      more detailed description of where in the PostalAddress this Node
2941	      is found (e.g., room number, rack number, slot number in a
2942	      chassis).

2944	   Counter
2945	      Zero or more.  A counter with which to summarizes properties of
2946	      this host or network.  See Section 3.18.3.

2948	   The Node class has no attributes.

2950	3.18.1.  Address Class

2952	   The Address class represents a hardware (layer-2), network (layer-3),
2953	   or application (layer-7) address.

2955	   +-------------------------+
2956	   | Address                 |
2957	   +-------------------------+
2958	   | STRING                  |
2959	   |                         |
2960	   | ENUM category           |
2961	   | STRING ext-category     |
2962	   | STRING vlan-name        |
2963	   | INTEGER vlan-num        |
2964	   | ID observable-id        |
2965	   +-------------------------+

2967	                       Figure 35: The Address Class

2969	   The content of the class is an address of type STRING whose semantics
2970	   are determined by the category attribute.

2972	   The attributes of the Address class are:

2974	   category
2975	      Required.  ENUM.  The type of address represented.  The default
2976	      value is "ipv6-addr".  These values are maintained in the
2977	      "Address-category" IANA registry per Section 10.2.

2979	      1.   asn.  Autonomous System Number.

2981	      2.   atm.  Asynchronous Transfer Mode (ATM) address.

2983	      3.   e-mail.  Email address (RFC 822).

2985	      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
2986	           (a.b.c.d).

2988	      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
2989	           slash, significant bits (i.e., a.b.c.d/nn).

2991	      6.   ipv4-net-mask.  IPv4 network address in dotted-decimal
2992	           notation, slash, network mask in dotted-decimal notation
2993	           (i.e., a.b.c.d/w.x.y.z).

2995	      7.   ipv6-addr.  IPv6 host address.

2997	      8.   ipv6-net.  IPv6 network address, slash, significant bits.

2999	      9.   ipv6-net-mask.  IPv6 network address, slash, network mask.

3001	      10.  mac.  Media Access Control (MAC) address (i.e., a:b:c:d:e:f).

3003	      11.  site-uri.  A URL or URI for a resource.

3005	      12.  ext-value.  A value used to indicate that this attribute is
3006	           extended and the actual value is provided using the
3007	           corresponding ext-* attribute.  See Section 5.1.1.

3009	   ext-category
3010	      Optional.  STRING.  A means by which to extend the category
3011	      attribute.  See Section 5.1.1.

3013	   vlan-name
3014	      Optional.  STRING.  The name of the Virtual LAN to which the
3015	      address belongs.

3017	   vlan-num
3018	      Optional.  STRING.  The number of the Virtual LAN to which the
3019	      address belongs.

3021	   observable-id
3022	      Optional.  ID.  See Section 3.3.2.

3024	3.18.2.  NodeRole Class

3026	   The NodeRole class describes the function performed by or role of a
3027	   particular system, asset or network.

3029	   +-----------------------+
3030	   | NodeRole              |
3031	   +-----------------------+
3032	   | ENUM category         |<>--{0..*}--[ Description ]
3033	   | STRING ext-category   |
3034	   +-----------------------+

3036	                       Figure 36: The NodeRole Class

3038	   The aggregate class of the NodeRole class is:

3040	   Description
3041	      Zero or more.  ML_STRING.  A free-form text description of the
3042	      role of the system.

3044	   The attributes of the NodeRole class are:

3046	   category
3047	      Required.  ENUM.  Function or role of a node.  These values are
3048	      maintained in the "NodeRole-category" IANA registry per
3049	      Section 10.2.

3051	      1.   client.  Client computer.

3053	      2.   client-enterprise.  Client computer on the enterprise
3054	           network.

3056	      3.   client-partner.  Client computer on network of a partner.

3058	      4.   client-remote.  Client computer remotely connected to the
3059	           enterprise network.

3061	      5.   client-kiosk.  Client computer serving as a kiosk.

3063	      6.   client-mobile.  Mobile device.

3065	      7.   server-internal.  Server with internal services.

3067	      8.   server-public.  Server with public services.

3069	      9.   www.  WWW server.

3071	      10.  mail.  Mail server.

3073	      11.  webmail.  Web mail server.

3075	      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM).

3077	      13.  streaming.  Streaming-media server.

3079	      14.  voice.  Voice server (e.g., SIP, H.323).

3081	      15.  file.  File server.

3083	      16.  ftp.  FTP server.

3085	      17.  p2p.  Peer-to-peer node.

3087	      18.  name.  Name server (e.g., DNS, WINS).

3089	      19.  directory.  Directory server (e.g., LDAP, finger, whois).

3091	      20.  credential.  Credential server (e.g., domain controller,
3092	           Kerberos).

3094	      21.  print.  Print server.

3096	      22.  application.  Application server.

3098	      23.  database.  Database server.

3100	      24.  backup.  Backup server.

3102	      25.  dhcp.  DHCP server.

3104	      26.  assessment.  Assessment server (e.g., vulnerability scanner,
3105	           end-point assessment).

3107	      27.  source-control.  Source code control server.

3109	      28.  config-management.  Configuration management server.

3111	      29.  monitoring.  Security monitoring server (e.g., IDS).

3113	      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP).

3115	      31.  infra-firewall.  Firewall.

3117	      32.  infra-router.  Router.

3119	      33.  infra-switch.  Switch.

3121	      34.  camera.  Camera and video system.

3123	      35.  proxy.  Proxy server.

3125	      36.  remote-access.  Remote access server.

3127	      37.  log.  Log server (e.g., syslog).

3129	      38.  virtualization.  Server running virtual machines.

3131	      39.  pos.  Point-of-sale device.

3133	      40.  scada.  Supervisory control and data acquisition (SCADA)
3134	           system.

3136	      41.  scada-supervisory.  Supervisory system for a SCADA.

3138	      42.  sinkhole.  Traffic sinkhole destination.

3140	      43.  honeypot.  Honeypot server.

3142	      44.  anonymization.  Anonymization server (e.g., Tor node).

3144	      45.  c2-server.  Malicious command and control server.

3146	      46.  malware-distribution.  Server that distributes malware

3148	      47.  drop-server.  Server to which exfiltrated content is
3149	           uploaded.

3151	      48.  hop-point.  Intermediary server used to get to a victim.

3153	      49.  reflector.  A system used in a reflector attack.

3155	      50.  phishing-site.  Site hosting phishing content.

3157	      51.  spear-phishing-site.  Site hosting spear-phishing content.

3159	      52.  recruiting-site.  Site to recruit.

3161	      53.  fraudulent-site.  Fraudulent site.

3163	      54.  ext-value.  A value used to indicate that this attribute is
3164	           extended and the actual value is provided using the
3165	           corresponding ext-* attribute.  See Section 5.1.1.

3167	   ext-category
3168	      Optional.  STRING.  A means by which to extend the category
3169	      attribute.  See Section 5.1.1.

3171	3.18.3.  Counter Class

3173	   The Counter class summarizes multiple occurrences of an event or
3174	   conveys counts or rates of various features.

3176	   The complete semantics of this class are context dependent based on
3177	   the class in which it is aggregated.

3179	   +---------------------+
3180	   | Counter             |
3181	   +---------------------+
3182	   | REAL                |
3183	   |                     |
3184	   | ENUM type           |
3185	   | STRING ext-type     |
3186	   | ENUM unit           |
3187	   | STRING ext-unit     |
3188	   | STRING meaning      |
3189	   | ENUM duration       |
3190	   | STRING ext-duration |
3191	   +---------------------+

3193	                       Figure 37: The Counter Class

3195	   The content of the class is a value of type REAL whose meaning and
3196	   units are determined by the type and duration attributes,
3197	   respectively.  If the duration attribute is present, the element
3198	   content is a rather.  Otherwise, it is a simple counter.

3200	   The attributes of the Counter class are:

3202	   type
3203	      Required.  ENUM.  Specifies the type of counter specified in the
3204	      element content.  These values are maintained in the "Counter-
3205	      type" IANA registry per Section 10.2.

3207	      1.  count.  The Counter class value is a counter.

3209	      2.  peak.  The Counter class value is a peak value.

3211	      3.  average.  The Counter class value is an average.

3213	      4.  ext-value.  A value used to indicate that this attribute is
3214	          extended and the actual value is provided using the
3215	          corresponding ext-* attribute.  See Section 5.1.1.

3217	   ext-type
3218	      Optional.  STRING.  A means by which to extend the type attribute.
3219	      See Section 5.1.1.

3221	   unit
3222	      Required.  ENUM.  Specifies the units of the element content.
3223	      These values are maintained in the "Counter-unit" IANA registry
3224	      per Section 10.2.

3226	      1.   byte.  Bytes transferred.

3228	      2.   mbit.  Megabits (Mbits) transfered.

3230	      3.   packet.  Packets.

3232	      4.   flow.  Network flow records.

3234	      5.   session.  Sessions.

3236	      6.   alert.  Notifications generated by another system (e.g., IDS
3237	           or SIM).

3239	      7.   message.  Messages (e.g., mail messages).

3241	      8.   event.  Events.

3243	      9.   host.  Hosts.

3245	      10.  site.  Site.

3247	      11.  organization.  Organizations.

3249	      12.  ext-value.  A value used to indicate that this attribute is
3250	           extended and the actual value is provided using the
3251	           corresponding ext-* attribute.  See Section 5.1.1.

3253	   ext-unit
3254	      Optional.  STRING.  A means by which to extend the unit attribute.
3255	      See Section 5.1.1.

3257	   meaning
3258	      Optional.  STRING.  A free-form text description of the metric
3259	      represented by the Counter.

3261	   duration
3262	      Optional.  ENUM.  If present, the Counter class represents a rate.
3263	      This attribute specifies unit of time over which the rate whose
3264	      units are specified in the unit attribute is being conveyed.  This
3265	      attribute is the the denominator of the rate (where the unit
3266	      attribute specified the nominator).  The possible values of this
3267	      attribute are defined in the duration attribute of Section 3.12.3

3269	   ext-duration
3270	      Optional.  STRING.  A means by which to extend the duration
3271	      attribute.  See Section 5.1.1.

3273	3.19.  DomainData Class

3275	   The DomainData class describes a domain name and meta-data associated
3276	   with this domain.

3278	   +--------------------------+
3279	   | DomainData               |
3280	   +--------------------------+
3281	   | ENUM system-status       |<>----------[ Name                 ]
3282	   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
3283	   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate     ]
3284	   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate       ]
3285	   | ID observable-id         |<>--{0..*}--[ RelatedDNS           ]
3286	   |                          |<>--{0..*}--[ Nameservers          ]
3287	   |                          |<>--{0..1}--[ DomainContacts       ]
3288	   +--------------------------+

3290	                      Figure 38: The DomainData Class

3292	   The aggregate classes of the DomainData class are:

3294	   Name
3295	      One.  STRING.  The domain name of a system.

3297	   DateDomainWasChecked
3298	      Zero or one.  DATETIME.  A timestamp of when the domain listed in
3299	      the Name class was resolved.

3301	   RegistrationDate
3302	      Zero or one.  DATETIME.  A timestamp of when domain listed in Name
3303	      class was registered.

3305	   ExpirationDate
3306	      Zero or one.  DATETIME.  A timestamp of when the domain listed in
3307	      Name class is set to expire.

3309	   RelatedDNS
3310	      Zero or more.  EXTENSION.  Additional DNS records associated with
3311	      this domain.

3313	   Nameservers
3314	      Zero or more.  The name servers identified for the domain listed
3315	      in Name class.  See Section 3.19.1.

3317	   DomainContacts
3318	      Zero or one.  Contact information for the domain listed in Name
3319	      class supplied by the registrar or through a whois query.

3321	   The attributes of the DomainData class are:

3323	   system-status
3324	      Required.  ENUM.  Assesses the domain's involvement in the event.
3325	      These values are maintained in the "DomainData-system-status" IANA
3326	      registry per Section 10.2.

3328	      1.  spoofed.  This domain was spoofed.

3330	      2.  fraudulent.  This domain was operated with fraudulent
3331	          intentions.

3333	      3.  innocent-hacked.  This domain was compromised by a third
3334	          party.

3336	      4.  innocent-hijacked.  This domain was deliberately hijacked.

3338	      5.  unknown.  No categorization for this domain known.

3340	      6.  ext-value.  A value used to indicate that this attribute is
3341	          extended and the actual value is provided using the
3342	          corresponding ext-* attribute.  See Section 5.1.1.

3344	   ext-system-status
3345	      Optional.  STRING.  A means by which to extend the system-status
3346	      attribute.  See Section 5.1.1.

3348	   domain-status
3349	      Required.  ENUM.  Categorizes the registry status of the domain at
3350	      the time the document was generated.  These values and their
3351	      associated descriptions are derived from Section 3.2.2 of
3352	      [RFC3982].  These values are maintained in the "DomainData-domain-
3353	      status" IANA registry per Section 10.2.

3355	      1.   reservedDelegation.  The domain is permanently inactive.

3357	      2.   assignedAndActive.  The domain is in a normal state.

3359	      3.   assignedAndInactive.  The domain has an assigned registration
3360	           but the delegation is inactive.

3362	      4.   assignedAndOnHold.  The domain is in dispute.

3364	      5.   revoked.  The domain is in the process of being purged from
3365	           the database.

3367	      6.   transferPending.  The domain is pending a change in
3368	           authority.

3370	      7.   registryLock.  The domain is on hold by the registry.

3372	      8.   registrarLock.  Same as "registryLock".

3374	      9.   other.  The domain has a known status but it is not one of
3375	           the redefined enumerated values.

3377	      10.  unknown.  The domain has an unknown status.

3379	      11.  ext-value.  A value used to indicate that this attribute is
3380	           extended and the actual value is provided using the
3381	           corresponding ext-* attribute.  See Section 5.1.1.

3383	   ext-domain-status
3384	      Optional.  STRING.  A means by which to extend the domain-status
3385	      attribute.  See Section 5.1.1.

3387	   observable-id
3388	      Optional.  ID.  See Section 3.3.2.

3390	3.19.1.  Nameservers Class

3392	   The Nameservers class describes the name servers associated with a
3393	   given domain.

3395	   +--------------------+
3396	   | Nameservers        |
3397	   +--------------------+
3398	   |                    |<>----------[ Server  ]
3399	   |                    |<>--{1..*}--[ Address ]
3400	   +--------------------+

3402	                     Figure 39: The Nameservers Class

3404	   The aggregate classes of the Nameservers class are:

3406	   Server
3407	      One.  STRING.  The domain name of the name server.

3409	   Address
3410	      One or more.  The address of the name server.  The value of the
3411	      category attribute MUST be either "ipv4-addr" or "ipv6-addr".  See
3412	      Section 3.18.1.

3414	   The Nameservers class has no attributes.

3416	3.19.2.  DomainContacts Class

3418	   The DomainContacts class describes the contact information for a
3419	   given domain provided either by the registrar or through a whois
3420	   query.

3422	   This contact information can be explicitly described through a
3423	   Contact class or a reference can be provided to a domain with
3424	   identical contact information.  Either a single SameDomainContact
3425	   MUST be present or one or more Contact classes.

3427	   +--------------------+
3428	   | DomainContacts     |
3429	   +--------------------+
3430	   |                    |<>--{0..1}--[ SameDomainContact ]
3431	   |                    |<>--{1..*}--[ Contact ]
3432	   +--------------------+

3434	                    Figure 40: The DomainContacts Class

3436	   The aggregate classes of the DomainContacts class are:

3438	   SameDomainContact
3439	      Zero or one.  STRING.  A domain name already cited in this
3440	      document or through previous exchange that contains the identical
3441	      contact information as the domain name in question.  The domain
3442	      contact information associated with this domain should be used
3443	      instead of an explicit definition with the Contact class.

3445	   Contact
3446	      One or more.  Contact information for the domain.  See
3447	      Section 3.9.

3449	   The DomainContacts class has no attributes.

3451	3.20.  Service Class

3453	   The Service class describes a network service.  The service is
3454	   described by protocol, port, protocol header field and application
3455	   providing or using the service.

3457	   +-------------------------+
3458	   | Service                 |
3459	   +-------------------------+
3460	   | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName       ]
3461	   | ID observable-id        |<>--{0..1}--[ Port              ]
3462	   |                         |<>--{0..1}--[ Portlist          ]
3463	   |                         |<>--{0..1}--[ ProtoCode         ]
3464	   |                         |<>--{0..1}--[ ProtoType         ]
3465	   |                         |<>--{0..1}--[ ProtoField        ]
3466	   |                         |<>--{0..1}--[ ApplicationHeader ]
3467	   |                         |<>--{0..1}--[ EmailData         ]
3468	   |                         |<>--{0..1}--[ Application       ]
3469	   +-------------------------+

3471	                       Figure 41: The Service Class

3473	   The aggregate classes of the Service class are:

3475	   ServiceName
3476	      Zero or one.  A protocol name.

3478	   Port
3479	      Zero or one.  INTEGER.  A port number.

3481	   Portlist
3482	      Zero or one.  PORTLIST.  A list of port numbers.

3484	   ProtoCode
3485	      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
3486	      specific code field (e.g., ICMP code field).

3488	   ProtoType
3489	      Zero or one.  INTEGER.  A transport layer (layer 4) protocol
3490	      specific type field (e.g., ICMP type field).

3492	   ProtoField
3493	      Zero or one.  INTEGER.  A transport layer (layer 4) protocol
3494	      specific flag field (e.g., TCP flag field).

3496	   ApplicationHeader
3497	      Zero or one.  A protocol header.  See Section 3.20.2.

3499	   EmailData
3500	      Zero or one.  Headers associated with an email message.  See
3501	      Section 3.21.

3503	   Application
3504	      Zero or one.  SOFTWARE.  The application acting as either the
3505	      client or server for the service.

3507	   Either a Port or Portlist class MUST be specified for a given
3508	   instance of a Service class.

3510	   When a given System classes with category="source" and another with
3511	   category="target" are aggregated into a single Flow class, and each
3512	   of these System classes has a Service and Portlist class, an implicit
3513	   relationship between these Portlists exists.  If N ports are listed
3514	   for a System@category="source", and M ports are listed for
3515	   System@category="target", the number of ports in N must be equal to
3516	   M.  Likewise, the ports MUST be listed in an identical sequence such
3517	   that the n-th port in the source corresponds to the n-th port of the
3518	   target.  If N is greater than 1, a given instance of a Flow class
3519	   MUST only have a single instance of a System@category="source" and
3520	   System@category="target".

3522	   The attributes of the Service class are:

3524	   ip-protocol
3525	      Required.  INTEGER.  The IANA assigned IP protocol number per
3526	      [IANA.Protocols].

3528	   observable-id
3529	      Optional.  ID.  See Section 3.3.2.

3531	3.20.1.  ServiceName Class

3533	   The ServiceName class identifies an application protocol.  It can be
3534	   described by referencing an IANA registered protocol, a URL or with
3535	   free-form text.

3537	   +--------------------+
3538	   | ServiceName        |
3539	   +--------------------+
3540	   |                    |<>--{0..1}--[ IANAService       ]
3541	   |                    |<>--{0..*}--[ URL               ]
3542	   |                    |<>--{0..*}--[ Description       ]
3543	   +--------------------+

3545	                     Figure 42: The ServiceName Class

3547	   The aggregate classes of the ServiceName class are:

3549	   IANAService
3550	      Zero or one.  STRING.  The name of the service per the "Service
3551	      Name" field of the [IANA.Ports] registry.

3553	   URL
3554	      Zero or more.  URL.  A URL to a resource describing the service.

3556	   Description
3557	      Zero or more.  ML_STRING.  A free-form text description of the
3558	      service.

3560	   At least one of these classes MUST be present.

3562	   The ServiceName class has no attributes.

3564	3.20.2.  ApplicationHeader Class

3566	   The ApplicationHeader class describes arbitrary fields from a
3567	   protocol header and its corresponding value.

3569	   +--------------------------+
3570	   | ApplicationHeader        |
3571	   +--------------------------+
3572	   |                          |<>--{1..*}--[ ApplicationHeaderField ]
3573	   +--------------------------+

3575	                  Figure 43: The ApplicationHeader Class

3577	   The aggregate class of the ApplicationHeader class is:

3579	   ApplicationHeaderField
3580	      One or more.  EXTENSION.  A field name and value in a protocol
3581	      header.  The 'name' attribute MUST be set to the field name.  The
3582	      field value MUST be set in the element content.

3584	   The ApplicationHeader class has no attributes.

3586	3.21.  EmailData Class

3588	   The EmailData class describes headers from an email message and
3589	   cryptographic hash and signatures applied to it.

3591	   +-------------------------+
3592	   | EmailData               |
3593	   +-------------------------+
3594	   | ID observable-id        |<>--{0..*}--[ EmailTo          ]
3595	   |                         |<>--{0..1}--[ EmailFrom        ]
3596	   |                         |<>--{0..1}--[ EmailSubject     ]
3597	   |                         |<>--{0..1}--[ EmailX-Mailer    ]
3598	   |                         |<>--{0..*}--[ EmailHeaderField ]
3599	   |                         |<>--{0..1}--[ EmailHeaders     ]
3600	   |                         |<>--{0..1}--[ EmailBody        ]
3601	   |                         |<>--{0..1}--[ EmailMessage     ]
3602	   |                         |<>--{0..*}--[ HashData         ]
3603	   |                         |<>--{0..*}--[ SignatureData    ]
3604	   +-------------------------+

3606	                        Figure 44: EmailData Class

3608	   The aggregate classes of the EmailData class are:

3610	   EmailTo
3611	      Zero or more.  EMAIL.  The value of the "To:" header field
3612	      (Section 3.6.3 of [RFC5322]) in an email.

3614	   EmailFrom
3615	      Zero or one.  EMAIL.  The value of the "From:" header field
3616	      (Section 3.6.2 of [RFC5322]) in an email.

3618	   EmailSubject
3619	      Zero or one.  STRING.  The value of the "Subject:" header field in
3620	      an email.  See Section 3.6.4 of [RFC5322].

3622	   EmailX-Mailer
3623	      Zero or one.  STRING.  The value of the "X-Mailer:" header field
3624	      in an email.

3626	   EmailHeaderField
3627	      Zero or more.  EXTENSION.  The header name and value of an
3628	      arbitrary header field of the email message.  The 'name' attribute
3629	      MUST be set to header name.  The header value MUST be set in the
3630	      element body.  The dtype attribute MUST be set to "string".

3632	   EmailHeaders
3633	      Zero or one.  STRING.  The headers of an email message.

3635	   EmailBody
3636	      Zero or one.  STRING.  The body of an email message.

3638	   EmailMessage
3639	      Zero or one.  STRING.  The headers and body of an email message.

3641	   HashData
3642	      Zero or One.  Hash(es) associated with this email message.  See
3643	      Section 3.26.

3645	   SignatureData
3646	      Zero or One.  Signature(s) associated with this email message.
3647	      See Section 3.27.

3649	   The attribute of the EmailData class is:

3651	   observable-id
3652	      Optional.  ID.  See Section 3.3.2.

3654	3.22.  Record Class

3656	   The Record class is a container class for log and audit data that
3657	   provides supportive information about the events in an incident.  The
3658	   source of this data will often be the output of monitoring tools.
3659	   These logs substantiate the activity described in the document.

