The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-20
The information below is for an old version of the document.
| Field | Value |
|---|---|
| Document type | Internet-Draft (ultimately published as RFC 7970) |
| Author | Roman Danyliw |
| Last updated | 2016-05-09 |
| RFC stream | Internet Engineering Task Force (IETF) |
| WG state | Submitted to IESG for Publication |
| Document shepherd | Takeshi Takahashi |
| Shepherd write-up | Last changed 2016-04-21 |
| IESG state | Became RFC 7970 (Proposed Standard) |
| Consensus boilerplate | Yes |
| Responsible AD | Kathleen Moriarty |
| Send notices to | rdd@cert.org, mile-chairs@tools.ietf.org, mile@ietf.org |
gt; Incident Object Description Exchange Format v2.0, RFC5070bis </xs:documentation> </xs:annotation> <!-- =================================================================== == IODEF-Document class == =================================================================== --> <xs:element name="IODEF-Document"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Incident" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="version" type="xs:string" fixed="2.00"/> <xs:attribute ref="xml:lang"/> <xs:attribute name="format-id" type="xs:string" use="optional"/> <xs:attribute name="private-enum-name" type="xs:string" use="optional"/> <xs:attribute name="private-enum-id" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == Incident class == =================================================================== --> <xs:element name="Incident"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:IncidentID"/> <xs:element ref="iodef:AlternativeID" minOccurs="0"/> <xs:element ref="iodef:RelatedActivity" minOccurs="0" maxOccurs="unbounded"/> Danyliw Expires November 10, 2016 [Page 118] Internet-Draft IODEF v2 May 2016 <xs:element ref="iodef:DetectTime" minOccurs="0"/> <xs:element ref="iodef:StartTime" minOccurs="0"/> <xs:element ref="iodef:EndTime" minOccurs="0"/> <xs:element ref="iodef:RecoveryTime" minOccurs="0"/> <xs:element ref="iodef:ReportTime" minOccurs="0"/> <xs:element ref="iodef:GenerationTime"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Discovery" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Assessment" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Contact" maxOccurs="unbounded"/> <xs:element ref="iodef:EventData" minOccurs="0" 
maxOccurs="unbounded"/> <xs:element ref="iodef:IndicatorData" minOccurs="0"/> <xs:element ref="iodef:History" minOccurs="0"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="purpose" type="incident-purpose-type" use="required"/> <xs:attribute name="ext-purpose" type="xs:string" use="optional"/> <xs:attribute name="status" type="incident-status-type"/> <xs:attribute name="ext-status" type="xs:string" use="optional"/> <xs:attribute ref="xml:lang"/> <xs:attribute name="restriction" type="iodef:restriction-type" default="private" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:complexType> </xs:element> <xs:simpleType name="incident-purpose-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="traceback"/> <xs:enumeration value="mitigation"/> <xs:enumeration value="reporting"/> <xs:enumeration value="watch"/> <xs:enumeration value="other"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> Danyliw Expires November 10, 2016 [Page 119] Internet-Draft IODEF v2 May 2016 <xs:simpleType name="incident-status-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="new"/> <xs:enumeration value="in-progress"/> <xs:enumeration value="forwarded"/> <xs:enumeration value="resolved"/> <xs:enumeration value="future"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <!-- =================================================================== == IncidentID class == =================================================================== --> <xs:element name="IncidentID" type="iodef:IncidentIDType"/> <xs:complexType name="IncidentIDType"> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="name" type="xs:string" use="required"/> <xs:attribute name="instance" type="xs:string" use="optional"/> <xs:attribute name="restriction" 
type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> <!-- ================================================================== == AlternativeID class == ================================================================== --> <xs:element name="AlternativeID"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == RelatedActivity class == Danyliw Expires November 10, 2016 [Page 120] Internet-Draft IODEF v2 May 2016 =================================================================== --> <xs:element name="RelatedActivity"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:IncidentID" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:ThreatActor" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Campaign" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:IndicatorID" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="ThreatActor"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:ThreatActorID" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:URL" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" 
maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="ThreatActorID" type="xs:string"/> <xs:element name="Campaign"> <xs:complexType> <xs:sequence> Danyliw Expires November 10, 2016 [Page 121] Internet-Draft IODEF v2 May 2016 <xs:element ref="iodef:CampaignID" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="CampaignID" type="xs:string"/> <!-- =================================================================== == Contact class == =================================================================== --> <xs:element name="Contact"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:ContactName" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:ContactTitle" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:RegistryHandle" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:PostalAddress" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Email" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Telephone" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Timezone" minOccurs="0"/> <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute 
name="role" type="contact-role-type" use="required"/> <xs:attribute name="ext-role" type="xs:string" use="optional"/> Danyliw Expires November 10, 2016 [Page 122] Internet-Draft IODEF v2 May 2016 <xs:attribute name="type" type="contact-type-type" use="required"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:simpleType name="contact-role-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="creator"/> <xs:enumeration value="reporter"/> <xs:enumeration value="admin"/> <xs:enumeration value="tech"/> <xs:enumeration value="provider"/> <xs:enumeration value="zone"/> <xs:enumeration value="user"/> <xs:enumeration value="billing"/> <xs:enumeration value="legal"/> <xs:enumeration value="abuse"/> <xs:enumeration value="irt"/> <xs:enumeration value="cc"/> <xs:enumeration value="cc-irt"/> <xs:enumeration value="leo"/> <xs:enumeration value="vendor"/> <xs:enumeration value="vendor-services"/> <xs:enumeration value="victim"/> <xs:enumeration value="victim-notified"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="contact-type-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="person"/> <xs:enumeration value="organization"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="ContactName" type="iodef:MLStringType"/> <xs:element name="ContactTitle" type="iodef:MLStringType"/> <xs:element name="RegistryHandle"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="registry" type="registryhandle-registry-type"/> Danyliw Expires November 10, 2016 [Page 123] Internet-Draft IODEF v2 May 2016 <xs:attribute name="ext-registry" type="xs:string" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:simpleType 
name="registryhandle-registry-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="internic"/> <xs:enumeration value="apnic"/> <xs:enumeration value="arin"/> <xs:enumeration value="lacnic"/> <xs:enumeration value="ripe"/> <xs:enumeration value="afrinic"/> <xs:enumeration value="local"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="PostalAddress"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:PAddress"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="type" type="postaladdress-type-type" use="optional"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="PAddress" type="iodef:MLStringType"/> <xs:simpleType name="postaladdress-type-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="street"/> <xs:enumeration value="mailing"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="Telephone"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:TelephoneNumber"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="type" type="telephone-type-type" use="optional"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/> Danyliw Expires November 10, 2016 [Page 124] Internet-Draft IODEF v2 May 2016 </xs:complexType> </xs:element> <xs:element name="TelephoneNumber" type="xs:string"/> <xs:simpleType name="telephone-type-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="wired"/> <xs:enumeration value="mobile"/> <xs:enumeration value="fax"/> <xs:enumeration value="hotline"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="Email"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:EmailTo"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="type" 
type="email-type-type" use="optional"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:simpleType name="email-type-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="direct"/> <xs:enumeration value="hotline"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <!-- =================================================================== == Time-based classes == =================================================================== --> <xs:element name="DateTime" type="xs:dateTime"/> <xs:element name="ReportTime" type="xs:dateTime"/> <xs:element name="DetectTime" type="xs:dateTime"/> <xs:element name="StartTime" type="xs:dateTime"/> <xs:element name="EndTime" type="xs:dateTime"/> <xs:element name="RecoveryTime" type="xs:dateTime"/> <xs:element name="GenerationTime" type="xs:dateTime"/> <xs:element name="Timezone" type="iodef:TimezoneType"/> <!-- =================================================================== == History class == =================================================================== Danyliw Expires November 10, 2016 [Page 125] Internet-Draft IODEF v2 May 2016 --> <xs:element name="History"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="HistoryItem"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:DateTime"/> <xs:element ref="iodef:IncidentID" minOccurs="0"/> <xs:element ref="iodef:Contact" minOccurs="0"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:DefinedCOA" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="action" type="iodef:action-type" use="required"/> 
<xs:attribute name="ext-action" type="xs:string" use="optional"/> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:complexType> </xs:element> <xs:element name="DefinedCOA" type="xs:string"/> <!-- =================================================================== == Expectation class == =================================================================== --> <xs:element name="Expectation"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:DefinedCOA" Danyliw Expires November 10, 2016 [Page 126] Internet-Draft IODEF v2 May 2016 minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:StartTime" minOccurs="0"/> <xs:element ref="iodef:EndTime" minOccurs="0"/> <xs:element ref="iodef:Contact" minOccurs="0"/> </xs:sequence> <xs:attribute name="action" type="iodef:action-type" default="other"/> <xs:attribute name="ext-action" type="xs:string" use="optional"/> <xs:attribute name="severity" type="iodef:severity-type"/> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == Discovery class == =================================================================== --> <xs:element name="Discovery"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:DetectionPattern" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="source" type="discovery-source-type" use="optional" default="unknown"/> <xs:attribute 
name="ext-source" type="xs:string" use="optional"/> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:simpleType name="discovery-source-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="nidps"/> <xs:enumeration value="hips"/> <xs:enumeration value="siem"/> Danyliw Expires November 10, 2016 [Page 127] Internet-Draft IODEF v2 May 2016 <xs:enumeration value="av"/> <xs:enumeration value="third-party-monitoring"/> <xs:enumeration value="incident"/> <xs:enumeration value="os-log"/> <xs:enumeration value="application-log"/> <xs:enumeration value="device-log"/> <xs:enumeration value="network-flow"/> <xs:enumeration value="passive-dns"/> <xs:enumeration value="investigation"/> <xs:enumeration value="audit"/> <xs:enumeration value="internal-notification"/> <xs:enumeration value="external-notification"/> <xs:enumeration value="leo"/> <xs:enumeration value="partner"/> <xs:enumeration value="actor"/> <xs:enumeration value="unknown"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="DetectionPattern"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Application"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="DetectionConfiguration" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == Method class == =================================================================== --> <xs:element name="Method"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" 
maxOccurs="unbounded"/> <xs:element ref="sci:AttackPattern" Danyliw Expires November 10, 2016 [Page 128] Internet-Draft IODEF v2 May 2016 minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="sci:Vulnerability" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="sci:Weakness" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == Reference class == =================================================================== --> <xs:element name="Reference"> <xs:complexType> <xs:sequence> <xs:element ref="enum:ReferenceName" minOccurs="0"/> <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == Assessment class == =================================================================== --> <xs:element name="Assessment"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:IncidentCategory" minOccurs="0" maxOccurs="unbounded"/> <xs:choice maxOccurs="unbounded"> <xs:element ref="iodef:SystemImpact"/> <xs:element ref="iodef:BusinessImpact"/> <xs:element ref="iodef:TimeImpact"/> <xs:element ref="iodef:MonetaryImpact"/> <xs:element ref="iodef:IntendedImpact"/> </xs:choice> Danyliw Expires November 10, 2016 [Page 129] Internet-Draft IODEF v2 May 2016 <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:MitigatingFactor" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Cause" minOccurs="0" maxOccurs="unbounded"/> <xs:element 
ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="occurrence"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="actual"/> <xs:enumeration value="potential"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:complexType> </xs:element> <xs:element name="IncidentCategory" type="iodef:MLStringType"/> <xs:element name="BusinessImpact" type="iodef:BusinessImpactType"/> <xs:element name="IntendedImpact" type="iodef:BusinessImpactType"/> <xs:element name="MitigatingFactor" type="iodef:MLStringType"/> <xs:element name="Cause" type="iodef:MLStringType"/> <xs:element name="SystemImpact"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="severity" type="iodef:severity-type" use="optional"/> <xs:attribute name="completion" type="iodef:systemimpact-completion-type" use="optional"/> <xs:attribute name="type" type="systemimpact-type-type" use="optional" default="unknown"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:simpleType name="systemimpact-completion-type"> Danyliw Expires November 10, 2016 [Page 130] Internet-Draft IODEF v2 May 2016 <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="failed"/> <xs:enumeration value="succeeded"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="systemimpact-type-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="takeover-account"/> <xs:enumeration value="takeover-service"/> <xs:enumeration value="takeover-system"/> <xs:enumeration value="cps-manipulation"/> <xs:enumeration value="cps-damage"/> <xs:enumeration 
value="availability-data"/> <xs:enumeration value="availability-account"/> <xs:enumeration value="availability-service"/> <xs:enumeration value="availability-system"/> <xs:enumeration value="damaged-system"/> <xs:enumeration value="damaged-data"/> <xs:enumeration value="breach-proprietary"/> <xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-credential"/> <xs:enumeration value="breach-configuration"/> <xs:enumeration value="integrity-data"/> <xs:enumeration value="integrity-configuration"/> <xs:enumeration value="integrity-hardware"/> <xs:enumeration value="traffic-redirection"/> <xs:enumeration value="monitoring-traffic"/> <xs:enumeration value="monitoring-host"/> <xs:enumeration value="policy"/> <xs:enumeration value="unknown"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:complexType name="BusinessImpactType"> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="severity" type="businessimpact-severity-type" use="optional"/> <xs:attribute name="ext-severity" type="xs:string" use="optional"/> <xs:attribute name="type" type="businessimpact-type-type" use="optional" default="unknown"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/> </xs:complexType> <xs:simpleType name="businessimpact-severity-type"> Danyliw Expires November 10, 2016 [Page 131] Internet-Draft IODEF v2 May 2016 <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="none"/> <xs:enumeration value="low"/> <xs:enumeration value="medium"/> <xs:enumeration value="high"/> <xs:enumeration value="unknown"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="businessimpact-type-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="breach-proprietary"/> <xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-credential"/> <xs:enumeration value="loss-of-integrity"/> <xs:enumeration value="loss-of-service"/> 
<xs:enumeration value="theft-financial"/> <xs:enumeration value="theft-service"/> <xs:enumeration value="degraded-reputation"/> <xs:enumeration value="asset-damage"/> <xs:enumeration value="asset-manipulation"/> <xs:enumeration value="legal"/> <xs:enumeration value="extortion"/> <xs:enumeration value="unknown"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="TimeImpact"> <xs:complexType> <xs:simpleContent> <xs:extension base="iodef:PositiveFloatType"> <xs:attribute name="severity" type="iodef:severity-type"/> <xs:attribute name="metric" type="timeimpact-metric-type" use="required"/> <xs:attribute name="ext-metric" type="xs:string" use="optional"/> <xs:attribute name="duration" type="iodef:duration-type"/> <xs:attribute name="ext-duration" type="xs:string" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:simpleType name="timeimpact-metric-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="labor"/> <xs:enumeration value="elapsed"/> <xs:enumeration value="downtime"/> Danyliw Expires November 10, 2016 [Page 132] Internet-Draft IODEF v2 May 2016 <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:element name="MonetaryImpact"> <xs:complexType> <xs:simpleContent> <xs:extension base="iodef:PositiveFloatType"> <xs:attribute name="severity" type="iodef:severity-type"/> <xs:attribute name="currency" type="xs:string"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Confidence"> <xs:complexType> <xs:attribute name="rating" type="confidence-rating-type" use="required"/> <xs:attribute name="ext-rating" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:simpleType name="confidence-rating-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="low"/> <xs:enumeration value="medium"/> <xs:enumeration value="high"/> <xs:enumeration value="numeric"/> <xs:enumeration value="unknown"/> <xs:enumeration 
value="ext-value"/> </xs:restriction> </xs:simpleType> <!-- =================================================================== == EventData class == =================================================================== --> <xs:element name="EventData"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:DetectTime" minOccurs="0"/> <xs:element ref="iodef:StartTime" minOccurs="0"/> <xs:element ref="iodef:EndTime" minOccurs="0"/> <xs:element ref="iodef:RecoveryTime" minOccurs="0"/> <xs:element ref="iodef:ReportTime" minOccurs="0"/> <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/> Danyliw Expires November 10, 2016 [Page 133] Internet-Draft IODEF v2 May 2016 <xs:element ref="iodef:Discovery" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Assessment" minOccurs="0"/> <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Flow" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Expectation" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Record" minOccurs="0"/> <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:complexType> </xs:element> <!-- =================================================================== == Flow class == =================================================================== --> <xs:element name="Flow"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:System" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <!-- =================================================================== == System class == 
=================================================================== --> <xs:element name="System"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Node"/> <xs:element ref="iodef:NodeRole" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Service" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:OperatingSystem" Danyliw Expires November 10, 2016 [Page 134] Internet-Draft IODEF v2 May 2016 minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="AssetID" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="category" type="system-category-type"/> <xs:attribute name="ext-category" type="xs:string" use="optional"/> <xs:attribute name="interface" type="xs:string"/> <xs:attribute name="spoofed" type="yes-no-unknown-type" default="unknown"/> <xs:attribute name="virtual" type="yes-no-unknown-type" use="optional" default="unknown"/> <xs:attribute name="ownership" type="system-ownership-type" use="optional"/> <xs:attribute name="ext-ownership" type="xs:string" use="optional"/> <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/> <xs:attribute name="ext-restriction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="OperatingSystem" type="iodef:SoftwareType"/> <xs:simpleType name="system-category-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="source"/> <xs:enumeration value="target"/> <xs:enumeration value="intermediate"/> <xs:enumeration value="sensor"/> <xs:enumeration value="infrastructure"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="system-ownership-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="organization"/> <xs:enumeration value="personal"/> 
<xs:enumeration value="partner"/> <xs:enumeration value="customer"/> <xs:enumeration value="no-relationship"/> Danyliw Expires November 10, 2016 [Page 135] Internet-Draft IODEF v2 May 2016 <xs:enumeration value="unknown"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <!-- ================================================================== == Node class == ================================================================== --> <xs:element name="Node"> <xs:complexType> <xs:sequence> <xs:choice maxOccurs="unbounded"> <xs:element ref="iodef:DomainData" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Address" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> <xs:element ref="iodef:PostalAddress" minOccurs="0"/> <xs:element ref="iodef:Location" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Address"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="category" type="address-category-type" default="ipv6-addr"/> <xs:attribute name="ext-category" type="xs:string" use="optional"/> <xs:attribute name="vlan-name" type="xs:string"/> <xs:attribute name="vlan-num" type="xs:integer"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:simpleType name="address-category-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="asn"/> <xs:enumeration value="atm"/> <xs:enumeration value="e-mail"/> Danyliw Expires November 10, 2016 [Page 136] Internet-Draft IODEF v2 May 2016 <xs:enumeration value="mac"/> <xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net-mask"/> <xs:enumeration value="site-uri"/> <xs:enumeration value="ext-value"/> 
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="Location" type="iodef:MLStringType"/>
  <xs:element name="NodeRole">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="category" type="noderole-category-type"
                    use="required"/>
      <xs:attribute name="ext-category" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:simpleType name="noderole-category-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="client"/>
      <xs:enumeration value="client-enterprise"/>
      <xs:enumeration value="client-partner"/>
      <xs:enumeration value="client-remote"/>
      <xs:enumeration value="client-kiosk"/>
      <xs:enumeration value="client-mobile"/>
      <xs:enumeration value="server-internal"/>
      <xs:enumeration value="server-public"/>
      <xs:enumeration value="www"/>
      <xs:enumeration value="mail"/>
      <xs:enumeration value="webmail"/>
      <xs:enumeration value="messaging"/>
      <xs:enumeration value="streaming"/>
      <xs:enumeration value="voice"/>
      <xs:enumeration value="file"/>
      <xs:enumeration value="ftp"/>
      <xs:enumeration value="p2p"/>
      <xs:enumeration value="name"/>
      <xs:enumeration value="directory"/>
      <xs:enumeration value="credential"/>
      <xs:enumeration value="print"/>
      <xs:enumeration value="application"/>
      <xs:enumeration value="database"/>
      <xs:enumeration value="backup"/>
      <xs:enumeration value="dhcp"/>
      <xs:enumeration value="assessment"/>
      <xs:enumeration value="source-control"/>
      <xs:enumeration value="config-management"/>
      <xs:enumeration value="monitoring"/>
      <xs:enumeration value="infra"/>
      <xs:enumeration value="infra-firewall"/>
      <xs:enumeration value="infra-router"/>
      <xs:enumeration value="infra-switch"/>
      <xs:enumeration value="camera"/>
      <xs:enumeration value="proxy"/>
      <xs:enumeration value="remote-access"/>
      <xs:enumeration value="log"/>
      <xs:enumeration value="virtualization"/>
      <xs:enumeration value="pos"/>
      <xs:enumeration
                      value="scada"/>
      <xs:enumeration value="scada-supervisory"/>
      <xs:enumeration value="sinkhole"/>
      <xs:enumeration value="honeypot"/>
      <xs:enumeration value="anonymization"/>
      <xs:enumeration value="c2-server"/>
      <xs:enumeration value="malware-distribution"/>
      <xs:enumeration value="drop-server"/>
      <xs:enumeration value="hop-point"/>
      <xs:enumeration value="reflector"/>
      <xs:enumeration value="phishing-site"/>
      <xs:enumeration value="spear-phishing-site"/>
      <xs:enumeration value="recruiting-site"/>
      <xs:enumeration value="fraudulent-site"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <!--
  ===================================================================
  ==  Service Class                                                ==
  ===================================================================
  -->
  <xs:element name="Service">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:ServiceName" minOccurs="0"/>
        <xs:element ref="iodef:Port" minOccurs="0"/>
        <xs:element ref="iodef:Portlist" minOccurs="0"/>
        <xs:element ref="iodef:ProtoType" minOccurs="0"/>
        <xs:element ref="iodef:ProtoCode" minOccurs="0"/>
        <xs:element ref="iodef:ProtoField" minOccurs="0"/>
        <xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
        <xs:element ref="iodef:EmailData" minOccurs="0"/>
        <xs:element ref="iodef:Application" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="ip-protocol" type="xs:integer" use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Port" type="xs:integer"/>
  <xs:element name="Portlist" type="iodef:PortlistType"/>
  <xs:element name="ProtoType" type="xs:integer"/>
  <xs:element name="ProtoCode" type="xs:integer"/>
  <xs:element name="ProtoField" type="xs:integer"/>
  <xs:element name="ApplicationHeader">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:ApplicationHeaderField"
                    maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element
              name="ApplicationHeaderField" type="iodef:ExtensionType"/>
  <xs:element name="ServiceName">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IANAService" minOccurs="0"/>
        <xs:element ref="iodef:URL"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="IANAService" type="xs:string"/>
  <xs:element name="Application" type="iodef:SoftwareType"/>
  <!--
  ===================================================================
  ==  Counter class                                                ==
  ===================================================================
  -->
  <xs:element name="Counter">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:float">
          <xs:attribute name="type" type="counter-type-type"
                        use="required"/>
          <xs:attribute name="ext-type" type="xs:string" use="optional"/>
          <xs:attribute name="unit" type="counter-unit-type"
                        use="required"/>
          <xs:attribute name="ext-unit" type="xs:string" use="optional"/>
          <xs:attribute name="meaning" type="xs:string" use="optional"/>
          <xs:attribute name="duration" type="iodef:duration-type"/>
          <xs:attribute name="ext-duration" type="xs:string"
                        use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:simpleType name="counter-type-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="counter"/>
      <xs:enumeration value="rate"/>
      <xs:enumeration value="average"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="counter-unit-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="byte"/>
      <xs:enumeration value="mbit"/>
      <xs:enumeration value="packet"/>
      <xs:enumeration value="flow"/>
      <xs:enumeration value="session"/>
      <xs:enumeration value="event"/>
      <xs:enumeration value="alert"/>
      <xs:enumeration value="message"/>
      <xs:enumeration value="host"/>
      <xs:enumeration value="site"/>
      <xs:enumeration
                      value="organization"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <!--
  ===================================================================
  ==  EmailData class                                              ==
  ===================================================================
  -->
  <xs:element name="EmailData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:EmailTo"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:EmailFrom" minOccurs="0"/>
        <xs:element ref="iodef:EmailSubject" minOccurs="0"/>
        <xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
        <xs:element ref="iodef:EmailHeaderField"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
        <xs:element ref="iodef:EmailBody" minOccurs="0"/>
        <xs:element ref="iodef:EmailMessage" minOccurs="0"/>
        <xs:element ref="iodef:HashData"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:SignatureData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="EmailTo" type="xs:string"/>
  <xs:element name="EmailFrom" type="xs:string"/>
  <xs:element name="EmailSubject" type="xs:string"/>
  <xs:element name="EmailX-Mailer" type="xs:string"/>
  <xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
  <xs:element name="EmailHeaders" type="xs:string"/>
  <xs:element name="EmailBody" type="xs:string"/>
  <xs:element name="EmailMessage" type="xs:string"/>
  <!--
  ===================================================================
  ==  DomainData class                                             ==
  ===================================================================
  -->
  <xs:element name="DomainData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Name"/>
        <xs:element ref="iodef:DateDomainWasChecked" minOccurs="0"/>
        <xs:element ref="iodef:RegistrationDate" minOccurs="0"/>
        <xs:element ref="iodef:ExpirationDate" minOccurs="0"/>
        <xs:element ref="iodef:RelatedDNS"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Nameservers"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:DomainContacts" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="system-status"
                    type="domaindata-system-status-type"/>
      <xs:attribute name="ext-system-status" type="xs:string"
                    use="optional"/>
      <xs:attribute name="domain-status"
                    type="domaindata-domain-status-type"/>
      <xs:attribute name="ext-domain-status" type="xs:string"
                    use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Name" type="xs:string"/>
  <xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
  <xs:element name="RegistrationDate" type="xs:dateTime"/>
  <xs:element name="ExpirationDate" type="xs:dateTime"/>
  <xs:simpleType name="domaindata-system-status-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="spoofed"/>
      <xs:enumeration value="fraudulent"/>
      <xs:enumeration value="innocent-hacked"/>
      <xs:enumeration value="innocent-hijacked"/>
      <xs:enumeration value="unknown"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="domaindata-domain-status-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="reservedDelegation"/>
      <xs:enumeration value="assignedAndActive"/>
      <xs:enumeration value="assignedAndInactive"/>
      <xs:enumeration value="assignedAndOnHold"/>
      <xs:enumeration value="revoked"/>
      <xs:enumeration value="transferPending"/>
      <xs:enumeration value="registryLock"/>
      <xs:enumeration value="registrarLock"/>
      <xs:enumeration value="other"/>
      <xs:enumeration value="unknown"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="RelatedDNS" type="iodef:ExtensionType"/>
  <xs:element name="Nameservers">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Server"/>
        <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Server" type="xs:string"/>
  <xs:element name="DomainContacts">
    <xs:complexType>
      <xs:choice>
        <xs:element ref="iodef:SameDomainContact"/>
        <xs:element ref="iodef:Contact"
                    minOccurs="1" maxOccurs="unbounded"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>
  <xs:element name="SameDomainContact" type="xs:string"/>
  <!--
  ===================================================================
  ==  Record class                                                 ==
  ===================================================================
  -->
  <xs:element name="Record">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="RecordData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:DateTime" minOccurs="0"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Application" minOccurs="0"/>
        <xs:element ref="iodef:RecordPattern"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:RecordItem"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:URL"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:FileData"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:WindowsRegistryKeysModified"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:CertificateData"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="RecordPattern">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="type" type="recordpattern-type-type"
                        use="required"/>
          <xs:attribute name="ext-type" type="xs:string" use="optional"/>
          <xs:attribute name="offset" type="xs:integer" use="optional"/>
          <xs:attribute name="offsetunit"
                        type="recordpattern-offsetunit-type"
                        use="optional" default="line"/>
          <xs:attribute name="ext-offsetunit" type="xs:string"
                        use="optional"/>
          <xs:attribute name="instance" type="xs:integer" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:simpleType name="recordpattern-type-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="regex"/>
      <xs:enumeration value="binary"/>
      <xs:enumeration value="xpath"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="recordpattern-offsetunit-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="line"/>
      <xs:enumeration value="byte"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="RecordItem" type="iodef:ExtensionType"/>
  <!--
  ===================================================================
  ==  WindowsRegistryKeysModified Class                            ==
  ===================================================================
  -->
  <xs:element name="WindowsRegistryKeysModified">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Key" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Key">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:KeyName"/>
        <xs:element ref="iodef:Value" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="registryaction"
                    type="key-registryaction-type"/>
      <xs:attribute name="ext-registryaction" type="xs:string"
                    use="optional"/>
      <xs:attribute
                    name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="KeyName" type="xs:string"/>
  <xs:element name="Value" type="xs:string"/>
  <xs:simpleType name="key-registryaction-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="add-key"/>
      <xs:enumeration value="add-value"/>
      <xs:enumeration value="delete-key"/>
      <xs:enumeration value="delete-value"/>
      <xs:enumeration value="modify-key"/>
      <xs:enumeration value="modify-value"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <!--
  ====================================================================
  ==  FileData Class                                                ==
  ====================================================================
  -->
  <xs:element name="FileData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:File"
                    minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="File">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:FileName" minOccurs="0"/>
        <xs:element ref="iodef:FileSize" minOccurs="0"/>
        <xs:element ref="iodef:FileType" minOccurs="0"/>
        <xs:element ref="iodef:URL"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:HashData" minOccurs="0"/>
        <xs:element ref="iodef:SignatureData" minOccurs="0"/>
        <xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
        <xs:element ref="iodef:FileProperties"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="FileName" type="xs:string"/>
  <xs:element name="FileSize" type="xs:integer"/>
  <xs:element name="FileType" type="xs:string"/>
  <xs:element name="AssociatedSoftware"
              type="iodef:SoftwareType"/>
  <xs:element name="FileProperties" type="iodef:ExtensionType"/>
  <!--
  ====================================================================
  ==  HashData Class                                                ==
  ====================================================================
  -->
  <xs:element name="HashData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
        <xs:element ref="iodef:Hash"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:FuzzyHash"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="scope" type="hashdata-scope-type"
                    use="required"/>
      <xs:attribute name="ext-scope" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="HashTargetID" type="xs:string"/>
  <xs:simpleType name="hashdata-scope-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="file-contents"/>
      <xs:enumeration value="file-pe-section"/>
      <xs:enumeration value="file-pe-iat"/>
      <xs:enumeration value="file-pe-resource"/>
      <xs:enumeration value="file-pdf-object"/>
      <xs:enumeration value="email-hash"/>
      <xs:enumeration value="email-headers-hash"/>
      <xs:enumeration value="email-body-hash"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="Hash">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:DigestMethod"/>
        <xs:element ref="ds:DigestValue"/>
        <xs:element ref="ds:CanonicalizationMethod" minOccurs="0"/>
        <xs:element ref="iodef:Application" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="FuzzyHash">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:FuzzyHashValue" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Application" minOccurs="0"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
  <!--
  ===================================================================
  ==  SignatureData Class                                          ==
  ===================================================================
  -->
  <xs:element name="SignatureData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!--
  ===================================================================
  ==  CertificateData                                              ==
  ===================================================================
  -->
  <xs:element name="CertificateData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Certificate">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:X509Data"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!--
  ===================================================================
  ==  IndicatorData Class                                          ==
  ===================================================================
  -->
  <xs:element name="IndicatorData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Indicator"
                    minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Indicator">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IndicatorID"/>
        <xs:element ref="iodef:AlternativeIndicatorID"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:StartTime" minOccurs="0"/>
        <xs:element ref="iodef:EndTime" minOccurs="0"/>
        <xs:element ref="iodef:Confidence" minOccurs="0"/>
        <xs:element ref="iodef:Contact"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:choice>
          <xs:element ref="iodef:Observable"/>
          <xs:element ref="iodef:ObservableReference"/>
          <xs:element ref="iodef:IndicatorExpression"/>
          <xs:element ref="iodef:IndicatorReference"/>
        </xs:choice>
        <xs:element ref="iodef:NodeRole"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AttackPhase"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Reference"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="IndicatorID">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:ID">
          <xs:attribute name="name" type="xs:string" use="required"/>
          <xs:attribute name="version" type="xs:string" use="required"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="AlternativeIndicatorID">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Observable">
    <xs:complexType>
      <xs:choice>
        <xs:element ref="iodef:Address" minOccurs="0"/>
        <xs:element ref="iodef:DomainData" minOccurs="0"/>
        <xs:element ref="iodef:EmailData" minOccurs="0"/>
        <xs:element ref="iodef:Service" minOccurs="0"/>
        <xs:element ref="iodef:WindowsRegistryKeysModified"
                    minOccurs="0"/>
        <xs:element ref="iodef:FileData" minOccurs="0"/>
        <xs:element ref="iodef:CertificateData" minOccurs="0"/>
        <xs:element
                    ref="iodef:RegistryHandle" minOccurs="0"/>
        <xs:element ref="iodef:RecordData" minOccurs="0"/>
        <xs:element ref="iodef:EventData" minOccurs="0"/>
        <xs:element ref="iodef:Incident" minOccurs="0"/>
        <xs:element ref="iodef:Expectation" minOccurs="0"/>
        <xs:element ref="iodef:Reference" minOccurs="0"/>
        <xs:element ref="iodef:Assessment" minOccurs="0"/>
        <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
        <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:choice>
      <xs:attribute name="restriction" type="iodef:restriction-type"
                    use="optional"/>
      <xs:attribute name="ext-restriction" type="xs:string"
                    use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="BulkObservable">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
        <xs:element ref="iodef:BulkObservableList"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="type" type="bulkobservable-type-type"
                    use="required"/>
      <xs:attribute name="ext-type" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:simpleType name="bulkobservable-type-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="asn"/>
      <xs:enumeration value="atm"/>
      <xs:enumeration value="e-mail"/>
      <xs:enumeration value="ipv4-addr"/>
      <xs:enumeration value="ipv4-net"/>
      <xs:enumeration value="ipv4-net-mask"/>
      <xs:enumeration value="ipv6-addr"/>
      <xs:enumeration value="ipv6-net"/>
      <xs:enumeration value="ipv6-net-mask"/>
      <xs:enumeration value="mac"/>
      <xs:enumeration value="site-uri"/>
      <xs:enumeration value="domain-name"/>
      <xs:enumeration value="domain-to-ipv4"/>
      <xs:enumeration value="domain-to-ipv6"/>
      <xs:enumeration value="domain-to-ipv4-timestamp"/>
      <xs:enumeration value="domain-to-ipv6-timestamp"/>
      <xs:enumeration value="ipv4-port"/>
      <xs:enumeration value="ipv6-port"/>
      <xs:enumeration value="windows-reg-key"/>
      <xs:enumeration value="file-hash"/>
      <xs:enumeration value="email-x-mailer"/>
      <xs:enumeration value="email-subject"/>
      <xs:enumeration value="http-user-agent"/>
      <xs:enumeration value="http-request-uri"/>
      <xs:enumeration value="mutex"/>
      <xs:enumeration value="file-path"/>
      <xs:enumeration value="user-name"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="BulkObservableFormat">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Hash" minOccurs="0"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="BulkObservableList" type="xs:string"/>
  <xs:element name="IndicatorExpression">
    <xs:complexType>
      <xs:sequence maxOccurs="unbounded">
        <xs:choice>
          <xs:element ref="iodef:IndicatorExpression"/>
          <xs:element ref="iodef:Observable"/>
          <xs:element ref="iodef:ObservableReference"/>
          <xs:element ref="iodef:IndicatorReference"/>
        </xs:choice>
      </xs:sequence>
      <xs:attribute name="operator"
                    type="indicatorexpression-operator-type"
                    use="optional" default="and"/>
      <xs:attribute name="ext-operator" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:simpleType name="indicatorexpression-operator-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="not"/>
      <xs:enumeration value="and"/>
      <xs:enumeration value="or"/>
      <xs:enumeration value="xor"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="ObservableReference">
    <xs:complexType>
      <xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="IndicatorReference">
    <xs:complexType>
      <xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
      <xs:attribute name="euid-ref" type="xs:string" use="optional"/>
      <xs:attribute name="version" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="AttackPhase">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:AttackPhaseID"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="AttackPhaseID" type="xs:string"/>
  <!--
  ===================================================================
  ==  Miscellaneous Classes                                        ==
  ===================================================================
  -->
  <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
  <xs:element name="Description" type="iodef:MLStringType"/>
  <xs:element name="URL" type="xs:anyURI"/>
  <!--
  ===================================================================
  ==  IODEF Data Types                                             ==
  ===================================================================
  -->
  <xs:simpleType name="PositiveFloatType">
    <xs:restriction base="xs:float">
      <xs:minExclusive value="0"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:complexType name="MLStringType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="translation-id" type="xs:string"
                      use="optional"/>
        <xs:attribute ref="xml:lang"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <xs:simpleType name="PortlistType">
    <xs:restriction base="xs:string">
      <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="TimezoneType">
    <xs:restriction base="xs:string">
      <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:complexType name="ExtensionType" mixed="true">
    <xs:sequence>
      <xs:any namespace="##any" processContents="lax"
              minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="name" type="xs:string" use="optional"/>
    <xs:attribute name="dtype" type="iodef:dtype-type" use="required"/>
    <xs:attribute name="ext-dtype"
                  type="xs:string" use="optional"/>
    <xs:attribute name="meaning" type="xs:string" use="optional"/>
    <xs:attribute name="formatid" type="xs:string" use="optional"/>
    <xs:attribute name="restriction" type="iodef:restriction-type"
                  use="optional"/>
    <xs:attribute name="ext-restriction" type="xs:string"
                  use="optional"/>
    <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
  </xs:complexType>
  <xs:complexType name="SoftwareType">
    <xs:sequence>
      <xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
      <xs:element ref="iodef:URL"
                  minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Description"
                  minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="SoftwareReference">
    <xs:complexType>
      <xs:sequence>
        <xs:any namespace="##any" processContents="lax"
                minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="spec-name"
                    type="softwarereference-spec-name-type"
                    use="required"/>
      <xs:attribute name="ext-spec-name" type="xs:string"
                    use="optional"/>
      <xs:attribute name="dtype" type="softwarereference-dtype-type"
                    use="optional"/>
      <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:simpleType name="softwarereference-spec-name-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="custom"/>
      <xs:enumeration value="cpe"/>
      <xs:enumeration value="swid"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="softwarereference-dtype-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="bytes"/>
      <xs:enumeration value="integer"/>
      <xs:enumeration value="real"/>
      <xs:enumeration value="string"/>
      <xs:enumeration value="xml"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <!--
  ===================================================================
  ==  Global attribute type declarations                           ==
  ===================================================================
  -->
  <xs:simpleType name="yes-no-unknown-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="yes"/>
      <xs:enumeration value="no"/>
      <xs:enumeration value="unknown"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="restriction-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="default"/>
      <xs:enumeration value="public"/>
      <xs:enumeration value="partner"/>
      <xs:enumeration value="need-to-know"/>
      <xs:enumeration value="private"/>
      <xs:enumeration value="white"/>
      <xs:enumeration value="green"/>
      <xs:enumeration value="amber"/>
      <xs:enumeration value="red"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="severity-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="low"/>
      <xs:enumeration value="medium"/>
      <xs:enumeration value="high"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="duration-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="second"/>
      <xs:enumeration value="minute"/>
      <xs:enumeration value="hour"/>
      <xs:enumeration value="day"/>
      <xs:enumeration value="month"/>
      <xs:enumeration value="quarter"/>
      <xs:enumeration value="year"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="action-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="nothing"/>
      <xs:enumeration value="contact-source-site"/>
      <xs:enumeration value="contact-target-site"/>
      <xs:enumeration value="contact-sender"/>
      <xs:enumeration value="investigate"/>
      <xs:enumeration value="block-host"/>
      <xs:enumeration value="block-network"/>
      <xs:enumeration value="block-port"/>
      <xs:enumeration value="rate-limit-host"/>
      <xs:enumeration value="rate-limit-network"/>
      <xs:enumeration value="rate-limit-port"/>
      <xs:enumeration
                      value="redirect-traffic"/>
      <xs:enumeration value="honeypot"/>
      <xs:enumeration value="upgrade-software"/>
      <xs:enumeration value="rebuild-asset"/>
      <xs:enumeration value="harden-asset"/>
      <xs:enumeration value="remediate-other"/>
      <xs:enumeration value="status-triage"/>
      <xs:enumeration value="status-new-info"/>
      <xs:enumeration value="watch-and-report"/>
      <xs:enumeration value="defined-coa"/>
      <xs:enumeration value="other"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="dtype-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="boolean"/>
      <xs:enumeration value="byte"/>
      <xs:enumeration value="bytes"/>
      <xs:enumeration value="character"/>
      <xs:enumeration value="date-time"/>
      <xs:enumeration value="integer"/>
      <xs:enumeration value="ntpstamp"/>
      <xs:enumeration value="portlist"/>
      <xs:enumeration value="real"/>
      <xs:enumeration value="string"/>
      <xs:enumeration value="file"/>
      <xs:enumeration value="path"/>
      <xs:enumeration value="frame"/>
      <xs:enumeration value="packet"/>
      <xs:enumeration value="ipv4-packet"/>
      <xs:enumeration value="ipv6-packet"/>
      <xs:enumeration value="url"/>
      <xs:enumeration value="csv"/>
      <xs:enumeration value="winreg"/>
      <xs:enumeration value="xml"/>
      <xs:enumeration value="ext-value"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>

9. Security Considerations

The IODEF data model does not directly introduce security or privacy issues. However, as the data encoded by the IODEF might be considered sensitive by the parties exchanging it or by those described by it, care needs to be taken to ensure appropriate handling during the document construction, exchange, processing, archiving, subsequent retrieval and analysis.

9.1. Security

The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity.
   The use of a standardized security protocol is encouraged. The Real-time Inter-network Defense (RID) protocol [RFC6545] and its associated transport binding, IODEF/RID over HTTP/TLS [RFC6546], provide such security.

   The contents of an IODEF document may include a request for action. An IODEF implementation may also initiate courses of action based on the document contents. For these reasons, care must be taken by IODEF implementations to properly authenticate the sender and receiver of the document. The recipient must also ascribe appropriate confidence to the data prior to acting on it.

   Executable content could be embedded into the IODEF document directly or through an extension. The IODEF implementation MUST handle this content with care to prevent unintentional automated execution.

9.2.  Privacy

   The IODEF contains numerous fields that are identifiers which could be linked to an individual or organization. IODEF documents may contain sensitive information about these identified parties, and repeated document exchanges about the same and related parties may enable the correlation of data about them. Likewise, a party may report on another to a third party without their knowledge.

   When creating an IODEF document, careful consideration must be given to what information is shared. Personal identifiers and attributable sensitive information should only be shared when necessary.

   When exchanging documents, transport security MUST provide document-level confidentiality. XML element-level confidentiality can also be provided by using [W3C.XMLENC].

   In order to suggest data processing and handling guidelines for the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies.
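   The following is an added example (Python), not code from this draft or from any IODEF implementation, of what a recipient has to do to honour the restriction attribute and the warning about embedded executable content above: resolve each element's effective restriction, drop anything the intended audience may not see before re-sharing, and flag AdditionalData payloads whose dtype marks them as files, packets, registry fragments or nested documents so that they are never opened or executed automatically. The element names, the fixed version value "2.00" and the namespace URI follow the schema in Section 8. The sensitivity ranking of the restriction values, the rule that "default" inherits the parent's restriction with "private" as the fallback for unmarked top-level elements, and the set of dtype values treated as opaque are this example's own assumptions, and the sample report is constructed.

```python
"""Recipient-side handling of IODEF v2 restriction markings and embedded content.

Added example; not code from the draft or any IODEF implementation.
Sensitivity ranking, inheritance rule and the opaque dtype set are assumptions.
"""
import xml.etree.ElementTree as ET  # for untrusted input, defusedxml.ElementTree has the same API

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
ET.register_namespace("", IODEF_NS)  # keep the default namespace when re-serialising

# Assumed sensitivity ranking of restriction-type values (higher = more restricted).
# The TLP colours are interleaved with the named levels; adjust to local policy.
RANK = {"public": 0, "white": 0,
        "partner": 1, "green": 1,
        "need-to-know": 2, "amber": 2,
        "private": 3, "red": 3}

# dtype values whose content is a file, packet, registry fragment or nested
# document: hand these on as opaque bytes, never open, parse or execute them.
OPAQUE_DTYPES = {"file", "frame", "packet", "ipv4-packet", "ipv6-packet",
                 "path", "url", "winreg", "xml"}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def effective_restriction(elem, inherited):
    """Resolve an element's restriction: 'default' inherits from the parent;
    'ext-value' is a sender-private enumeration we cannot interpret, so it
    fails closed to 'private'."""
    value = elem.get("restriction", "default")
    if value == "default":
        return inherited
    if value == "ext-value":
        return "private"
    if value not in RANK:
        raise ValueError("unknown restriction value %r" % value)
    return value


def _walk(elem, inherited, max_rank, removed, quarantined):
    for child in list(elem):  # iterate over a copy: children may be removed
        name = local_name(child.tag)
        eff = effective_restriction(child, inherited)
        if RANK[eff] > max_rank:
            elem.remove(child)
            removed.append((name, eff))
            continue
        if name == "AdditionalData" and child.get("dtype") in OPAQUE_DTYPES:
            quarantined.append((name, child.get("dtype")))
        _walk(child, eff, max_rank, removed, quarantined)


def process(doc_xml, audience):
    """Redact `doc_xml` for `audience`; return the redacted XML, the list of
    (element, restriction) pairs dropped, and the AdditionalData payloads
    that must be handled manually rather than auto-processed."""
    if audience not in RANK:
        raise ValueError("unknown audience %r" % audience)
    root = ET.fromstring(doc_xml)
    if root.tag != "{%s}IODEF-Document" % IODEF_NS or root.get("version") != "2.00":
        raise ValueError("not an IODEF v2.00 document")
    removed, quarantined = [], []
    # Assumption: an unmarked top-level Incident is treated as private.
    _walk(root, "private", RANK[audience], removed, quarantined)
    return {"xml": ET.tostring(root, encoding="unicode"),
            "removed": removed, "quarantined": quarantined}


# Constructed sample report; identifiers and attribute values are illustrative.
SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="partner">
    <IncidentID name="csirt.example.com">2016-0042</IncidentID>
    <GenerationTime>2016-05-09T10:00:00Z</GenerationTime>
    <Description>Scanning observed from 192.0.2.10</Description>
    <Contact role="creator" type="organization" restriction="private">
      <ContactName>Example SOC</ContactName>
    </Contact>
    <AdditionalData dtype="file" meaning="captured sample"
                    restriction="need-to-know">AAAA</AdditionalData>
  </Incident>
</IODEF-Document>
"""

if __name__ == "__main__":
    result = process(SAMPLE, "partner")
    print(result["xml"])
    print("removed:", result["removed"], "quarantined:", result["quarantined"])
```

   Two caveats follow from the text above. Dropping elements can leave the document schema-invalid (an Incident requires at least one Contact, for instance), so the redacted output should be re-validated against the Section 8 schema before it is sent on. And because "ext-value" carries a meaning defined only by the sender's private enumeration, the example fails closed and treats it as private rather than guessing.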
   While flexible, it must be stressed that the restriction attribute only serves as a guideline from the sender, as the recipient is free to ignore it.

   Although outside of the scope of an IODEF implementation, the contents of IODEF documents and any derived analysis should be archived with appropriate confidentiality controls. Likewise, access to retrieve and analyze this data should be restricted to authorized users.

10.  IANA Considerations

   This document registers a namespace, an XML schema, and a number of registries that map to enumerated values defined in the data model.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema conforming to the registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address" section of this document.

   o  XML: None. Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address" section of this document.

   o  XML: See Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates 33 identically structured registries to be managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value. An enumerated value for a given IODEF attribute.

      *  Description. A short description of the enumerated value.

      *  Reference. An optional list of URIs to further describe the value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the "Registry Name" column of Table 1.
   The initial values for the Value and Description fields of a given registry are listed in the "IV (Value)" and "IV (Description)" columns respectively. The "IV (Value)" points to a given schema type per Section 8; each enumerated value in that schema type gets a corresponding entry in the registry. The "IV (Description)" points to the section of this document that describes each enumerated value. The initial value of the Reference field of every registry entry described below should be this document.

   +------------------------------+-----------------------------------+------------------+
   | Registry Name                | IV (Value)                        | IV (Description) |
   +------------------------------+-----------------------------------+------------------+
   | Restriction                  | restriction-type                  | Section 3.3.1    |
   | Incident-purpose             | incident-purpose-type             | Section 3.2      |
   | Incident-status              | incident-status-type              | Section 3.2      |
   | Contact-role                 | contact-role-type                 | Section 3.9      |
   | Contact-type                 | contact-type-type                 | Section 3.9      |
   | RegistryHandle-registry      | registryhandle-registry-type      | Section 3.9.1    |
   | Telephone-type               | telephone-type-type               | Section 3.9.4    |
   | Email-type                   | email-type-type                   | Section 3.9.3    |
   | Expectation-action           | action-type                       | Section 3.15     |
   | Discovery-source             | discovery-source-type             | Section 3.10     |
   | SystemImpact-type            | systemimpact-type-type            | Section 3.12.1   |
   | BusinessImpact-severity      | businessimpact-severity-type      | Section 3.12.2   |
   | BusinessImpact-type          | businessimpact-type-type          | Section 3.12.2   |
   | TimeImpact-metrics           | timeimpact-metric-type            | Section 3.12.3   |
   | TimeImpact-duration          | duration-type                     | Section 3.12.3   |
   | Confidence-rating            | confidence-rating-type            | Section 3.12.5   |
   | NodeRole-category            | noderole-category-type            | Section 3.18.2   |
   | System-category              | system-category-type              | Section 3.17     |
   | System-ownership             | system-ownership-type             | Section 3.17     |
   | Address-category             | address-category-type             | Section 3.18.1   |
   | Counter-type                 | counter-type-type                 | Section 3.18.3   |
   | Counter-unit                 | counter-unit-type                 | Section 3.18.3   |
   | DomainData-system-status     | domaindata-system-status-type     | Section 3.19     |
   | DomainData-domain-status     | domaindata-domain-status-type     | Section 3.19     |
   | RecordPattern-type           | recordpattern-type-type           | Section 3.22.2   |
   | RecordPattern-offsetunit     | recordpattern-offsetunit-type     | Section 3.22.2   |
   | Key-registryaction           | key-registryaction-type           | Section 3.23.1   |
   | HashData-scope               | hashdata-scope-type               | Section 3.26     |
   | BulkObservable-type          | bulkobservable-type-type          | Section 3.29.3.1 |
   | IndicatorExpression-operator | indicatorexpression-operator-type | Section 3.29.4   |
   | ExtensionType-dtype          | dtype-type                        | Section 2.16     |
   | SoftwareReference-spec-id    | softwarereference-spec-id-type    | Section 2.15.1   |
   | SoftwareReference-dtype      | softwarereference-dtype-type      | Section 2.15.1   |
   +------------------------------+-----------------------------------+------------------+

                    Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   Thanks to Paul Stockler for his editorial leadership in the transition of RFC5070bis to this document.

   Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi Takahashi, David Waltermire and Sean Turner, as the MILE working group chairs, secretary or area directors, for providing feedback and coordination of this document.
   Thanks to the following individuals (listed alphabetically) who provided feedback during the meetings, on the mailing list or through implementation experience: Jerome Athias, David Black, Eric Burger, Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio Suzuki and Nik Teague.

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C Recommendation, October 2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]  World Wide Web Consortium, "XML Schema Part 1: Structures Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-1/>.

   [W3C.SCHEMA.DTYPES]  World Wide Web Consortium, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-2/>.

   [W3C.XMLNS]  World Wide Web Consortium, "Namespaces in XML", W3C Recommendation, January 1999, <http://www.w3.org/TR/REC-xml-names/>.

   [W3C.XPATH]  World Wide Web Consortium, "XML Path Language (XPath) 3.1", W3C Candidate Recommendation, December 2015, <https://www.w3.org/TR/xpath-3/>.

   [W3C.XMLSIG]  World Wide Web Consortium, "XML Signature Syntax and Processing 2.0", W3C Recommendation, June 2008, <http://www.w3.org/TR/xmldsig-core/>.

   [IEEE.POSIX]  Institute of Electrical and Electronics Engineers, "Information Technology - Portable Operating System Interface (POSIX) - Part 1: Base Definitions", IEEE 1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 3986, January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519, June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October 2008.

   [RFC-ENUM]  Montville, A. and D. Black, "IODEF Enumeration Reference Format", RFC 7495, January 2015.

   [RFC-SCI]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information", RFC 7203, April 2014.

   [ISO4217]  International Organization for Standardization, "International Standard: Codes for the representation of currencies and funds, ISO 4217:2001", ISO 4217:2001, August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January 2004.

   [IANA.Ports]  Internet Assigned Numbers Authority, "Service Name and Transport Protocol Port Number Registry", January 2014, <http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt>.

   [IANA.Protocols]  Internet Assigned Numbers Authority, "Assigned Internet Protocol Numbers", January 2014, <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.txt>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 10646", RFC 2781, February 2000.

   [IANA.Media]  Internet Assigned Numbers Authority, "Media Types", March 2015, <http://www.iana.org/assignments/media-types/media-types.xhtml>.

   [ISO19770]  International Organization for Standardization, "Information technology -- Software asset management -- Part 2: Software identification tag, ISO/IEC 19770-2:2015", ISO 19770-2:2015, October 2015.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident Object Description Exchange Format", RFC 5070, December 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, April 2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]  Cichonski, P., Millar, T., Grance, T., and K. Scarfone, "NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide", January 2012, <http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf>.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg) Type for the Internet Registry Information Service (IRIS)", RFC 3982, January 2005.

   [KB310516]  Microsoft Corporation, "How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, May 2008.

   [W3C.XMLENC]  World Wide Web Consortium, "XML Encryption Syntax and Processing Version 1.1", W3C Recommendation, April 2013, <https://www.w3.org/TR/xmlenc-core1/>.

Author's Address

   Roman Danyliw
   CERT - Carnegie Mellon University
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org