
The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-06

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 7970.
Authors Roman Danyliw , Paul Stoecker
Last updated 2014-05-29 (Latest revision 2014-02-13)
RFC stream Internet Engineering Task Force (IETF)
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Became RFC 7970 (Proposed Standard)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-mile-rfc5070-bis-06
"required"/>
         <xs:attribute name="formatid"
                       type="xs:string"/>
       </xs:complexType>


     </xs:element>
   <!--
    ==================================================================
    ===  Incident class                                            ===
    ==================================================================
   -->
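     <!--
       Incident element.
       Required children: IncidentID, ReportTime, at least one Assessment and
       at least one Contact. Every other child is optional.
       Attributes:
         purpose      Required. When it is "ext-value" the actual value is
                      carried in ext-purpose. The schema leaves ext-purpose
                      optional and unconstrained (xs:string), so a consumer has
                      to check that pairing itself and handle the string as
                      untrusted input.
         restriction  Handling label, default "private". Attribute defaults are
                      supplied only by a schema-validating parser, so a consumer
                      that parses without validation has to apply "private"
                      itself instead of reading a missing label as unrestricted.
         indicator-uid, indicator-set-id
                      Optional free-form strings; no format is enforced here.
     -->
     <xs:element name="Incident">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:IncidentID"/>
           <xs:element ref="iodef:AlternativeID" minOccurs="0"/>
           <xs:element ref="iodef:RelatedActivity" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:DetectTime" minOccurs="0"/>
           <xs:element ref="iodef:StartTime" minOccurs="0"/>
           <xs:element ref="iodef:EndTime" minOccurs="0"/>
           <xs:element ref="iodef:ReportTime"/>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Discovery" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Assessment" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
           <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:History" minOccurs="0"/>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="purpose" use="required">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="traceback"/>
               <xs:enumeration value="mitigation"/>
               <xs:enumeration value="reporting"/>
               <xs:enumeration value="watch"/>
               <xs:enumeration value="other"/>
               <xs:enumeration value="ext-value"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="ext-purpose" type="xs:string" use="optional"/>
         <xs:attribute name="lang" type="xs:language"/>
         <xs:attribute name="restriction" type="iodef:restriction-type" default="private"/>
         <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>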
   <!--
    ==================================================================
    ==  IncidentID class                                            ==
    ==================================================================
   -->
     <!--
       IncidentID: a string identifier with a required name attribute and an
       optional instance attribute. Both the content and the attributes are
       plain xs:string, so the schema enforces no identifier format.
       The restriction label defaults to "public" on this element; the default
       is applied only when the document is schema-validated.
     -->
     <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
     <xs:complexType name="IncidentIDType">
       <xs:simpleContent>
         <xs:extension base="xs:string">
           <xs:attribute name="name" type="xs:string" use="required"/>
           <xs:attribute name="instance" type="xs:string" use="optional"/>
           <xs:attribute name="restriction" type="iodef:restriction-type" default="public"/>
         </xs:extension>
       </xs:simpleContent>
     </xs:complexType>

   <!--
    ==================================================================
    ==  ReportID class                                              ==
    ==================================================================
   -->
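     <!--
       ReportID: one or more IncidentID elements plus an optional restriction
       handling label. No default is declared for the label here, so an absent
       attribute stays absent after validation.
     -->
     <xs:element name="ReportID">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>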

   <!--
    ==================================================================
    ==  AlternativeID class                                         ==
    ==================================================================
   -->
     <!--
       AlternativeID: one or more IncidentID elements plus an optional
       restriction handling label (no default declared on this element).
     -->
     <xs:element name="AlternativeID">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>
   <!--
    ==================================================================
    ==  RelatedActivity class                                       ==
    ==================================================================
   -->
     <!--
       RelatedActivity: a repeating choice of IncidentID, URL, ThreatActor and
       Campaign (at least one entry in total), followed by an optional
       Confidence and any number of Description and AdditionalData elements.
       Every list here is unbounded, so a consumer of untrusted documents
       should enforce its own size limits.
     -->
     <xs:element name="RelatedActivity">
       <xs:complexType>
         <xs:sequence>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
             <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
             <xs:element ref="iodef:ThreatActor" maxOccurs="unbounded"/>
             <xs:element ref="iodef:Campaign" maxOccurs="unbounded"/>
           </xs:choice>
           <xs:element ref="iodef:Confidence" minOccurs="0"/>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>

   <!--


    ==================================================================
    ==  ThreatActor class                                           ==
    ==================================================================
   -->
     <!--
       ThreatActor: either a ThreatActorID followed by optional Description
       elements, or at least one Description with no ID; then any number of
       AdditionalData elements.
       ThreatActorID is a plain xs:string, so the schema places no constraint
       on its format or length.
     -->
     <xs:element name="ThreatActor">
       <xs:complexType>
         <xs:sequence>
           <xs:choice>
             <xs:sequence>
               <xs:element ref="iodef:ThreatActorID"/>
               <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
             </xs:sequence>
             <xs:element ref="iodef:Description" minOccurs="1" maxOccurs="unbounded"/>
           </xs:choice>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>
     <xs:element name="ThreatActorID" type="xs:string"/>

   <!--
    ==================================================================
    ==  Campaign class                                              ==
    ==================================================================
   -->
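     <!--
       Campaign: either a CampaignID followed by optional Description
       elements, or at least one Description with no ID; then any number of
       AdditionalData elements.
       CampaignID is a plain xs:string, so the schema places no constraint on
       its format or length.
     -->
     <xs:element name="Campaign">
       <xs:complexType>
         <xs:sequence>
           <xs:choice>
             <xs:sequence>
               <xs:element ref="iodef:CampaignID"/>
               <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
             </xs:sequence>
             <xs:element ref="iodef:Description" minOccurs="1" maxOccurs="unbounded"/>
           </xs:choice>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>
     <xs:element name="CampaignID" type="xs:string"/>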

   <!--
    ==================================================================
    ==  AdditionalData class                                        ==
    ==================================================================
   -->
     <!--
       AdditionalData: extension point typed as iodef:ExtensionType.
       NOTE(review): ExtensionType is defined outside this excerpt; if it
       admits arbitrary content, consumers should process only the extensions
       they recognise and treat the rest as opaque, untrusted data.
     -->
     <xs:element name="AdditionalData"
                 type="iodef:ExtensionType"/>
   <!--
    ==================================================================
    ==   Contact class                                              ==
    ==================================================================
   -->
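     <!--
       Contact: contact details for a person or organization. Every child is
       optional; role and type are the only required attributes.
       Contact may contain further Contact elements with no limit on count or
       depth, so a consumer of untrusted documents should cap the nesting depth
       it is willing to process.
       When role or type is "ext-value" the actual value is carried in ext-role
       or ext-type. The schema leaves both optional and unconstrained
       (xs:string), so the pairing has to be checked by the consumer.
     -->
     <xs:element name="Contact">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:ContactName" minOccurs="0"/>
           <xs:element ref="iodef:ContactTitle" minOccurs="0"/>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:RegistryHandle" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
           <xs:element ref="iodef:Email" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Telephone" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Fax" minOccurs="0"/>
           <xs:element ref="iodef:Timezone" minOccurs="0"/>
           <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="role" use="required">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="creator"/>
               <xs:enumeration value="reporter"/>
               <xs:enumeration value="admin"/>
               <xs:enumeration value="tech"/>
               <xs:enumeration value="provider"/>
               <xs:enumeration value="zone"/>
               <xs:enumeration value="user"/>
               <xs:enumeration value="billing"/>
               <xs:enumeration value="legal"/>
               <xs:enumeration value="abuse"/>
               <xs:enumeration value="irt"/>
               <xs:enumeration value="cc"/>
               <xs:enumeration value="cc-irt"/>
               <xs:enumeration value="le"/>
               <xs:enumeration value="vendor"/>
               <xs:enumeration value="ext-value"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="ext-role" type="xs:string" use="optional"/>
         <xs:attribute name="type" use="required">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="person"/>
               <xs:enumeration value="organization"/>
               <xs:enumeration value="ext-value"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="ext-type" type="xs:string" use="optional"/>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>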
     <!-- ContactName and ContactTitle: text typed as iodef:MLStringType
          (defined outside this excerpt). -->
     <xs:element name="ContactName" type="iodef:MLStringType"/>
     <xs:element name="ContactTitle" type="iodef:MLStringType"/>
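     <!--
       RegistryHandle: a string handle with an optional registry attribute
       naming the registry it belongs to. No default is declared for registry.
       When registry is "ext-value" the actual value is carried in
       ext-registry, which is optional and unconstrained (xs:string).
     -->
     <xs:element name="RegistryHandle">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="xs:string">
             <xs:attribute name="registry">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="internic"/>
                   <xs:enumeration value="apnic"/>
                   <xs:enumeration value="arin"/>
                   <xs:enumeration value="lacnic"/>
                   <xs:enumeration value="ripe"/>
                   <xs:enumeration value="afrinic"/>
                   <xs:enumeration value="local"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-registry" type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>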

     <!-- PostalAddress: iodef:MLStringType text extended with an optional
          free-form "meaning" attribute. -->
     <xs:element name="PostalAddress">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:MLStringType">
             <xs:attribute name="meaning" type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>
     <!--
       Email, Telephone and Fax share ContactMeansType: xs:string content plus
       an optional free-form "meaning" attribute. No pattern facet is declared,
       so the schema does not check that a value is a well-formed address or
       number; a consumer that acts on these values has to validate them itself.
     -->
     <xs:element name="Email" type="iodef:ContactMeansType"/>
     <xs:element name="Telephone" type="iodef:ContactMeansType"/>
     <xs:element name="Fax" type="iodef:ContactMeansType"/>

     <xs:complexType name="ContactMeansType">
       <xs:simpleContent>
         <xs:extension base="xs:string">
           <xs:attribute name="meaning" type="xs:string" use="optional"/>
         </xs:extension>
       </xs:simpleContent>
     </xs:complexType>

   <!--
    ==================================================================
    ==  Time-based classes                                          ==
    ==================================================================
   -->
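     <!--
       Time-based elements. DateTime, ReportTime, DetectTime, StartTime and
       EndTime are xs:dateTime, which accepts values with or without a timezone
       designator; a consumer that correlates timelines has to decide how to
       treat a value that carries none.
     -->
     <xs:element name="DateTime" type="xs:dateTime"/>
     <xs:element name="ReportTime" type="xs:dateTime"/>
     <xs:element name="DetectTime" type="xs:dateTime"/>
     <xs:element name="StartTime" type="xs:dateTime"/>
     <xs:element name="EndTime" type="xs:dateTime"/>
     <xs:element name="Timezone" type="iodef:TimezoneType"/>
     <!--
       TimezoneType: either "Z" or a sign followed by hh:mm, with hh in 00..14
       and mm in 00..59. An XSD pattern facet has to match the whole value, so
       no explicit anchors are needed.
     -->
     <xs:simpleType name="TimezoneType">
       <xs:restriction base="xs:string">
         <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
       </xs:restriction>
     </xs:simpleType>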
   <!--
    ==================================================================
    ==  History class                                               ==
    ==================================================================
   -->
     <!--
       History: one or more HistoryItem elements. The restriction label
       defaults to the value "default"; the default is applied only when the
       document is schema-validated.
     -->
     <xs:element name="History">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
       </xs:complexType>
     </xs:element>
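     <!--
       HistoryItem: one entry in an incident's history. DateTime is the only
       required child and action the only required attribute.
       DefinedCOA is declared locally (name=, not ref=) as iodef:MLStringType.
       ext-action, indicator-uid and indicator-set-id are optional free-form
       strings. The schema does not require ext-action to be present for any
       particular action value; iodef:action-type is defined outside this
       excerpt.
     -->
     <xs:element name="HistoryItem">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:DateTime"/>
           <xs:element ref="iodef:IncidentID" minOccurs="0"/>
           <xs:element ref="iodef:Contact" minOccurs="0"/>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element name="DefinedCOA" type="iodef:MLStringType"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
         <xs:attribute name="action" type="iodef:action-type" use="required"/>
         <xs:attribute name="ext-action" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>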
   <!--
    ==================================================================
    ==  Expectation class                                           ==
    ==================================================================
   -->
     <!--
       Expectation: every child is optional (Description, a locally declared
       DefinedCOA, StartTime, EndTime, Contact).
       Declared defaults: restriction "default" and action "other". Both are
       supplied only by a schema-validating parser.
       ext-action, indicator-uid and indicator-set-id are optional free-form
       strings.
     -->
     <xs:element name="Expectation">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element name="DefinedCOA" type="iodef:MLStringType"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:StartTime" minOccurs="0"/>
           <xs:element ref="iodef:EndTime" minOccurs="0"/>
           <xs:element ref="iodef:Contact" minOccurs="0"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
         <xs:attribute name="severity" type="iodef:severity-type"/>
         <xs:attribute name="action" type="iodef:action-type" default="other"/>
         <xs:attribute name="ext-action" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>

   <!--
    ==================================================================
    ==  Discovery class                                             ==
    ==================================================================
   -->
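     <!--
       Discovery: how the incident was detected. All children are optional.
       source defaults to "unknown" (applied only under schema validation).
       When source is "ext-value" the actual value is carried in ext-source,
       which is optional and unconstrained (xs:string).
     -->
     <xs:element name="Discovery">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:DetectionPattern" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="source" use="optional" default="unknown">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="idps"/>
               <xs:enumeration value="siem"/>
               <xs:enumeration value="av"/>
               <xs:enumeration value="file-integrity"/>
               <xs:enumeration value="third-party-monitoring"/>
               <xs:enumeration value="os-log"/>
               <xs:enumeration value="application-log"/>
               <xs:enumeration value="device-log"/>
               <xs:enumeration value="network-flow"/>
               <xs:enumeration value="investigation"/>
               <xs:enumeration value="internal-notification"/>
               <xs:enumeration value="external-notification"/>
               <xs:enumeration value="unknown"/>
               <xs:enumeration value="ext-value"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="ext-source" type="xs:string" use="optional"/>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>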

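     <!--
       DetectionPattern: a required Application, optional Description
       elements, and any number of DetectionConfiguration strings.
       DetectionConfiguration is a locally declared, unconstrained xs:string.
       NOTE(review): presumably it carries tool-specific detection
       configuration; a receiver should review such content before loading it
       into a detection tool rather than applying it automatically.
     -->
     <xs:element name="DetectionPattern">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:Application"/>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element name="DetectionConfiguration" type="xs:string"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>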

   <!--
    ==================================================================
    ==  Method class                                                ==
    ==================================================================
   -->
     <!--
       Method: at least one Reference or Description, in any order and
       repeated as needed, followed by any number of AdditionalData elements.
     -->
     <xs:element name="Method">
       <xs:complexType>
         <xs:sequence>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:Reference"/>
             <xs:element ref="iodef:Description"/>
           </xs:choice>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>
   <!--
    ==================================================================
    ==  Reference class                                             ==
    ==================================================================
   -->
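     <!--
       Reference: a required, locally declared ReferenceName followed by
       optional URL and Description elements.
       attacktype is required; ext-attacktype, indicator-uid and
       indicator-set-id are optional free-form strings.
       The attacktype type is written with the iodef: prefix, like the other
       iodef types referenced in this listing, so that resolving it does not
       depend on how the schema's default namespace is declared.
       NOTE(review): the att-type definition is outside this excerpt; confirm
       that it is declared in the iodef target namespace.
       URL values come from the reporting party; a consumer should not
       dereference them automatically.
     -->
     <xs:element name="Reference">
       <xs:complexType>
         <xs:sequence>
           <xs:element name="ReferenceName" type="iodef:MLStringType"/>
           <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
         <!-- Attack type of the referenced method -->
         <xs:attribute name="attacktype" type="iodef:att-type" use="required"/>
         <xs:attribute name="ext-attacktype" type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>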

   <!--
    ==================================================================
    ==  Assessment class                                            ==
    ==================================================================
   -->
     <!--
       Assessment: at least one of Impact, BusinessImpact, TimeImpact or
       MonetaryImpact (repeatable, any order), then optional Counter,
       Confidence and AdditionalData elements.
       occurrence is optional and limited to "actual" or "potential"; no
       default is declared, so an absent value carries no implied meaning at
       the schema level.
     -->
     <xs:element name="Assessment">
       <xs:complexType>
         <xs:sequence>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:Impact"/>
             <xs:element ref="iodef:BusinessImpact"/>
             <xs:element ref="iodef:TimeImpact"/>
             <xs:element ref="iodef:MonetaryImpact"/>
           </xs:choice>
           <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Confidence" minOccurs="0"/>
           <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="occurrence">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="actual"/>
               <xs:enumeration value="potential"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
         <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>
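     <!--
       Impact: iodef:MLStringType text describing a technical impact.
       Attributes: severity (iodef:severity-type), completion ("failed" or
       "succeeded", no default) and type (default "unknown", applied only under
       schema validation).
       When type is "ext-value" the actual value is carried in ext-type, which
       is optional and unconstrained (xs:string).
     -->
     <xs:element name="Impact">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:MLStringType">
             <xs:attribute name="severity" type="iodef:severity-type"/>
             <xs:attribute name="completion">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="failed"/>
                   <xs:enumeration value="succeeded"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="type" use="optional" default="unknown">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="admin"/>
                   <xs:enumeration value="dos"/>
                   <xs:enumeration value="extortion"/>
                   <xs:enumeration value="file"/>
                   <xs:enumeration value="info-leak"/>
                   <xs:enumeration value="misconfiguration"/>
                   <xs:enumeration value="recon"/>
                   <xs:enumeration value="policy"/>
                   <xs:enumeration value="social-engineering"/>
                   <xs:enumeration value="user"/>
                   <xs:enumeration value="unknown"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-type" type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>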
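     <!--
       BusinessImpact: iodef:MLStringType text describing a business impact.
       severity is declared inline here with its own value list (including
       "ext-value"), unlike Impact, TimeImpact and MonetaryImpact, which use
       iodef:severity-type. Code that maps severities across the impact
       elements has to handle both value sets.
       severity and type are optional with no default. When either is
       "ext-value" the actual value is carried in ext-severity or ext-type,
       both optional and unconstrained (xs:string).
     -->
     <xs:element name="BusinessImpact">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:MLStringType">
             <xs:attribute name="severity" use="optional">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="none"/>
                   <xs:enumeration value="low"/>
                   <xs:enumeration value="medium"/>
                   <xs:enumeration value="high"/>
                   <xs:enumeration value="unknown"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-severity" type="xs:string" use="optional"/>
             <xs:attribute name="type" use="optional">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="breach-proprietary"/>
                   <xs:enumeration value="breach-privacy"/>
                   <xs:enumeration value="loss-of-integrity"/>
                   <xs:enumeration value="loss-of-service"/>
                   <xs:enumeration value="loss-financial"/>
                   <xs:enumeration value="degraded-reputation"/>
                   <xs:enumeration value="asset-damage"/>
                   <xs:enumeration value="asset-manipulation"/>
                   <xs:enumeration value="legal"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-type" type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>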

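     <!--
       TimeImpact: a value of iodef:PositiveFloatType (defined outside this
       excerpt) with a required metric attribute and optional severity and
       duration attributes.
       When metric is "ext-value" the actual value is carried in ext-metric;
       ext-metric and ext-duration are optional and unconstrained (xs:string).
     -->
     <xs:element name="TimeImpact">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:PositiveFloatType">
             <xs:attribute name="severity" type="iodef:severity-type"/>
             <xs:attribute name="metric" use="required">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="labor"/>
                   <xs:enumeration value="elapsed"/>
                   <xs:enumeration value="downtime"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-metric" type="xs:string" use="optional"/>
             <xs:attribute name="duration" type="iodef:duration-type"/>
             <xs:attribute name="ext-duration" type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>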
     <!--
       MonetaryImpact: a value of iodef:PositiveFloatType with optional
       severity and currency attributes. currency is a plain xs:string with no
       pattern or enumeration, so the schema does not check that it is a
       recognised currency code.
     -->
     <xs:element name="MonetaryImpact">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:PositiveFloatType">
             <xs:attribute name="severity" type="iodef:severity-type"/>
             <xs:attribute name="currency" type="xs:string"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>
     <!--
       Confidence: a required rating attribute and free text content.
       The type is mixed="true" with no child elements declared, so the schema
       accepts any character data here and does not type it.
       NOTE(review): presumably the text holds the numeric confidence when
       rating is "numeric"; since the schema neither types nor range-checks it,
       a consumer has to parse and bound the value itself.
     -->
     <xs:element name="Confidence">
       <xs:complexType mixed="true">
         <xs:attribute name="rating" use="required">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="low"/>
               <xs:enumeration value="medium"/>
               <xs:enumeration value="high"/>
               <xs:enumeration value="numeric"/>
               <xs:enumeration value="unknown"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
       </xs:complexType>
     </xs:element>
   <!--
    ==================================================================
    == EventData class                                              ==
    ==================================================================
   -->
     <!-- EventData: an ordered sequence of optional descriptive,
          timing, contact, discovery, assessment, method, flow,
          expectation and record children.  The restriction
          attribute falls back to "default" when omitted.
          NOTE(review): EventData may contain further EventData
          elements without limit, so the schema puts no bound on
          nesting depth; a consumer that recurses over untrusted
          documents should enforce its own depth limit. -->
     <xs:element name="EventData">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:Description"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:DetectTime" minOccurs="0"/>
           <xs:element ref="iodef:StartTime" minOccurs="0"/>
           <xs:element ref="iodef:EndTime" minOccurs="0"/>
           <xs:element ref="iodef:Contact"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Discovery"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Assessment" minOccurs="0"/>
           <xs:element ref="iodef:Method"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Flow"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Expectation"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Record" minOccurs="0"/>
           <!-- recursive: an event can hold sub-events -->
           <xs:element ref="iodef:EventData"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData"
               minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction"
             type="iodef:restriction-type" default="default"/>
         <xs:attribute name="indicator-uid"
             type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id"
             type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>
   <!--
    ==================================================================
    ==  Flow class                                                  ==
    ==================================================================
   -->
     <!-- Flow: one or more System children.  System was made
          unbounded for use only when the source or target watchlist
          is in use; otherwise only one System entry is expected.
          NOTE(review): that expectation is not enforced by the
          schema, so a consumer cannot assume a single System. -->
     <xs:element name="Flow">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:System" maxOccurs="unbounded"/>
         </xs:sequence>
       </xs:complexType>
     </xs:element>
   <!--
    ==================================================================
    ==  System class                                                ==
    ==================================================================
   -->


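     <!-- System: one or more Node children, then optional Service,
          OperatingSystem, Counter, AssetID, Description and
          AdditionalData children.  category, spoofed, virtual and
          ownership classify the system; spoofed and virtual fall
          back to "unknown" when omitted.
          The yes-no-unknown-type references carry the iodef:
          prefix, matching every other type reference in this
          element instead of relying on the default namespace.
          NOTE(review): AssetID, interface and the ext-* attributes
          are free xs:string values that the schema does not
          constrain. -->
     <xs:element name="System">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Service"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:OperatingSystem"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Counter"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element name="AssetID" type="xs:string"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Description"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData"
               minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
         <xs:attribute name="category">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="source"/>
               <xs:enumeration value="target"/>
               <!-- CHANGE: two new values added to cover
                    watchlist groups -->
               <xs:enumeration value="watchlist-source"/>
               <xs:enumeration value="watchlist-target"/>
               <xs:enumeration value="intermediate"/>
               <xs:enumeration value="sensor"/>
               <xs:enumeration value="infrastructure"/>
               <xs:enumeration value="ext-value"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="ext-category"
             type="xs:string" use="optional"/>
         <xs:attribute name="interface" type="xs:string"/>
         <xs:attribute name="spoofed"
             type="iodef:yes-no-unknown-type" default="unknown"/>
         <xs:attribute name="virtual"
             type="iodef:yes-no-unknown-type"
             use="optional" default="unknown"/>
         <xs:attribute name="ownership">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="organization"/>
               <xs:enumeration value="personal"/>
               <xs:enumeration value="partner"/>
               <xs:enumeration value="customer"/>
               <xs:enumeration value="no-relationship"/>
               <xs:enumeration value="unknown"/>
               <xs:enumeration value="ext-value"/>
             </xs:restriction>
           </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="ext-ownership"
             type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>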
   <!--
    ==================================================================
    == Node class                                                   ==
    ==================================================================
   -->
     <!-- Node: a repeating choice of DomainData or Address, then
          optional PostalAddress, Location, NodeRole and Counter
          children.
          NOTE(review): both alternatives of the repeating choice
          are themselves optional (minOccurs="0"), so a Node with
          neither a DomainData nor an Address is schema-valid.  If
          at least one identifier is intended (TODO confirm), the
          consumer has to check for it. -->
     <xs:element name="Node">
       <xs:complexType>
         <xs:sequence>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:DomainData"
                 minOccurs="0" maxOccurs="unbounded"/>
             <xs:element ref="iodef:Address"
                 minOccurs="0" maxOccurs="unbounded"/>
           </xs:choice>
           <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
           <xs:element ref="iodef:Location" minOccurs="0"/>
           <xs:element ref="iodef:NodeRole"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Counter"
               minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
       </xs:complexType>
     </xs:element>
     <!-- Address: string content whose kind is named by category
          (ipv4-addr when the attribute is omitted).
          NOTE(review): the content is plain xs:string, so the
          schema does not check that it is a well-formed value of
          the declared category; consumers should validate it per
          category before using it in filters, lookups or queries.
          vlan-num is an unbounded xs:integer and needs the same
          care. -->
     <xs:element name="Address">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="xs:string">
             <xs:attribute name="category" default="ipv4-addr">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="asn"/>
                   <xs:enumeration value="atm"/>
                   <xs:enumeration value="e-mail"/>
                   <xs:enumeration value="mac"/>
                   <xs:enumeration value="ipv4-addr"/>
                   <xs:enumeration value="ipv4-net"/>
                   <xs:enumeration value="ipv4-net-mask"/>
                   <xs:enumeration value="ipv6-addr"/>
                   <xs:enumeration value="ipv6-net"/>
                   <xs:enumeration value="ipv6-net-mask"/>
                   <xs:enumeration value="site-uri"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-category"
                 type="xs:string" use="optional"/>
             <xs:attribute name="vlan-name" type="xs:string"/>
             <xs:attribute name="vlan-num" type="xs:integer"/>
             <xs:attribute name="indicator-uid"
                 type="xs:string" use="optional"/>
             <xs:attribute name="indicator-set-id"
                 type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>
     <!-- Location: content typed as iodef:MLStringType, which is
          declared elsewhere in the schema. -->
     <xs:element name="Location"
                 type="iodef:MLStringType"/>
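     <!-- NodeRole: iodef:MLStringType content with a required
          category, an optional ext-category and an optional
          attacktype.
          The attacktype type reference carries the iodef: prefix,
          matching the other type references in this schema instead
          of relying on the default namespace. -->
     <xs:element name="NodeRole">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:MLStringType">
             <xs:attribute name="category" use="required">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="client"/>
                   <xs:enumeration value="client-enterprise"/>
                   <xs:enumeration value="client-partner"/>
                   <xs:enumeration value="client-remote"/>
                   <xs:enumeration value="client-kiosk"/>
                   <xs:enumeration value="client-mobile"/>
                   <xs:enumeration value="server-internal"/>
                   <xs:enumeration value="server-public"/>
                   <xs:enumeration value="www"/>
                   <xs:enumeration value="mail"/>
                   <xs:enumeration value="messaging"/>
                   <xs:enumeration value="streaming"/>
                   <xs:enumeration value="voice"/>
                   <xs:enumeration value="file"/>
                   <xs:enumeration value="ftp"/>
                   <xs:enumeration value="p2p"/>
                   <xs:enumeration value="name"/>
                   <xs:enumeration value="directory"/>
                   <xs:enumeration value="credential"/>
                   <xs:enumeration value="print"/>
                   <xs:enumeration value="application"/>
                   <xs:enumeration value="database"/>
                   <xs:enumeration value="backup"/>
                   <xs:enumeration value="dhcp"/>
                   <xs:enumeration value="infra"/>
                   <xs:enumeration value="infra-firewall"/>
                   <xs:enumeration value="infra-router"/>
                   <xs:enumeration value="infra-switch"/>
                   <xs:enumeration value="camera"/>
                   <xs:enumeration value="proxy"/>
                   <xs:enumeration value="remote-access"/>
                   <xs:enumeration value="log"/>
                   <xs:enumeration value="virtualization"/>
                   <xs:enumeration value="pos"/>
                   <xs:enumeration value="scada"/>
                   <xs:enumeration value="scada-supervisory"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-category"
                 type="xs:string" use="optional"/>
             <xs:attribute name="attacktype"
                 type="iodef:att-type" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>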
   <!--
    ==================================================================
    ==  Service Class                                               ==
    ==================================================================
   -->
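     <!-- Service: an optional Port or Portlist, optional ProtoType,
          ProtoCode and ProtoField numbers, any number of
          ApplicationHeader entries, and optional EmailData and
          Application children.  ip-protocol is required.
          The EmailData reference carries the iodef: prefix,
          matching the other element references instead of relying
          on the default namespace.
          NOTE(review): Port, the Proto* elements and ip-protocol
          are xs:integer, which is signed and unbounded, so values
          outside any real port or protocol number range pass
          validation; consumers should range-check them. -->
     <xs:element name="Service">
       <xs:complexType>
         <xs:sequence>
           <xs:choice minOccurs="0">
             <xs:element name="Port" type="xs:integer"/>
             <xs:element name="Portlist" type="iodef:PortlistType"/>
           </xs:choice>
           <xs:element name="ProtoType" type="xs:integer" minOccurs="0"/>
           <xs:element name="ProtoCode" type="xs:integer" minOccurs="0"/>
           <xs:element name="ProtoField" type="xs:integer" minOccurs="0"/>
           <xs:element name="ApplicationHeader"
               type="iodef:ApplicationHeaderType"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:EmailData" minOccurs="0"/>
           <xs:element ref="iodef:Application" minOccurs="0"/>
         </xs:sequence>
         <xs:attribute name="ip-protocol"
             type="xs:integer" use="required"/>
         <xs:attribute name="indicator-uid"
             type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id"
             type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>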
     <!-- PortlistType: a comma-separated list whose items are either
          a run of digits or two runs of digits joined by a hyphen.
          NOTE(review): the pattern bounds neither the number of
          digits nor the order of the two ends of a range, and in
          XML Schema regular expressions \d matches any Unicode
          decimal digit, not only 0-9.  Consumers should parse each
          item themselves and reject values outside the port range. -->
     <xs:simpleType name="PortlistType">
       <xs:restriction base="xs:string">
         <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
       </xs:restriction>
     </xs:simpleType>
   <!--
    ==================================================================
    ==  Counter class                                               ==
    ==================================================================
   -->
     <!-- Counter: an xs:double value with a required type naming
          what is counted, plus optional meaning and duration
          attributes and their ext-* companions.
          NOTE(review): the xs:double lexical space also admits
          negative numbers, INF and NaN; a consumer that sums or
          thresholds counters should reject those explicitly. -->
     <xs:element name="Counter">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="xs:double">
             <xs:attribute name="type" use="required">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="byte"/>
                   <xs:enumeration value="packet"/>
                   <xs:enumeration value="flow"/>
                   <xs:enumeration value="session"/>
                   <xs:enumeration value="event"/>
                   <xs:enumeration value="alert"/>
                   <xs:enumeration value="message"/>
                   <xs:enumeration value="host"/>
                   <xs:enumeration value="site"/>
                   <xs:enumeration value="organization"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-type"
                 type="xs:string" use="optional"/>
             <xs:attribute name="meaning"
                 type="xs:string" use="optional"/>
             <xs:attribute name="duration" type="iodef:duration-type"/>
             <xs:attribute name="ext-duration"
                 type="xs:string" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>

   <!--
    ==================================================================
    ==  EmailData class                                             ==
    ==================================================================
   -->
    <!-- EmailData: optional EmailFrom, EmailSubject, EmailX-Mailer
         and EmailHeaderField children, each at most once, in that
         order.
         NOTE(review): these fields presumably reproduce header
         text taken from the reported message (TODO confirm); treat
         them as untrusted text when rendering or logging. -->
    <xs:element name="EmailData">
      <xs:complexType>
        <xs:sequence>
          <xs:element name="EmailFrom"
              type="iodef:MLStringType" minOccurs="0"/>
          <xs:element name="EmailSubject"
              type="iodef:MLStringType" minOccurs="0"/>
          <xs:element name="EmailX-Mailer"
              type="iodef:MLStringType" minOccurs="0"/>
          <xs:element name="EmailHeaderField"
              type="iodef:ApplicationHeaderType" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="indicator-uid"
            type="xs:string" use="optional"/>
        <xs:attribute name="indicator-set-id"
            type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>

   <!--
    ==================================================================
    ==   DomainData class - from RFC5901                            ==
    ==================================================================
   -->
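   <!-- DomainData: a required Name followed by optional check,
        registration and expiration timestamps, RelatedDNS entries,
        Nameservers and DomainContacts.
        Both status enumerations list ext-value so that the
        ext-system-status and ext-domain-status attributes have a
        value that announces them, as the other ext-* attribute
        pairs in this schema do.
        NOTE(review): system-status and domain-status describe the
        sender's assessment; the schema cannot check them against
        registry data. -->
   <xs:element name="DomainData">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="Name" type="iodef:MLStringType"/>
         <xs:element name="DateDomainWasChecked"
             type="xs:dateTime" minOccurs="0"/>
         <xs:element name="RegistrationDate"
             type="xs:dateTime" minOccurs="0"/>
         <xs:element name="ExpirationDate"
             type="xs:dateTime" minOccurs="0"/>
         <xs:element name="RelatedDNS"
             type="iodef:RelatedDNSEntryType"
             minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:Nameservers"
             minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:DomainContacts" minOccurs="0"/>
       </xs:sequence>
       <xs:attribute name="system-status">
         <xs:simpleType>
           <xs:restriction base="xs:string">
             <xs:enumeration value="spoofed"/>
             <xs:enumeration value="fraudulent"/>
             <xs:enumeration value="innocent-hacked"/>
             <xs:enumeration value="innocent-hijacked"/>
             <xs:enumeration value="unknown"/>
             <xs:enumeration value="ext-value"/>
           </xs:restriction>
         </xs:simpleType>
       </xs:attribute>
       <xs:attribute name="ext-system-status"
           type="xs:string" use="optional"/>
       <xs:attribute name="domain-status">
         <xs:simpleType>
           <xs:restriction base="xs:string">
             <xs:enumeration value="reservedDelegation"/>
             <xs:enumeration value="assignedAndActive"/>
             <xs:enumeration value="assignedAndInactive"/>
             <xs:enumeration value="assignedAndOnHold"/>
             <xs:enumeration value="revoked"/>
             <xs:enumeration value="transferPending"/>
             <xs:enumeration value="registryLock"/>
             <xs:enumeration value="registrarLock"/>
             <xs:enumeration value="other"/>
             <xs:enumeration value="unknown"/>
             <xs:enumeration value="ext-value"/>
           </xs:restriction>
         </xs:simpleType>
       </xs:attribute>
       <xs:attribute name="ext-domain-status"
           type="xs:string" use="optional"/>
       <xs:attribute name="indicator-uid"
           type="xs:string" use="optional"/>
       <xs:attribute name="indicator-set-id"
           type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>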

     <!-- RelatedDNS: global element of type RelatedDNSEntryType.
          DomainData also declares a local RelatedDNS child with
          the same type. -->
     <xs:element name="RelatedDNS" type="iodef:RelatedDNSEntryType"/>
     <!-- RelatedDNSEntryType: string content with an optional
          record-type naming the DNS record kind and an optional
          ext-record-type.
          NOTE(review): the content is plain xs:string; the schema
          does not check it against the syntax of the named record
          type, so consumers should parse it defensively. -->
     <xs:complexType name="RelatedDNSEntryType">
       <xs:simpleContent>
         <xs:extension base="xs:string">
           <xs:attribute name="record-type" use="optional">
             <xs:simpleType>
               <xs:restriction base="xs:NMTOKEN">
                 <xs:enumeration value="A"/>
                 <xs:enumeration value="AAAA"/>
                 <xs:enumeration value="AFSDB"/>
                 <xs:enumeration value="APL"/>
                 <xs:enumeration value="AXFR"/>
                 <xs:enumeration value="CAA"/>
                 <xs:enumeration value="CERT"/>
                 <xs:enumeration value="CNAME"/>
                 <xs:enumeration value="DHCID"/>
                 <xs:enumeration value="DLV"/>
                 <xs:enumeration value="DNAME"/>
                 <xs:enumeration value="DNSKEY"/>
                 <xs:enumeration value="DS"/>
                 <xs:enumeration value="HIP"/>
                 <xs:enumeration value="IXFR"/>
                 <xs:enumeration value="IPSECKEY"/>
                 <xs:enumeration value="LOC"/>
                 <xs:enumeration value="MX"/>
                 <xs:enumeration value="NAPTR"/>
                 <xs:enumeration value="NS"/>
                 <xs:enumeration value="NSEC"/>
                 <xs:enumeration value="NSEC3"/>
                 <xs:enumeration value="NSEC3PARAM"/>
                 <xs:enumeration value="OPT"/>
                 <xs:enumeration value="PTR"/>
                 <xs:enumeration value="RRSIG"/>
                 <xs:enumeration value="RP"/>
                 <xs:enumeration value="SIG"/>
                 <xs:enumeration value="SOA"/>
                 <xs:enumeration value="SPF"/>
                 <xs:enumeration value="SRV"/>
                 <xs:enumeration value="SSHFP"/>
                 <xs:enumeration value="TA"/>
                 <xs:enumeration value="TKEY"/>
                 <xs:enumeration value="TLSA"/>
                 <xs:enumeration value="TSIG"/>
                 <xs:enumeration value="TXT"/>
                 <xs:enumeration value="ext-value"/>
               </xs:restriction>
             </xs:simpleType>
           </xs:attribute>
           <xs:attribute name="ext-record-type"
               type="xs:string" use="optional"/>
         </xs:extension>
       </xs:simpleContent>
     </xs:complexType>

    <!-- Nameservers: exactly one Server name followed by one or
         more Address children. -->
    <xs:element name="Nameservers">
      <xs:complexType>
        <xs:sequence>
          <xs:element name="Server"
              type="iodef:MLStringType"/>
          <xs:element ref="iodef:Address"
              maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>

    <!-- DomainContacts: either a single SameDomainContact string
         or one or more Contact elements, never both. -->
    <xs:element name="DomainContacts">
      <xs:complexType>
        <xs:choice>
          <xs:element name="SameDomainContact" type="iodef:MLStringType"/>
          <xs:element ref="iodef:Contact"
              minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
      </xs:complexType>
    </xs:element>

   <!--
    ==================================================================
    ==  Record class                                                ==
    ==================================================================
   -->
     <!-- Record: one or more RecordData children and an optional
          restriction attribute. -->
     <xs:element name="Record">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
       </xs:complexType>
     </xs:element>
     <!-- RecordData: optional DateTime, Description, Application
          and RecordPattern children, at least one RecordItem, then
          optional HashInformation, WindowsRegistryKeysModified and
          AdditionalData children.
          NOTE(review): RecordItem is the only required child, so a
          document cannot carry hashes or registry keys here without
          also carrying a RecordItem. -->
     <xs:element name="RecordData">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:DateTime" minOccurs="0"/>
           <xs:element ref="iodef:Description"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Application" minOccurs="0"/>
           <xs:element ref="iodef:RecordPattern"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/>
           <xs:element ref="iodef:HashInformation"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:WindowsRegistryKeysModified"
               minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData"
               minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction" type="iodef:restriction-type"/>
         <xs:attribute name="indicator-uid"
             type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id"
             type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>

     <!-- RecordPattern: string content holding a search pattern.
          type (required) says how to read it: regex, binary, xpath
          or an extension.  offset, offsetunit (line when omitted)
          and instance are optional.
          NOTE(review): the schema does not check that the text is
          a valid pattern of the declared type, and offset and
          instance are signed, unbounded xs:integer values.  The
          pattern comes from another party's document, so a
          consumer that compiles and runs it should bound its
          evaluation time and input size and, for xpath, evaluate
          it without access to external resources. -->
     <xs:element name="RecordPattern">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="xs:string">
             <xs:attribute name="type" use="required">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="regex"/>
                   <xs:enumeration value="binary"/>
                   <xs:enumeration value="xpath"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-type"
                 type="xs:string" use="optional"/>
             <xs:attribute name="offset"
                 type="xs:integer" use="optional"/>
             <xs:attribute name="offsetunit" use="optional" default="line">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="line"/>
                   <xs:enumeration value="byte"/>
                   <xs:enumeration value="ext-value"/>
                 </xs:restriction>
               </xs:simpleType>
             </xs:attribute>
             <xs:attribute name="ext-offsetunit"
                 type="xs:string" use="optional"/>
             <xs:attribute name="instance"
                 type="xs:integer" use="optional"/>
           </xs:extension>
         </xs:simpleContent>
       </xs:complexType>
     </xs:element>
     <!-- RecordItem: its content model is whatever
          iodef:ExtensionType allows; that type is declared
          elsewhere in the schema. -->
     <xs:element name="RecordItem" type="iodef:ExtensionType"/>
   <!--
    ==================================================================
    ==  Class to describe Windows Registry Keys                     ==
    ==================================================================
   -->
     <!-- WindowsRegistryKeysModified: one or more Key entries, each
          with a KeyName, an optional Value and an optional
          registryaction.
          NOTE(review): KeyName and Value are free xs:string values;
          the schema checks neither hive nor path syntax. -->
     <xs:element name="WindowsRegistryKeysModified">
       <xs:complexType>
         <xs:sequence>
           <xs:element name="Key" maxOccurs="unbounded">
             <xs:complexType>
               <xs:sequence>
                 <xs:element name="KeyName" type="xs:string"/>
                 <!-- Value is optional to allow for cases such as
                      a registry key that was deleted -->
                 <xs:element name="Value" type="xs:string" minOccurs="0"/>
               </xs:sequence>
               <xs:attribute name="registryaction">
                 <xs:simpleType>
                   <xs:restriction base="xs:NMTOKEN">
                     <xs:enumeration value="add-key"/>
                     <xs:enumeration value="add-value"/>
                     <xs:enumeration value="delete-key"/>
                     <xs:enumeration value="delete-value"/>
                     <xs:enumeration value="modify-key"/>
                     <xs:enumeration value="modify-value"/>
                     <xs:enumeration value="ext-value"/>
                   </xs:restriction>
                 </xs:simpleType>
               </xs:attribute>
               <xs:attribute name="ext-registryaction"
                   type="xs:string" use="optional"/>
             </xs:complexType>
           </xs:element>
         </xs:sequence>
         <xs:attribute name="indicator-uid"
             type="xs:string" use="optional"/>
         <xs:attribute name="indicator-set-id"
             type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>

  <!--
    ==================================================================
    ==  Classes that describe hash types, file information          ==
    ==  with certificate properties and digital signature info      ==
    ==  provided through the W3C digital signature schema           ==
    ==  so it does not need to be maintained here.                  ==
    ==================================================================
   -->
   <!-- HashInformation: optional FileName and FileSize entries,
        then optional ds:Signature, ds:KeyInfo and ds:Reference
        structures and AdditionalData.  type, valid, restriction
        and the indicator attributes are all optional.
        NOTE(review): valid is a boolean supplied by the sender; a
        receiver should not treat it as proof that a signature or
        digest verifies and should re-check where the result
        matters.
        NOTE(review): the ds: structures can carry URIs; treat them
        as data and do not fetch them while parsing.  FileSize is a
        signed, unbounded xs:integer. -->
   <xs:element name="HashInformation">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="FileName" type="iodef:MLStringType"
             minOccurs="0" maxOccurs="unbounded"/>
         <xs:element name="FileSize" type="xs:integer"
             minOccurs="0" maxOccurs="unbounded"/>
         <!-- CHANGE: file hash information is represented through
              the digsig schema and its Reference class.  Any of
              the other classes may be needed, in particular
              KeyInfo (see RFC3275 sect 4.4.4/4.4.5), which has
              been added.  The KeyName, KeyValue and
              SignatureProperties classes may be useful, so
              Signature was added, but KeyInfo and Reference can be
              used directly to avoid some bloat. -->
         <xs:element ref="ds:Signature"
             minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="ds:KeyInfo"
             minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="ds:Reference"
             minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:AdditionalData"
             minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="type" use="optional">
         <xs:simpleType>
           <xs:restriction base="xs:NMTOKEN">
             <xs:enumeration value="PKI-email-ds"/>
             <xs:enumeration value="PKI-file-ds"/>
             <xs:enumeration value="PKI-email-ds-watchlist"/>
             <xs:enumeration value="PKI-file-ds-watchlist"/>
             <xs:enumeration value="PGP-email-ds"/>
             <xs:enumeration value="PGP-file-ds"/>
             <xs:enumeration value="PGP-email-ds-watchlist"/>
             <xs:enumeration value="PGP-file-ds-watchlist"/>
             <xs:enumeration value="file-hash"/>
             <xs:enumeration value="email-hash"/>
             <xs:enumeration value="file-hash-watchlist"/>
             <xs:enumeration value="email-hash-watchlist"/>
             <!-- QUESTION: are values needed to differentiate the
                  key information shared when the ds:KeyInfo class
                  is referenced? -->
             <xs:enumeration value="ext-value"/>
           </xs:restriction>
         </xs:simpleType>
       </xs:attribute>
       <xs:attribute name="ext-type" type="xs:string" use="optional"/>
       <xs:attribute name="valid" type="xs:boolean" use="optional"/>
       <xs:attribute name="indicator-uid"
           type="xs:string" use="optional"/>
       <xs:attribute name="indicator-set-id"
           type="xs:string" use="optional"/>
       <xs:attribute name="restriction" type="iodef:restriction-type"/>
     </xs:complexType>
   </xs:element>

   <!--
    ==================================================================
    ==  Classes that describe software                              ==
    ==================================================================
   -->
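     <!-- SoftwareType: content model shared by the Application and
          OperatingSystem elements.  It holds an optional URL child and
          a set of descriptive attributes.  Every attribute is an
          unconstrained xs:string, so vendor, family, name, user-agent,
          version and patch are free text chosen by the document
          sender; escape or sanitise them before placing them in
          queries, logs or displays.
          The page header and footer that interrupted this definition
          in the paginated text have been removed: they are not part of
          the schema, and their bare ampersand prevents the listing
          from parsing as XML. -->
     <xs:complexType name="SoftwareType">
       <xs:sequence>
         <xs:element ref="iodef:URL"
                     minOccurs="0"/>
       </xs:sequence>
       <!-- swid and configid take the value "0" when omitted. -->
       <xs:attribute name="swid"
                     type="xs:string" default="0"/>
       <xs:attribute name="configid"
                     type="xs:string" default="0"/>
       <xs:attribute name="vendor"
                     type="xs:string"/>
       <xs:attribute name="family"
                     type="xs:string"/>
       <xs:attribute name="name"
                     type="xs:string"/>
       <!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
            SoftwareTypes? This is typically intended to mean
            servers, but the category seems more appropriate
            than others.
       -->
       <xs:attribute name="user-agent"
                     type="xs:string"/>
       <xs:attribute name="version"
                     type="xs:string"/>
       <xs:attribute name="patch"
                     type="xs:string"/>
     </xs:complexType>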
     <!-- Application and OperatingSystem both use the SoftwareType
          content model. -->
     <xs:element name="Application" type="iodef:SoftwareType"/>
     <xs:element name="OperatingSystem" type="iodef:SoftwareType"/>

   <!--
    ==================================================================
    == Miscellaneous simple classes                                 ==
    ==================================================================
   -->
     <!-- Description: text with an optional language attribute
          (MLStringType). -->
     <xs:element name="Description" type="iodef:MLStringType"/>
     <!-- URL: xs:anyURI applies very little lexical checking, so a
          schema-valid value is not evidence that the URL is well
          formed or safe to dereference. -->
     <xs:element name="URL" type="xs:anyURI"/>
   <!--
    ==================================================================
    == Data Types                                                   ==
    ==================================================================
   -->
     <!-- PositiveFloatType: an xs:float strictly greater than zero.
          The facet sets no upper bound, and INF is a valid xs:float
          above zero, so a consumer that needs a finite number must
          check for that itself. -->
     <xs:simpleType name="PositiveFloatType">
       <xs:restriction base="xs:float">
         <xs:minExclusive value="0"/>
       </xs:restriction>
     </xs:simpleType>

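     <!-- MLStringType: an xs:string extended with an optional lang
          attribute of type xs:language.  The Description element uses
          this type.  The string itself is unconstrained free text.
          The page header and footer that interrupted this definition
          in the paginated text have been removed: they are not part of
          the schema, and their bare ampersand prevents the listing
          from parsing as XML. -->
     <xs:complexType name="MLStringType">
       <xs:simpleContent>
         <xs:extension base="xs:string">
           <xs:attribute name="lang"
                         type="xs:language" use="optional"/>
         </xs:extension>
       </xs:simpleContent>
     </xs:complexType>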

     <!-- ExtensionType: open extension point.  The content is mixed
          (character data allowed) and the wildcard admits any number
          of elements from any namespace.  With processContents="lax"
          a wildcard child is validated only when the processor has a
          declaration for it, so schema validity says nothing about
          undeclared content.  Consumers should treat the payload as
          opaque, untrusted data and bound its size and nesting depth.
          dtype is required; ext-dtype, meaning, formatid and
          restriction are optional. -->
     <xs:complexType name="ExtensionType" mixed="true">
       <xs:sequence>
         <xs:any minOccurs="0" maxOccurs="unbounded"
                 namespace="##any" processContents="lax"/>
       </xs:sequence>
       <xs:attribute name="dtype" use="required"
                     type="iodef:dtype-type"/>
       <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
       <xs:attribute name="meaning" type="xs:string"/>
       <xs:attribute name="formatid" type="xs:string"/>
       <xs:attribute name="restriction" type="iodef:restriction-type"/>
     </xs:complexType>

     <!-- ApplicationHeaderType: mixed content with a lax wildcard
          that admits any number of elements from any namespace; a
          wildcard child is validated only when the processor has a
          declaration for it.  proto, field and dtype are required.
          proto is a plain xs:integer with no range facet, so negative
          or arbitrarily large values pass validation and must be
          range-checked by the consumer.  field is free text. -->
     <xs:complexType name="ApplicationHeaderType" mixed="true">
       <xs:sequence>
         <xs:any minOccurs="0" maxOccurs="unbounded"
                 namespace="##any" processContents="lax"/>
       </xs:sequence>
       <xs:attribute name="proto" type="xs:integer" use="required"/>
       <xs:attribute name="field" type="xs:string" use="required"/>
       <xs:attribute name="dtype" use="required"
                     type="iodef:proto-dtype-type"/>
       <xs:attribute name="indicator-uid" type="xs:string"
                     use="optional"/>
       <xs:attribute name="indicator-set-id" type="xs:string"
                     use="optional"/>
     </xs:complexType>

   <!--
    ==================================================================
    == Global attribute type declarations                           ==
    ==================================================================
   -->
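     <!-- yes-no-type: two-valued NMTOKEN enumeration (yes, no).
          The page header and footer that interrupted this definition
          in the paginated text have been removed: they are not part of
          the schema, and their bare ampersand prevents the listing
          from parsing as XML. -->
     <xs:simpleType name="yes-no-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="yes"/>
         <xs:enumeration value="no"/>
       </xs:restriction>
     </xs:simpleType>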

     <!-- yes-no-unknown-type: NMTOKEN enumeration with three values,
          yes, no and unknown.  A consumer should handle unknown
          explicitly and not fold it into either of the other two. -->
     <xs:simpleType name="yes-no-unknown-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="yes"/>
         <xs:enumeration value="no"/>
         <xs:enumeration value="unknown"/>
       </xs:restriction>
     </xs:simpleType>

     <!-- restriction-type: disclosure labels carried by the
          restriction attribute.  Per Section 9 the label is handling
          guidance from the sender only; the recipient is free to
          ignore it and nothing in the schema enforces it, so the
          policy has to be applied by the systems that process and
          store the document.
          NOTE(review): white/green/amber/red look like Traffic Light
          Protocol colours, and nothing here relates them to
          public/partner/need-to-know/private; confirm the intended
          mapping in the data-model text. -->
     <xs:simpleType name="restriction-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="default"/>
         <xs:enumeration value="public"/>
         <xs:enumeration value="partner"/>
         <xs:enumeration value="need-to-know"/>
         <xs:enumeration value="private"/>
         <xs:enumeration value="white"/>
         <xs:enumeration value="green"/>
         <xs:enumeration value="amber"/>
         <xs:enumeration value="red"/>
       </xs:restriction>
     </xs:simpleType>

     <!-- severity-type: three-level NMTOKEN enumeration (low, medium,
          high).  The level is the sender's own assessment; the schema
          defines no criteria for it. -->
     <xs:simpleType name="severity-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="low"/>
         <xs:enumeration value="medium"/>
         <xs:enumeration value="high"/>
       </xs:restriction>
     </xs:simpleType>
     <!-- duration-type: NMTOKEN enumeration of time units, from second
          to year, plus ext-value.
          NOTE(review): ext-value presumably means the unit is given in
          a companion extension attribute declared on the element that
          uses this type; confirm there. -->
     <xs:simpleType name="duration-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="second"/>
         <xs:enumeration value="minute"/>
         <xs:enumeration value="hour"/>
         <xs:enumeration value="day"/>
         <xs:enumeration value="month"/>
         <xs:enumeration value="quarter"/>
         <xs:enumeration value="year"/>
         <xs:enumeration value="ext-value"/>
       </xs:restriction>
     </xs:simpleType>

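     <!-- action-type: NMTOKEN enumeration of actions.  Several values
          (block-host, block-network, block-port, the rate-limit
          values, rebuild-asset) name changes to infrastructure.
          Section 9 notes that a document may carry a request for
          action and asks that the exchange be authenticated and an
          appropriate confidence ascribed to the data before any
          action is taken, so a consumer should not automate these
          values on schema validity alone.
          The page header and footer that interrupted this definition
          in the paginated text have been removed: they are not part of
          the schema, and their bare ampersand prevents the listing
          from parsing as XML. -->
     <xs:simpleType name="action-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="nothing"/>
         <xs:enumeration value="contact-source-site"/>
         <xs:enumeration value="contact-target-site"/>
         <xs:enumeration value="contact-sender"/>
         <xs:enumeration value="investigate"/>
         <xs:enumeration value="block-host"/>
         <xs:enumeration value="block-network"/>
         <xs:enumeration value="block-port"/>
         <xs:enumeration value="rate-limit-host"/>
         <xs:enumeration value="rate-limit-network"/>
         <xs:enumeration value="rate-limit-port"/>
         <xs:enumeration value="upgrade-software"/>
         <xs:enumeration value="rebuild-asset"/>
         <xs:enumeration value="remediate-other"/>
         <xs:enumeration value="status-triage"/>
         <xs:enumeration value="status-new-info"/>
         <xs:enumeration value="watch-and-report"/>
         <xs:enumeration value="defined-coa"/>
         <xs:enumeration value="other"/>
         <xs:enumeration value="ext-value"/>
       </xs:restriction>
     </xs:simpleType>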

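     <!-- dtype-type: NMTOKEN enumeration used by the dtype attribute
          of ExtensionType to label the carried data.  Values such as
          file, xml, winreg, csv and the packet types suggest embedded
          content; Section 9 asks parsers to handle embedded
          executable content with care so that it is never executed
          automatically.
          NOTE(review): ext-value presumably defers to the companion
          ext-dtype attribute.  ext-dtype is declared optional and the
          schema has no rule tying the two together, so a consumer
          must check for it itself.
          The page header and footer that interrupted this definition
          in the paginated text have been removed: they are not part of
          the schema, and their bare ampersand prevents the listing
          from parsing as XML. -->
     <xs:simpleType name="dtype-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="boolean"/>
         <xs:enumeration value="byte"/>
         <xs:enumeration value="bytes"/>
         <xs:enumeration value="character"/>
         <xs:enumeration value="date-time"/>
         <xs:enumeration value="integer"/>
         <xs:enumeration value="ntpstamp"/>
         <xs:enumeration value="portlist"/>
         <xs:enumeration value="real"/>
         <xs:enumeration value="string"/>
         <xs:enumeration value="file"/>
         <xs:enumeration value="path"/>
         <xs:enumeration value="frame"/>
         <xs:enumeration value="packet"/>
         <xs:enumeration value="ipv4-packet"/>
         <xs:enumeration value="ipv6-packet"/>
         <xs:enumeration value="url"/>
         <xs:enumeration value="csv"/>
         <xs:enumeration value="winreg"/>
         <xs:enumeration value="xml"/>
         <xs:enumeration value="ext-value"/>
       </xs:restriction>
     </xs:simpleType>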

     <!-- proto-dtype-type: NMTOKEN enumeration used by the dtype
          attribute of ApplicationHeaderType.  It lists fewer values
          than dtype-type.  The label is declared by the sender and the
          schema does not check the carried content against it, so a
          consumer should parse the content defensively and not trust
          the label. -->
     <xs:simpleType name="proto-dtype-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="boolean"/>
         <xs:enumeration value="byte"/>
         <xs:enumeration value="bytes"/>
         <xs:enumeration value="character"/>
         <xs:enumeration value="date-time"/>
         <xs:enumeration value="integer"/>
         <xs:enumeration value="real"/>
         <xs:enumeration value="string"/>
         <xs:enumeration value="xml"/>
         <xs:enumeration value="ext-value"/>
       </xs:restriction>
     </xs:simpleType>

       <!-- att-type: NMTOKEN enumeration of labels such as c2-server,
            sink-hole, malware-distribution and phishing, plus other,
            unknown and ext-value.  The label is an assertion by the
            document sender; the schema cannot verify it.
            NOTE(review): the attribute that uses this type is not
            among the neighbouring declarations; confirm where it is
            referenced. -->
       <xs:simpleType name="att-type">
         <xs:restriction base="xs:NMTOKEN">
           <xs:enumeration value="c2-server"/>
           <xs:enumeration value="sink-hole"/>
           <xs:enumeration value="malware-distribution"/>
           <xs:enumeration value="phishing"/>
           <xs:enumeration value="spear-phishing"/>
           <xs:enumeration value="recruiting"/>
           <xs:enumeration value="fraudulent-site"/>
           <xs:enumeration value="dns-spoof"/>
           <xs:enumeration value="other"/>
           <xs:enumeration value="unknown"/>
           <xs:enumeration value="ext-value"/>
         </xs:restriction>
       </xs:simpleType>
 </xs:schema>

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation , October
              2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1:
              Structures Second Edition", W3C Recommendation , October
              2004, <http://www.w3.org/TR/xmlschema-1/>.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation , October 2004,
              <http://www.w3.org/TR/xmlschema-2/>.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation , January 1999,
              <http://www.w3.org/TR/REC-xml-names/>.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation , June 2006,
              <http://www.w3.org/TR/xpath20/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC4646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 4646, September 2006.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014,
              <http://www.iana.org/assignments/
              service-names-port-numbers/
              service-names-port-numbers.txt>.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014, <http://www.iana.org/
              assignments/protocol-numbers/protocol-numbers.txt>.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein,
              "Intrusion Detection Message Exchange Format", RFC 4765,
              March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
              6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012,
              <http://csrc.nist.gov/publications/nistpubs/800-61rev2/
              SP800-61rev2.pdf>.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) File", RFC 4180, October 2005.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org

   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com