3661	   +------------------------+
3662	   | Record                 |
3663	   +------------------------+
3664	   | ENUM restriction       |<>--{1..*}--[ RecordData ]
3665	   | STRING ext-restriction |
3666	   +------------------------+

3668	                          Figure 45: Record Class

3670	   The aggregate classes of the Record class are:

3672	   RecordData
3673	      One or more.  Log or audit data generated by a particular tool.
3674	      Separate instances of the RecordData class SHOULD be used for each
3675	      type of log.  See Section 3.22.1.

3677	   The attributes of the Record class are:

3679	   restriction
3680	      Optional.  ENUM.  See Section 3.3.1.

3682	   ext-restriction
3683	      Optional.  STRING.  A means by which to extend the restriction
3684	      attribute.  See Section 5.1.1.

3686	3.22.1.  RecordData Class

3688	   The RecordData class describes or references log or audit data from a
3689	   given type of tool and provides a means to annotate the output.

3691	   +------------------------+
3692	   | RecordData             |
3693	   +------------------------+
3694	   | ENUM restriction       |<>--{0..1}--[ DateTime               ]
3695	   | STRING ext-restriction |<>--{0..*}--[ Description            ]
3696	   | ID observable-id       |<>--{0..1}--[ Application            ]
3697	   |                        |<>--{0..*}--[ RecordPattern          ]
3698	   |                        |<>--{0..*}--[ RecordItem             ]
3699	   |                        |<>--{0..*}--[ URL                    ]
3700	   |                        |<>--{0..*}--[ FileData               ]
3701	   |                        |<>--{0..*}--
3702	   |                        |       [ WindowsRegistryKeysModified ]
3703	   |                        |<>--{0..*}--[ CertificateData        ]
3704	   |                        |<>--{0..*}--[ AdditionalData         ]
3705	   +------------------------+

3707	                      Figure 46: The RecordData Class

3709	   The aggregate classes of the RecordData class are:

3711	   DateTime
3712	      Zero or one.  DATETIME.  A timestamp of the data found in the
3713	      RecordItem or URL classes.

3715	   Description
3716	      Zero or more.  ML_STRING.  A free-form text description of the
3717	      data provided in the RecordItem or URL classes.

3719	   Application
3720	      Zero or one.  SOFTWARE.  Identifies the tool used to generate the
3721	      data in the RecordItem or URL classes.

3723	   RecordPattern
3724	      Zero or more.  A search string to precisely find the relevant data
3725	      in the RecordItem or URL classes.  See Section 3.22.2.

3727	   RecordItem
3728	      Zero or more.  EXTENSION.  Log, audit, or forensic data to support
3729	      the conclusions made during the course of analyzing the incident.

3731	   URL
3732	      Zero or more.  URL.  A URL reference to a log or audit data.

3734	   FileData
3735	      Zero or one.  The files involved in the incident.  See
3736	      Section 3.25.

3738	   WindowsRegistryKeysModified
3739	      Zero or more.  The registry keys that were involved in the
3740	      incident.  See Section 3.23.

3742	   CertificateData
3743	      Zero or more.  The certificates that were involved in the
3744	      incident.  See Section 3.24.

3746	   AdditionalData
3747	      Zero or more.  EXTENSION.  An extension mechanism for data not
3748	      explicitly represented in the data model.

3750	   The attributes of the RecordData class are:

3752	   restriction
3753	      Optional.  ENUM.  See Section 3.3.1.

3755	   ext-restriction
3756	      Optional.  STRING.  A means by which to extend the restriction
3757	      attribute.  See Section 5.1.1.

3759	   observable-id
3760	      Optional.  ID.  See Section 3.3.2.

3762	3.22.2.  RecordPattern Class

3764	   The RecordPattern class describes where in the log data provided or
3765	   referenced in RecordData class relevant information can be found.  It
3766	   provides a way to reference subsets of information, identified by a
3767	   pattern, in a large log file, audit trail, or forensic data.

3769	   +-----------------------+
3770	   | RecordPattern         |
3771	   +-----------------------+
3772	   | STRING                |
3773	   |                       |
3774	   | ENUM type             |
3775	   | STRING ext-type       |
3776	   | INTEGER offset        |
3777	   | ENUM offsetunit       |
3778	   | STRING ext-offsetunit |
3779	   | INTEGER instance      |
3780	   +-----------------------+

3782	                    Figure 47: The RecordPattern Class

3784	   The content of the class is of type STRING and specifies a search
3785	   pattern.

3787	   The attributes of the RecordPattern class are:

3789	   type
3790	      Required.  ENUM.  Describes the type of pattern being specified in
3791	      the element content.  The default is "regex".  These values are
3792	      maintained in the "RecordPattern-type" IANA registry per
3793	      Section 10.2.

3795	      1.  regex.  regular expression as defined by POSIX Extended
3796	          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

3798	      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
3799	          type.

3801	      3.  xpath.  XML Path (XPath) [W3C.XPATH]

3803	      4.  ext-value.  A value used to indicate that this attribute is
3804	          extended and the actual value is provided using the
3805	          corresponding ext-* attribute.  See Section 5.1.1.

3807	   ext-type
3808	      Optional.  STRING.  A means by which to extend the type attribute.
3809	      See Section 5.1.1.

3811	   offset
3812	      Optional.  INTEGER.  Amount of units (determined by the offsetunit
3813	      attribute) to seek into the RecordItem data before matching the
3814	      pattern.

3816	   offsetunit
3817	      Optional.  ENUM.  Describes the units of the offset attribute.
3818	      The default is "line".  These values are maintained in the
3819	      "RecordPattern-offsetunit" IANA registry per Section 10.2.

3821	      1.  line.  Offset is a count of lines.

3823	      2.  byte.  Offset is a count of bytes.

3825	      3.  ext-value.  A value used to indicate that this attribute is
3826	          extended and the actual value is provided using the
3827	          corresponding ext-* attribute.  See Section 5.1.1.

3829	   ext-offsetunit
3830	      Optional.  STRING.  A means by which to extend the offsetunit
3831	      attribute.  See Section 5.1.1.

3833	   instance
3834	      Optional.  INTEGER.  Number of times to apply the specified
3835	      pattern.

3837	3.23.  WindowsRegistryKeysModified Class

3839	   The WindowsRegistryKeysModified class describes Windows operating
3840	   system registry keys and the operations that were performed on them.
3841	   This class was derived from [RFC5901].

3843	   +-----------------------------+
3844	   | WindowsRegistryKeysModified |
3845	   +-----------------------------+
3846	   | ID observable-id            |<>--{1..*}--[ Key ]
3847	   +-----------------------------+

3849	             Figure 48: The WindowsRegistryKeysModified Class

3851	   The aggregate classes of the WindowsRegistryKeysModified class are:

3853	   Key
3854	      One or more.  The Window registry key.  See Section 3.23.1.

3856	   The attribute of the WindowsRegistryKeysModified class is:

3858	   observable-id
3859	      Optional.  ID.  See Section 3.3.2.

3861	3.23.1.  Key Class

3863	   The Key class describes a Windows operating system registry key name
3864	   and value pair, and the operation performed on it.

3866	   +---------------------------+
3867	   | Key                       |
3868	   +---------------------------+
3869	   | ENUM registryaction       |<>----------[ KeyName ]
3870	   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
3871	   | ID observable-id          |
3872	   +---------------------------+

3874	                         Figure 49: The Key Class

3876	   The aggregate classes of the Key class are:

3878	   KeyName
3879	      One.  STRING.  The name of a Windows operating system registry key
3880	      (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])

3882	   KeyValue
3883	      Zero or one.  STRING.  The value of the registry key identified in
3884	      the KeyName class encoded per the .reg file format [KB310516].

3886	   The attributes of the Key class are:

3888	   registryaction
3889	      Optional.  ENUM.  The type of action taken on the registry key.
3890	      These values are maintained in the "Key-registryaction" IANA
3891	      registry per Section 10.2.

3893	      1.  add-key.  Registry key added.

3895	      2.  add-value.  Value added to a registry key.

3897	      3.  delete-key.  Registry key deleted.

3899	      4.  delete-value.  Value deleted from a registry key.

3901	      5.  modify-key.  Registry key modified.

3903	      6.  modify-value.  Value modified in a registry key.

3905	      7.  ext-value.  A value used to indicate that this attribute is
3906	          extended and the actual value is provided using the
3907	          corresponding ext-* attribute.  See Section 5.1.1.

3909	   ext-registryaction
3910	      Optional.  STRING.  A means by which to extend the registryaction
3911	      attribute.  See Section 5.1.1.

3913	   observable-id
3914	      Optional.  ID.  See Section 3.3.2.

3916	3.24.  CertificateData Class

3918	   The CertificateData class describes X.509 certificates.

3920	   +------------------------+
3921	   | CertificateData        |
3922	   +------------------------+
3923	   | ENUM restriction       |<>--{1..*}--[ Certificate    ]
3924	   | STRING ext-restriction |
3925	   | ID observable-id       |
3926	   +------------------------+

3928	                   Figure 50: The CertificateData Class

3930	   The aggregate classes of the CertificateData class are:

3932	   Certificate
3933	      One or more.  A description of an X.509 certificate or certificate
3934	      chain.  See Section 3.24.1.

3936	   The attributes of the CertificateData class are:

3938	   restriction
3939	      Optional.  ENUM.  See Section 3.3.1.

3941	   ext-restriction
3942	      Optional.  STRING.  A means by which to extend the restriction
3943	      attribute.  See Section 5.1.1.

3945	   observable-id
3946	      Optional.  ID.  See Section 3.3.2.

3948	3.24.1.  Certificate Class

3950	   The Certificate class describes a given X.509 certificate or
3951	   certificate chain.

3953	   +--------------------------+
3954	   | Certificate              |
3955	   +--------------------------+
3956	   | ID observable-id         |<>----------[ ds: X509Data   ]
3957	   |                          |<>--{0..*}--[ Description    ]
3958	   +--------------------------+

3960	                     Figure 51: The Certificate Class

3962	   The aggregate classes of the Certificate class are:

3964	   ds:X509Data
3965	      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
3966	      [W3C.XMLSIG].

3968	   Description
3969	      Zero or more.  ML_STRING.  A free-form text description explaining
3970	      the context of this certificate.

3972	   The attributes of the Certificate class are:

3974	   observable-id
3975	      Optional.  ID.  See Section 3.3.2.

3977	3.25.  FileData Class

3979	   The FileData class describes a file or set of files.

3981	   +------------------------+
3982	   | FileData               |
3983	   +------------------------+
3984	   | ENUM restriction       |<>--{1..*}--[ File      ]
3985	   | STRING ext-restriction |
3986	   | ID observable-id       |
3987	   +------------------------+

3989	                       Figure 52: The FileData Class

3991	   The aggregate classes of the FileData class are:

3993	   File
3994	      One or more.  A description of a file.  See Section 3.25.1.

3996	   The attributes of the FileData class are:

3998	   restriction
3999	      Optional.  ENUM.  See Section 3.3.1.

4001	   ext-restriction
4002	      Optional.  STRING.  A means by which to extend the restriction
4003	      attribute.  See Section 5.1.1.

4005	   observable-id
4006	      Optional.  ID.  See Section 3.3.2.

4008	3.25.1.  File Class

4010	   The File class describes a file; its associated meta data; and
4011	   cryptographic hashes and signatures applied to it.

4013	   +-----------------------+
4014	   | File                  |
4015	   +-----------------------+
4016	   | ID observable-id      |<>--{0..1}--[ FileName           ]
4017	   |                       |<>--{0..1}--[ FileSize           ]
4018	   |                       |<>--{0..1}--[ FileType           ]
4019	   |                       |<>--{0..*}--[ URL                ]
4020	   |                       |<>--{0..1}--[ HashData           ]
4021	   |                       |<>--{0..1}--[ SignatureData      ]
4022	   |                       |<>--{0..1}--[ AssociatedSoftware ]
4023	   |                       |<>--{0..*}--[ FileProperties     ]
4024	   +-----------------------+

4026	                         Figure 53: The File Class

4028	   The aggregate classes of the File class are:

4030	   FileName
4031	      Zero or One.  STRING.  The name of the file.

4033	   FileSize
4034	      Zero or One.  INTEGER.  The size of the file in bytes.

4036	   FileType
4037	      Zero or One.  STRING.  The type of file per the IANA Media Types
4038	      Registry [IANA.Media].  Valid values correspond to the text in the
4039	      "Template" column (e.g., "application/pdf").

4041	   URL
4042	      Zero or more.  URL.  A URL reference to the file.

4044	   HashData
4045	      Zero or One.  Hash(es) associated with this file.  See
4046	      Section 3.26.

4048	   SignatureData
4049	      Zero or One.  Signature(s) associated with this file.  See
4050	      Section 3.27.

4052	   AssociatedSoftware
4053	      Zero or One.  SOFTWARE.  The software application or operating
4054	      system to which this file belongs or by which it can be processed.

4056	   FileProperties
4057	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4058	      model to describe properties of the file.

4060	   The attributes of the File class are:

4062	   observable-id
4063	      Optional.  ID.  See Section 3.3.2.

4065	3.26.  HashData Class

4067	   The HashData class describes different types of hashes on an given
4068	   object (e.g., file, part of a file, email).

4070	   +--------------------------+
4071	   | HashData                 |
4072	   +--------------------------+
4073	   | ENUM scope               |<>--{0..1}--[ HashTargetID ]
4074	   |                          |<>--{0..*}--[ Hash         ]
4075	   |                          |<>--{0..*}--[ FuzzyHash    ]
4076	   +--------------------------+

4078	                       Figure 54: The HashData Class

4080	   The aggregate classes of the HashData class are:

4082	   HashTargetID
4083	      Zero or One.  STRING.  An identifier that references a subset of
4084	      the object being hashed.  The semantics of this identifier are
4085	      specified by the scope attribute.

4087	   Hash
4088	      Zero or more.  The hash of an object.  See Section 3.26.1.

4090	   FuzzyHash
4091	      Zero or more.  The fuzzy hash of an object.  See Section 3.26.2.

4093	   A single instance of Hash or FuzzyHash MUST be present.

4095	   The attribute of the HashData class is:

4097	   scope
4098	      Required.  ENUM.  Describes on which part of the object the hash
4099	      should be applied.  These values are maintained in the "HashData-
4100	      scope" IANA registry per Section 10.2.

4102	      1.  file-contents.  A hash computed over the entire contents of a
4103	          file.

4105	      2.  file-pe-section.  A hash computed on a given section of a
4106	          Windows Portable Executable (PE) file.  If set to this value,
4107	          the HashTargetID class MUST identify the section being hashed.
4108	          A section is identified by an ordinal number (starting at 1)
4109	          corresponding to the the order in which the given section
4110	          header was defined in the Section Table of the PE file header.

4112	      3.  file-pe-iat.  A hash computed on the Import Address
4113	          Table (IAT) of a PE file.  As IAT hashes are often tool
4114	          dependent, if this value is set, the Application class of
4115	          either the Hash or FuzzyHash classes MUST specify the tool
4116	          used to generate the hash.

4118	      4.  file-pe-resource.  A hash computed on a given resource in a PE
4119	          file.  If set to this value, the HashTargetID class MUST
4120	          identify the resource being hashed.  A resource is identified
4121	          by an ordinal number (starting at 1) corresponding to the
4122	          order in which the given resource is declared in the Resource
4123	          Directory of the Data Dictionary in the PE file header.

4125	      5.  file-pdf-object.  A hash computed on a given object in a
4126	          Portable Document Format (PDF) file.  If set to this value,
4127	          the HashTargetID class MUST identify the object being hashed.
4128	          This object is identified by its offset in the PDF file.

4130	      6.  email-hash.  A hash computed over the headers and body of an
4131	          email message.

4133	      7.  email-headers-hash.  A hash computed over all of the headers
4134	          of an email message.

4136	      8.  email-body-hash.  A hash computed over the body of an email
4137	          message.

4139	      9.  ext-value.  A value used to indicate that this attribute is
4140	          extended and the actual value is provided using the
4141	          corresponding ext-* attribute.  See Section 5.1.1.

4143	   ext-scope
4144	      Optional.  STRING.  A means by which to extend the scope
4145	      attribute.  See Section 5.1.1.

4147	3.26.1.  Hash Class

4149	   The Hash class describes a cryptographic hash value; the algorithm
4150	   and application used to generate it; and the canonicalization method
4151	   applied to the object being hashed.

4153	   +----------------+
4154	   | Hash           |
4155	   +----------------+
4156	   |                |<>----------[ ds:DigestMethod            ]
4157	   |                |<>----------[ ds:DigestValue             ]
4158	   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
4159	   |                |<>--{0..1}--[ Application                ]
4160	   +----------------+

4162	                         Figure 55: The Hash Class

4164	   The aggregate classes of the Hash class are:

4166	   ds:DigestMethod
4167	      One.  The hash algorithm used to generate the hash.  See
4168	      Section 4.3.3.5 of [W3C.XMLSIG]

4170	   ds:DigestValue
4171	      One.  The computed hash value.  See Section 4.3.3.6 of
4172	      [W3C.XMLSIG].

4174	   ds:CanonicalizationMethod
4175	      Zero or one.  The canonicalization method used on the object being
4176	      hashed.  See Section 4.3.1 of [W3C.XMLSIG].

4178	   Application
4179	      Zero or One.  SOFTWARE.  The application used to calculate the
4180	      hash.

4182	   The HashData class has no attributes.

4184	3.26.2.  FuzzyHash Class

4186	   The FuzzyHash class describes a fuzzy hash and the application used
4187	   to generate it.

4189	   +--------------------------+
4190	   | FuzzyHash                |
4191	   +--------------------------+
4192	   |                          |<>--{1..*}--[ FuzzyHashValue ]
4193	   |                          |<>--{0..1}--[ Application    ]
4194	   |                          |<>--{0..*}--[ AdditionalData ]
4195	   +--------------------------+

4197	                      Figure 56: The FuzzyHash Class

4199	   The aggregate classes of the FuzzyHash class are:

4201	   FuzzyHashValue
4202	      One or more.  EXTENSION.  The computed fuzzy hash value.

4204	   Application
4205	      Zero or One. SOFTWARE.  The application used to calculate the
4206	      hash.

4208	   AdditionalData
4209	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4210	      model.

4212	   The FuzzyData class has no attributes.

4214	3.27.  SignatureData Class

4216	   The SignatureData class describes different types of digital
4217	   signatures on an object.

4219	   +--------------------------+
4220	   | SignatureData            |
4221	   +--------------------------+
4222	   |                          |<>--{1..*}--[ ds:Signature ]
4223	   +--------------------------+

4225	                    Figure 57: The SignatureData Class

4227	   The aggregate class of the SignatureData class is:

4229	   Signature
4230	      One or more.  An given signature.  See Section 4.2 of [W3C.XMLSIG]

4232	   The SignatureData class has no attributes.

4234	3.28.  IndicatorData Class

4236	   The IndicatorData class describes cyber indicators and meta-data
4237	   associated with them.

4239	   +--------------------------+
4240	   | IndicatorData            |
4241	   +--------------------------+
4242	   |                          |<>--{1..*}--[ Indicator      ]
4243	   +--------------------------+

4245	                    Figure 58: The IndicatorData Class

4247	   The aggregate class of the IndicatorData class is:

4249	   Indicator
4250	      One or more.  A description of an indicator.  See Section 3.29.

4252	   The IndicatorData class has no attributes.

4254	3.29.  Indicator Class

4256	   The Indicator class describes a cyber indicator.  An indicator
4257	   consists of observable features and phenomenon that aid in the
4258	   forensic or proactive detection of malicious activity; and associated
4259	   meta-data.  An indicator can be described outright; by referencing or
4260	   composing previously defined indicators; or by referencing
4261	   observables described in the incident report found in this document.

4263	   +------------------------+
4264	   | Indicator              |
4265	   +------------------------+
4266	   | ENUM restriction       |<>----------[ IndicatorID            ]
4267	   | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
4268	   |                        |<>--{0..*}--[ Description            ]
4269	   |                        |<>--{0..1}--[ StartTime              ]
4270	   |                        |<>--{0..1}--[ EndTime                ]
4271	   |                        |<>--{0..1}--[ Confidence             ]
4272	   |                        |<>--{0..*}--[ Contact                ]
4273	   |                        |<>--{0..1}--[ Observable             ]
4274	   |                        |<>--{0..1}--[ ObservableReference    ]
4275	   |                        |<>--{0..1}--[ IndicatorExpression    ]
4276	   |                        |<>--{0..1}--[ IndicatorReference     ]
4277	   |                        |<>--{0..*}--[ NodeRole               ]
4278	   |                        |<>--{0..*}--[ AttackPhase            ]
4279	   |                        |<>--{0..*}--[ AdditionalData         ]
4280	   +------------------------+

4282	                      Figure 59: The Indicator Class

4284	   The aggregate classes of the Indicator class are:

4286	   IndicatorID
4287	      One.  An identifier for this indicator.  See Section 3.29.1

4289	   AlternativeIndicatorID
4290	      Zero or one.  An alternative identifier for this indicator.  See
4291	      Section 3.29.2

4293	   Description
4294	      Zero or more.  ML_STRING.  A free-form text description of the
4295	      indicator.

4297	   StartTime
4298	      Zero or one.  DATETIME.  A timestamp of the start of the time
4299	      period during which this indicator is valid.

4301	   EndTime
4302	      Zero or one.  DATETIME.  A timestamp of the end of the time period
4303	      during which this indicator is valid.

4305	   Confidence
4306	      Zero or one.  An estimate of the confidence in the quality of the
4307	      indicator.  See Section 3.12.5.

4309	   Contact
4310	      Zero or more.  Contact information for this indicator.  See
4311	      Section 3.9.

4313	   Observable
4314	      Zero or one.  An observable feature or phenomenon of this
4315	      indicator.  See Section 3.29.3.

4317	   ObservableReference
4318	      Zero or one.  A reference to an observable feature or phenomenon
4319	      defined elsewhere in the document.  See Section 3.29.6.

4321	   IndicatorExpression
4322	      Zero or one.  A composition of observables.  See Section 3.29.4.

4324	   IndicatorReference
4325	      Zero or one.  A reference to an indicator.  See Section 3.29.7.

4327	   NodeRole
4328	      Zero or many.  The role of the system in the attack should this
4329	      indicator be matched to it.  See Section 3.18.2.

4331	   AttackPhase
4332	      Zero or many.  The phase in an attack lifecycle during which this
4333	      indicator might be seen.  See Section 3.29.8.

4335	   AdditionalData
4336	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4337	      model.

4339	   The Indicator class MUST have exactly one instance of an Observable,
4340	   IndicatorExpression, ObservableReference, or IndicatorReference
4341	   class.

4343	   The StartTime and EndTime classes can be used to define an interval
4344	   during which the indicator is valid.  If both classes are present,
4345	   the indicator is consider valid only during the described interval.
4346	   If neither class is provided, the indicator is considered valid
4347	   during any time interval.  If only a StartTime is provided, the
4348	   indicator is valid anytime after this timestamp.  If only an EndTime
4349	   is provided, the indicator is valid anytime prior to this timestamp.

4351	   The attributes of the Indicator class are:

4353	   restriction
4354	      Optional.  ENUM.  See Section 3.3.1.

4356	   ext-restriction
4357	      Optional.  STRING.  A means by which to extend the restriction
4358	      attribute.  See Section 5.1.1.

4360	3.29.1.  IndicatorID Class

4362	   The IndicatorID class identifies an indicator with a globally unique
4363	   identifier.  The combination of the name and version attributes, and
4364	   the element content form this identifier.  Indicators generated by
4365	   given CSIRT MUST NOT reuse the same value unless they are referencing
4366	   the same indicator.

4368	   +------------------+
4369	   | IndicatorID      |
4370	   +------------------+
4371	   | ID               |
4372	   |                  |
4373	   | STRING name      |
4374	   | STRING version   |
4375	   +------------------+

4377	                     Figure 60: The IndicatorID Class

4379	   The content of the class is of type ID and specifies an identifier
4380	   for an indicator.

4382	   The attributes of the IndicatorID class are:

4384	   name
4385	      Required.  STRING.  An identifier describing the CSIRT that
4386	      created the indicator.  In order to have a globally unique CSIRT
4387	      name, the fully qualified domain name associated with the CSIRT
4388	      MUST be used.  This format is identical to the IncidentID@name
4389	      attribute in Section 3.4.

4391	   version
4392	      Required.  STRING.  A version number of an indicator.

4394	3.29.2.  AlternativeIndicatorID Class

4396	   The AlternativeIndicatorID class lists alternative identifiers for an
4397	   indicator.

4399	   +-------------------------+
4400	   | AlternativeIndicatorID  |
4401	   +-------------------------+
4402	   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
4403	   | STRING ext-restriction  |
4404	   +-------------------------+

4406	                Figure 61: The AlternativeIndicatorID Class

4408	   The aggregate class of the AlternativeIndicatorID class is:

4410	   IndicatorReference
4411	      One or more.  A reference to an indicator.  See Section 3.29.7

4413	   The attributes of the AlternativeIndicatorID class are:

4415	   restriction
4416	      Optional.  ENUM.  See Section 3.3.1.

4418	   ext-restriction
4419	      Optional.  STRING.  A means by which to extend the restriction
4420	      attribute.  See Section 5.1.1.

4422	3.29.3.  Observable Class

4424	   The Observable class describes a feature and phenomenon that can be
4425	   observed or measured for the purposes of detecting malicious
4426	   behavior.

4428	   +-------------------+
4429	   | Observable        |
4430	   +-------------------+
4431	   |                   |<>--{0..1}--[ Address                     ]
4432	   |                   |<>--{0..1}--[ DomainData                  ]
4433	   |                   |<>--{0..1}--[ Service                     ]
4434	   |                   |<>--{0..1}--[ EmailData                   ]
4435	   |                   |<>--{0..1}--[ Service                     ]
4436	   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
4437	   |                   |<>--{0..1}--[ FileData                    ]
4438	   |                   |<>--{0..1}--[ CertificateData             ]
4439	   |                   |<>--{0..1]--[ RegistryHandle              ]
4440	   |                   |<>--{0..1}--[ RecordData                  ]
4441	   |                   |<>--{0..1}--[ EventData                   ]
4442	   |                   |<>--{0..1}--[ Incident                    ]
4443	   |                   |<>--{0..*}--[ Expectation                 ]
4444	   |                   |<>--{0..*}--[ Reference                   ]
4445	   |                   |<>--{0..1}--[ Assessment                  ]
4446	   |                   |<>--{0..1}--[ HistoryItem                 ]
4447	   |                   |<>--{0..1}--[ BulkObservable              ]
4448	   |                   |<>--{0..*}--[ AdditionalData              ]
4449	   +-------------------+

4451	                      Figure 62: The Observable Class

4453	   The aggregate classes of the Observable class are:

4455	   Address
4456	      Zero or One.  An Address observable.  See Section 3.18.1.

4458	   DomainData
4459	      Zero or One.  A DomainData observable.  See Section 3.19.

4461	   Service
4462	      Zero or One.  A Service observable.  See Section 3.20.

4464	   EmailData
4465	      Zero or One.  A EmailData observable.  See Section 3.21.

4467	   WindowsRegistryKeysModified
4468	      Zero or One.  A WindowsRegistryKeysModified observable.  See
4469	      Section 3.23.

4471	   FileData
4472	      Zero or One.  A FileData observable.  See Section 3.25.

4474	   CertificateData
4475	      Zero or One.  A CertificateData observable.  See Section 3.24.

4477	   RegistryHandle
4478	      Zero or One.  A RegistryHandle observable.  See Section 3.9.1.

4480	   RecordData
4481	      Zero or One.  A RecordData observable.  See Section 3.22.1.

4483	   EventData
4484	      Zero or One.  An EventData observable.  See Section 3.14.

4486	   Incident
4487	      Zero or One.  An Incident observable.  See Section 3.2.

4489	   EventData
4490	      Zero or One.  An EventData observable.  See Section 3.14.

4492	   Expectation
4493	      Zero or One.  An Expectation observable.  See Section 3.15.

4495	   Reference
4496	      Zero or One.  A Reference observable.  See Section 3.11.1.

4498	   Assessment
4499	      Zero or One.  An Assessment observable.  See Section 3.12.

4501	   HistoryItem
4502	      Zero or One.  A HistoryItem observable.  See Section 3.13.1.

4504	   BulkObservable
4505	      Zero or One.  A bulk list of observables.  See Section 3.29.3.1.

4507	   AdditionalData
4508	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4509	      model.

4511	   The Observable class MUST have exactly one of the possible child
4512	   classes.

4514	   The Observable class has no attributes.

4516	3.29.3.1.  BulkObservable Class

4518	   The BulkObservable class allows the enumeration of a single type of
4519	   observables without requiring each one to be encoded individually in
4520	   multiple instances of the same class.

4522	   The type attribute describes the type of observable listed in the
4523	   child BulkObservableList class.  The BulkObservableFormat class
4524	   optionally provides additional meta-data.

4526	   +---------------------------+
4527	   | BulkObservable            |
4528	   +---------------------------+
4529	   | ENUM type                 |<>--{0..1}--[ BulkObservableFormat ]
4530	   | STRING ext-type           |<>----------[ BulkObservableList   ]
4531	   |                           |<>--{0..*}--[ AdditionalData       ]
4532	   +---------------------------+

4534	                    Figure 63: The BulkObservable Class

4536	   The aggregate classes of the BulkObservable class are:

4538	   BulkObservableFormat
4539	      Zero or one.  Provides additional meta-data about the observables
4540	      enumerated in the BulkObservableList class.  See
4541	      Section 3.29.3.1.1.

4543	   BulkObservableList
4544	      One.  STRING.  A list of observables, one per line.  Each line is
4545	      separated with either a LF character or CR-and-LF characters.  The
4546	      type attribute specifies which observables will be listed.

4548	   AdditionalData
4549	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4550	      model.

4552	   The attributes of the BulkObservable class are:

4554	   type
4555	      Optional.  ENUM.  The type of the observable listed in the child
4556	      ObservableList class.  These values are maintained in the
4557	      "BulkObservable-type" IANA registry per Section 10.2.

4559	      1.   asn.  Autonomous System Number (per the Address@category
4560	           attribute).

4562	      2.   atm.  Asynchronous Transfer Mode (ATM) address (per the
4563	           Address@category attribute).

4565	      3.   e-mail.  Electronic mail address (RFC 822) (per the
4566	           Address@category attribute).

4568	      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
4569	           (e.g., 192.0.2.1) (per the Address@category attribute).

4571	      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
4572	           slash, significant bits (e.g., 192.0.2.0/24) (per the
4573	           Address@category attribute).

4575	      6.   ipv4-net-mask.  IPv4 network address in dotted-decimal
4576	           notation, slash, network mask in dotted-decimal notation
4577	           (i.e., 192.0.2.0/255.255.255.0) (per the Address@category
4578	           attribute).

4580	      7.   ipv6-addr.  IPv6 host address (e.g., 2001:DB8::3) (per the
4581	           Address@category attribute).

4583	      8.   ipv6-net.  IPv6 network address, slash, significant bits
4584	           (e.g., 2001:DB8::/32) (per the Address@category attribute).

4586	      9.   ipv6-net-mask.  IPv6 network address, slash, network mask
4587	           (per the Address@category attribute).

4589	      10.  mac.  Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
4590	           (per the Address@category attribute).

4592	      11.  site-uri.  A URL or URI for a resource (per the
4593	           Address@category attribute).

4595	      12.  domain-name.  A fully qualified domain name or part of a
4596	           name. (e.g., fqdn.example.com, example.com).

4598	      13.  domain-to-ipv4.  A fqdn-to-IPv4 address mapping specified as
4599	           a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").

4601	      14.  domain-to-ipv6.  A fqdn-to-IPv6 address mapping specified as
4602	           a comma separated list (e.g., "fqdn.example.com,
4603	           2001:DB8::3").

4605	      15.  domain-to-ipv4-timestamp.  Same as domain-to-ipv4 but with a
4606	           timestamp (in the DATETIME format) of the resolution (e.g.,
4607	           "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").

4609	      16.  domain-to-ipv6-timestamp.  Same as domain-to-ipv6 but with a
4610	           timestamp (in the DATETIME format) of the resolution (e.g.,
4611	           "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").

4613	      17.  ipv4-port.  An IPv4 address, port and protocol tuple (e.g.,
4614	           192.0.2.1, 80, tcp).  The protocol name corresponds to the
4615	           "Keyword" column in the [IANA.Protocols] registry.

4617	      18.  ipv6-port.  An IPv6 address, port and protocol tuple (e.g.,
4618	           2001:DB8::3, 80, tcp).  The protocol name corresponds to the
4619	           "Keyword" column in the [IANA.Protocols] registry.

4621	      19.  windows-reg-key.  A Microsoft Windows Registry key.

4623	      20.  file-hash.  A file hash.  The format of this hash is
4624	           described in the Hash class that MUST be present in a sibling
4625	           BulkObservableFormat class.

4627	      21.  email-x-mailer.  An X-Mailer field from an email.

4629	      22.  email-subject.  An email subject line.

4631	      23.  http-user-agent.  A User Agent field from an HTTP request
4632	           header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
4633	           Gecko/20100101 Firefox/38.0").

4635	      24.  http-request-uri.  The Request URI from an HTTP request
4636	           header.

4638	      25.  mutex.  The name of a system mutex.

4640	      26.  file-path.  A file path (e.g., "/tmp/local/file",
4641	           "c:\windows\system32\file.sys")

4643	      27.  user-name.  A username.

4645	      28.  ext-value.  A value used to indicate that this attribute is
4646	           extended and the actual value is provided using the
4647	           corresponding ext-* attribute.  See Section 5.1.1.

4649	   ext-type
4650	      Optional.  STRING.  A means by which to extend the type attribute.
4651	      See Section 5.1.1.

4653	3.29.3.1.1.  BulkObservableFormat Class

4655	   The ObservableFormat class specifies meta-data about the format of an
4656	   observable enumerated in a sibling BulkObservableList class.

4658	   +---------------------------+
4659	   | BulkObservableFormat      |
4660	   +---------------------------+
4661	   |                           |<>--{0..1}--[ Hash             ]
4662	   |                           |<>--{0..*}--[ AdditionalData   ]
4663	   +---------------------------+

4665	                 Figure 64: The BulkObservableFormat Class

4667	   The aggregate classes of the BulkObservableFormat class are:

4669	   Hash
4670	      Zero or one.  Describes the format of a hash.  See Section 3.26.1.

4672	   AdditionalData
4673	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4674	      model.

4676	   The BulkObservableFormat class has no attributes.

4678	   Either Hash or AdditionalData MUST be present.

4680	3.29.4.  IndicatorExpression Class

4682	   The IndicatorExpression describes an expression composed of observed
4683	   phenomenon or features, or indicators.  Elements of the expression
4684	   can be described directly, reference relevant data from other parts
4685	   of a given IODEF document, or reference previously defined
4686	   indicators.

4688	   All child classes of a given instance of IndicatorExpression form a
4689	   boolean algebraic expression where the operator between them is
4690	   determined by the operator attribute.

4692	   +--------------------------+
4693	   | IndicatorExpression      |
4694	   +--------------------------+
4695	   | ENUM operator            |<>--{0..*}--[ IndicatorExpression  ]
4696	   | STRING ext-operator      |<>--{0..*}--[ Observable           ]
4697	   |                          |<>--{0..*}--[ ObservableReference  ]
4698	   |                          |<>--{0..*}--[ IndicatorReference   ]
4699	   |                          |<>--{0..*}--[ AdditionalData       ]
4700	   +--------------------------+

4702	                 Figure 65: The IndicatorExpression Class

4704	   The aggregate classes of the IndicatorExpression class are:

4706	   IndicatorExpression
4707	      Zero or more.  An expression composed of other observables or
4708	      indicators.  See Section 3.29.4.

4710	   Observable
4711	      Zero or more.  A description of an observable.  See
4712	      Section 3.29.3.

4714	   ObservableReference
4715	      Zero or more.  A reference to an observable.  See Section 3.29.6.

4717	   IndicatorReference
4718	      Zero or more.  A reference to an indicator.  See Section 3.29.7.

4720	   AdditionalData
4721	      Zero or more.  EXTENSION.  Mechanism by which to extend the data
4722	      model.

4724	   The attributes of the IndicatorExpression class are:

4726	   operator
4727	      Optional.  ENUM.  The operator to be applied between the child
4728	      elements.  See Section 3.29.5 for parsing guidance.  The default
4729	      value is "and".  These values are maintained in the
4730	      "IndicatorExpression-operator" IANA registry per Section 10.2.

4732	      1.  not.  negation operator.

4734	      2.  and.  conjunction operator.

4736	      3.  or.  disjunction operator.

4738	      4.  xor.  exclusive disjunction operator.

4740	   ext-operator
4741	      Optional.  STRING.  A means by which to extend the operator
4742	      attribute.  See Section 5.1.1.

4744	3.29.5.  Expressions with IndicatorExpression

4746	   Boolean algebraic expressions can be used to specify relationships
4747	   between observables and indicator.  These expressions are constructed
4748	   through the use of the operator attribute and parent-child
4749	   relationships in IndicatorExpressions.  These expressions should be
4750	   parsed as follows:

4752	   1.  The operator specified by the operator attribute is applied
4753	       between each of the child elements of the immediate parent
4754	       IndicatorExpression element.  If no operator attribute is
4755	       specified, it should be assumed to be the conjunction operator
4756	       (i.e., operator="and").

4758	   2.  A nested IndicatorExpression element with a parent
4759	       IndicatorExpression is the equivalent of a parentheses in the
4760	       expression.

4762	   The following four examples in Figure 66 through Figure 69 illustrate
4763	   these parsing rules:

4765	   1     : <IndicatorExpression>
4766	   2 [O1]:    <Observable>..</Observable>
4767	   3 [O2]:    <Observable>..</Observable>
4768	   4     : </IndicatorExpression>

4770	   Equivalent expression: (O1 AND O2)

4772	      Figure 66: Nested elements in an IndicatorExpression without an
4773	                       operator attribute specified

4775	   1     : <IndicatorExpression operator="or">
4776	   2 [O1]:    <Observable>..</Observable>
4777	   3 [O2]:    <Observable>..</Observable>
4778	   4     : </IndicatorExpression>

4780	   Equivalent expression: (O1 OR O2)

4782	   Figure 67: Nested elements in an IndicatorExpression with an operator
4783	                            attribute specified

4785	   1     : <IndicatorExpression operator="or">
4786	   2     :    <IndicatorExpression operator="or">
4787	   2 [O1]:      <Observable>..</Observable>
4788	   3 [O2]:      <Observable>..</Observable>
4789	   4     :    </IndicatorExpression>
4790	   2 [O3]:    <Observable>..</Observable>
4791	   4     : </IndicatorExpression>

4793	   Equivalent expression: ((O1 OR O2) OR O3)

4795	   Figure 68: Nested elements with a recursive IndicatorExpression with
4796	                      an operator attribute specified

4798	   1     : <IndicatorExpression operator="not">
4799	   2     :    <IndicatorExpression operator="and">
4800	   2 [O1]:      <Observable>..</Observable>
4801	   3 [O2]:      <Observable>..</Observable>
4802	   4     :    </IndicatorExpression>
4803	   4     : </IndicatorExpression>

4805	   Equivalent expression: (NOT (O1 AND O2))

4807	   Figure 69: A recursive IndicatorExpression with an operator attribute
4808	                                 specified

4810	   Invalid algebraic expressions while valid XML, MUST not be specified.

4812	3.29.6.  ObservableReference Class

4814	   The ObservableReference describes a reference to an observable
4815	   feature or phenomenon described elsewhere in the document.

4817	   This class has no content.

4819	   +-------------------------+
4820	   | ObservableReference     |
4821	   +-------------------------+
4822	   | EMPTY                   |
4823	   |                         |
4824	   | IDREF uid-ref           |
4825	   +-------------------------+

4827	                 Figure 70: The ObservableReference Class

4829	   The ObservableReference class has no content.

4831	   The attribute of the ObservableReference class is:

4833	   uid-ref
4834	      Required.  IDREF.  An identifier that serves as a reference to a
4835	      class in the IODEF document.  The referenced class will have this
4836	      identifier set in its observable-id attribute.

4838	3.29.7.  IndicatorReference Class

4840	   The IndicatorReference describes a reference to an indicator.  This
4841	   reference may be to an indicator described in this IODEF document or
4842	   in a previously exchanged IODEF document.

4844	   +--------------------------+
4845	   | IndicatorReference       |
4846	   +--------------------------+
4847	   | EMPTY                    |
4848	   |                          |
4849	   | IDREF uid-ref            |
4850	   | STRING euid-ref          |
4851	   | STRING version           |
4852	   +--------------------------+

4854	                  Figure 71: The IndicatorReference Class

4856	   The IndicatorReference class has no content.

4858	   The attributes of the IndicatorReference class are:

4860	   uid-ref
4861	      Optional.  IDREF.  An identifier that references an Indicator
4862	      class in the IODEF document.  The referenced Indicator class will
4863	      have this identifier set in its IndicatorID class.

4865	   euid-ref
4866	      Optional.  STRING.  An identifier that references an IndicatorID
4867	      not in this IODEF document.

4869	   version
4870	      Optional.  STRING.  A version number of an indicator.

4872	   Either the uid-ref or the euid-ref attribute MUST be set.

4874	3.29.8.  AttackPhase Class

4876	   The AttackPhase class describes a particular phase of an attack
4877	   lifecycle.

4879	   +------------------------+
4880	   | AttackPhase            |
4881	   +------------------------+
4882	   |                        |<>--{0..*}--[ AttackPhaseID  ]
4883	   |                        |<>--{0..*}--[ URL            ]
4884	   |                        |<>--{0..*}--[ Description    ]
4885	   |                        |<>--{0..*}--[ AdditionalData ]
4886	   +------------------------+

4888	                       Figure 72: AttackPhase Class

4890	   The aggregate classes of the AttackPhase class are:

4892	   AttackPhaseID
4893	      Zero or more.  STRING.  An identifier for the phase of the attack.

4895	   URL
4896	      Zero or more.  URL.  A URL to a resource describing this phase of
4897	      the attack.

4899	   Description
4900	      Zero or more.  ML_STRING.  A free-form text description of this
4901	      phase of the attack.

4903	   AdditionalData
4904	      Zero or more.  EXTENSION.  A mechanism by which to extend the data
4905	      model.

4907	   AttackPhase MUST have at least one instance of a child class.

4909	   The AttackPhase class has no attributes.

4911	4.  Processing Considerations

4913	   This section provides additional requirements and guidance on
4914	   creating and processing IODEF documents.

4916	4.1.  Encoding

4918	   Every IODEF document MUST begin with an XML declaration and MUST
4919	   specify the XML version used.  The character encoding MUST also be
4920	   explicitly specified.  UTF-8 [RFC3629] SHOULD be used unless UTF-16
4921	   [RFC2781] is necessary.  Encodings other than UTF-8 and UTF-16 SHOULD
4922	   NOT be used.  The IODEF conforms to all XML data encoding conventions
4923	   and constraints.

4925	   The XML declaration with no character encoding will read as follows:

4927	   <?xml version="1.0" ?>

4929	   When a character encoding is specified, the XML declaration will read
4930	   as follows:

4932	   <?xml version="1.0" encoding="charset" ?>

4934	   Where "charset" is the name of the character encoding as registered
4935	   with the Internet Assigned Numbers Authority (IANA), see [RFC2978].

4937	   The following characters have special meaning in XML and MUST be
4938	   escaped with their entity reference equivalent: "&", "<", ">", "\""
4939	   (double quotation mark), and "'" (apostrophe).  These entity
4940	   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
4941	   respectively.

4943	4.2.  IODEF Namespace

4945	   The IODEF schema declares a namespace of
4946	   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
4947	   Each IODEF document MUST include a valid reference to the IODEF
4948	   schema using the "xsi:schemaLocation" attribute.  An example of such
4949	   a declaration would look as follows:

4951	   <IODEF-Document
4952	      version="2.00" lang="en-US"
4953	      xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
4954	      xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0" ...>

4956	4.3.  Validation

4958	   IODEF documents MUST be well-formed XML.  It is RECOMMENDED that
4959	   recipients validate the document against the schema described in
4960	   Section 8.  However, mere conformance to this schema is not
4961	   sufficient for a semantically valid IODEF document.  The text of
4962	   Section 3 describes further formatting and constraints; some that
4963	   cannot be conveniently encoded in the schema.  These MUST must also
4964	   be considered by an IODEF implementation.  Furthermore, the
4965	   enumerated values present in this document are a static list that
4966	   will be incomplete over time as select attributes can be extended by
4967	   a corresponding IANA registry per Section 10.2.  Therefore, the
4968	   schema to validate a given document MUST be dynamically generated
4969	   from these registry values.

4971	4.4.  Incompatibilities with v1

4973	   The IODEF data model in this document makes a number of changes to
4974	   [RFC5070].  These changes were largely additive -- classes and
4975	   enumerated values were added.  However, some incompatibilities
4976	   between [RFC5070] and this new specification were introduced.  These
4977	   incompatibilities are as follows:

4979	   o  The IODEF-Document@version attribute is set to "2.0".

4981	   o  Attributes with enumerated values can now also be extended with
4982	      IANA registries.

4984	   o  All iodef:MLStringType classes use xml:lang.  IODEF-Document also
4985	      uses xml:lang.

4987	   o  The Service@ip_protocol attribute was renamed to @ip-protocol.

4989	   o  The Node/NodeName class was removed in favor of representing
4990	      domain names with Node/DomainData/Name class.  The Node/DataTime
4991	      class was also removed so that the Node/DomainData/
4992	      DateDomainWasChecked class can represent the time at which the
4993	      name to address resolution occurred.

4995	   o  The Node/NodeRole class was moved to System/NodeRole.

4997	   o  The Reference class is now defined by [RFC-ENUM].

4999	   o  The data previously represented in the Impact class is now in the
5000	      SystemImpact and IncidentCategory classes.  The Impact class has
5001	      been removed.

5003	   o  The semantics of Counter@type are now represented in Counter@unit.

5005	   o  The IODEF-Document@formatid attribute has been renamed to @format-
5006	      id.

5008	   o  Incident/ReportTime is no longer mandatory.  However,
5009	      GenerationTime is.

5011	   o  The Fax class was removed and is now represented by a generic
5012	      Telephone class.

5014	   o  The Telephone, Email and PostalAddress classes were redefined from
5015	      improved internationalization.

5017	5.  Extending the IODEF

5019	   In order to support the dynamic nature of security operations, the
5020	   IODEF data model will need to continue to evolve.  This section
5021	   discusses how new data elements can be incorporated into the IODEF.
5022	   There is support to ad additional enumerated values and new classes.
5023	   Adding additional attributes to existing classes is not supported.

5025	   These extension mechanisms are designed so that adding new data
5026	   elements is possible without requiring a modifications to this
5027	   document.  Extensions can be implemented publicly or privately.  With
5028	   proven value, well documented extensions can be incorporated into
5029	   future versions of the specification.

5031	5.1.  Extending the Enumerated Values of Attributes

5033	   Additional enumerated values can be added to select attributes either
5034	   through the use of specially marked attributes with the "ext-" prefix
5035	   or through a set of corresponding IANA registries.  The former
5036	   approach allows for the extension to remain private.  The latter
5037	   approach is public.

5039	5.1.1.  Private Extension of Enumerated Values

5041	   The data model supports adding new enumerated values to an attribute
5042	   without public registration.  For each attribute that supports this
5043	   extension technique, there is a corresponding attribute in the same
5044	   element whose name is identical but with a prefix of "ext-".  This
5045	   special attribute is referred to as the extension attribute.  The
5046	   attribute being extended is referred to as an extensible attribute.
5047	   For example, an extensible attribute named "foo" will have a
5048	   corresponding extension attribute named "ext-foo".  An element may
5049	   have many extensible attributes.

5051	   In addition to a corresponding extension attribute, each extensible
5052	   attribute has "ext-value" as one its possible enumerated values.

5054	   Selection of this particular value in an extensible attribute signals
5055	   that the extension attribute contains data.  Otherwise, this "ext-
5056	   value" value has no meaning.

5058	   In order to add a new enumerated value to an extensible attribute,
5059	   the value of this attribute MUST be set to "ext-value", and the new
5060	   desired value MUST be set in the corresponding extension attribute.
5061	   For example, extending the type attribute of the SystemImpact class
5062	   would look as follows:

5064	    <SystemImpact type="ext-value" ext-type="new-attack-type">

5066	   A given extension attribute MUST NOT be set unless the corresponding
5067	   extensible attribute has been set to "ext-value".

5069	5.1.2.  Public Extension of Enumerated Values

5071	   The data model also supports publicly extending select enumerated
5072	   attributes.  A new entry can be added by registering a new entry in
5073	   the appropriate IANA registry.  Section 10.2 provides a mapping
5074	   between the extensible attributes and their corresponding registry.
5075	   Section 4.3 discusses the XML Validation implications of this type of
5076	   extension.  All extensible attributes that support private extensions
5077	   also support public extensions.

5079	5.2.  Extending Classes

5081	   Classes of the EXTENSION (iodef:ExtensionType) type can extend the
5082	   data model.  They provide the ability to have new atomic or XML-
5083	   encoded data elements in all of the top-level classes of the Incident
5084	   class and a few of the complex subordinate classes.  As there are
5085	   multiple instances of the extensible classes in the data model, there
5086	   is discretion on where to add a new data element.  It is RECOMMENDED
5087	   that the extension be placed in the most closely related class to the
5088	   new information.

5090	   Extensions using the atomic data types (i.e., all values of the dtype
5091	   attributes other than "xml") MUST:

5093	   1.  Set the element content to the desired value, and

5095	   2.  Set the dtype attribute to correspond to the data type of the
5096	       element content.

5098	   The following guidelines exist for extensions using XML (i.e.,
5099	   dtype="xml"):

5101	   1.  The element content of the extensible class MUST be set to the
5102	       desired value and the dtype attribute MUST be set to "xml".

5104	   2.  The extension schema MUST declare a separate namespace.  It is
5105	       RECOMMENDED that these extensions have the prefix "iodef-".  This
5106	       recommendation makes readability of the document easier by
5107	       allowing the reader to infer which namespaces relate to IODEF by
5108	       inspection.

5110	   3.  It is RECOMMENDED that extension schemas follow the naming
5111	       convention of the IODEF data model.  This too improves the
5112	       readability of extended IODEF documents.  The names of all
5113	       elements SHOULD be capitalized.  For elements with composed
5114	       names, a capital letter SHOULD be used for each word.  Attribute
5115	       names SHOULD be in lower case.  Attributes with composed names
5116	       SHOULD be separated by a hyphen.

5118	   4.  Implementations that encounter an unrecognized element in a
5119	       supported namespace MUST reject the document as a syntax error.

5121	   5.  There are security and performance implications in requiring
5122	       implementations to dynamically download schemas at run time.
5123	       Therefore, implementations SHOULD NOT download schemas at runtime
5124	       unless the appropriate precautions are taken.  Implementations
5125	       also need to contend with the potential of significant network
5126	       and processing issues.

5128	   6.  Some adopters of the IODEF may have private schema definitions
5129	       that are not publicly available.  Thus implementations may
5130	       encounter IODEF documents with references to private schemas that
5131	       may not be resolvable.  Hence, IODEF document recipients MUST be
5132	       prepared for a schema definition in an IODEF document never to
5133	       resolve.

5135	   The following schema and XML document excerpt provide a template for
5136	   an extension schema and its use in the IODEF document.

5138	   This example schema defines a namespace of "iodef-extension1" and a
5139	   single element named "newdata".

5141	     <xs:schema
5142	        targetNamespace="iodef-extension1.xsd"
5143	        xmlns:iodef-extension1="iodef-extension1.xsd"
5144	        xmlns:xs="http://www.w3.org/2001/XMLSchema">
5145	        attributeFormDefault="unqualified"
5146	        elementFormDefault="qualified">
5147	      <xs:import
5148	           namespace="urn:ietf:params:xml:ns:iodef-2.0"
5149	           schemaLocation=" urn:ietf:params:xml:schema:iodef-2.0"/>

5151	        <xs:element name="newdata" type="xs:string" />
5152	     </xs:schema>

5154	   The following XML excerpt demonstrates the use of the above schema as
5155	   an extension to the IODEF.

5157	        <IODEF-Document
5158	             version="2.00" lang="en-US"
5159	             xmlns="urn:ietf:params:xml:ns:iodef-2.0"
5160	             xmlns:iodef=" urn:ietf:params:xml:ns:iodef-2.0"
5161	             xmlns:iodef-extension1="iodef-extension1.xsd"
5162	             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5163	             xsi:schemaLocation="iodef-extension1.xsd">
5164	            <Incident purpose="reporting">
5165	            ...
5166	              <AdditionalData dtype="xml" meaning="xml">
5167	                <iodef-extension1:newdata>
5168	                 Field that could not be represented elsewhere
5169	                </iodef-extension1:newdata>
5170	              </AdditionalData>
5171	            </Incident>
5172	      </IODEF-Document

5174	5.3.  Deconflicting Private Extensions

5176	   To disambiguate which private extension is used in an IODEF document,
5177	   the data model provides a means to identify the source of an
5178	   extension.  Two attributes in the IODEF-Document class, private-enum-
5179	   name and private-enum-id, are used to specify this attribution.  Only
5180	   a single private extension can be identified in a given IODEF-
5181	   Document.

5183	   If an implementor has a single private extension, then only the
5184	   private-enum-name attribute needs to be specified.  Multiple distinct
5185	   private extensions or versioning of a single extension can be
5186	   attributed by also setting the corresponding private-num-id
5187	   attribute.

5189	   The following XML excerpt demonstrates the specification of a private
5190	   extension from "example.com" with an identifier of "13".

5192	        <IODEF-Document
5193	             version="2.00" lang="en-US"
5194	             private-enum-name="example.com"
5195	             private-enum-id="13"
5196	            ...
5197	      </IODEF-Document>

5199	   If an unrecognized private extension is encountered in processing,
5200	   the recipient MAY reject the entire document as a syntax error.

5202	6.  Internationalization Issues

5204	   Internationalization and localization is of specific concern to the
5205	   IODEF as it facilitates operational coordination with a diverse set
5206	   of partners.  The IODEF implements internationalization by relying on
5207	   XML constructs and through explicit design choices in the data model.

5209	   Since the IODEF is implemented as an XML Schema, it supports
5210	   different character encodings, such as UTF-8 and UTF-16, possible
5211	   with XML.  Additionally, each IODEF document MUST specify the
5212	   language in which its content is encoded.  The language can be
5213	   specified with the attribute "xml:lang" (per Section 2.12 of
5214	   [W3C.XML]) in the top-level element (i.e., IODEF-Document) and
5215	   letting all other elements inherit that definition.  All IODEF
5216	   classes with a free-form text definition (i.e., all those defined
5217	   with type iodef:MLStringType) can also specify a language different
5218	   from the rest of the document.

5220	   The data model supports multiple translations of free-form text.  All
5221	   ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
5222	   to their parent.  This allows the identical text translated into
5223	   different languages to be encoded in different instances of the same
5224	   class with a common parent.  This design also enables the creation of
5225	   a single document containing all the translations.  The IODEF
5226	   implementation SHOULD extract the appropriate language relevant to
5227	   the recipient.

5229	   Related instances of a given iodef:MLStringType class that are
5230	   translations of each other are identified by a common identifier set
5231	   in the translation-id attribute.  The example below shows three
5232	   instances of a Description class expressed in three different
5233	   languages.  The relationship between these three instances of the
5234	   Description class is conveyed by the common value of "1" in the
5235	   translation-id attribute.

5237	   <IODEF-Document version="2.00" xml:lang="en" ...
5238	     <Incident purpose="reporting">
5239	       ...
5240	       <Description translation-id="1"
5241	                    xml:lang="en">English</Description>
5242	       <Description translation-id="1"
5243	                    xml:lang="de">Englisch</Description>
5244	       <Description translation-id="1"
5245	                    xml:lang="fr">Anglais</Description>

5247	   The IODEF balances internationalization support with the need for
5248	   interoperability.  While the IODEF supports different languages, the
5249	   data model also relies heavily on standardized enumerated attributes
5250	   that can crudely approximate the contents of the document.  With this
5251	   approach, a CSIRT should be able to make some sense of an IODEF
5252	   document it receives even if the free-form text data elements are
5253	   written in a language unfamiliar to the recipient.

5255	7.  Examples

5257	   This section provides example of IODEF documents.  These examples do
5258	   not represent the full capabilities of the data model or the the only
5259	   way to encode particular information.

5261	7.1.  Minimal Example

5263	   A document containing only the mandatory elements and attributes.

5265	   <?xml version="1.0" encoding="UTF-8"?>
5266	   <!-- Minimum IODEF document -->
5267	   <IODEF-Document version="2.00" xml:lang="en"
5268	      xmlns="urn:ietf:params:xml:ns:iodef-2.0"
5269	      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5270	      xsi:schemaLocation=
5271	   "http://www.iana.org/assignments/xmlregistry/schema/
5272	   iodef-2.0.xsd">
5273	     <Incident purpose="reporting" restriction="private">
5274	       <IncidentID name="csirt.example.com">492382</IncidentID>
5275	       <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
5276	       <Contact type="organization" role="creator">
5277	         <Email>
5278	           <EmailTo>contact@csirt.example.com</EmailTo>
5279	         </Email>
5280	       </Contact>
5281	       <!-- Add more fields to make the document useful -->
5282	     </Incident>
5283	   </IODEF-Document>

5285	7.2.  Indicators from a Campaign

5287	   An example of C2 domains from a given campaign.

5289	   <?xml version="1.0" encoding="UTF-8"?>
5290	   <!-- A list of C2 domains associated with a campaign -->
5291	   <IODEF-Document version="2.00" xml:lang="en"
5292	      xmlns="urn:ietf:params:xml:ns:iodef-2.0"
5293	      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5294	      xsi:schemaLocation=
5295	      "http://www.iana.org/assignments/xml-registry/schema/
5296	       iodef-2.0.xsd">
5297	     <Incident purpose="watch" restriction="green">
5298	       <IncidentID name="csirt.example.com">897923</IncidentID>
5299	         <RelatedActivity>
5300	           <ThreatActor>
5301	             <ThreatActorID>
5302	             TA-12-AGGRESSIVE-BUTTERFLY
5303	             </ThreatActorID>
5304	             <Description>Aggressive Butterfly</Description>
5305	           </ThreatActor>
5306	           <Campaign>
5307	             <CampaignID>C-2015-59405</CampaignID>
5308	             <Description>Orange Giraffe</Description>
5309	           </Campaign>
5310	         </RelatedActivity>
5311	         <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
5312	         <Description>Summarizes the Indicators of Compromise
5313	           for the Orange Giraffe campaign of the Aggressive
5314	           Butterfly crime gang.
5315	         </Description>
5316	         <Assessment>
5317	           <BusinessImpact type="breach-proprietary"/>
5318	         </Assessment>
5319	         <Contact type="organization" role="creator">
5320	           <ContactName>CSIRT for example.com</ContactName>
5321	           <Email>
5322	             <EmailTo>contact@csirt.example.com</EmailTo>
5323	           </Email>
5324	         </Contact>
5325	         <IndicatorData>
5326	           <Indicator>
5327	             <IndicatorID name="csirt.example.com" version="1">
5328	             G90823490
5329	             </IndicatorID>
5330	             <Description>C2 domains</Description>
5331	             <StartTime>2014-12-02T11:18:00-05:00</StartTime>
5332	             <Observable>
5333	               <BulkObservable type="fqdn">
5334	               <BulkObservableList>
5335	                 kj290023j09r34.example.com
5336	                 09ijk23jfj0k8.example.net
5337	                 klknjwfjiowjefr923.example.org
5338	                 oimireik79msd.example.org
5339	               </BulkObservableList>
5340	             </BulkObservable>
5341	           </Observable>
5342	         </Indicator>
5343	       </IndicatorData>
5344	     </Incident>
5345	   </IODEF-Document>

5347	8.  The IODEF Data Model (XML Schema)

5349	  <?xml version="1.0"?>
5350	  <xs:schema xmlns="urn:ietf:params:xml:ns:iodef-2.0"
5351	             xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
5352	             xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
5353	             xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
5354	             xmlns:xs="http://www.w3.org/2001/XMLSchema"
5355	             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5356	             targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
5357	             elementFormDefault="qualified"
5358	             attributeFormDefault="unqualified">
5359	    <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
5360	               schemaLocation="http://www.w3.org/TR/2002/
5361	  REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
5362	    <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
5363	               schemaLocation="http://www.iana.org/assignments/
5364	  xml-registry/schema/iodef-enum-1.0.xsd"/>
5365	    <xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0"
5366	               schemaLocation="http://www.iana.org/assignments/
5367	  xml-registry/schema/iodef-sci-1.0.xsd"/>
5368	    <xs:import namespace="http://www.w3.org/XML/1998/namespace"
5369	               schemaLocation="http://www.w3c.org/2001/xml.xsd"/>
5370	    <xs:annotation>
5371	      <xs:documentation>
5372	         Incident Object Description Exchange Format v2.0, RFC5070bis
5373	      </xs:documentation>
5374	    </xs:annotation>
5375	    <!--
5376	     ===================================================================
5377	     == IODEF-Document class                                          ==
5378	     ===================================================================
5379	    -->
5380	    <xs:element name="IODEF-Document">
5381	      <xs:complexType>
5382	        <xs:sequence>
5383	          <xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
5384	          <xs:element ref="iodef:AdditionalData"
5385	                      minOccurs="0" maxOccurs="unbounded"/>
5386	        </xs:sequence>
5387	        <xs:attribute name="version" type="xs:string" fixed="2.00"/>
5388	        <xs:attribute ref="xml:lang"/>
5389	        <xs:attribute name="format-id" type="xs:string" use="optional"/>
5390	        <xs:attribute name="private-enum-name"
5391	                      type="xs:string" use="optional"/>
5392	        <xs:attribute name="private-enum-id"
5393	                      type="xs:string" use="optional"/>
5394	      </xs:complexType>
5395	    </xs:element>
5396	    <!--
5397	     ===================================================================
5398	     == Incident class                                                ==
5399	     ===================================================================
5400	    -->
5401	    <xs:element name="Incident">
5402	      <xs:complexType>
5403	        <xs:sequence>
5404	          <xs:element ref="iodef:IncidentID"/>
5405	          <xs:element ref="iodef:AlternativeID" minOccurs="0"/>
5406	          <xs:element ref="iodef:RelatedActivity"
5407	                      minOccurs="0" maxOccurs="unbounded"/>
5408	          <xs:element ref="iodef:DetectTime" minOccurs="0"/>
5409	          <xs:element ref="iodef:StartTime" minOccurs="0"/>
5410	          <xs:element ref="iodef:EndTime" minOccurs="0"/>
5411	          <xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
5412	          <xs:element ref="iodef:ReportTime" minOccurs="0"/>
5413	          <xs:element ref="iodef:GenerationTime"/>
5414	          <xs:element ref="iodef:Description"
5415	                      minOccurs="0" maxOccurs="unbounded"/>
5416	          <xs:element ref="iodef:Discovery"
5417	                      minOccurs="0" maxOccurs="unbounded"/>
5418	          <xs:element ref="iodef:Assessment"
5419	                      minOccurs="0" maxOccurs="unbounded"/>
5420	          <xs:element ref="iodef:Method"
5421	                      minOccurs="0" maxOccurs="unbounded"/>
5422	          <xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
5423	          <xs:element ref="iodef:EventData"
5424	                      minOccurs="0" maxOccurs="unbounded"/>
5425	          <xs:element ref="iodef:IndicatorData" minOccurs="0"/>
5426	          <xs:element ref="iodef:History" minOccurs="0"/>
5427	          <xs:element ref="iodef:AdditionalData"
5428	                      minOccurs="0" maxOccurs="unbounded"/>
5429	        </xs:sequence>
5430	        <xs:attribute name="purpose"
5431	                      type="incident-purpose-type" use="required"/>
5432	        <xs:attribute name="ext-purpose"
5433	                      type="xs:string" use="optional"/>
5434	        <xs:attribute name="status" type="incident-status-type"/>
5435	        <xs:attribute name="ext-status"
5436	                      type="xs:string" use="optional"/>
5437	        <xs:attribute ref="xml:lang"/>
5438	        <xs:attribute name="restriction"
5439	                      type="iodef:restriction-type" default="private"
5440	                      use="optional"/>
5441	        <xs:attribute name="ext-restriction"
5442	                      type="xs:string" use="optional"/>
5443	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
5444	      </xs:complexType>
5445	    </xs:element>
5446	    <xs:simpleType name="incident-purpose-type">
5447	      <xs:restriction base="xs:NMTOKEN">
5448	        <xs:enumeration value="traceback"/>
5449	        <xs:enumeration value="mitigation"/>
5450	        <xs:enumeration value="reporting"/>
5451	        <xs:enumeration value="watch"/>
5452	        <xs:enumeration value="other"/>
5453	        <xs:enumeration value="ext-value"/>
5454	      </xs:restriction>
5455	    </xs:simpleType>
5456	    <xs:simpleType name="incident-status-type">
5457	      <xs:restriction base="xs:NMTOKEN">
5458	        <xs:enumeration value="new"/>
5459	        <xs:enumeration value="in-progress"/>
5460	        <xs:enumeration value="forwarded"/>
5461	        <xs:enumeration value="resolved"/>
5462	        <xs:enumeration value="future"/>
5463	        <xs:enumeration value="ext-value"/>
5464	      </xs:restriction>
5465	    </xs:simpleType>
5466	    <!--
5467	     ===================================================================
5468	     ==  IncidentID class                                             ==
5469	     ===================================================================
5470	    -->
5471	    <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
5472	    <xs:complexType name="IncidentIDType">
5473	      <xs:simpleContent>
5474	        <xs:extension base="xs:string">
5475	          <xs:attribute name="name" type="xs:string" use="required"/>
5476	          <xs:attribute name="instance"
5477	                        type="xs:string" use="optional"/>
5478	          <xs:attribute name="restriction"
5479	                        type="iodef:restriction-type" use="optional"/>
5480	          <xs:attribute name="ext-restriction"
5481	                        type="xs:string" use="optional"/>
5482	        </xs:extension>
5483	      </xs:simpleContent>
5484	    </xs:complexType>
5485	    <!--
5486	     ==================================================================
5487	     ==  AlternativeID class                                         ==
5488	     ==================================================================
5489	    -->
5490	    <xs:element name="AlternativeID">
5491	      <xs:complexType>
5492	        <xs:sequence>
5493	          <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
5494	        </xs:sequence>
5495	        <xs:attribute name="restriction"
5496	                      type="iodef:restriction-type" use="optional"/>
5497	        <xs:attribute name="ext-restriction"
5498	                      type="xs:string" use="optional"/>
5499	      </xs:complexType>
5500	    </xs:element>
5501	    <!--
5502	     ===================================================================
5503	     ==  RelatedActivity class                                        ==
5504	     ===================================================================
5505	    -->
5506	    <xs:element name="RelatedActivity">
5507	      <xs:complexType>
5508	        <xs:sequence>
5509	          <xs:element ref="iodef:IncidentID"
5510	                      minOccurs="0" maxOccurs="unbounded"/>
5511	          <xs:element ref="iodef:URL"
5512	                      minOccurs="0" maxOccurs="unbounded"/>
5513	          <xs:element ref="iodef:ThreatActor"
5514	                      minOccurs="0" maxOccurs="unbounded"/>
5515	          <xs:element ref="iodef:Campaign"
5516	                      minOccurs="0" maxOccurs="unbounded"/>
5517	          <xs:element ref="iodef:IndicatorID"
5518	                      minOccurs="0" maxOccurs="unbounded"/>
5519	          <xs:element ref="iodef:Confidence" minOccurs="0"/>
5520	          <xs:element ref="iodef:Description"
5521	                      minOccurs="0" maxOccurs="unbounded"/>
5522	          <xs:element ref="iodef:AdditionalData"
5523	                      minOccurs="0" maxOccurs="unbounded"/>

5525	        </xs:sequence>
5526	        <xs:attribute name="restriction"
5527	                      type="iodef:restriction-type" use="optional"/>
5528	        <xs:attribute name="ext-restriction"
5529	                      type="xs:string" use="optional"/>
5530	      </xs:complexType>
5531	    </xs:element>
5532	    <xs:element name="ThreatActor">
5533	      <xs:complexType>
5534	        <xs:sequence>
5535	          <xs:element ref="iodef:ThreatActorID"
5536	                      minOccurs="0" maxOccurs="unbounded"/>
5537	          <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
5538	          <xs:element ref="iodef:Description"
5539	                      minOccurs="0" maxOccurs="unbounded"/>
5540	          <xs:element ref="iodef:AdditionalData"
5541	                      minOccurs="0" maxOccurs="unbounded"/>
5542	        </xs:sequence>
5543	        <xs:attribute name="restriction"
5544	                      type="iodef:restriction-type" use="optional"/>
5545	        <xs:attribute name="ext-restriction"
5546	                      type="xs:string" use="optional"/>
5547	      </xs:complexType>
5548	    </xs:element>
5549	    <xs:element name="ThreatActorID" type="xs:string"/>
5550	    <xs:element name="Campaign">
5551	      <xs:complexType>
5552	        <xs:sequence>
5553	          <xs:element ref="iodef:CampaignID"
5554	                      minOccurs="0" maxOccurs="unbounded"/>
5555	          <xs:element ref="iodef:URL"
5556	                      minOccurs="0" maxOccurs="unbounded"/>
5557	          <xs:element ref="iodef:Description"
5558	                      minOccurs="0" maxOccurs="unbounded"/>
5559	          <xs:element ref="iodef:AdditionalData"
5560	                      minOccurs="0" maxOccurs="unbounded"/>
5561	        </xs:sequence>
5562	        <xs:attribute name="restriction"
5563	                      type="iodef:restriction-type" use="optional"/>
5564	        <xs:attribute name="ext-restriction"
5565	                      type="xs:string" use="optional"/>
5566	      </xs:complexType>
5567	    </xs:element>
5568	    <xs:element name="CampaignID" type="xs:string"/>
5569	    <!--
5570	     ===================================================================
5571	     ==   Contact class                                               ==
5572	     ===================================================================

5574	    -->
5575	    <xs:element name="Contact">
5576	      <xs:complexType>
5577	        <xs:sequence>
5578	          <xs:element ref="iodef:ContactName"
5579	                      minOccurs="0" maxOccurs="unbounded"/>
5580	          <xs:element ref="iodef:ContactTitle"
5581	                      minOccurs="0" maxOccurs="unbounded"/>
5582	          <xs:element ref="iodef:Description"
5583	                      minOccurs="0" maxOccurs="unbounded"/>
5584	          <xs:element ref="iodef:RegistryHandle"
5585	                      minOccurs="0" maxOccurs="unbounded"/>
5586	          <xs:element ref="iodef:PostalAddress"
5587	                      minOccurs="0" maxOccurs="unbounded"/>
5588	          <xs:element ref="iodef:Email"
5589	                      minOccurs="0" maxOccurs="unbounded"/>
5590	          <xs:element ref="iodef:Telephone"
5591	                      minOccurs="0" maxOccurs="unbounded"/>
5592	          <xs:element ref="iodef:Timezone" minOccurs="0"/>
5593	          <xs:element ref="iodef:Contact"
5594	                      minOccurs="0" maxOccurs="unbounded"/>
5595	          <xs:element ref="iodef:AdditionalData"
5596	                      minOccurs="0" maxOccurs="unbounded"/>
5597	        </xs:sequence>
5598	        <xs:attribute name="role"
5599	                      type="contact-role-type" use="required"/>
5600	        <xs:attribute name="ext-role"
5601	                      type="xs:string" use="optional"/>
5602	        <xs:attribute name="type"
5603	                      type="contact-type-type" use="required"/>
5604	        <xs:attribute name="ext-type"
5605	                      type="xs:string" use="optional"/>
5606	        <xs:attribute name="restriction"
5607	                      type="iodef:restriction-type" use="optional"/>
5608	        <xs:attribute name="ext-restriction"
5609	                      type="xs:string" use="optional"/>
5610	      </xs:complexType>
5611	    </xs:element>
5612	    <xs:simpleType name="contact-role-type">
5613	      <xs:restriction base="xs:NMTOKEN">
5614	        <xs:enumeration value="creator"/>
5615	        <xs:enumeration value="reporter"/>
5616	        <xs:enumeration value="admin"/>
5617	        <xs:enumeration value="tech"/>
5618	        <xs:enumeration value="provider"/>
5619	        <xs:enumeration value="zone"/>
5620	        <xs:enumeration value="user"/>
5621	        <xs:enumeration value="billing"/>
5622	        <xs:enumeration value="legal"/>
5623	        <xs:enumeration value="abuse"/>
5624	        <xs:enumeration value="irt"/>
5625	        <xs:enumeration value="cc"/>
5626	        <xs:enumeration value="cc-irt"/>
5627	        <xs:enumeration value="leo"/>
5628	        <xs:enumeration value="vendor"/>
5629	        <xs:enumeration value="vendor-services"/>
5630	        <xs:enumeration value="victim"/>
5631	        <xs:enumeration value="victim-notified"/>
5632	        <xs:enumeration value="ext-value"/>
5633	      </xs:restriction>
5634	    </xs:simpleType>
5635	    <xs:simpleType name="contact-type-type">
5636	      <xs:restriction base="xs:NMTOKEN">
5637	        <xs:enumeration value="person"/>
5638	        <xs:enumeration value="organization"/>
5639	        <xs:enumeration value="ext-value"/>
5640	      </xs:restriction>
5641	    </xs:simpleType>
5642	    <xs:element name="ContactName" type="iodef:MLStringType"/>
5643	    <xs:element name="ContactTitle" type="iodef:MLStringType"/>
5644	    <xs:element name="RegistryHandle">
5645	      <xs:complexType>
5646	        <xs:simpleContent>
5647	          <xs:extension base="xs:string">
5648	            <xs:attribute name="registry"
5649	                          type="registryhandle-registry-type"/>
5650	            <xs:attribute name="ext-registry"
5651	                          type="xs:string" use="optional"/>
5652	          </xs:extension>
5653	        </xs:simpleContent>
5654	      </xs:complexType>
5655	    </xs:element>
5656	    <xs:simpleType name="registryhandle-registry-type">
5657	      <xs:restriction base="xs:NMTOKEN">
5658	        <xs:enumeration value="internic"/>
5659	        <xs:enumeration value="apnic"/>
5660	        <xs:enumeration value="arin"/>
5661	        <xs:enumeration value="lacnic"/>
5662	        <xs:enumeration value="ripe"/>
5663	        <xs:enumeration value="afrinic"/>
5664	        <xs:enumeration value="local"/>
5665	        <xs:enumeration value="ext-value"/>
5666	      </xs:restriction>
5667	    </xs:simpleType>
5668	    <xs:element name="PostalAddress">
5669	      <xs:complexType>
5670	        <xs:sequence>
5671	          <xs:element ref="iodef:PAddress"/>
5672	          <xs:element ref="iodef:Description"
5673	                      minOccurs="0" maxOccurs="unbounded"/>
5674	        </xs:sequence>
5675	        <xs:attribute name="type"
5676	                      type="postaladdress-type-type" use="optional"/>
5677	        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
5678	      </xs:complexType>
5679	    </xs:element>
5680	    <xs:element name="PAddress" type="iodef:MLStringType"/>
5681	    <xs:simpleType name="postaladdress-type-type">
5682	      <xs:restriction base="xs:NMTOKEN">
5683	        <xs:enumeration value="street"/>
5684	        <xs:enumeration value="mailing"/>
5685	        <xs:enumeration value="ext-value"/>
5686	      </xs:restriction>
5687	    </xs:simpleType>
5688	    <xs:element name="Telephone">
5689	      <xs:complexType>
5690	        <xs:sequence>
5691	          <xs:element ref="iodef:TelephoneNumber"/>
5692	          <xs:element ref="iodef:Description"
5693	                      minOccurs="0" maxOccurs="unbounded"/>
5694	        </xs:sequence>
5695	        <xs:attribute name="type"
5696	                      type="telephone-type-type" use="optional"/>
5697	        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
5698	      </xs:complexType>
5699	    </xs:element>
5700	    <xs:element name="TelephoneNumber" type="xs:string"/>
5701	    <xs:simpleType name="telephone-type-type">
5702	      <xs:restriction base="xs:NMTOKEN">
5703	        <xs:enumeration value="wired"/>
5704	        <xs:enumeration value="mobile"/>
5705	        <xs:enumeration value="fax"/>
5706	        <xs:enumeration value="hotline"/>
5707	        <xs:enumeration value="ext-value"/>
5708	      </xs:restriction>
5709	    </xs:simpleType>
5710	    <xs:element name="Email">
5711	      <xs:complexType>
5712	        <xs:sequence>
5713	          <xs:element ref="iodef:EmailTo"/>
5714	          <xs:element ref="iodef:Description"
5715	                      minOccurs="0" maxOccurs="unbounded"/>
5716	        </xs:sequence>
5717	        <xs:attribute name="type"
5718	                      type="email-type-type" use="optional"/>
5719	        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
5720	      </xs:complexType>
5721	    </xs:element>
5722	    <xs:simpleType name="email-type-type">
5723	      <xs:restriction base="xs:NMTOKEN">
5724	        <xs:enumeration value="direct"/>
5725	        <xs:enumeration value="hotline"/>
5726	        <xs:enumeration value="ext-value"/>
5727	      </xs:restriction>
5728	    </xs:simpleType>
5729	    <!--
5730	     ===================================================================
5731	     ==  Time-based classes                                           ==
5732	     ===================================================================
5733	    -->
5734	    <xs:element name="DateTime" type="xs:dateTime"/>
5735	    <xs:element name="ReportTime" type="xs:dateTime"/>
5736	    <xs:element name="DetectTime" type="xs:dateTime"/>
5737	    <xs:element name="StartTime" type="xs:dateTime"/>
5738	    <xs:element name="EndTime" type="xs:dateTime"/>
5739	    <xs:element name="RecoveryTime" type="xs:dateTime"/>
5740	    <xs:element name="GenerationTime" type="xs:dateTime"/>
5741	    <xs:element name="Timezone" type="iodef:TimezoneType"/>
5742	    <!--
5743	     ===================================================================
5744	     ==  History class                                                ==
5745	     ===================================================================
5746	    -->
5747	    <xs:element name="History">
5748	      <xs:complexType>
5749	        <xs:sequence>
5750	          <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
5751	        </xs:sequence>
5752	        <xs:attribute name="restriction"
5753	                      type="iodef:restriction-type" use="optional"/>
5754	        <xs:attribute name="ext-restriction"
5755	                      type="xs:string" use="optional"/>
5756	      </xs:complexType>
5757	    </xs:element>
5758	    <xs:element name="HistoryItem">
5759	      <xs:complexType>
5760	        <xs:sequence>
5761	          <xs:element ref="iodef:DateTime"/>
5762	          <xs:element ref="iodef:IncidentID" minOccurs="0"/>
5763	          <xs:element ref="iodef:Contact" minOccurs="0"/>
5764	          <xs:element ref="iodef:Description"
5765	                      minOccurs="0" maxOccurs="unbounded"/>

5767	          <xs:element ref="iodef:DefinedCOA"
5768	                      minOccurs="0" maxOccurs="unbounded"/>
5769	          <xs:element ref="iodef:AdditionalData"
5770	                      minOccurs="0" maxOccurs="unbounded"/>
5771	        </xs:sequence>
5772	        <xs:attribute name="action"
5773	                      type="iodef:action-type" use="required"/>
5774	        <xs:attribute name="ext-action"
5775	                      type="xs:string" use="optional"/>
5776	        <xs:attribute name="restriction"
5777	                      type="iodef:restriction-type" use="optional"/>
5778	        <xs:attribute name="ext-restriction"
5779	                      type="xs:string" use="optional"/>
5780	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
5781	      </xs:complexType>
5782	    </xs:element>
5783	    <xs:element name="DefinedCOA" type="xs:string"/>
5784	    <!--
5785	     ===================================================================
5786	     ==  Expectation class                                            ==
5787	     ===================================================================
5788	    -->
5789	    <xs:element name="Expectation">
5790	      <xs:complexType>
5791	        <xs:sequence>
5792	          <xs:element ref="iodef:Description"
5793	                      minOccurs="0" maxOccurs="unbounded"/>
5794	          <xs:element ref="iodef:DefinedCOA"
5795	                      minOccurs="0" maxOccurs="unbounded"/>
5796	          <xs:element ref="iodef:StartTime" minOccurs="0"/>
5797	          <xs:element ref="iodef:EndTime" minOccurs="0"/>
5798	          <xs:element ref="iodef:Contact" minOccurs="0"/>
5799	        </xs:sequence>
5800	        <xs:attribute name="action"
5801	                      type="iodef:action-type" default="other"/>
5802	        <xs:attribute name="ext-action"
5803	                      type="xs:string" use="optional"/>
5804	        <xs:attribute name="severity" type="iodef:severity-type"/>
5805	        <xs:attribute name="restriction"
5806	                      type="iodef:restriction-type" use="optional"/>
5807	        <xs:attribute name="ext-restriction"
5808	                      type="xs:string" use="optional"/>
5809	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
5810	      </xs:complexType>
5811	    </xs:element>
5812	    <!--
5813	     ===================================================================
5814	     ==  Discovery class                                              ==
5815	     ===================================================================
5816	    -->
5817	    <xs:element name="Discovery">
5818	      <xs:complexType>
5819	        <xs:sequence>
5820	          <xs:element ref="iodef:Description"
5821	                      minOccurs="0" maxOccurs="unbounded"/>
5822	          <xs:element ref="iodef:Contact"
5823	                      minOccurs="0" maxOccurs="unbounded"/>
5824	          <xs:element ref="iodef:DetectionPattern"
5825	                      minOccurs="0" maxOccurs="unbounded"/>
5826	        </xs:sequence>
5827	        <xs:attribute name="source"
5828	                      type="discovery-source-type" use="optional"
5829	                      default="unknown"/>
5830	        <xs:attribute name="ext-source"
5831	                      type="xs:string" use="optional"/>
5832	        <xs:attribute name="restriction"
5833	                      type="iodef:restriction-type" use="optional"/>
5834	        <xs:attribute name="ext-restriction"
5835	                      type="xs:string" use="optional"/>
5836	      </xs:complexType>
5837	    </xs:element>
5838	    <xs:simpleType name="discovery-source-type">
5839	      <xs:restriction base="xs:NMTOKEN">
5840	        <xs:enumeration value="nidps"/>
5841	        <xs:enumeration value="hips"/>
5842	        <xs:enumeration value="siem"/>
5843	        <xs:enumeration value="av"/>
5844	        <xs:enumeration value="third-party-monitoring"/>
5845	        <xs:enumeration value="incident"/>
5846	        <xs:enumeration value="os-log"/>
5847	        <xs:enumeration value="application-log"/>
5848	        <xs:enumeration value="device-log"/>
5849	        <xs:enumeration value="network-flow"/>
5850	        <xs:enumeration value="passive-dns"/>
5851	        <xs:enumeration value="investigation"/>
5852	        <xs:enumeration value="audit"/>
5853	        <xs:enumeration value="internal-notification"/>
5854	        <xs:enumeration value="external-notification"/>
5855	        <xs:enumeration value="leo"/>
5856	        <xs:enumeration value="partner"/>
5857	        <xs:enumeration value="actor"/>
5858	        <xs:enumeration value="unknown"/>
5859	        <xs:enumeration value="ext-value"/>
5860	      </xs:restriction>
5861	    </xs:simpleType>
5862	    <xs:element name="DetectionPattern">
5863	      <xs:complexType>
5864	        <xs:sequence>
5865	          <xs:element ref="iodef:Application"/>
5866	          <xs:element ref="iodef:Description"
5867	                      minOccurs="0" maxOccurs="unbounded"/>
5868	          <xs:element name="DetectionConfiguration"
5869	                      type="xs:string"
5870	                      minOccurs="0" maxOccurs="unbounded"/>
5871	        </xs:sequence>
5872	        <xs:attribute name="restriction"
5873	                      type="iodef:restriction-type" use="optional"/>
5874	        <xs:attribute name="ext-restriction"
5875	                      type="xs:string" use="optional"/>
5876	      </xs:complexType>
5877	    </xs:element>
5878	    <!--
5879	     ===================================================================
5880	     ==  Method class                                                 ==
5881	     ===================================================================
5882	    -->
5883	    <xs:element name="Method">
5884	      <xs:complexType>
5885	        <xs:sequence>
5886	          <xs:element ref="iodef:Reference"
5887	                      minOccurs="0" maxOccurs="unbounded"/>
5888	          <xs:element ref="iodef:Description"
5889	                      minOccurs="0" maxOccurs="unbounded"/>
5890	          <xs:element ref="sci:AttackPattern"
5891	                      minOccurs="0" maxOccurs="unbounded"/>
5892	          <xs:element ref="sci:Vulnerability"
5893	                      minOccurs="0" maxOccurs="unbounded"/>
5894	          <xs:element ref="sci:Weakness"
5895	                      minOccurs="0" maxOccurs="unbounded"/>
5896	          <xs:element ref="iodef:AdditionalData"
5897	                      minOccurs="0" maxOccurs="unbounded"/>
5898	        </xs:sequence>
5899	        <xs:attribute name="restriction"
5900	                      type="iodef:restriction-type" use="optional"/>
5901	        <xs:attribute name="ext-restriction"
5902	                      type="xs:string" use="optional"/>
5903	      </xs:complexType>
5904	    </xs:element>
5905	    <!--
5906	     ===================================================================
5907	     ==  Reference class                                              ==
5908	     ===================================================================
5909	    -->
5910	    <xs:element name="Reference">
5911	      <xs:complexType>
5912	        <xs:sequence>
5913	          <xs:element ref="enum:ReferenceName" minOccurs="0"/>
5914	          <xs:element ref="iodef:URL"
5915	                      minOccurs="0" maxOccurs="unbounded"/>
5916	          <xs:element ref="iodef:Description"
5917	                      minOccurs="0" maxOccurs="unbounded"/>
5918	        </xs:sequence>
5919	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
5920	      </xs:complexType>
5921	    </xs:element>
5922	    <!--
5923	     ===================================================================
5924	     ==  Assessment class                                             ==
5925	     ===================================================================
5926	    -->
5927	    <xs:element name="Assessment">
5928	      <xs:complexType>
5929	        <xs:sequence>
5930	          <xs:element ref="iodef:IncidentCategory"
5931	                      minOccurs="0" maxOccurs="unbounded"/>
5932	          <xs:choice maxOccurs="unbounded">
5933	            <xs:element ref="iodef:SystemImpact"/>
5934	            <xs:element ref="iodef:BusinessImpact"/>
5935	            <xs:element ref="iodef:TimeImpact"/>
5936	            <xs:element ref="iodef:MonetaryImpact"/>
5937	            <xs:element ref="iodef:IntendedImpact"/>
5938	          </xs:choice>
5939	          <xs:element ref="iodef:Counter"
5940	                      minOccurs="0" maxOccurs="unbounded"/>
5941	          <xs:element ref="iodef:MitigatingFactor"
5942	                      minOccurs="0" maxOccurs="unbounded"/>
5943	          <xs:element ref="iodef:Cause"
5944	                      minOccurs="0" maxOccurs="unbounded"/>
5945	          <xs:element ref="iodef:Confidence" minOccurs="0"/>
5946	          <xs:element ref="iodef:AdditionalData"
5947	                      minOccurs="0" maxOccurs="unbounded"/>
5948	        </xs:sequence>
5949	        <xs:attribute name="occurrence">
5950	          <xs:simpleType>
5951	            <xs:restriction base="xs:NMTOKEN">
5952	              <xs:enumeration value="actual"/>
5953	              <xs:enumeration value="potential"/>
5954	            </xs:restriction>
5955	          </xs:simpleType>
5956	        </xs:attribute>
5957	        <xs:attribute name="restriction"
5958	                      type="iodef:restriction-type" use="optional"/>

5960	        <xs:attribute name="ext-restriction"
5961	                      type="xs:string" use="optional"/>
5962	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
5963	      </xs:complexType>
5964	    </xs:element>
5965	    <xs:element name="IncidentCategory" type="iodef:MLStringType"/>
5966	    <xs:element name="BusinessImpact" type="iodef:BusinessImpactType"/>
5967	    <xs:element name="IntendedImpact" type="iodef:BusinessImpactType"/>
5968	    <xs:element name="MitigatingFactor" type="iodef:MLStringType"/>
5969	    <xs:element name="Cause" type="iodef:MLStringType"/>
5970	    <xs:element name="SystemImpact">
5971	      <xs:complexType>
5972	        <xs:sequence>
5973	          <xs:element ref="iodef:Description"
5974	                      minOccurs="0" maxOccurs="unbounded"/>
5975	        </xs:sequence>
5976	        <xs:attribute name="severity"
5977	                      type="iodef:severity-type" use="optional"/>
5978	        <xs:attribute name="completion"
5979	                      type="iodef:systemimpact-completion-type"
5980	                      use="optional"/>
5981	        <xs:attribute name="type"
5982	                      type="systemimpact-type-type"
5983	                      use="optional" default="unknown"/>
5984	        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
5985	      </xs:complexType>
5986	    </xs:element>
5987	    <xs:simpleType name="systemimpact-completion-type">
5988	      <xs:restriction base="xs:NMTOKEN">
5989	        <xs:enumeration value="failed"/>
5990	        <xs:enumeration value="succeeded"/>
5991	      </xs:restriction>
5992	    </xs:simpleType>
5993	    <xs:simpleType name="systemimpact-type-type">
5994	      <xs:restriction base="xs:NMTOKEN">
5995	        <xs:enumeration value="takeover-account"/>
5996	        <xs:enumeration value="takeover-service"/>
5997	        <xs:enumeration value="takeover-system"/>
5998	        <xs:enumeration value="cps-manipulation"/>
5999	        <xs:enumeration value="cps-damage"/>
6000	        <xs:enumeration value="availability-data"/>
6001	        <xs:enumeration value="availability-account"/>
6002	        <xs:enumeration value="availability-service"/>
6003	        <xs:enumeration value="availability-system"/>
6004	        <xs:enumeration value="damaged-system"/>
6005	        <xs:enumeration value="damaged-data"/>
6006	        <xs:enumeration value="breach-proprietary"/>
6007	        <xs:enumeration value="breach-privacy"/>
6008	        <xs:enumeration value="breach-credential"/>
6009	        <xs:enumeration value="breach-configuration"/>
6010	        <xs:enumeration value="integrity-data"/>
6011	        <xs:enumeration value="integrity-configuration"/>
6012	        <xs:enumeration value="integrity-hardware"/>
6013	        <xs:enumeration value="traffic-redirection"/>
6014	        <xs:enumeration value="monitoring-traffic"/>
6015	        <xs:enumeration value="monitoring-host"/>
6016	        <xs:enumeration value="policy"/>
6017	        <xs:enumeration value="unknown"/>
6018	        <xs:enumeration value="ext-value"/>
6019	      </xs:restriction>
6020	    </xs:simpleType>
6021	    <xs:complexType name="BusinessImpactType">
6022	      <xs:sequence>
6023	        <xs:element ref="iodef:Description"
6024	                    minOccurs="0" maxOccurs="unbounded"/>
6025	      </xs:sequence>
6026	      <xs:attribute name="severity"
6027	                    type="businessimpact-severity-type" use="optional"/>
6028	      <xs:attribute name="ext-severity"
6029	                    type="xs:string" use="optional"/>
6030	      <xs:attribute name="type"
6031	                    type="businessimpact-type-type"
6032	                    use="optional" default="unknown"/>
6033	      <xs:attribute name="ext-type" type="xs:string" use="optional"/>
6034	    </xs:complexType>
6035	    <xs:simpleType name="businessimpact-severity-type">
6036	      <xs:restriction base="xs:NMTOKEN">
6037	        <xs:enumeration value="none"/>
6038	        <xs:enumeration value="low"/>
6039	        <xs:enumeration value="medium"/>
6040	        <xs:enumeration value="high"/>
6041	        <xs:enumeration value="unknown"/>
6042	        <xs:enumeration value="ext-value"/>
6043	      </xs:restriction>
6044	    </xs:simpleType>
6045	    <xs:simpleType name="businessimpact-type-type">
6046	      <xs:restriction base="xs:NMTOKEN">
6047	        <xs:enumeration value="breach-proprietary"/>
6048	        <xs:enumeration value="breach-privacy"/>
6049	        <xs:enumeration value="breach-credential"/>
6050	        <xs:enumeration value="loss-of-integrity"/>
6051	        <xs:enumeration value="loss-of-service"/>
6052	        <xs:enumeration value="theft-financial"/>
6053	        <xs:enumeration value="theft-service"/>
6054	        <xs:enumeration value="degraded-reputation"/>
6055	        <xs:enumeration value="asset-damage"/>
6056	        <xs:enumeration value="asset-manipulation"/>
6057	        <xs:enumeration value="legal"/>
6058	        <xs:enumeration value="extortion"/>
6059	        <xs:enumeration value="unknown"/>
6060	        <xs:enumeration value="ext-value"/>
6061	      </xs:restriction>
6062	    </xs:simpleType>
6063	    <xs:element name="TimeImpact">
6064	      <xs:complexType>
6065	        <xs:simpleContent>
6066	          <xs:extension base="iodef:PositiveFloatType">
6067	            <xs:attribute name="severity" type="iodef:severity-type"/>
6068	            <xs:attribute name="metric"
6069	                          type="timeimpact-metric-type" use="required"/>
6070	            <xs:attribute name="ext-metric"
6071	                          type="xs:string" use="optional"/>
6072	            <xs:attribute name="duration" type="iodef:duration-type"/>
6073	            <xs:attribute name="ext-duration"
6074	                          type="xs:string" use="optional"/>
6075	          </xs:extension>
6076	        </xs:simpleContent>
6077	      </xs:complexType>
6078	    </xs:element>
6079	    <xs:simpleType name="timeimpact-metric-type">
6080	      <xs:restriction base="xs:NMTOKEN">
6081	        <xs:enumeration value="labor"/>
6082	        <xs:enumeration value="elapsed"/>
6083	        <xs:enumeration value="downtime"/>
6084	        <xs:enumeration value="ext-value"/>
6085	      </xs:restriction>
6086	    </xs:simpleType>
6087	    <xs:element name="MonetaryImpact">
6088	      <xs:complexType>
6089	        <xs:simpleContent>
6090	          <xs:extension base="iodef:PositiveFloatType">
6091	            <xs:attribute name="severity" type="iodef:severity-type"/>
6092	            <xs:attribute name="currency" type="xs:string"/>
6093	          </xs:extension>
6094	        </xs:simpleContent>
6095	      </xs:complexType>
6096	    </xs:element>
6097	    <xs:element name="Confidence">
6098	      <xs:complexType>
6099	        <xs:attribute name="rating"
6100	                      type="confidence-rating-type" use="required"/>
6101	        <xs:attribute name="ext-rating"
6102	                      type="xs:string" use="optional"/>
6103	      </xs:complexType>

6105	    </xs:element>
6106	    <xs:simpleType name="confidence-rating-type">
6107	      <xs:restriction base="xs:NMTOKEN">
6108	        <xs:enumeration value="low"/>
6109	        <xs:enumeration value="medium"/>
6110	        <xs:enumeration value="high"/>
6111	        <xs:enumeration value="numeric"/>
6112	        <xs:enumeration value="unknown"/>
6113	        <xs:enumeration value="ext-value"/>
6114	      </xs:restriction>
6115	    </xs:simpleType>
6116	    <!--
6117	     ===================================================================
6118	     == EventData class                                               ==
6119	     ===================================================================
6120	    -->
6121	    <xs:element name="EventData">
6122	      <xs:complexType>
6123	        <xs:sequence>
6124	          <xs:element ref="iodef:Description"
6125	                      minOccurs="0" maxOccurs="unbounded"/>
6126	          <xs:element ref="iodef:DetectTime" minOccurs="0"/>
6127	          <xs:element ref="iodef:StartTime" minOccurs="0"/>
6128	          <xs:element ref="iodef:EndTime" minOccurs="0"/>
6129	          <xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
6130	          <xs:element ref="iodef:ReportTime" minOccurs="0"/>
6131	          <xs:element ref="iodef:Contact"
6132	                      minOccurs="0" maxOccurs="unbounded"/>
6133	          <xs:element ref="iodef:Discovery"
6134	                      minOccurs="0" maxOccurs="unbounded"/>
6135	          <xs:element ref="iodef:Assessment" minOccurs="0"/>
6136	          <xs:element ref="iodef:Method"
6137	                      minOccurs="0" maxOccurs="unbounded"/>
6138	          <xs:element ref="iodef:Flow"
6139	                      minOccurs="0" maxOccurs="unbounded"/>
6140	          <xs:element ref="iodef:Expectation"
6141	                      minOccurs="0" maxOccurs="unbounded"/>
6142	          <xs:element ref="iodef:Record" minOccurs="0"/>
6143	          <xs:element ref="iodef:EventData"
6144	                      minOccurs="0" maxOccurs="unbounded"/>
6145	          <xs:element ref="iodef:AdditionalData"
6146	                      minOccurs="0" maxOccurs="unbounded"/>
6147	        </xs:sequence>
6148	        <xs:attribute name="restriction"
6149	                      type="iodef:restriction-type" use="optional"/>
6150	        <xs:attribute name="ext-restriction"
6151	                      type="xs:string" use="optional"/>
6152	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>

6154	      </xs:complexType>
6155	    </xs:element>
6156	    <!--
6157	     ===================================================================
6158	     ==  Flow class                                                   ==
6159	     ===================================================================
6160	    -->
6161	    <xs:element name="Flow">
6162	      <xs:complexType>
6163	        <xs:sequence>
6164	          <xs:element ref="iodef:System" maxOccurs="unbounded"/>
6165	        </xs:sequence>
6166	      </xs:complexType>
6167	    </xs:element>
6168	    <!--
6169	     ===================================================================
6170	     ==  System class                                                 ==
6171	     ===================================================================
6172	    -->
6173	    <xs:element name="System">
6174	      <xs:complexType>
6175	        <xs:sequence>
6176	          <xs:element ref="iodef:Node"/>
6177	          <xs:element ref="iodef:NodeRole"
6178	                      minOccurs="0" maxOccurs="unbounded"/>
6179	          <xs:element ref="iodef:Service"
6180	                      minOccurs="0" maxOccurs="unbounded"/>
6181	          <xs:element ref="iodef:OperatingSystem"
6182	                      minOccurs="0" maxOccurs="unbounded"/>
6183	          <xs:element ref="iodef:Counter"
6184	                      minOccurs="0" maxOccurs="unbounded"/>
6185	          <xs:element name="AssetID"
6186	                      type="xs:string"
6187	                      minOccurs="0" maxOccurs="unbounded"/>
6188	          <xs:element ref="iodef:Description"
6189	                      minOccurs="0" maxOccurs="unbounded"/>
6190	          <xs:element ref="iodef:AdditionalData"
6191	                      minOccurs="0" maxOccurs="unbounded"/>
6192	        </xs:sequence>
6193	        <xs:attribute name="category" type="system-category-type"/>
6194	        <xs:attribute name="ext-category"
6195	                      type="xs:string" use="optional"/>
6196	        <xs:attribute name="interface" type="xs:string"/>
6197	        <xs:attribute name="spoofed"
6198	                      type="yes-no-unknown-type" default="unknown"/>
6199	        <xs:attribute name="virtual"
6200	                      type="yes-no-unknown-type" use="optional"
6201	                      default="unknown"/>

6203	        <xs:attribute name="ownership" type="system-ownership-type"
6204	                      use="optional"/>
6205	        <xs:attribute name="ext-ownership"
6206	                      type="xs:string" use="optional"/>
6207	        <xs:attribute name="restriction"
6208	                      type="iodef:restriction-type" use="optional"/>
6209	        <xs:attribute name="ext-restriction"
6210	                      type="xs:string" use="optional"/>
6211	      </xs:complexType>
6212	    </xs:element>
6213	    <xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
6214	    <xs:simpleType name="system-category-type">
6215	      <xs:restriction base="xs:NMTOKEN">
6216	        <xs:enumeration value="source"/>
6217	        <xs:enumeration value="target"/>
6218	        <xs:enumeration value="intermediate"/>
6219	        <xs:enumeration value="sensor"/>
6220	        <xs:enumeration value="infrastructure"/>
6221	        <xs:enumeration value="ext-value"/>
6222	      </xs:restriction>
6223	    </xs:simpleType>
6224	    <xs:simpleType name="system-ownership-type">
6225	      <xs:restriction base="xs:NMTOKEN">
6226	        <xs:enumeration value="organization"/>
6227	        <xs:enumeration value="personal"/>
6228	        <xs:enumeration value="partner"/>
6229	        <xs:enumeration value="customer"/>
6230	        <xs:enumeration value="no-relationship"/>
6231	        <xs:enumeration value="unknown"/>
6232	        <xs:enumeration value="ext-value"/>
6233	      </xs:restriction>
6234	    </xs:simpleType>
6235	    <!--
6236	     ==================================================================
6237	     == Node class                                                   ==
6238	     ==================================================================
6239	    -->
6240	    <xs:element name="Node">
6241	      <xs:complexType>
6242	        <xs:sequence>
6243	          <xs:choice maxOccurs="unbounded">
6244	            <xs:element ref="iodef:DomainData"
6245	                        minOccurs="0" maxOccurs="unbounded"/>
6246	            <xs:element ref="iodef:Address"
6247	                        minOccurs="0" maxOccurs="unbounded"/>
6248	          </xs:choice>
6249	          <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
6250	          <xs:element ref="iodef:Location"
6251	                      minOccurs="0" maxOccurs="unbounded"/>
6252	          <xs:element ref="iodef:Counter"
6253	                      minOccurs="0" maxOccurs="unbounded"/>
6254	        </xs:sequence>
6255	      </xs:complexType>
6256	    </xs:element>
6257	    <xs:element name="Address">
6258	      <xs:complexType>
6259	        <xs:simpleContent>
6260	          <xs:extension base="xs:string">
6261	            <xs:attribute name="category"
6262	                          type="address-category-type"
6263	                          default="ipv6-addr"/>
6264	            <xs:attribute name="ext-category"
6265	                          type="xs:string" use="optional"/>
6266	            <xs:attribute name="vlan-name" type="xs:string"/>
6267	            <xs:attribute name="vlan-num" type="xs:integer"/>
6268	            <xs:attribute name="observable-id"
6269	                          type="xs:ID" use="optional"/>
6270	          </xs:extension>
6271	        </xs:simpleContent>
6272	      </xs:complexType>
6273	    </xs:element>
6274	    <xs:simpleType name="address-category-type">
6275	      <xs:restriction base="xs:NMTOKEN">
6276	        <xs:enumeration value="asn"/>
6277	        <xs:enumeration value="atm"/>
6278	        <xs:enumeration value="e-mail"/>
6279	        <xs:enumeration value="mac"/>
6280	        <xs:enumeration value="ipv4-addr"/>
6281	        <xs:enumeration value="ipv4-net"/>
6282	        <xs:enumeration value="ipv4-net-mask"/>
6283	        <xs:enumeration value="ipv6-addr"/>
6284	        <xs:enumeration value="ipv6-net"/>
6285	        <xs:enumeration value="ipv6-net-mask"/>
6286	        <xs:enumeration value="site-uri"/>
6287	        <xs:enumeration value="ext-value"/>
6288	      </xs:restriction>
6289	    </xs:simpleType>
6290	    <xs:element name="Location" type="iodef:MLStringType"/>
6291	    <xs:element name="NodeRole">
6292	      <xs:complexType>
6293	        <xs:sequence>
6294	          <xs:element ref="iodef:Description"
6295	                      minOccurs="0" maxOccurs="unbounded"/>
6296	        </xs:sequence>
6297	        <xs:attribute name="category"
6298	                      type="noderole-category-type" use="required"/>

6300	        <xs:attribute name="ext-category"
6301	                      type="xs:string" use="optional"/>
6302	      </xs:complexType>
6303	    </xs:element>
6304	    <xs:simpleType name="noderole-category-type">
6305	      <xs:restriction base="xs:NMTOKEN">
6306	        <xs:enumeration value="client"/>
6307	        <xs:enumeration value="client-enterprise"/>
6308	        <xs:enumeration value="client-partner"/>
6309	        <xs:enumeration value="client-remote"/>
6310	        <xs:enumeration value="client-kiosk"/>
6311	        <xs:enumeration value="client-mobile"/>
6312	        <xs:enumeration value="server-internal"/>
6313	        <xs:enumeration value="server-public"/>
6314	        <xs:enumeration value="www"/>
6315	        <xs:enumeration value="mail"/>
6316	        <xs:enumeration value="webmail"/>
6317	        <xs:enumeration value="messaging"/>
6318	        <xs:enumeration value="streaming"/>
6319	        <xs:enumeration value="voice"/>
6320	        <xs:enumeration value="file"/>
6321	        <xs:enumeration value="ftp"/>
6322	        <xs:enumeration value="p2p"/>
6323	        <xs:enumeration value="name"/>
6324	        <xs:enumeration value="directory"/>
6325	        <xs:enumeration value="credential"/>
6326	        <xs:enumeration value="print"/>
6327	        <xs:enumeration value="application"/>
6328	        <xs:enumeration value="database"/>
6329	        <xs:enumeration value="backup"/>
6330	        <xs:enumeration value="dhcp"/>
6331	        <xs:enumeration value="assessment"/>
6332	        <xs:enumeration value="source-control"/>
6333	        <xs:enumeration value="config-management"/>
6334	        <xs:enumeration value="monitoring"/>
6335	        <xs:enumeration value="infra"/>
6336	        <xs:enumeration value="infra-firewall"/>
6337	        <xs:enumeration value="infra-router"/>
6338	        <xs:enumeration value="infra-switch"/>
6339	        <xs:enumeration value="camera"/>
6340	        <xs:enumeration value="proxy"/>
6341	        <xs:enumeration value="remote-access"/>
6342	        <xs:enumeration value="log"/>
6343	        <xs:enumeration value="virtualization"/>
6344	        <xs:enumeration value="pos"/>
6345	        <xs:enumeration value="scada"/>
6346	        <xs:enumeration value="scada-supervisory"/>
6347	        <xs:enumeration value="sinkhole"/>
6348	        <xs:enumeration value="honeypot"/>
6349	        <xs:enumeration value="anonymization"/>
6350	        <xs:enumeration value="c2-server"/>
6351	        <xs:enumeration value="malware-distribution"/>
6352	        <xs:enumeration value="drop-server"/>
6353	        <xs:enumeration value="hop-point"/>
6354	        <xs:enumeration value="reflector"/>
6355	        <xs:enumeration value="phishing-site"/>
6356	        <xs:enumeration value="spear-phishing-site"/>
6357	        <xs:enumeration value="recruiting-site"/>
6358	        <xs:enumeration value="fraudulent-site"/>
6359	        <xs:enumeration value="ext-value"/>
6360	      </xs:restriction>
6361	    </xs:simpleType>
6362	    <!--
6363	     ===================================================================
6364	     ==  Service Class                                                ==
6365	     ===================================================================
6366	    -->
6367	    <xs:element name="Service">
6368	      <xs:complexType>
6369	        <xs:sequence>
6370	          <xs:element ref="iodef:ServiceName" minOccurs="0"/>
6371	          <xs:choice minOccurs="0">
6372	            <xs:element ref="iodef:Port"/>
6373	            <xs:element ref="iodef:Portlist"/>
6374	          </xs:choice>
6375	          <xs:element ref="iodef:ProtoType" minOccurs="0"/>
6376	          <xs:element ref="iodef:ProtoCode" minOccurs="0"/>
6377	          <xs:element ref="iodef:ProtoField" minOccurs="0"/>
6378	          <xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
6379	          <xs:element ref="iodef:EmailData" minOccurs="0"/>
6380	          <xs:element ref="iodef:Application" minOccurs="0"/>
6381	        </xs:sequence>
6382	        <xs:attribute name="ip-protocol"
6383	                      type="xs:integer" use="required"/>
6384	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6385	      </xs:complexType>
6386	    </xs:element>
6387	    <xs:element name="Port" type="xs:integer"/>
6388	    <xs:element name="Portlist" type="iodef:PortlistType"/>
6389	    <xs:element name="ProtoType" type="xs:integer"/>
6390	    <xs:element name="ProtoCode" type="xs:integer"/>
6391	    <xs:element name="ProtoField" type="xs:integer"/>
6392	    <xs:element name="ApplicationHeader">
6393	      <xs:complexType>
6394	        <xs:sequence>
6395	          <xs:element ref="iodef:ApplicationHeaderField"
6396	                      maxOccurs="unbounded"/>
6397	        </xs:sequence>
6398	      </xs:complexType>
6399	    </xs:element>
6400	    <xs:element name="ApplicationHeaderField"
6401	                type="iodef:ExtensionType"/>
6402	    <xs:element name="ServiceName">
6403	      <xs:complexType>
6404	        <xs:sequence>
6405	          <xs:element ref="iodef:IANAService"/>
6406	          <xs:element ref="iodef:URL"
6407	                      minOccurs="0" maxOccurs="unbounded"/>
6408	          <xs:element ref="iodef:Description"
6409	                      minOccurs="0" maxOccurs="unbounded"/>
6410	        </xs:sequence>
6411	      </xs:complexType>
6412	    </xs:element>
6413	    <xs:element name="IANAService" type="xs:string"/>
6414	    <xs:element name="Application" type="iodef:SoftwareType"/>
6415	    <!--
6416	     ===================================================================
6417	     ==  Counter class                                                ==
6418	     ===================================================================
6419	    -->
6420	    <xs:element name="Counter">
6421	      <xs:complexType>
6422	        <xs:simpleContent>
6423	          <xs:extension base="xs:float">
6424	            <xs:attribute name="type"
6425	                          type="counter-type-type" use="required"/>
6426	            <xs:attribute name="ext-type"
6427	                          type="xs:string" use="optional"/>
6428	            <xs:attribute name="unit"
6429	                          type="counter-unit-type" use="required"/>
6430	            <xs:attribute name="ext-unit"
6431	                          type="xs:string" use="optional"/>
6432	            <xs:attribute name="meaning"
6433	                          type="xs:string" use="optional"/>
6434	            <xs:attribute name="duration" type="iodef:duration-type"/>
6435	            <xs:attribute name="ext-duration"
6436	                          type="xs:string" use="optional"/>
6437	          </xs:extension>
6438	        </xs:simpleContent>
6439	      </xs:complexType>
6440	    </xs:element>
6441	    <xs:simpleType name="counter-type-type">
6442	      <xs:restriction base="xs:NMTOKEN">
6443	        <xs:enumeration value="counter"/>
6444	        <xs:enumeration value="rate"/>
6445	        <xs:enumeration value="average"/>
6446	        <xs:enumeration value="ext-value"/>
6447	      </xs:restriction>
6448	    </xs:simpleType>
6449	    <xs:simpleType name="counter-unit-type">
6450	      <xs:restriction base="xs:NMTOKEN">
6451	        <xs:enumeration value="byte"/>
6452	        <xs:enumeration value="mbit"/>
6453	        <xs:enumeration value="packet"/>
6454	        <xs:enumeration value="flow"/>
6455	        <xs:enumeration value="session"/>
6456	        <xs:enumeration value="event"/>
6457	        <xs:enumeration value="alert"/>
6458	        <xs:enumeration value="message"/>
6459	        <xs:enumeration value="host"/>
6460	        <xs:enumeration value="site"/>
6461	        <xs:enumeration value="organization"/>
6462	        <xs:enumeration value="ext-value"/>
6463	      </xs:restriction>
6464	    </xs:simpleType>
6465	    <!--
6466	     ===================================================================
6467	     ==  EmailData class                                              ==
6468	     ===================================================================
6469	    -->
6470	    <xs:element name="EmailData">
6471	      <xs:complexType>
6472	        <xs:sequence>
6473	          <xs:element ref="iodef:EmailTo"
6474	                      minOccurs="0" maxOccurs="unbounded"/>
6475	          <xs:element ref="iodef:EmailFrom" minOccurs="0"/>
6476	          <xs:element ref="iodef:EmailSubject" minOccurs="0"/>
6477	          <xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
6478	          <xs:element ref="iodef:EmailHeaderField"
6479	                      minOccurs="0" maxOccurs="unbounded"/>
6480	          <xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
6481	          <xs:element ref="iodef:EmailBody" minOccurs="0"/>
6482	          <xs:element ref="iodef:EmailMessage" minOccurs="0"/>
6483	          <xs:element ref="iodef:HashData" minOccurs="0"/>
6484	          <xs:element ref="SignatureData" minOccurs="0"/>
6485	        </xs:sequence>
6486	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6487	      </xs:complexType>
6488	    </xs:element>
6489	    <xs:element name="EmailTo" type="xs:string"/>
6490	    <xs:element name="EmailFrom" type="xs:string"/>
6491	    <xs:element name="EmailSubject" type="xs:string"/>
6492	    <xs:element name="EmailX-Mailer" type="xs:string"/>
6493	    <xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
6494	    <xs:element name="EmailHeaders" type="xs:string"/>
6495	    <xs:element name="EmailBody" type="xs:string"/>
6496	    <xs:element name="EmailMessage" type="xs:string"/>
6497	    <!--
6498	     ===================================================================
6499	     ==   DomainData class                                            ==
6500	     ===================================================================
6501	    -->
6502	    <xs:element name="DomainData">
6503	      <xs:complexType>
6504	        <xs:sequence>
6505	          <xs:element ref="iodef:Name" maxOccurs="1"/>
6506	          <xs:element ref="iodef:DateDomainWasChecked"
6507	                      minOccurs="0" maxOccurs="1"/>
6508	          <xs:element ref="iodef:RegistrationDate"
6509	                      minOccurs="0" maxOccurs="1"/>
6510	          <xs:element ref="iodef:ExpirationDate"
6511	                      minOccurs="0" maxOccurs="1"/>
6512	          <xs:element ref="iodef:RelatedDNS"
6513	                      minOccurs="0" maxOccurs="unbounded"/>
6514	          <xs:element ref="iodef:Nameservers"
6515	                      minOccurs="0" maxOccurs="unbounded"/>
6516	          <xs:element ref="iodef:DomainContacts"
6517	                      minOccurs="0" maxOccurs="1"/>
6518	        </xs:sequence>
6519	        <xs:attribute name="system-status"
6520	                      type="domaindata-system-status-type"/>
6521	        <xs:attribute name="ext-system-status"
6522	                      type="xs:string" use="optional"/>
6523	        <xs:attribute name="domain-status"
6524	                      type="domaindata-domain-status-type"/>
6525	        <xs:attribute name="ext-domain-status"
6526	                      type="xs:string" use="optional"/>
6527	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6528	      </xs:complexType>
6529	    </xs:element>
6530	    <xs:element name="Name" type="xs:string"/>
6531	    <xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
6532	    <xs:element name="RegistrationDate" type="xs:dateTime"/>
6533	    <xs:element name="ExpirationDate" type="xs:dateTime"/>
6534	    <xs:simpleType name="domaindata-system-status-type">
6535	      <xs:restriction base="xs:string">
6536	        <xs:enumeration value="spoofed"/>
6537	        <xs:enumeration value="fraudulent"/>
6538	        <xs:enumeration value="innocent-hacked"/>
6539	        <xs:enumeration value="innocent-hijacked"/>
6540	        <xs:enumeration value="unknown"/>
6541	        <xs:enumeration value="ext-value"/>
6542	      </xs:restriction>
6543	    </xs:simpleType>
6544	    <xs:simpleType name="domaindata-domain-status-type">
6545	      <xs:restriction base="xs:string">
6546	        <xs:enumeration value="reservedDelegation"/>
6547	        <xs:enumeration value="assignedAndActive"/>
6548	        <xs:enumeration value="assignedAndInactive"/>
6549	        <xs:enumeration value="assignedAndOnHold"/>
6550	        <xs:enumeration value="revoked"/>
6551	        <xs:enumeration value="transferPending"/>
6552	        <xs:enumeration value="registryLock"/>
6553	        <xs:enumeration value="registrarLock"/>
6554	        <xs:enumeration value="other"/>
6555	        <xs:enumeration value="unknown"/>
6556	        <xs:enumeration value="ext-value"/>
6557	      </xs:restriction>
6558	    </xs:simpleType>
6559	    <xs:element name="RelatedDNS" type="iodef:ExtensionType"/>
6560	    <xs:element name="Nameservers">
6561	      <xs:complexType>
6562	        <xs:sequence>
6563	          <xs:element ref="iodef:Server"/>
6564	          <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
6565	        </xs:sequence>
6566	      </xs:complexType>
6567	    </xs:element>
6568	    <xs:element name="Server" type="xs:string"/>
6569	    <xs:element name="DomainContacts">
6570	      <xs:complexType>
6571	        <xs:choice>
6572	          <xs:element ref="iodef:SameDomainContact"/>
6573	          <xs:element ref="iodef:Contact"
6574	                      minOccurs="1" maxOccurs="unbounded"/>
6575	        </xs:choice>
6576	      </xs:complexType>
6577	    </xs:element>
6578	    <xs:element name="SameDomainContact" type="xs:string"/>
6579	    <!--
6580	     ===================================================================
6581	     ==  Record class                                                 ==
6582	     ===================================================================
6583	    -->
6584	    <xs:element name="Record">
6585	      <xs:complexType>
6586	        <xs:sequence>
6587	          <xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>

6589	        </xs:sequence>
6590	        <xs:attribute name="restriction"
6591	                      type="iodef:restriction-type" use="optional"/>
6592	        <xs:attribute name="ext-restriction"
6593	                      type="xs:string" use="optional"/>
6594	      </xs:complexType>
6595	    </xs:element>
6596	    <xs:element name="RecordData">
6597	      <xs:complexType>
6598	        <xs:sequence>
6599	          <xs:element ref="iodef:DateTime" minOccurs="0"/>
6600	          <xs:element ref="iodef:Description"
6601	                      minOccurs="0" maxOccurs="unbounded"/>
6602	          <xs:element ref="iodef:Application" minOccurs="0"/>
6603	          <xs:element ref="iodef:RecordPattern"
6604	                      minOccurs="0" maxOccurs="unbounded"/>
6605	          <xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/>
6606	          <xs:element ref="iodef:URL"
6607	                      minOccurs="0" maxOccurs="unbounded"/>
6608	          <xs:element ref="iodef:FileData"
6609	                      minOccurs="0" maxOccurs="unbounded"/>
6610	          <xs:element ref="iodef:WindowsRegistryKeysModified"
6611	                      minOccurs="0" maxOccurs="unbounded"/>
6612	          <xs:element ref="iodef:CertificateData"
6613	                      minOccurs="0" maxOccurs="unbounded"/>
6614	          <xs:element ref="iodef:AdditionalData"
6615	                      minOccurs="0" maxOccurs="unbounded"/>
6616	        </xs:sequence>
6617	        <xs:attribute name="restriction"
6618	                      type="iodef:restriction-type" use="optional"/>
6619	        <xs:attribute name="ext-restriction"
6620	                      type="xs:string" use="optional"/>
6621	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6622	      </xs:complexType>
6623	    </xs:element>
6624	    <xs:element name="RecordPattern">
6625	      <xs:complexType>
6626	        <xs:simpleContent>
6627	          <xs:extension base="xs:string">
6628	            <xs:attribute name="type"
6629	                          type="recordpattern-type-type"
6630	                          use="required"/>
6631	            <xs:attribute name="ext-type"
6632	                          type="xs:string" use="optional"/>
6633	            <xs:attribute name="offset"
6634	                          type="xs:integer" use="optional"/>
6635	            <xs:attribute name="offsetunit"
6636	                          type="recordpattern-offsetunit-type"
6637	                          use="optional" default="line"/>
6638	            <xs:attribute name="ext-offsetunit"
6639	                          type="xs:string" use="optional"/>
6640	            <xs:attribute name="instance"
6641	                          type="xs:integer" use="optional"/>
6642	          </xs:extension>
6643	        </xs:simpleContent>
6644	      </xs:complexType>
6645	    </xs:element>
6646	    <xs:simpleType name="recordpattern-type-type">
6647	      <xs:restriction base="xs:NMTOKEN">
6648	        <xs:enumeration value="regex"/>
6649	        <xs:enumeration value="binary"/>
6650	        <xs:enumeration value="xpath"/>
6651	        <xs:enumeration value="ext-value"/>
6652	      </xs:restriction>
6653	    </xs:simpleType>
6654	    <xs:simpleType name="recordpattern-offsetunit-type">
6655	      <xs:restriction base="xs:NMTOKEN">
6656	        <xs:enumeration value="line"/>
6657	        <xs:enumeration value="byte"/>
6658	        <xs:enumeration value="ext-value"/>
6659	      </xs:restriction>
6660	    </xs:simpleType>
6661	    <xs:element name="RecordItem" type="iodef:ExtensionType"/>
6662	    <!--
6663	     ===================================================================
6664	     ==  WindowsRegistryKeysModified Class                            ==
6665	     ===================================================================
6666	    -->
6667	    <xs:element name="WindowsRegistryKeysModified">
6668	      <xs:complexType>
6669	        <xs:sequence>
6670	          <xs:element ref="iodef:Key" maxOccurs="unbounded"/>
6671	        </xs:sequence>
6672	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6673	      </xs:complexType>
6674	    </xs:element>
6675	    <xs:element name="Key">
6676	      <xs:complexType>
6677	        <xs:sequence>
6678	          <xs:element ref="iodef:KeyName"/>
6679	          <xs:element ref="iodef:Value" minOccurs="0"/>
6680	        </xs:sequence>
6681	        <xs:attribute name="registryaction"
6682	                      type="key-registryaction-type"/>
6683	        <xs:attribute name="ext-registryaction"
6684	                      type="xs:string" use="optional"/>

6686	      </xs:complexType>
6687	    </xs:element>
6688	    <xs:element name="KeyName" type="xs:string"/>
6689	    <xs:element name="Value" type="xs:string"/>
6690	    <xs:simpleType name="key-registryaction-type">
6691	      <xs:restriction base="xs:NMTOKEN">
6692	        <xs:enumeration value="add-key"/>
6693	        <xs:enumeration value="add-value"/>
6694	        <xs:enumeration value="delete-key"/>
6695	        <xs:enumeration value="delete-value"/>
6696	        <xs:enumeration value="modify-key"/>
6697	        <xs:enumeration value="modify-value"/>
6698	        <xs:enumeration value="ext-value"/>
6699	      </xs:restriction>
6700	    </xs:simpleType>
6701	    <!--
6702	    ====================================================================
6703	    ==  FileData Class                                                ==
6704	    ====================================================================
6705	    -->
6706	    <xs:element name="FileData">
6707	      <xs:complexType>
6708	        <xs:sequence>
6709	          <xs:element ref="iodef:File"
6710	                      minOccurs="1" maxOccurs="unbounded"/>
6711	        </xs:sequence>
6712	        <xs:attribute name="restriction"
6713	                      type="iodef:restriction-type" use="optional"/>
6714	        <xs:attribute name="ext-restriction"
6715	                      type="xs:string" use="optional"/>
6716	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6717	      </xs:complexType>
6718	    </xs:element>
6719	    <xs:element name="File">
6720	      <xs:complexType>
6721	        <xs:sequence>
6722	          <xs:element ref="iodef:FileName" minOccurs="0"/>
6723	          <xs:element ref="iodef:FileSize" minOccurs="0"/>
6724	          <xs:element ref="FileType" minOccurs="0"/>
6725	          <xs:element ref="iodef:URL"
6726	                      minOccurs="0" maxOccurs="unbounded"/>
6727	          <xs:element ref="iodef:HashData" minOccurs="0"/>
6728	          <xs:element ref="iodef:SignatureData" minOccurs="0"/>
6729	          <xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
6730	          <xs:element ref="iodef:FileProperties"
6731	                      minOccurs="0" maxOccurs="unbounded"/>
6732	        </xs:sequence>
6733	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>

6735	      </xs:complexType>
6736	    </xs:element>
6737	    <xs:element name="FileName" type="xs:string"/>
6738	    <xs:element name="FileSize" type="xs:integer"/>
6739	    <xs:element name="FileType" type="xs:integer"/>
6740	    <xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
6741	    <xs:element name="FileProperties" type="iodef:ExtensionType"/>
6742	    <!--
6743	    ====================================================================
6744	    ==  HashData Class                                                ==
6745	    ====================================================================
6746	    -->
6747	    <xs:element name="HashData">
6748	      <xs:complexType>
6749	        <xs:sequence>
6750	          <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
6751	          <xs:element ref="iodef:Hash"
6752	                      minOccurs="0" maxOccurs="unbounded"/>
6753	          <xs:element ref="iodef:FuzzyHash"
6754	                      minOccurs="0" maxOccurs="unbounded"/>
6755	        </xs:sequence>
6756	        <xs:attribute name="scope"
6757	                      type="hashdata-scope-type" use="required"/>
6758	        <xs:attribute name="ext-scope" type="xs:string" use="optional"/>
6759	      </xs:complexType>
6760	    </xs:element>
6761	    <xs:element name="HashTargetID" type="xs:string"/>
6762	    <xs:simpleType name="hashdata-scope-type">
6763	      <xs:restriction base="xs:NMTOKEN">
6764	        <xs:enumeration value="file-contents"/>
6765	        <xs:enumeration value="file-pe-section"/>
6766	        <xs:enumeration value="file-pe-iat"/>
6767	        <xs:enumeration value="file-pe-resource"/>
6768	        <xs:enumeration value="file-pdf-object"/>
6769	        <xs:enumeration value="email-hash"/>
6770	        <xs:enumeration value="email-headers-hash"/>
6771	        <xs:enumeration value="email-body-hash"/>
6772	        <xs:enumeration value="ext-value"/>
6773	      </xs:restriction>
6774	    </xs:simpleType>
6775	    <xs:element name="Hash">
6776	      <xs:complexType>
6777	        <xs:sequence>
6778	          <xs:element ref="ds:DigestMethod"/>
6779	          <xs:element ref="ds:DigestValue"/>
6780	          <xs:element ref="ds:CanonicalizationMethod"
6781	                      minOccurs="0"/>
6782	          <xs:element ref="iodef:Application" minOccurs="0"/>

6784	        </xs:sequence>
6785	      </xs:complexType>
6786	    </xs:element>
6787	    <xs:element name="FuzzyHash">
6788	      <xs:complexType>
6789	        <xs:sequence>
6790	          <xs:element ref="iodef:FuzzHashValue"
6791	                      maxOccurs="unbounded"/>
6792	          <xs:element ref="iodef:AdditionalData" minOccurs="0"/>
6793	          <xs:element ref="iodef:AdditionalData"
6794	                      minOccurs="0" maxOccurs="unbounded"/>
6795	        </xs:sequence>
6796	      </xs:complexType>
6797	    </xs:element>
6798	    <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
6799	    <!--
6800	     ===================================================================
6801	     ==  SignatureData Class                                          ==
6802	     ===================================================================
6803	    -->
6804	    <xs:element name="SignatureData">
6805	      <xs:complexType>
6806	        <xs:sequence>
6807	          <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
6808	        </xs:sequence>
6809	      </xs:complexType>
6810	    </xs:element>
6811	    <!--
6812	     ===================================================================
6813	     ==  CertificateData                                              ==
6814	     ===================================================================
6815	    -->
6816	    <xs:element name="CertificateData">
6817	      <xs:complexType>
6818	        <xs:sequence>
6819	          <xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
6820	        </xs:sequence>
6821	        <xs:attribute name="restriction"
6822	                      type="iodef:restriction-type" use="optional"/>
6823	        <xs:attribute name="ext-restriction"
6824	                      type="xs:string" use="optional"/>
6825	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6826	      </xs:complexType>
6827	    </xs:element>
6828	    <xs:element name="Certificate">
6829	      <xs:complexType>
6830	        <xs:sequence>
6831	          <xs:element ref="ds:X509Data"/>
6832	          <xs:element ref="iodef:Description"
6833	                      minOccurs="0" maxOccurs="unbounded"/>
6834	        </xs:sequence>
6835	        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
6836	      </xs:complexType>
6837	    </xs:element>
6838	    <!--
6839	     ===================================================================
6840	     == IndicatorData Class                                           ==
6841	     ===================================================================
6842	    -->
6843	    <xs:element name="IndicatorData">
6844	      <xs:complexType>
6845	        <xs:sequence>
6846	          <xs:element ref="iodef:Indicator"
6847	                      minOccurs="1" maxOccurs="unbounded"/>
6848	        </xs:sequence>
6849	      </xs:complexType>
6850	    </xs:element>
6851	    <xs:element name="Indicator">
6852	      <xs:complexType>
6853	        <xs:sequence>
6854	          <xs:element ref="iodef:IndicatorID"/>
6855	          <xs:element ref="iodef:AlternativeIndicatorID"
6856	                      minOccurs="0" maxOccurs="unbounded"/>
6857	          <xs:element ref="iodef:Description"
6858	                      minOccurs="0" maxOccurs="unbounded"/>
6859	          <xs:element ref="iodef:StartTime" minOccurs="0"/>
6860	          <xs:element ref="iodef:EndTime" minOccurs="0"/>
6861	          <xs:element ref="iodef:Confidence" minOccurs="0"/>
6862	          <xs:element ref="iodef:Contact"
6863	                      minOccurs="0" maxOccurs="unbounded"/>
6864	          <xs:choice>
6865	            <xs:element ref="iodef:Observable"/>
6866	            <xs:element ref="iodef:ObservableReference"/>
6867	            <xs:element ref="iodef:IndicatorExpression"/>
6868	            <xs:element ref="iodef:IndicatorReference"/>
6869	          </xs:choice>
6870	          <xs:element ref="iodef:NodeRole"
6871	                      minOccurs="0" maxOccurs="unbounded"/>
6872	          <xs:element ref="iodef:AttackPhase"
6873	                      minOccurs="0" maxOccurs="unbounded"/>
6874	          <xs:element ref="iodef:AdditionalData"
6875	                      minOccurs="0" maxOccurs="unbounded"/>
6876	        </xs:sequence>
6877	        <xs:attribute name="restriction"
6878	                      type="iodef:restriction-type" use="optional"/>
6879	        <xs:attribute name="ext-restriction"
6880	                      type="xs:string" use="optional"/>
6881	      </xs:complexType>
6882	    </xs:element>
6883	    <xs:element name="IndicatorID">
6884	      <xs:complexType>
6885	        <xs:simpleContent>
6886	          <xs:extension base="xs:ID">
6887	            <xs:attribute name="name" type="xs:string" use="required"/>
6888	            <xs:attribute name="version"
6889	                          type="xs:string" use="required"/>
6890	          </xs:extension>
6891	        </xs:simpleContent>
6892	      </xs:complexType>
6893	    </xs:element>
6894	    <xs:element name="AlternativeIndicatorID">
6895	      <xs:complexType>
6896	        <xs:sequence>
6897	          <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
6898	        </xs:sequence>
6899	        <xs:attribute name="restriction"
6900	                      type="iodef:restriction-type" use="optional"/>
6901	        <xs:attribute name="ext-restriction"
6902	                      type="xs:string" use="optional"/>
6903	      </xs:complexType>
6904	    </xs:element>
6905	    <xs:element name="Observable">
6906	      <xs:complexType>
6907	        <xs:sequence>
6908	          <xs:element ref="iodef:Address" minOccurs="0"/>
6909	          <xs:element ref="iodef:DomainData" minOccurs="0"/>
6910	          <xs:element ref="iodef:EmailData" minOccurs="0"/>
6911	          <xs:element ref="iodef:WindowsRegistryKeysModified"
6912	                           minOccurs="0"/>
6913	          <xs:element ref="iodef:FileData" minOccurs="0"/>
6914	          <xs:element ref="iodef:CertificateData" minOccurs="0"/>
6915	          <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
6916	          <xs:element ref="iodef:RecordData" minOccurs="0"/>
6917	          <xs:element ref="iodef:EventData" minOccurs="0"/>
6918	          <xs:element ref="iodef:Incident" minOccurs="0"/>
6919	          <xs:element ref="iodef:Expectation" minOccurs="0"
6920	                      maxOccurs="unbounded"/>
6921	          <xs:element ref="Reference" minOccurs="0"
6922	                      maxOccurs="unbounded"/>
6923	          <xs:element ref="iodef:Assessment" minOccurs="0"/>
6924	          <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
6925	          <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
6926	          <xs:element ref="iodef:AdditionalData" minOccurs="0"/>
6927	        </xs:sequence>
6928	        <xs:attribute name="restriction"
6929	                      type="iodef:restriction-type" use="optional"/>
6930	        <xs:attribute name="ext-restriction"
6931	                      type="xs:string" use="optional"/>
6932	      </xs:complexType>
6933	    </xs:element>
6934	    <xs:element name="BulkObservable">
6935	      <xs:complexType>
6936	        <xs:sequence>
6937	          <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
6938	          <xs:element name="BulkObservableList"
6939	                      type="xs:string" minOccurs="0"/>
6940	        </xs:sequence>
6941	        <xs:attribute name="type"
6942	                      type="bulkobservable-type-type" use="required"/>
6943	        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
6944	      </xs:complexType>
6945	    </xs:element>
6946	    <xs:simpleType name="bulkobservable-type-type">
6947	      <xs:restriction base="xs:NMTOKEN">
6948	        <xs:enumeration value="asn"/>
6949	        <xs:enumeration value="atm"/>
6950	        <xs:enumeration value="e-mail"/>
6951	        <xs:enumeration value="ipv4-addr"/>
6952	        <xs:enumeration value="ipv4-net"/>
6953	        <xs:enumeration value="ipv4-net-mask"/>
6954	        <xs:enumeration value="ipv6-addr"/>
6955	        <xs:enumeration value="ipv6-net"/>
6956	        <xs:enumeration value="ipv6-net-mask"/>
6957	        <xs:enumeration value="mac"/>
6958	        <xs:enumeration value="site-uri"/>
6959	        <xs:enumeration value="domain-name"/>
6960	        <xs:enumeration value="domain-to-ipv4"/>
6961	        <xs:enumeration value="domain-to-ipv6"/>
6962	        <xs:enumeration value="domain-to-ipv4-timestamp"/>
6963	        <xs:enumeration value="domain-to-ipv6-timestamp"/>
6964	        <xs:enumeration value="ipv4-port"/>
6965	        <xs:enumeration value="ipv6-port"/>
6966	        <xs:enumeration value="windows-reg-key"/>
6967	        <xs:enumeration value="file-hash"/>
6968	        <xs:enumeration value="email-x-mailer"/>
6969	        <xs:enumeration value="email-subject"/>
6970	        <xs:enumeration value="http-user-agent"/>
6971	        <xs:enumeration value="http-request-uri"/>
6972	        <xs:enumeration value="mutex"/>
6973	        <xs:enumeration value="file-path"/>
6974	        <xs:enumeration value="user-name"/>
6975	      </xs:restriction>

6977	    </xs:simpleType>
6978	    <xs:element name="BulkObservableFormat">
6979	      <xs:complexType>
6980	        <xs:sequence>
6981	          <xs:element ref="iodef:Hash" minOccurs="0"/>
6982	          <xs:element ref="iodef:AdditionalData"
6983	                      minOccurs="0" maxOccurs="unbounded"/>
6984	        </xs:sequence>
6985	      </xs:complexType>
6986	    </xs:element>
6987	    <xs:element name="IndicatorExpression">
6988	      <xs:complexType>
6989	        <xs:sequence>
6990	          <xs:choice>
6991	            <xs:element ref="iodef:IndicatorExpression" minOccurs="0"/>
6992	            <xs:element ref="iodef:Observable" minOccurs="0"/>
6993	            <xs:element ref="iodef:ObservableReference" minOccurs="0"/>
6994	            <xs:element ref="iodef:IndicatorReference" minOccurs="0"/>
6995	          </xs:choice>
6996	          <xs:element ref="iodef:AlternativeIndicatorID"
6997	                      minOccurs="0" maxOccurs="unbounded"/>
6998	        </xs:sequence>
6999	        <xs:attribute name="operator"
7000	                      type="indicatorexpression-operator-type"
7001	                      use="optional" default="and"/>
7002	        <xs:attribute name="ext-operator"
7003	                      type="xs:string" use="optional"/>
7004	      </xs:complexType>
7005	    </xs:element>
7006	    <xs:simpleType name="indicatorexpression-operator-type">
7007	      <xs:restriction base="xs:NMTOKEN">
7008	        <xs:enumeration value="not"/>
7009	        <xs:enumeration value="and"/>
7010	        <xs:enumeration value="or"/>
7011	        <xs:enumeration value="xor"/>
7012	      </xs:restriction>
7013	    </xs:simpleType>
7014	    <xs:element name="ObservableReference">
7015	      <xs:complexType>
7016	        <xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
7017	      </xs:complexType>
7018	    </xs:element>
7019	    <xs:element name="IndicatorReference">
7020	      <xs:complexType>
7021	        <xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
7022	        <xs:attribute name="euid-ref" type="xs:string" use="optional"/>
7023	        <xs:attribute name="version" type="xs:string" use="optional"/>
7024	      </xs:complexType>

7026	    </xs:element>
7027	    <xs:element name="AttackPhase">
7028	      <xs:complexType>
7029	        <xs:sequence>
7030	          <xs:element ref="iodef:AttackPhaseID"
7031	                      minOccurs="0" maxOccurs="unbounded"/>
7032	          <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
7033	          <xs:element ref="iodef:Description"
7034	                      minOccurs="0" maxOccurs="unbounded"/>
7035	          <xs:element ref="iodef:AdditionalData"
7036	                      minOccurs="0" maxOccurs="unbounded"/>
7037	        </xs:sequence>
7038	      </xs:complexType>
7039	    </xs:element>
7040	    <xs:element name="AttackPhaseID" type="xs:string"/>
7041	    <!--
7042	     ===================================================================
7043	     == Miscellaneous Classes                                         ==
7044	     ===================================================================
7045	    -->
7046	    <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
7047	    <xs:element name="Description" type="iodef:MLStringType"/>
7048	    <xs:element name="URL" type="xs:anyURI"/>
7049	    <!--
7050	     ===================================================================
7051	     == IODEF Data Types                                              ==
7052	     ===================================================================
7053	    -->
7054	    <xs:simpleType name="PositiveFloatType">
7055	      <xs:restriction base="xs:float">
7056	        <xs:minExclusive value="0"/>
7057	      </xs:restriction>
7058	    </xs:simpleType>
7059	    <xs:complexType name="MLStringType">
7060	      <xs:simpleContent>
7061	        <xs:extension base="xs:string">
7062	          <xs:attribute name="translation-id"
7063	                        type="xs:string" use="optional"/>
7064	          <xs:attribute ref="xml:lang"/>
7065	        </xs:extension>
7066	      </xs:simpleContent>
7067	    </xs:complexType>
7068	    <xs:simpleType name="PortlistType">
7069	      <xs:restriction base="xs:string">
7070	        <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
7071	      </xs:restriction>
7072	    </xs:simpleType>
7073	    <xs:simpleType name="TimezoneType">
7074	      <xs:restriction base="xs:string">
7075	        <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
7076	      </xs:restriction>
7077	    </xs:simpleType>
7078	    <xs:complexType name="ExtensionType" mixed="true">
7079	      <xs:sequence>
7080	        <xs:any namespace="##any" processContents="lax"
7081	                minOccurs="0" maxOccurs="unbounded"/>
7082	      </xs:sequence>

7084	      <xs:attribute name="name" type="xs:string" use="optional"/>
7085	      <xs:attribute name="dtype"
7086	                    type="iodef:dtype-type" use="required"/>
7087	      <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
7088	      <xs:attribute name="meaning" type="xs:string" use="optional"/>
7089	      <xs:attribute name="formatid" type="xs:string" use="optional"/>
7090	      <xs:attribute name="restriction"
7091	                    type="iodef:restriction-type" use="optional"/>
7092	      <xs:attribute name="ext-restriction"
7093	                    type="xs:string" use="optional"/>
7094	      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
7095	    </xs:complexType>
7096	    <xs:complexType name="SoftwareType">
7097	      <xs:sequence>
7098	        <xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
7099	        <xs:element ref="iodef:URL"
7100	                    minOccurs="0" maxOccurs="unbounded"/>
7101	        <xs:element ref="iodef:Description"
7102	                    minOccurs="0" maxOccurs="unbounded"/>
7103	      </xs:sequence>
7104	    </xs:complexType>
7105	    <xs:element name="SoftwareReference">
7106	      <xs:complexType>
7107	        <xs:sequence>
7108	          <xs:any namespace="##any" processContents="lax"
7109	                  minOccurs="0" maxOccurs="unbounded"/>
7110	        </xs:sequence>
7111	        <xs:attribute name="spec-name"
7112	                      type="softwarereference-spec-name-type"
7113	                      use="required"/>
7114	        <xs:attribute name="ext-spec-name"
7115	                      type="xs:string" use="optional"/>
7116	        <xs:attribute name="dtype"
7117	                      type="softwarereference-dtype-type"
7118	                      use="optional"/>
7119	        <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
7120	      </xs:complexType>
7121	    </xs:element>
7122	    <xs:simpleType name="softwarereference-spec-name-type">
7123	      <xs:restriction base="xs:NMTOKEN">
7124	        <xs:enumeration value="custom"/>
7125	        <xs:enumeration value="cpe"/>
7126	        <xs:enumeration value="swid"/>
7127	        <xs:enumeration value="ext-value"/>
7128	      </xs:restriction>
7129	    </xs:simpleType>
7130	    <xs:simpleType name="softwarereference-dtype-type">
7131	      <xs:restriction base="xs:NMTOKEN">
7132	        <xs:enumeration value="bytes"/>
7133	        <xs:enumeration value="integer"/>
7134	        <xs:enumeration value="real"/>
7135	        <xs:enumeration value="string"/>
7136	        <xs:enumeration value="xml"/>
7137	        <xs:enumeration value="ext-value"/>
7138	      </xs:restriction>
7139	    </xs:simpleType>
7140	    <!--
7141	     ===================================================================
7142	     == Global attribute type declarations                            ==
7143	     ===================================================================
7144	    -->
7145	    <xs:simpleType name="yes-no-unknown-type">
7146	      <xs:restriction base="xs:NMTOKEN">
7147	        <xs:enumeration value="yes"/>
7148	        <xs:enumeration value="no"/>
7149	        <xs:enumeration value="unknown"/>
7150	      </xs:restriction>
7151	    </xs:simpleType>
7152	    <xs:simpleType name="restriction-type">
7153	      <xs:restriction base="xs:NMTOKEN">
7154	        <xs:enumeration value="default"/>
7155	        <xs:enumeration value="public"/>
7156	        <xs:enumeration value="partner"/>
7157	        <xs:enumeration value="need-to-know"/>
7158	        <xs:enumeration value="private"/>
7159	        <xs:enumeration value="white"/>
7160	        <xs:enumeration value="green"/>
7161	        <xs:enumeration value="amber"/>
7162	        <xs:enumeration value="red"/>
7163	        <xs:enumeration value="ext-value"/>
7164	      </xs:restriction>
7165	    </xs:simpleType>
7166	    <xs:simpleType name="severity-type">
7167	      <xs:restriction base="xs:NMTOKEN">
7168	        <xs:enumeration value="low"/>
7169	        <xs:enumeration value="medium"/>
7170	        <xs:enumeration value="high"/>
7171	      </xs:restriction>
7172	    </xs:simpleType>
7173	    <xs:simpleType name="duration-type">
7174	      <xs:restriction base="xs:NMTOKEN">
7175	        <xs:enumeration value="second"/>
7176	        <xs:enumeration value="minute"/>
7177	        <xs:enumeration value="hour"/>
7178	        <xs:enumeration value="day"/>
7179	        <xs:enumeration value="month"/>
7180	        <xs:enumeration value="quarter"/>
7181	        <xs:enumeration value="year"/>
7182	        <xs:enumeration value="ext-value"/>
7183	      </xs:restriction>
7184	    </xs:simpleType>
7185	    <xs:simpleType name="action-type">
7186	      <xs:restriction base="xs:NMTOKEN">
7187	        <xs:enumeration value="nothing"/>
7188	        <xs:enumeration value="contact-source-site"/>
7189	        <xs:enumeration value="contact-target-site"/>
7190	        <xs:enumeration value="contact-sender"/>
7191	        <xs:enumeration value="investigate"/>
7192	        <xs:enumeration value="block-host"/>
7193	        <xs:enumeration value="block-network"/>
7194	        <xs:enumeration value="block-port"/>
7195	        <xs:enumeration value="rate-limit-host"/>
7196	        <xs:enumeration value="rate-limit-network"/>
7197	        <xs:enumeration value="rate-limit-port"/>
7198	        <xs:enumeration value="redirect-traffic"/>
7199	        <xs:enumeration value="honeypot"/>
7200	        <xs:enumeration value="upgrade-software"/>
7201	        <xs:enumeration value="rebuild-asset"/>
7202	        <xs:enumeration value="harden-asset"/>
7203	        <xs:enumeration value="remediate-other"/>
7204	        <xs:enumeration value="status-triage"/>
7205	        <xs:enumeration value="status-new-info"/>
7206	        <xs:enumeration value="watch-and-report"/>
7207	        <xs:enumeration value="defined-coa"/>
7208	        <xs:enumeration value="other"/>
7209	        <xs:enumeration value="ext-value"/>
7210	      </xs:restriction>
7211	    </xs:simpleType>
7212	    <xs:simpleType name="dtype-type">
7213	      <xs:restriction base="xs:NMTOKEN">
7214	        <xs:enumeration value="boolean"/>
7215	        <xs:enumeration value="byte"/>
7216	        <xs:enumeration value="bytes"/>
7217	        <xs:enumeration value="character"/>
7218	        <xs:enumeration value="date-time"/>
7219	        <xs:enumeration value="integer"/>
7220	        <xs:enumeration value="ntpstamp"/>
7221	        <xs:enumeration value="portlist"/>
7222	        <xs:enumeration value="real"/>
7223	        <xs:enumeration value="string"/>
7224	        <xs:enumeration value="file"/>
7225	        <xs:enumeration value="path"/>
7226	        <xs:enumeration value="frame"/>
7227	        <xs:enumeration value="packet"/>
7228	        <xs:enumeration value="ipv4-packet"/>
7229	        <xs:enumeration value="ipv6-packet"/>
7230	        <xs:enumeration value="url"/>
7231	        <xs:enumeration value="csv"/>
7232	        <xs:enumeration value="winreg"/>
7233	        <xs:enumeration value="xml"/>
7234	        <xs:enumeration value="ext-value"/>
7235	      </xs:restriction>
7236	    </xs:simpleType>
7237	  </xs:schema>

7239	9.  Security Considerations

7241	   The IODEF data model does not directly introduce security issues.
7242	   However, as the data encoded by the IODEF might be considered
7243	   sensitive by the parties exchanging it or by those described by it,
7244	   care needs to be taken to ensure appropriate handling during the
7245	   document exchange, subsequent processing or archiving.

7247	   The contents of an IODEF document may include a request for action.
7248	   An IODEF implementation may also initiate courses of action based on
7249	   the document contents.  For these reasons, care must be taken by
7250	   IODEF implementations to properly authenticate the sender and
7251	   receiver of the document.  The recipient must also ascribe
7252	   appropriate confidence to the data prior to action.

7254	   The underlying messaging format and protocol used to exchange
7255	   instances of the IODEF MUST provide appropriate guarantees of
7256	   confidentiality, integrity, and authenticity.  The use of a
7257	   standardized security protocol is encouraged.  The Real-time Inter-
7258	   network Defense (RID) protocol [RFC6545] and its associated transport
7259	   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

7261	   Executable content could be embedded into the IODEF document directly
7262	   or through an extension.  The IODEF implementation MUST handle this
7263	   content with care to prevent unintentional automated execution.

7265	   In order to suggest data processing and handling guidelines of the
7266	   encoded information, the IODEF allows a document sender to convey a
7267	   privacy policy using the restriction attribute.  The various
7268	   instances of this attribute allow different data elements of the
7269	   document to be covered by dissimilar policies.  While flexible, it
7270	   must be stressed that this approach only serves as a guideline from
7271	   the sender, as the recipient is free to ignore it.

7273	10.  IANA Considerations

7275	   This document registers a namespace, an XML schema, and a number of
7276	   registries that map to enumerated values defined in the data model.

7278	10.1.  Namespace and Schema

7280	   This document uses URNs to describe an XML namespace and schema
7281	   conforming to a registry mechanism described in [RFC3688]

7283	   Registration for the IODEF namespace:

7285	   o  URI: urn:ietf:params:xml:ns:iodef-2.0

7287	   o  Registrant Contact: See the first author of the "Author's Address"
7288	      section of this document.

7290	   o  XML: None.  Namespace URIs do not represent an XML specification.

7292	   Registration for the IODEF XML schema:

7294	   o  URI: urn:ietf:params:xml:schema:iodef-2.0

7296	   o  Registrant Contact: See the first author of the "Author's Address"
7297	      section of this document.

7299	   o  XML: See Section 8 of this document.

7301	10.2.  Enumerated Value Registries

7303	   This document creates 33 identically structured registries to be
7304	   managed by IANA:

7306	   o  Name of the parent registry: "Incident Object Description Exchange
7307	      Format v2 (IODEF)"

7309	   o  URL of the registry: http://www.iana.org/assignments/iodef2

7311	   o  Namespace format: A registry entry consists of:

7313	      *  Value.  An enumerated value for a given IODEF attribute.

7315	      *  Description.  A short description of the enumerated value.

7317	      *  Reference.  An optional list of URIs to further describe the
7318	         value.

7320	   o  Allocation policy: Expert Review per [RFC5226]

7322	   The registries to be created are named in the "Registry Name" column
7323	   of Table 1.  The initial values for the Value and Description fields
7324	   of a given registry are listed in the "IV (Value)" and "IV
7325	   (Description)" columns respectively.  The "IV (Value)" points to a
7326	   given schema type per Section 8.  Each enumerated value in the schema
7327	   gets a corresponding entry in a given registry.  The "IV
7328	   (Description)" points to a section in the text of this document that
7329	   describes each enumerated value.  The initial value of the Reference
7330	   field of every registry entry described below should be this
7331	   document.

7333	   +-----------------------+---------------------------+---------------+
7334	   |     Registry Name     |         IV (Value)        |       IV      |
7335	   |                       |                           | (Description) |
7336	   +-----------------------+---------------------------+---------------+
7337	   |      Restriction      |   iodef-restriction-type  | Section 3.3.1 |
7338	   |                       |                           |               |
7339	   |    Incident-purpose   |   incident-purpose-type   |  Section 3.2  |
7340	   |                       |                           |               |
7341	   |    Incident-status    |    incident-status-type   |  Section 3.2  |
7342	   |                       |                           |               |
7343	   |      Contact-role     |     contact-role-type     |  Section 3.9  |
7344	   |                       |                           |               |
7345	   |      Contact-type     |     contact-type-type     |  Section 3.9  |
7346	   |                       |                           |               |
7347	   |    RegistryHandle-    |  registryhandle-registry- | Section 3.9.1 |
7348	   |        registry       |            type           |               |
7349	   |                       |                           |               |
7350	   |     Telephone-type    |    telephone-type-type    | Section 3.9.4 |
7351	   |                       |                           |               |
7352	   |       Email-type      |      email-type-type      | Section 3.9.3 |
7353	   |                       |                           |               |
7354	   |   Expectation-action  |        action-type        |  Section 3.15 |
7355	   |                       |                           |               |
7356	   |    Discovery-source   |   discovery-source-type   |  Section 3.10 |
7357	   |                       |                           |               |
7358	   |   SystemImpact-type   |   systemimpact-type-type  |    Section    |
7359	   |                       |                           |     3.12.1    |
7360	   |                       |                           |               |
7361	   |    BusinessImpact-    |  businessimpact-severity- |    Section    |
7362	   |        severity       |            type           |     3.12.2    |
7363	   |                       |                           |               |
7364	   |  BusinessImpact-type  |  businessimpact-type-type |    Section    |
7365	   |                       |                           |     3.12.2    |
7366	   |                       |                           |               |
7367	   |   TimeImpact-metrics  |   timeimpact-metric-type  |    Section    |
7368	   |                       |                           |     3.12.3    |
7369	   |                       |                           |               |
7370	   |  TimeImpact-duration  |       duration-type       |    Section    |
7371	   |                       |                           |     3.12.3    |
7372	   |                       |                           |               |
7373	   |   Confidence-rating   |   confidence-rating-type  |    Section    |
7374	   |                       |                           |     3.12.5    |
7375	   |                       |                           |               |
7376	   |   NodeRole-category   |   noderole-category-type  |    Section    |
7377	   |                       |                           |     3.18.2    |
7378	   |                       |                           |               |
7379	   |    System-category    |    system-category-type   |  Section 3.17 |
7380	   |                       |                           |               |
7381	   |    System-ownership   |   system-ownership-type   |  Section 3.17 |
7382	   |                       |                           |               |
7383	   |    Address-category   |   address-category-type   |    Section    |
7384	   |                       |                           |     3.18.1    |
7385	   |                       |                           |               |
7386	   |      Counter-type     |     counter-type-type     |    Section    |
7387	   |                       |                           |     3.18.3    |
7388	   |                       |                           |               |
7389	   |      Counter-unit     |     counter-unit-type     |    Section    |
7390	   |                       |                           |     3.18.3    |
7391	   |                       |                           |               |
7392	   |   DomainData-system-  | domaindata-system-status- |  Section 3.19 |
7393	   |         status        |            type           |               |
7394	   |                       |                           |               |
7395	   |   DomainData-domain-  | domaindata-domain-status- |  Section 3.19 |
7396	   |         status        |            type           |               |
7397	   |                       |                           |               |
7398	   |   RecordPattern-type  |  recordpattern-type-type  |    Section    |
7399	   |                       |                           |     3.22.2    |
7400	   |                       |                           |               |
7401	   |     RecordPattern-    | recordpattern-offsetunit- |    Section    |
7402	   |       offsetunit      |            type           |     3.22.2    |
7403	   |                       |                           |               |
7404	   |   Key-registryaction  |  key-registryaction-type  |    Section    |
7405	   |                       |                           |     3.23.1    |
7406	   |                       |                           |               |
7407	   |     HashData-scope    |    hashdata-scope-type    |  Section 3.26 |
7408	   |                       |                           |               |
7409	   |  BulkObservable-type  |  bulkobservable-type-type |    Section    |
7410	   |                       |                           |    3.29.3.1   |
7411	   |                       |                           |               |
7412	   |  IndicatorExpression- |    indicatorexpression-   |    Section    |
7413	   |        operator       |       operator-type       |     3.29.4    |
7414	   |                       |                           |               |
7415	   |  ExtensionType-dtype  |         dtype-type        |  Section 2.16 |
7416	   |                       |                           |               |
7417	   |   SoftwareReference-  |  softwarereference-spec-  |    Section    |
7418	   |        spec-id        |          id-type          |     2.15.1    |
7419	   |                       |                           |               |
7420	   |   SoftwareReference-  |  softwarereference-dtype- |    Section    |
7421	   |         dtype         |            type           |     2.15.1    |
7422	   +-----------------------+---------------------------+---------------+

7424	                 Table 1: IANA Enumerated Value Registries

7426	11.  Acknowledgments

7428	   Thanks to Paul Stockler for his editorial leadership in the
7429	   transition of RFC5070bis to this document.

7431	   Thanks to Kathleen Moriarty, Brian Trammel, Alexey Melnikov, Takeshi
7432	   Takahashi, David Waltermire and Sean Turner as the MILE working group
7433	   chairs, secretary or area directors for providing feedback and
7434	   coordination of this document.

7436	   Thanks to the following individuals (listed alphabetically) who
7437	   provided feedback during the meetings, on the mailing list or through
7438	   implementation experience: Jerome Athias, David Black, Eric Burger,
7439	   Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
7440	   Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
7441	   Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
7442	   Suzuki and Nik Teague.

7444	12.  References

7446	12.1.  Normative References

7448	   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
7449	              (XML) 1.0 (Second Edition)", W3C Recommendation , October
7450	              2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

7452	   [W3C.SCHEMA]
7453	              World Wide Web Consortium, "XML XML Schema Part 1:
7454	              Structures Second Edition", W3C Recommendation , October
7455	              2004, <http://www.w3.org/TR/xmlschema-1/>.

7457	   [W3C.SCHEMA.DTYPES]
7458	              World Wide Web Consortium, "XML Schema Part 2: Datatypes
7459	              Second Edition", W3C Recommendation , October 2004,
7460	              <http://www.w3.org/TR/xmlschema-2/>.

7462	   [W3C.XMLNS]
7463	              World Wide Web Consortium, "Namespaces in XML", W3C
7464	              Recommendation , January 1999,
7465	              <http://www.w3.org/TR/REC-xml-names/>.

7467	   [W3C.XPATH]
7468	              World Wide Web Consortium, "XML Path Language (XPath)
7469	              2.0", W3C Candidate Recommendation , June 2006,
7470	              <http://www.w3.org/TR/xpath20/>.

7472	   [W3C.XMLSIG]
7473	              World Wide Web Consortium, "XML Signature Syntax and
7474	              Processing 2.0", W3C Candidate Recommendation , June 2008,
7475	              <http://www.w3.org/TR/xmldsig-core/>.

7477	   [IEEE.POSIX]
7478	              Institute of Electrical and Electronics Engineers,
7479	              "Information Technology - Portable Operating System
7480	              Interface (POSIX) - Part 1: Base Definitions",
7481	              IEEE 1003.1, June 2001.

7483	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
7484	              Requirement Levels", RFC 2119, March 1997.

7486	   [RFC5646]  Philips, A. and M. Davis, "Tags for Identifying of
7487	              Languages", RFC 5646, September 2009.

7489	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
7490	              Resource Identifiers (URI): Generic Syntax", RFC 3986,
7491	              January 2005`.

7493	   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
7494	              Procedures", BCP 2978, October 2000.

7496	   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
7497	              June 2006.

7499	   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
7500	              2008.

7502	   [RFC-ENUM]
7503	              Montville, A. and D. Black, "IODEF Enumeration Reference
7504	              Format", RFC 7495, January 2015.

7506	   [RFC-SCI]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
7507	              Incident Object Description Exchange Format (IODEF)
7508	              Extension for Structured Cybersecurity Information",
7509	              RFC 7203, April 2014.

7511	   [ISO4217]  International Organization for Standardization,
7512	              "International Standard: Codes for the representation of
7513	              currencies and funds, ISO 4217:2001", ISO 4217:2001,
7514	              August 2001.

7516	   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
7517	              2004.

7519	   [IANA.Ports]
7520	              Internet Assigned Numbers Authority, "Service Name and
7521	              Transport Protocol Port Number Registry", January 2014,
7522	              <http://www.iana.org/assignments/service-names-port-
7523	              numbers/service-names-port-numbers.txt>.

7525	   [IANA.Protocols]
7526	              Internet Assigned Numbers Authority, "Assigned Internet
7527	              Protocol Numbers", January 2014,
7528	              <http://www.iana.org/assignments/protocol-numbers/
7529	              protocol-numbers.txt>.

7531	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
7532	              10646", RFC 3629, November 2003.

7534	   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
7535	              10646", RFC 2781, February 2000.

7537	   [IANA.Media]
7538	              Internet Assigned Numbers Authority, "Media Types", March
7539	              2015, <http://www.iana.org/assignments/media-types/
7540	              media-types.xhtml>.

7542	12.2.  Informative References

7544	   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
7545	              Object Description Exchange Format", RFC 5070, December
7546	              2007.

7548	   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
7549	              RFC 6545, April 2012.

7551	   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
7552	              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
7553	              2012.

7555	   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
7556	              Class for Reporting Phishing", RFC 5901, July 2010.

7558	   [NIST800.61rev2]
7559	              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
7560	              "NIST Special Publication 800-61 Revision 2: Computer
7561	              Security Incident Handling Guide", January 2012,
7562	              <http://csrc.nist.gov/publications/nistpubs/800-61rev2/
7563	              SP800-61rev2.pdf>.

7565	   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
7566	              Type for the Internet Registry Information Service
7567	              (IRIS)", RFC 3982, January 2005.

7569	   [KB310516]
7570	              Microsoft Corporation, "How to add, modify, or delete
7571	              registry subkeys and values by using a registration
7572	              entries (.reg) file", December 2007.

7574	   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
7575	              Separated Values (CSV) File", RFC 4180, October 2005.

7577	   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
7578	              IANA Considerations Section in RFCs", RFC 5226, May 2008.

7580	Author's Address

7582	   Roman Danyliw
7583	   CERT - Carnegie Mellon University
7584	   Pittsburgh, PA
7585	   USA

7587	   EMail: rdd@cert.org