
The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-20

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 7970.
Author Roman Danyliw
Last updated 2016-05-09
RFC stream Internet Engineering Task Force (IETF)
Additional resources Mailing list discussion
Stream WG state Submitted to IESG for Publication
Document shepherd Takeshi Takahashi
Shepherd write-up Show Last changed 2016-04-21
IESG IESG state Became RFC 7970 (Proposed Standard)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Kathleen Moriarty
Send notices to rdd@cert.org, mile-chairs@tools.ietf.org, mile@ietf.org
draft-ietf-mile-rfc5070-bis-20
gt;
         Incident Object Description Exchange Format v2.0, RFC5070bis
      </xs:documentation>
    </xs:annotation>
    <!--
     ===================================================================
     == IODEF-Document class                                          ==
     ===================================================================
    -->
    <!-- Top-level container: one or more Incident elements followed by
         optional AdditionalData. -->
    <xs:element name="IODEF-Document">
      <xs:complexType>
        <xs:sequence>
          <!-- minOccurs defaults to 1, so at least one Incident is required.
               There is no upper bound, so a consumer of documents from other
               parties has to enforce its own size limits. -->
          <xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- Optional attribute; when present it must equal the fixed value
             "2.00", otherwise validation fails. -->
        <xs:attribute name="version" type="xs:string" fixed="2.00"/>
        <xs:attribute ref="xml:lang"/>
        <!-- Free-form strings: the schema places no constraint on them. -->
        <xs:attribute name="format-id" type="xs:string" use="optional"/>
        <xs:attribute name="private-enum-name"
                      type="xs:string" use="optional"/>
        <xs:attribute name="private-enum-id"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     == Incident class                                                ==
     ===================================================================
    -->
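    <!-- One incident report. Child order is fixed by xs:sequence; only
         IncidentID, GenerationTime and at least one Contact are mandatory.
         (The RFC page header/footer text that the page rendering had left
         inside this sequence has been dropped; it is not part of the schema.) -->
    <xs:element name="Incident">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IncidentID"/>
          <xs:element ref="iodef:AlternativeID" minOccurs="0"/>
          <xs:element ref="iodef:RelatedActivity"
                      minOccurs="0" maxOccurs="unbounded"/>
          <!-- All incident timestamps except GenerationTime are optional. -->
          <xs:element ref="iodef:DetectTime" minOccurs="0"/>
          <xs:element ref="iodef:StartTime" minOccurs="0"/>
          <xs:element ref="iodef:EndTime" minOccurs="0"/>
          <xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
          <xs:element ref="iodef:ReportTime" minOccurs="0"/>
          <xs:element ref="iodef:GenerationTime"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Discovery"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Assessment"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Method"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
          <xs:element ref="iodef:EventData"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:IndicatorData" minOccurs="0"/>
          <xs:element ref="iodef:History" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- NOTE(review): the two enumeration types below are referenced
             without the iodef: prefix, unlike iodef:restriction-type. They
             resolve only if the schema root binds the default namespace to
             the target namespace; the root is outside this excerpt. -->
        <xs:attribute name="purpose"
                      type="incident-purpose-type" use="required"/>
        <!-- The schema cannot require ext-purpose when purpose is
             "ext-value"; a consumer has to check that pairing itself. The
             same holds for the other ext- attributes here. -->
        <xs:attribute name="ext-purpose"
                      type="xs:string" use="optional"/>
        <xs:attribute name="status" type="incident-status-type"/>
        <xs:attribute name="ext-status"
                      type="xs:string" use="optional"/>
        <xs:attribute ref="xml:lang"/>
        <!-- Disclosure marking. A validating parser supplies "private" when
             the attribute is absent; a consumer that parses without schema
             validation must apply that default itself or it will treat an
             unmarked incident as having no restriction. -->
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" default="private"
                      use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <!-- xs:ID: the value must be unique across the whole document. -->
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>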
    <!-- Values accepted by the purpose attribute of Incident. "ext-value"
         presumably means the actual value is carried in ext-purpose; the
         schema does not enforce that pairing. -->
    <xs:simpleType name="incident-purpose-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="traceback"/>
        <xs:enumeration value="mitigation"/>
        <xs:enumeration value="reporting"/>
        <xs:enumeration value="watch"/>
        <xs:enumeration value="other"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>


    <!-- Values accepted by the optional status attribute of Incident. -->
    <xs:simpleType name="incident-status-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="new"/>
        <xs:enumeration value="in-progress"/>
        <xs:enumeration value="forwarded"/>
        <xs:enumeration value="resolved"/>
        <xs:enumeration value="future"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     ==  IncidentID class                                             ==
     ===================================================================
    -->
    <!-- IncidentID is a string qualified by a required "name" attribute and
         an optional "instance". Both the content and the attributes are
         unconstrained xs:string, so uniqueness and format are not checked by
         the schema. -->
    <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
    <xs:complexType name="IncidentIDType">
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="name" type="xs:string" use="required"/>
          <xs:attribute name="instance"
                        type="xs:string" use="optional"/>
          <!-- No default here, unlike the restriction attribute of
               Incident. -->
          <xs:attribute name="restriction"
                        type="iodef:restriction-type" use="optional"/>
          <xs:attribute name="ext-restriction"
                        type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <!--
     ==================================================================
     ==  AlternativeID class                                         ==
     ==================================================================
    -->
    <!-- A list of one or more IncidentID elements with its own optional
         disclosure marking. -->
    <xs:element name="AlternativeID">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     ==  RelatedActivity class                                        ==


     ===================================================================
    -->
    <!-- Links an incident to other incidents, URLs, threat actors, campaigns
         or indicators. Every child is optional, so an empty RelatedActivity
         element is schema-valid. -->
    <xs:element name="RelatedActivity">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IncidentID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:ThreatActor"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Campaign"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:IndicatorID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <!-- At most one Confidence applies to the whole element. -->
          <xs:element ref="iodef:Confidence" minOccurs="0"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- Describes a threat actor by identifier, URL and free text. -->
    <xs:element name="ThreatActor">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:ThreatActorID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <!-- NOTE(review): minOccurs is not given and defaults to 1, so at
               least one URL is mandatory here, while ThreatActorID is
               optional and the parallel Campaign class declares URL with
               minOccurs="0". Confirm against the class description before
               relying on this cardinality. -->
          <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- Free-form string; no format is imposed by the schema. -->
    <xs:element name="ThreatActorID" type="xs:string"/>
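    <!-- Describes a campaign by identifier, URL and free text. All children
         are optional. (The RFC page header/footer text that the page
         rendering had left inside this sequence has been dropped.) -->
    <xs:element name="Campaign">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:CampaignID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- Free-form string; no format is imposed by the schema. -->
    <xs:element name="CampaignID" type="xs:string"/>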
    <!--
     ===================================================================
     ==   Contact class                                               ==
     ===================================================================
    -->
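    <!-- Contact details for a person or organization. The role and type
         attributes are mandatory; every child element is optional.
         (The RFC page header/footer text that the page rendering had left
         between the attribute declarations has been dropped.) -->
    <xs:element name="Contact">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:ContactName"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:ContactTitle"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:RegistryHandle"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:PostalAddress"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Email"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Telephone"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Timezone" minOccurs="0"/>
          <!-- Contact may contain Contact, with no limit on count or
               nesting depth. A parser handling documents from other parties
               should cap recursion depth and total element count itself. -->
          <xs:element ref="iodef:Contact"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- NOTE(review): contact-role-type and contact-type-type are
             referenced without the iodef: prefix; this relies on the default
             namespace declared on the schema root, which is outside this
             excerpt. -->
        <xs:attribute name="role"
                      type="contact-role-type" use="required"/>
        <xs:attribute name="ext-role"
                      type="xs:string" use="optional"/>
        <xs:attribute name="type"
                      type="contact-type-type" use="required"/>
        <xs:attribute name="ext-type"
                      type="xs:string" use="optional"/>
        <!-- Contact data is personal data; this marking is optional and has
             no default at this level. -->
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>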
    <!-- Values accepted by the required role attribute of Contact.
         "ext-value" presumably defers to the ext-role attribute; the schema
         does not enforce that pairing. -->
    <xs:simpleType name="contact-role-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="creator"/>
        <xs:enumeration value="reporter"/>
        <xs:enumeration value="admin"/>
        <xs:enumeration value="tech"/>
        <xs:enumeration value="provider"/>
        <xs:enumeration value="zone"/>
        <xs:enumeration value="user"/>
        <xs:enumeration value="billing"/>
        <xs:enumeration value="legal"/>
        <xs:enumeration value="abuse"/>
        <xs:enumeration value="irt"/>
        <xs:enumeration value="cc"/>
        <xs:enumeration value="cc-irt"/>
        <xs:enumeration value="leo"/>
        <xs:enumeration value="vendor"/>
        <xs:enumeration value="vendor-services"/>
        <xs:enumeration value="victim"/>
        <xs:enumeration value="victim-notified"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Values accepted by the required type attribute of Contact. -->
    <xs:simpleType name="contact-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="person"/>
        <xs:enumeration value="organization"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Name and title of a contact. Both use iodef:MLStringType, which is
         defined outside this excerpt. -->
    <xs:element name="ContactName" type="iodef:MLStringType"/>
    <xs:element name="ContactTitle" type="iodef:MLStringType"/>
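    <!-- A registry handle string plus the registry it belongs to. Both
         attributes are optional. (The RFC page header/footer text that the
         page rendering had left between the attribute declarations has been
         dropped.) -->
    <xs:element name="RegistryHandle">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:string">
            <!-- No use attribute, so this is optional: a handle may arrive
                 without naming its registry. -->
            <xs:attribute name="registry"
                          type="registryhandle-registry-type"/>
            <xs:attribute name="ext-registry"
                          type="xs:string" use="optional"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>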
    <!-- Values accepted by the registry attribute of RegistryHandle. -->
    <xs:simpleType name="registryhandle-registry-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="internic"/>
        <xs:enumeration value="apnic"/>
        <xs:enumeration value="arin"/>
        <xs:enumeration value="lacnic"/>
        <xs:enumeration value="ripe"/>
        <xs:enumeration value="afrinic"/>
        <xs:enumeration value="local"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- A postal address: exactly one PAddress plus optional descriptions. -->
    <xs:element name="PostalAddress">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:PAddress"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="type"
                      type="postaladdress-type-type" use="optional"/>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- The address text itself; iodef:MLStringType is defined outside this
         excerpt. -->
    <xs:element name="PAddress" type="iodef:MLStringType"/>
    <!-- Values accepted by the type attribute of PostalAddress. -->
    <xs:simpleType name="postaladdress-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="street"/>
        <xs:enumeration value="mailing"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
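    <!-- A telephone contact: exactly one TelephoneNumber plus optional
         descriptions. (The RFC page header/footer text that the page
         rendering had left before the closing tags has been dropped.) -->
    <xs:element name="Telephone">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:TelephoneNumber"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="type"
                      type="telephone-type-type" use="optional"/>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>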
    <!-- The number is a plain xs:string: the schema applies no pattern, so
         any format checking is left to the consumer. -->
    <xs:element name="TelephoneNumber" type="xs:string"/>
    <!-- Values accepted by the type attribute of Telephone. -->
    <xs:simpleType name="telephone-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="wired"/>
        <xs:enumeration value="mobile"/>
        <xs:enumeration value="fax"/>
        <xs:enumeration value="hotline"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- An e-mail contact: exactly one EmailTo plus optional descriptions.
         EmailTo is declared outside this excerpt. -->
    <xs:element name="Email">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:EmailTo"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="type"
                      type="email-type-type" use="optional"/>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- Values accepted by the type attribute of Email. -->
    <xs:simpleType name="email-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="direct"/>
        <xs:enumeration value="hotline"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     ==  Time-based classes                                           ==
     ===================================================================
    -->
    <!-- All timestamps are plain xs:dateTime. That type accepts values with
         or without a time zone offset and these declarations add no pattern
         requiring one, so a consumer building an incident timeline should
         check for the offset itself. The schema also does not check ordering
         between the timestamps (for example StartTime before EndTime). -->
    <xs:element name="DateTime" type="xs:dateTime"/>
    <xs:element name="ReportTime" type="xs:dateTime"/>
    <xs:element name="DetectTime" type="xs:dateTime"/>
    <xs:element name="StartTime" type="xs:dateTime"/>
    <xs:element name="EndTime" type="xs:dateTime"/>
    <xs:element name="RecoveryTime" type="xs:dateTime"/>
    <xs:element name="GenerationTime" type="xs:dateTime"/>
    <!-- iodef:TimezoneType is defined outside this excerpt. -->
    <xs:element name="Timezone" type="iodef:TimezoneType"/>
    <!--
     ===================================================================
     ==  History class                                                ==
     ===================================================================


    -->
    <!-- A log of one or more HistoryItem entries with an optional disclosure
         marking for the log as a whole. -->
    <xs:element name="History">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- One history entry: a mandatory DateTime and a mandatory action
         attribute, plus optional identifier, contact and free text. -->
    <xs:element name="HistoryItem">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:DateTime"/>
          <xs:element ref="iodef:IncidentID" minOccurs="0"/>
          <xs:element ref="iodef:Contact" minOccurs="0"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:DefinedCOA"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- iodef:action-type is defined outside this excerpt. -->
        <xs:attribute name="action"
                      type="iodef:action-type" use="required"/>
        <xs:attribute name="ext-action"
                      type="xs:string" use="optional"/>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <!-- xs:ID: the value must be unique across the whole document. -->
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- Unconstrained string, also referenced from Expectation. A receiver
         should treat it as descriptive text from the sender, not as an
         instruction to act on without review. -->
    <xs:element name="DefinedCOA" type="xs:string"/>
    <!--
     ===================================================================
     ==  Expectation class                                            ==
     ===================================================================
    -->
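    <!-- What the sender expects the recipient to do. All children are
         optional. (The RFC page header/footer text that the page rendering
         had left in the middle of the DefinedCOA start tag has been dropped;
         with it in place the tag was not well-formed.) -->
    <xs:element name="Expectation">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:DefinedCOA"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:StartTime" minOccurs="0"/>
          <xs:element ref="iodef:EndTime" minOccurs="0"/>
          <xs:element ref="iodef:Contact" minOccurs="0"/>
        </xs:sequence>
        <!-- A validating parser supplies "other" when action is absent; a
             consumer that parses without validation sees no action at all
             and must apply the default itself. -->
        <xs:attribute name="action"
                      type="iodef:action-type" default="other"/>
        <xs:attribute name="ext-action"
                      type="xs:string" use="optional"/>
        <!-- iodef:severity-type is defined outside this excerpt. -->
        <xs:attribute name="severity" type="iodef:severity-type"/>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <!-- xs:ID: the value must be unique across the whole document. -->
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>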
    <!--
     ===================================================================
     ==  Discovery class                                              ==
     ===================================================================
    -->
    <!-- How the incident was discovered. All children are optional. -->
    <xs:element name="Discovery">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Contact"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:DetectionPattern"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- Defaults to "unknown" when absent, but only a validating parser
             supplies that default. -->
        <xs:attribute name="source"
                      type="discovery-source-type" use="optional"
                      default="unknown"/>
        <xs:attribute name="ext-source"
                      type="xs:string" use="optional"/>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
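    <!-- Values accepted by the source attribute of Discovery. (The RFC page
         header/footer text that the page rendering had left between the
         enumeration values has been dropped.) -->
    <xs:simpleType name="discovery-source-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="nidps"/>
        <xs:enumeration value="hips"/>
        <xs:enumeration value="siem"/>
        <xs:enumeration value="av"/>
        <xs:enumeration value="third-party-monitoring"/>
        <xs:enumeration value="incident"/>
        <xs:enumeration value="os-log"/>
        <xs:enumeration value="application-log"/>
        <xs:enumeration value="device-log"/>
        <xs:enumeration value="network-flow"/>
        <xs:enumeration value="passive-dns"/>
        <xs:enumeration value="investigation"/>
        <xs:enumeration value="audit"/>
        <xs:enumeration value="internal-notification"/>
        <xs:enumeration value="external-notification"/>
        <xs:enumeration value="leo"/>
        <xs:enumeration value="partner"/>
        <xs:enumeration value="actor"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>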
    <!-- Names the detecting application (mandatory) and optionally carries
         its configuration as text. -->
    <xs:element name="DetectionPattern">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Application"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <!-- Declared locally rather than by ref. The content is an
               unconstrained string supplied by the sender; a receiver should
               review it as data before loading it into any detection tool. -->
          <xs:element name="DetectionConfiguration"
                      type="xs:string"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     ==  Method class                                                 ==
     ===================================================================
    -->
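    <!-- The technique used in the incident, as references, free text and
         structured elements from the sci namespace. All children are
         optional. (The RFC page header/footer text that the page rendering
         had left in the middle of the sci:AttackPattern start tag has been
         dropped; with it in place the tag was not well-formed.) -->
    <xs:element name="Method">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Reference"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <!-- The sci: elements come from a different namespace whose import
               is outside this excerpt. When validating, resolve that schema
               from a locally held copy rather than from a location named by
               the incoming document. -->
          <xs:element ref="sci:AttackPattern"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="sci:Vulnerability"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="sci:Weakness"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>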
    <!--
     ===================================================================
     ==  Reference class                                              ==
     ===================================================================
    -->
    <!-- A pointer to external information: an optional enum:ReferenceName,
         URLs and descriptions. All children are optional. -->
    <xs:element name="Reference">
      <xs:complexType>
        <xs:sequence>
          <!-- enum: is a separate namespace whose import is outside this
               excerpt. -->
          <xs:element ref="enum:ReferenceName" minOccurs="0"/>
          <!-- URLs here are sender-supplied; the schema does not restrict
               scheme or host, so a receiver should not fetch them
               automatically. -->
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- xs:ID: the value must be unique across the whole document. -->
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     ==  Assessment class                                             ==
     ===================================================================
    -->
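    <!-- The impact of the incident. (The RFC page header/footer text that
         the page rendering had left inside this sequence has been dropped.) -->
    <xs:element name="Assessment">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IncidentCategory"
                      minOccurs="0" maxOccurs="unbounded"/>
          <!-- The choice has no minOccurs, so at least one impact element
               is mandatory; any mix of the five may repeat without limit. -->
          <xs:choice maxOccurs="unbounded">
            <xs:element ref="iodef:SystemImpact"/>
            <xs:element ref="iodef:BusinessImpact"/>
            <xs:element ref="iodef:TimeImpact"/>
            <xs:element ref="iodef:MonetaryImpact"/>
            <xs:element ref="iodef:IntendedImpact"/>
          </xs:choice>
          <xs:element ref="iodef:Counter"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:MitigatingFactor"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Cause"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Confidence" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- Optional, with no default: a consumer cannot tell an actual
             impact from a potential one when the sender omits it. -->
        <xs:attribute name="occurrence">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="actual"/>
              <xs:enumeration value="potential"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <!-- xs:ID: the value must be unique across the whole document. -->
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>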
    <!-- Children of Assessment. BusinessImpact and IntendedImpact share one
         type; iodef:MLStringType is defined outside this excerpt. -->
    <xs:element name="IncidentCategory" type="iodef:MLStringType"/>
    <xs:element name="BusinessImpact" type="iodef:BusinessImpactType"/>
    <xs:element name="IntendedImpact" type="iodef:BusinessImpactType"/>
    <xs:element name="MitigatingFactor" type="iodef:MLStringType"/>
    <xs:element name="Cause" type="iodef:MLStringType"/>
    <!-- Technical impact on a system. All attributes are optional. -->
    <xs:element name="SystemImpact">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="severity"
                      type="iodef:severity-type" use="optional"/>
        <xs:attribute name="completion"
                      type="iodef:systemimpact-completion-type"
                      use="optional"/>
        <!-- NOTE(review): systemimpact-type-type is referenced without the
             iodef: prefix while the completion type above carries it; both
             resolve only if the default namespace equals the target
             namespace, which is declared outside this excerpt. -->
        <xs:attribute name="type"
                      type="systemimpact-type-type"
                      use="optional" default="unknown"/>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
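    <!-- Values accepted by the completion attribute of SystemImpact. There
         is no "ext-value" member, so this list is closed. (The RFC page
         header/footer text that the page rendering had left inside this
         type has been dropped.) -->
    <xs:simpleType name="systemimpact-completion-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="failed"/>
        <xs:enumeration value="succeeded"/>
      </xs:restriction>
    </xs:simpleType>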
    <!-- Values accepted by the type attribute of SystemImpact; "unknown" is
         the declared default there. -->
    <xs:simpleType name="systemimpact-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="takeover-account"/>
        <xs:enumeration value="takeover-service"/>
        <xs:enumeration value="takeover-system"/>
        <xs:enumeration value="cps-manipulation"/>
        <xs:enumeration value="cps-damage"/>
        <xs:enumeration value="availability-data"/>
        <xs:enumeration value="availability-account"/>
        <xs:enumeration value="availability-service"/>
        <xs:enumeration value="availability-system"/>
        <xs:enumeration value="damaged-system"/>
        <xs:enumeration value="damaged-data"/>
        <xs:enumeration value="breach-proprietary"/>
        <xs:enumeration value="breach-privacy"/>
        <xs:enumeration value="breach-credential"/>
        <xs:enumeration value="breach-configuration"/>
        <xs:enumeration value="integrity-data"/>
        <xs:enumeration value="integrity-configuration"/>
        <xs:enumeration value="integrity-hardware"/>
        <xs:enumeration value="traffic-redirection"/>
        <xs:enumeration value="monitoring-traffic"/>
        <xs:enumeration value="monitoring-host"/>
        <xs:enumeration value="policy"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Shared content model of the BusinessImpact and IntendedImpact
         elements: optional descriptions plus severity and type attributes. -->
    <xs:complexType name="BusinessImpactType">
      <xs:sequence>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <!-- Uses its own severity enumeration rather than the
           iodef:severity-type used by SystemImpact. -->
      <xs:attribute name="severity"
                    type="businessimpact-severity-type" use="optional"/>
      <xs:attribute name="ext-severity"
                    type="xs:string" use="optional"/>
      <xs:attribute name="type"
                    type="businessimpact-type-type"
                    use="optional" default="unknown"/>
      <xs:attribute name="ext-type" type="xs:string" use="optional"/>
    </xs:complexType>
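    <!-- Values accepted by the severity attribute of BusinessImpactType.
         (The RFC page header/footer text that the page rendering had left
         inside this type has been dropped.) -->
    <xs:simpleType name="businessimpact-severity-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="none"/>
        <xs:enumeration value="low"/>
        <xs:enumeration value="medium"/>
        <xs:enumeration value="high"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>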
    <!--
      Closed value list for the "type" attribute of BusinessImpactType.
      "ext-value" is a member like any other: a simple type cannot require
      the companion ext-type attribute, so that pairing is not enforced
      by this declaration.
    -->
    <xs:simpleType name="businessimpact-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="breach-proprietary"/>
        <xs:enumeration value="breach-privacy"/>
        <xs:enumeration value="breach-credential"/>
        <xs:enumeration value="loss-of-integrity"/>
        <xs:enumeration value="loss-of-service"/>
        <xs:enumeration value="theft-financial"/>
        <xs:enumeration value="theft-service"/>
        <xs:enumeration value="degraded-reputation"/>
        <xs:enumeration value="asset-damage"/>
        <xs:enumeration value="asset-manipulation"/>
        <xs:enumeration value="legal"/>
        <xs:enumeration value="extortion"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      TimeImpact: simple content of type iodef:PositiveFloatType (declared
      outside this excerpt) with five attributes. Only "metric" is
      required; the rest are optional, either explicitly or because no
      "use" is given.
    -->
    <xs:element name="TimeImpact">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="iodef:PositiveFloatType">
            <xs:attribute name="severity" type="iodef:severity-type"/>
            <xs:attribute name="metric"
                          type="timeimpact-metric-type" use="required"/>
            <xs:attribute name="ext-metric"
                          type="xs:string" use="optional"/>
            <xs:attribute name="duration" type="iodef:duration-type"/>
            <xs:attribute name="ext-duration"
                          type="xs:string" use="optional"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <xs:simpleType name="timeimpact-metric-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="labor"/>
        <xs:enumeration value="elapsed"/>
        <xs:enumeration value="downtime"/>


        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      MonetaryImpact: an iodef:PositiveFloatType amount with an optional
      severity and an optional currency. "currency" is a bare xs:string;
      the schema ties it to no code list, so a consumer that compares or
      aggregates amounts has to validate it itself.
    -->
    <xs:element name="MonetaryImpact">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="iodef:PositiveFloatType">
            <xs:attribute name="severity" type="iodef:severity-type"/>
            <xs:attribute name="currency" type="xs:string"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <!--
      Confidence: a required "rating" and an optional "ext-rating".
      NOTE(review): the complex type declares no content model, so as
      written the element must be empty, yet confidence-rating-type
      offers rating="numeric" and there is nowhere to carry the number.
      Check this declaration against the text of the draft.
    -->
    <xs:element name="Confidence">
      <xs:complexType>
        <xs:attribute name="rating"
                      type="confidence-rating-type" use="required"/>
        <xs:attribute name="ext-rating"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!-- Closed value list for the "rating" attribute of Confidence. -->
    <xs:simpleType name="confidence-rating-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="low"/>
        <xs:enumeration value="medium"/>
        <xs:enumeration value="high"/>
        <xs:enumeration value="numeric"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     == EventData class                                               ==
     ===================================================================
    -->
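    <!--
      EventData: every child element is optional. Attributes are an
      optional "restriction" (iodef:restriction-type, declared outside
      this excerpt), its free-form "ext-restriction", and an optional
      "observable-id" of type xs:ID, which must be unique in the document.
      EventData may contain further EventData elements and the schema
      puts no limit on that nesting or on the repeatable children, so a
      consumer has to bound depth and element counts in its own parser.
    -->
    <xs:element name="EventData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:DetectTime" minOccurs="0"/>
          <xs:element ref="iodef:StartTime" minOccurs="0"/>
          <xs:element ref="iodef:EndTime" minOccurs="0"/>
          <xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
          <xs:element ref="iodef:ReportTime" minOccurs="0"/>
          <xs:element ref="iodef:Contact"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Discovery"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Assessment" minOccurs="0"/>
          <xs:element ref="iodef:Method"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Flow"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Expectation"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Record" minOccurs="0"/>
          <!-- Recursive reference: EventData nested inside EventData. -->
          <xs:element ref="iodef:EventData"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>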
    <!--
     ===================================================================
     ==  Flow class                                                   ==
     ===================================================================
    -->
    <!-- Flow: one or more System elements and no attributes. -->
    <xs:element name="Flow">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:System" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     ==  System class                                                 ==
     ===================================================================
    -->
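    <!--
      System: exactly one Node, then optional repeatable NodeRole, Service,
      OperatingSystem, Counter, AssetID, Description and AdditionalData.
      No attribute is required. "spoofed" and "virtual" default to
      "unknown" when omitted. AssetID and "interface" are plain xs:string
      and receive no format check from the schema.
      NOTE(review): system-category-type, system-ownership-type and
      yes-no-unknown-type are referenced without the iodef: prefix and so
      depend on the schema's default namespace, declared outside this
      excerpt. Confirm.
    -->
    <xs:element name="System">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Node"/>
          <xs:element ref="iodef:NodeRole"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Service"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:OperatingSystem"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Counter"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element name="AssetID"
                      type="xs:string"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="category" type="system-category-type"/>
        <xs:attribute name="ext-category"
                      type="xs:string" use="optional"/>
        <xs:attribute name="interface" type="xs:string"/>
        <xs:attribute name="spoofed"
                      type="yes-no-unknown-type" default="unknown"/>
        <xs:attribute name="virtual"
                      type="yes-no-unknown-type" use="optional"
                      default="unknown"/>
        <xs:attribute name="ownership" type="system-ownership-type"
                      use="optional"/>
        <xs:attribute name="ext-ownership"
                      type="xs:string" use="optional"/>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>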
    <!-- OperatingSystem reuses iodef:SoftwareType, declared outside this excerpt. -->
    <xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
    <!-- Closed value list for the "category" attribute of System. -->
    <xs:simpleType name="system-category-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="source"/>
        <xs:enumeration value="target"/>
        <xs:enumeration value="intermediate"/>
        <xs:enumeration value="sensor"/>
        <xs:enumeration value="infrastructure"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="system-ownership-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="organization"/>
        <xs:enumeration value="personal"/>
        <xs:enumeration value="partner"/>
        <xs:enumeration value="customer"/>
        <xs:enumeration value="no-relationship"/>


        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ==================================================================
     == Node class                                                   ==
     ==================================================================
    -->
    <!--
      Node: a repeatable choice of DomainData or Address, followed by an
      optional PostalAddress and optional repeatable Location and Counter.
      NOTE(review): both alternatives of the choice carry minOccurs="0",
      so the choice can match nothing and a Node with neither DomainData
      nor Address is schema-valid. A consumer that needs an address or a
      domain has to check for one itself.
    -->
    <xs:element name="Node">
      <xs:complexType>
        <xs:sequence>
          <xs:choice maxOccurs="unbounded">
            <xs:element ref="iodef:DomainData"
                        minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="iodef:Address"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:choice>
          <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
          <xs:element ref="iodef:Location"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Counter"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!--
      Address: an xs:string value labelled by the "category" attribute.
      The schema does not check the text against the chosen category, so
      a value labelled "ipv4-addr" is not validated as an IPv4 address.
      Parse and validate the value before using it in a filter, a lookup
      or a block list. "vlan-num" is an xs:integer with no range limit.
    -->
    <xs:element name="Address">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:string">
            <!--
              Omitting "category" yields "ipv6-addr", so a producer that
              sends any other kind of address without the attribute has
              it labelled as IPv6.
            -->
            <xs:attribute name="category"
                          type="address-category-type"
                          default="ipv6-addr"/>
            <xs:attribute name="ext-category"
                          type="xs:string" use="optional"/>
            <xs:attribute name="vlan-name" type="xs:string"/>
            <xs:attribute name="vlan-num" type="xs:integer"/>
            <xs:attribute name="observable-id"
                          type="xs:ID" use="optional"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <xs:simpleType name="address-category-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="asn"/>
        <xs:enumeration value="atm"/>
        <xs:enumeration value="e-mail"/>


        <xs:enumeration value="mac"/>
        <xs:enumeration value="ipv4-addr"/>
        <xs:enumeration value="ipv4-net"/>
        <xs:enumeration value="ipv4-net-mask"/>
        <xs:enumeration value="ipv6-addr"/>
        <xs:enumeration value="ipv6-net"/>
        <xs:enumeration value="ipv6-net-mask"/>
        <xs:enumeration value="site-uri"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Location uses iodef:MLStringType, declared outside this excerpt. -->
    <xs:element name="Location" type="iodef:MLStringType"/>
    <!--
      NodeRole: optional repeatable Description, a required "category"
      from noderole-category-type and an optional free-form
      "ext-category".
    -->
    <xs:element name="NodeRole">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="category"
                      type="noderole-category-type" use="required"/>
        <xs:attribute name="ext-category"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:simpleType name="noderole-category-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="client"/>
        <xs:enumeration value="client-enterprise"/>
        <xs:enumeration value="client-partner"/>
        <xs:enumeration value="client-remote"/>
        <xs:enumeration value="client-kiosk"/>
        <xs:enumeration value="client-mobile"/>
        <xs:enumeration value="server-internal"/>
        <xs:enumeration value="server-public"/>
        <xs:enumeration value="www"/>
        <xs:enumeration value="mail"/>
        <xs:enumeration value="webmail"/>
        <xs:enumeration value="messaging"/>
        <xs:enumeration value="streaming"/>
        <xs:enumeration value="voice"/>
        <xs:enumeration value="file"/>
        <xs:enumeration value="ftp"/>
        <xs:enumeration value="p2p"/>
        <xs:enumeration value="name"/>
        <xs:enumeration value="directory"/>
        <xs:enumeration value="credential"/>
        <xs:enumeration value="print"/>
        <xs:enumeration value="application"/>


        <xs:enumeration value="database"/>
        <xs:enumeration value="backup"/>
        <xs:enumeration value="dhcp"/>
        <xs:enumeration value="assessment"/>
        <xs:enumeration value="source-control"/>
        <xs:enumeration value="config-management"/>
        <xs:enumeration value="monitoring"/>
        <xs:enumeration value="infra"/>
        <xs:enumeration value="infra-firewall"/>
        <xs:enumeration value="infra-router"/>
        <xs:enumeration value="infra-switch"/>
        <xs:enumeration value="camera"/>
        <xs:enumeration value="proxy"/>
        <xs:enumeration value="remote-access"/>
        <xs:enumeration value="log"/>
        <xs:enumeration value="virtualization"/>
        <xs:enumeration value="pos"/>
        <xs:enumeration value="scada"/>
        <xs:enumeration value="scada-supervisory"/>
        <xs:enumeration value="sinkhole"/>
        <xs:enumeration value="honeypot"/>
        <xs:enumeration value="anonymization"/>
        <xs:enumeration value="c2-server"/>
        <xs:enumeration value="malware-distribution"/>
        <xs:enumeration value="drop-server"/>
        <xs:enumeration value="hop-point"/>
        <xs:enumeration value="reflector"/>
        <xs:enumeration value="phishing-site"/>
        <xs:enumeration value="spear-phishing-site"/>
        <xs:enumeration value="recruiting-site"/>
        <xs:enumeration value="fraudulent-site"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     ==  Service Class                                                ==
     ===================================================================
    -->
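    <!--
      Service: nine optional children, each allowed at most once, plus
      the optional attributes "ip-protocol" and "observable-id". Because
      every child is optional, an empty Service element is schema-valid.
      "ip-protocol" is an xs:integer with no range limit; range checking
      is left to the consumer.
    -->
    <xs:element name="Service">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:ServiceName" minOccurs="0"/>
          <xs:element ref="iodef:Port" minOccurs="0"/>
          <xs:element ref="iodef:Portlist" minOccurs="0"/>
          <xs:element ref="iodef:ProtoType" minOccurs="0"/>
          <xs:element ref="iodef:ProtoCode" minOccurs="0"/>
          <xs:element ref="iodef:ProtoField" minOccurs="0"/>
          <xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
          <xs:element ref="iodef:EmailData" minOccurs="0"/>
          <xs:element ref="iodef:Application" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="ip-protocol"
                      type="xs:integer" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>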
    <!--
      Leaf elements of Service. Port, ProtoType, ProtoCode and ProtoField
      are xs:integer, which has no lower or upper bound: negative or
      oversized values validate, so range checks (for example a port
      within 0-65535) are the consumer's job. Portlist uses
      iodef:PortlistType, declared outside this excerpt.
    -->
    <xs:element name="Port" type="xs:integer"/>
    <xs:element name="Portlist" type="iodef:PortlistType"/>
    <xs:element name="ProtoType" type="xs:integer"/>
    <xs:element name="ProtoCode" type="xs:integer"/>
    <xs:element name="ProtoField" type="xs:integer"/>
    <!-- ApplicationHeader: one or more ApplicationHeaderField elements. -->
    <xs:element name="ApplicationHeader">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:ApplicationHeaderField"
                      maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!-- Uses iodef:ExtensionType, declared outside this excerpt. -->
    <xs:element name="ApplicationHeaderField"
                type="iodef:ExtensionType"/>
    <!--
      ServiceName: an optional IANAService, then optional repeatable URL
      and Description. All three are optional, so the element may be
      empty.
    -->
    <xs:element name="ServiceName">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IANAService"
                      minOccurs="0"/>
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!--
      IANAService is a plain xs:string; the schema does not check it
      against any registry. Application reuses iodef:SoftwareType,
      declared outside this excerpt.
    -->
    <xs:element name="IANAService" type="xs:string"/>
    <xs:element name="Application" type="iodef:SoftwareType"/>
    <!--
     ===================================================================
     ==  Counter class                                                ==
     ===================================================================
    -->
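    <!--
      Counter: an xs:float value with required "type" and "unit" and
      optional "ext-type", "ext-unit", "meaning", "duration" and
      "ext-duration". The xs:float value space includes negative numbers,
      INF, -INF and NaN, all of which validate here; a consumer that
      sums, compares or thresholds counters should reject or special-case
      non-finite and negative values.
    -->
    <xs:element name="Counter">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:float">
            <xs:attribute name="type"
                          type="counter-type-type" use="required"/>
            <xs:attribute name="ext-type"
                          type="xs:string" use="optional"/>
            <xs:attribute name="unit"
                          type="counter-unit-type" use="required"/>
            <xs:attribute name="ext-unit"
                          type="xs:string" use="optional"/>
            <xs:attribute name="meaning"
                          type="xs:string" use="optional"/>
            <xs:attribute name="duration" type="iodef:duration-type"/>
            <xs:attribute name="ext-duration"
                          type="xs:string" use="optional"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>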
    <!-- Closed value list for the required "type" attribute of Counter. -->
    <xs:simpleType name="counter-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="counter"/>
        <xs:enumeration value="rate"/>
        <xs:enumeration value="average"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Closed value list for the required "unit" attribute of Counter. -->
    <xs:simpleType name="counter-unit-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="byte"/>
        <xs:enumeration value="mbit"/>
        <xs:enumeration value="packet"/>
        <xs:enumeration value="flow"/>
        <xs:enumeration value="session"/>
        <xs:enumeration value="event"/>
        <xs:enumeration value="alert"/>
        <xs:enumeration value="message"/>
        <xs:enumeration value="host"/>
        <xs:enumeration value="site"/>
        <xs:enumeration value="organization"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     ==  EmailData class                                              ==
     ===================================================================
    -->
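    <!--
      EmailData: ten optional children and an optional "observable-id".
      EmailTo, EmailHeaderField, HashData and SignatureData may repeat;
      the others occur at most once. The SignatureData reference is
      written with the iodef: prefix like every other reference in this
      element, so it no longer depends on the schema's default namespace.
    -->
    <xs:element name="EmailData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:EmailTo"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:EmailFrom" minOccurs="0"/>
          <xs:element ref="iodef:EmailSubject" minOccurs="0"/>
          <xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
          <xs:element ref="iodef:EmailHeaderField"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
          <xs:element ref="iodef:EmailBody" minOccurs="0"/>
          <xs:element ref="iodef:EmailMessage" minOccurs="0"/>
          <xs:element ref="iodef:HashData"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:SignatureData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>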
    <!--
      Leaf elements of EmailData. All but EmailHeaderField are plain
      xs:string, so the schema applies no address, header or MIME syntax
      checks and no length limit. These fields presumably hold content
      copied from a reported message; treat them as untrusted data:
      escape before display and do not automatically fetch or open
      anything they reference. EmailHeaderField uses iodef:ExtensionType,
      declared outside this excerpt.
    -->
    <xs:element name="EmailTo" type="xs:string"/>
    <xs:element name="EmailFrom" type="xs:string"/>
    <xs:element name="EmailSubject" type="xs:string"/>
    <xs:element name="EmailX-Mailer" type="xs:string"/>
    <xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
    <xs:element name="EmailHeaders" type="xs:string"/>
    <xs:element name="EmailBody" type="xs:string"/>
    <xs:element name="EmailMessage" type="xs:string"/>
    <!--
     ===================================================================
     ==   DomainData class                                            ==
     ===================================================================
    -->
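    <!--
      DomainData: a required Name followed by optional
      DateDomainWasChecked, RegistrationDate, ExpirationDate, repeatable
      RelatedDNS and Nameservers, and an optional DomainContacts. None of
      the five attributes is required.
      NOTE(review): the two status types are referenced without the
      iodef: prefix and so depend on the schema's default namespace,
      declared outside this excerpt. Confirm.
    -->
    <xs:element name="DomainData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Name"/>
          <xs:element ref="iodef:DateDomainWasChecked"
                      minOccurs="0"/>
          <xs:element ref="iodef:RegistrationDate"
                      minOccurs="0"/>
          <xs:element ref="iodef:ExpirationDate"
                      minOccurs="0"/>
          <xs:element ref="iodef:RelatedDNS"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Nameservers"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:DomainContacts"
                      minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="system-status"
                      type="domaindata-system-status-type"/>
        <xs:attribute name="ext-system-status"
                      type="xs:string" use="optional"/>
        <xs:attribute name="domain-status"
                      type="domaindata-domain-status-type"/>
        <xs:attribute name="ext-domain-status"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>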
    <!--
      Leaf elements of DomainData. Name is a plain xs:string and is not
      checked for domain-name syntax. The three dates are xs:dateTime,
      whose lexical form makes the time zone optional; a consumer must
      not assume UTC when no zone is given.
    -->
    <xs:element name="Name" type="xs:string"/>
    <xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
    <xs:element name="RegistrationDate" type="xs:dateTime"/>
    <xs:element name="ExpirationDate" type="xs:dateTime"/>
    <!--
      Closed value list for the "system-status" attribute of DomainData.
      NOTE(review): this restriction is based on xs:string, whereas the
      other enumerations in this part of the schema are based on
      xs:NMTOKEN. Confirm whether the difference is intended.
    -->
    <xs:simpleType name="domaindata-system-status-type">
      <xs:restriction base="xs:string">
        <xs:enumeration value="spoofed"/>
        <xs:enumeration value="fraudulent"/>
        <xs:enumeration value="innocent-hacked"/>
        <xs:enumeration value="innocent-hijacked"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      Closed value list for the "domain-status" attribute of DomainData.
      NOTE(review): based on xs:string rather than the xs:NMTOKEN used by
      the other enumerations in this part of the schema. Confirm whether
      the difference is intended.
    -->
    <xs:simpleType name="domaindata-domain-status-type">
      <xs:restriction base="xs:string">
        <xs:enumeration value="reservedDelegation"/>
        <xs:enumeration value="assignedAndActive"/>
        <xs:enumeration value="assignedAndInactive"/>
        <xs:enumeration value="assignedAndOnHold"/>
        <xs:enumeration value="revoked"/>
        <xs:enumeration value="transferPending"/>
        <xs:enumeration value="registryLock"/>
        <xs:enumeration value="registrarLock"/>
        <xs:enumeration value="other"/>
        <xs:enumeration value="unknown"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- RelatedDNS uses iodef:ExtensionType, declared outside this excerpt. -->
    <xs:element name="RelatedDNS" type="iodef:ExtensionType"/>
    <xs:element name="Nameservers">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Server"/>
          <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>


    </xs:element>
    <!-- Server is a plain xs:string; the schema does not check host-name syntax. -->
    <xs:element name="Server" type="xs:string"/>
    <!--
      DomainContacts: exactly one of two forms, either a single
      SameDomainContact or one or more Contact elements.
    -->
    <xs:element name="DomainContacts">
      <xs:complexType>
        <xs:choice>
          <xs:element ref="iodef:SameDomainContact"/>
          <xs:element ref="iodef:Contact"
                      minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
      </xs:complexType>
    </xs:element>
    <!-- SameDomainContact is a plain xs:string with no format check. -->
    <xs:element name="SameDomainContact" type="xs:string"/>
    <!--
     ===================================================================
     ==  Record class                                                 ==
     ===================================================================
    -->
    <!--
      Record: one or more RecordData elements, with an optional
      "restriction" (iodef:restriction-type, declared outside this
      excerpt) and its free-form "ext-restriction".
    -->
    <xs:element name="Record">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
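    <!--
      RecordData: ten optional children. DateTime and Application occur
      at most once; the others may repeat without limit. Attributes are
      an optional "restriction" with its free-form "ext-restriction" and
      an optional "observable-id" of type xs:ID. Since every child is
      optional, an empty RecordData is schema-valid; the schema also
      places no cap on the number of repeated children, so a consumer
      should bound document size itself.
    -->
    <xs:element name="RecordData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:DateTime" minOccurs="0"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Application" minOccurs="0"/>
          <xs:element ref="iodef:RecordPattern"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:RecordItem"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:FileData"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:WindowsRegistryKeysModified"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:CertificateData"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>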
    <!--
      RecordPattern: an xs:string pattern whose dialect is named by the
      required "type" attribute (regex, binary, xpath or an extension).
      The schema does not check that the text is a well-formed pattern of
      that dialect. A consumer that evaluates the pattern is running an
      expression chosen by the document's sender, so evaluation should be
      bounded in time and input size and restricted to the data the
      pattern is meant to match. "offset" and "instance" are xs:integer
      with no range limit.
    -->
    <xs:element name="RecordPattern">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:string">
            <xs:attribute name="type"
                          type="recordpattern-type-type"
                          use="required"/>
            <xs:attribute name="ext-type"
                          type="xs:string" use="optional"/>
            <xs:attribute name="offset"
                          type="xs:integer" use="optional"/>
            <!-- An omitted "offsetunit" is treated as "line". -->
            <xs:attribute name="offsetunit"
                          type="recordpattern-offsetunit-type"
                          use="optional" default="line"/>
            <xs:attribute name="ext-offsetunit"
                          type="xs:string" use="optional"/>
            <xs:attribute name="instance"
                          type="xs:integer" use="optional"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <!-- Closed value list for the required "type" attribute of RecordPattern. -->
    <xs:simpleType name="recordpattern-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="regex"/>
        <xs:enumeration value="binary"/>
        <xs:enumeration value="xpath"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Closed value list for the "offsetunit" attribute of RecordPattern. -->
    <xs:simpleType name="recordpattern-offsetunit-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="line"/>
        <xs:enumeration value="byte"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- RecordItem uses iodef:ExtensionType, declared outside this excerpt. -->
    <xs:element name="RecordItem" type="iodef:ExtensionType"/>
    <!--


     ===================================================================
     ==  WindowsRegistryKeysModified Class                            ==
     ===================================================================
    -->
    <!--
      WindowsRegistryKeysModified: one or more Key elements and an
      optional "observable-id" of type xs:ID.
    -->
    <xs:element name="WindowsRegistryKeysModified">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Key" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
      Key: a required KeyName and an optional Value. "registryaction" has
      no "use" and is therefore optional, so a Key may be reported
      without saying whether it was added, deleted or modified.
    -->
    <xs:element name="Key">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:KeyName"/>
          <xs:element ref="iodef:Value" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="registryaction"
                      type="key-registryaction-type"/>
        <xs:attribute name="ext-registryaction"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
      KeyName and Value are plain xs:string with no syntax check. Treat
      them as reported data to compare against, not as input to write
      back to a registry.
    -->
    <xs:element name="KeyName" type="xs:string"/>
    <xs:element name="Value" type="xs:string"/>
    <!-- Closed value list for the "registryaction" attribute of Key. -->
    <xs:simpleType name="key-registryaction-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="add-key"/>
        <xs:enumeration value="add-value"/>
        <xs:enumeration value="delete-key"/>
        <xs:enumeration value="delete-value"/>
        <xs:enumeration value="modify-key"/>
        <xs:enumeration value="modify-value"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
    ====================================================================
    ==  FileData Class                                                ==
    ====================================================================
    -->
    <xs:element name="FileData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:File"
                      minOccurs="1" maxOccurs="unbounded"/>


        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
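    <!--
      File: eight optional children and an optional "observable-id" of
      type xs:ID. URL and FileProperties may repeat; the others occur at
      most once. Every child is optional, so a File with no name, size or
      hash is schema-valid. The FileType reference is written with the
      iodef: prefix like every other reference in this element, so it
      no longer depends on the schema's default namespace.
    -->
    <xs:element name="File">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:FileName" minOccurs="0"/>
          <xs:element ref="iodef:FileSize" minOccurs="0"/>
          <xs:element ref="iodef:FileType" minOccurs="0"/>
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:HashData" minOccurs="0"/>
          <xs:element ref="iodef:SignatureData" minOccurs="0"/>
          <xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
          <xs:element ref="iodef:FileProperties"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>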
    <!-- Leaf elements referenced by File. -->
    <!-- Any string validates as a file name. -->
    <xs:element name="FileName" type="xs:string"/>
    <!-- xs:integer is signed and unbounded, so the schema alone does not
         reject a negative or very large size; consumers should range-check
         before using the value. -->
    <xs:element name="FileSize" type="xs:integer"/>
    <!-- Free-form string; the expected vocabulary is not fixed here. -->
    <xs:element name="FileType" type="xs:string"/>
    <xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
    <!-- ExtensionType admits mixed content from any namespace. -->
    <xs:element name="FileProperties" type="iodef:ExtensionType"/>
    <!--
    ====================================================================
    ==  HashData Class                                                ==
    ====================================================================
    -->
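    <!--
      HashData: hashes computed over the object named by the required
      "scope" attribute.  Hash and FuzzyHash are both optional, so a
      HashData element carrying no hash at all still validates; consumers
      matching on hashes should check that at least one is present.
      The scope type is referenced with the iodef: prefix for consistency
      with the other type references in this schema.
      (Page-footer text that had been interleaved with this declaration
      was removed so the element is well-formed XML again.)
    -->
    <xs:element name="HashData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
          <xs:element ref="iodef:Hash"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:FuzzyHash"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="scope"
                      type="iodef:hashdata-scope-type" use="required"/>
        <xs:attribute name="ext-scope" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>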
    <!-- Free-form identifier for the hashed target; any string validates. -->
    <xs:element name="HashTargetID" type="xs:string"/>
    <!--
      Values for HashData's scope attribute: what the hash was computed
      over (whole file contents, a part of a PE or PDF file, or an e-mail
      message, its headers or its body).  "ext-value" pairs with the
      ext-scope attribute declared on HashData.
    -->
    <xs:simpleType name="hashdata-scope-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="file-contents"/>
        <xs:enumeration value="file-pe-section"/>
        <xs:enumeration value="file-pe-iat"/>
        <xs:enumeration value="file-pe-resource"/>
        <xs:enumeration value="file-pdf-object"/>
        <xs:enumeration value="email-hash"/>
        <xs:enumeration value="email-headers-hash"/>
        <xs:enumeration value="email-body-hash"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      Hash: one digest, expressed with elements from the ds: namespace
      (presumably XML Signature, imported earlier in the schema).
      DigestMethod and DigestValue are required; CanonicalizationMethod
      and Application are optional.  The digest algorithm is chosen by the
      sender, so a consumer should confirm it is one it accepts before
      relying on a match.
    -->
    <xs:element name="Hash">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="ds:DigestMethod"/>
          <xs:element ref="ds:DigestValue"/>
          <xs:element ref="ds:CanonicalizationMethod"
                      minOccurs="0"/>
          <xs:element ref="iodef:Application" minOccurs="0"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!--
      FuzzyHash: one or more FuzzyHashValue elements, optionally followed
      by the Application that produced them and by AdditionalData.
    -->
    <xs:element name="FuzzyHash">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:FuzzyHashValue"
                      maxOccurs="unbounded"/>
          <xs:element ref="iodef:Application" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!-- ExtensionType: the value is not constrained to a fixed hash
         format; the dtype attribute describes how it is encoded. -->
    <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
    <!--
     ===================================================================
     ==  SignatureData Class                                          ==
     ===================================================================
    -->
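    <!--
      SignatureData: one or more ds:Signature elements.  File references
      this element, so the signatures are carried as data describing a
      file.  NOTE(review): they presumably say nothing about the
      authenticity of the IODEF document itself, which Section 9.1 leaves
      to the exchange protocol; confirm against the class description.
      (Page-footer text that had been interleaved with this declaration
      was removed so the element is well-formed XML again.)
    -->
    <xs:element name="SignatureData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>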
    <!--
     ===================================================================
     ==  CertificateData                                              ==
     ===================================================================
    -->
    <!--
      CertificateData: container for one or more Certificate elements,
      with optional handling guidance (restriction / ext-restriction) and
      an optional document-unique observable-id.
    -->
    <xs:element name="CertificateData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
      Certificate: exactly one ds:X509Data followed by optional
      Description elements.  The certificate is reported as an observable;
      the schema does not ask a consumer to validate or trust it.
    -->
    <xs:element name="Certificate">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="ds:X509Data"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     == IndicatorData Class                                           ==
     ===================================================================
    -->
    <!-- IndicatorData: container for one or more Indicator elements. -->
    <xs:element name="IndicatorData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Indicator"
                      minOccurs="1" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
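    <!--
      Indicator: a single indicator.  IndicatorID is required, and the
      xs:choice requires exactly one of Observable, ObservableReference,
      IndicatorExpression or IndicatorReference.  Everything else is
      optional.  Confidence is optional, so a consumer that acts on
      indicators automatically should decide how to treat one that
      arrives without it (Section 9.1 asks recipients to ascribe
      appropriate confidence before acting).
      (Page-footer text that had been interleaved with this declaration
      was removed so the element is well-formed XML again.)
    -->
    <xs:element name="Indicator">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IndicatorID"/>
          <xs:element ref="iodef:AlternativeIndicatorID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:StartTime" minOccurs="0"/>
          <xs:element ref="iodef:EndTime" minOccurs="0"/>
          <xs:element ref="iodef:Confidence" minOccurs="0"/>
          <xs:element ref="iodef:Contact"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:choice>
            <xs:element ref="iodef:Observable"/>
            <xs:element ref="iodef:ObservableReference"/>
            <xs:element ref="iodef:IndicatorExpression"/>
            <xs:element ref="iodef:IndicatorReference"/>
          </xs:choice>
          <xs:element ref="iodef:NodeRole"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AttackPhase"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Reference"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>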
    <!--
      IndicatorID: the element content is an xs:ID, so it must be an
      NCName and unique among ID values in the document.  The "name" and
      "version" attributes are both required free-form strings.
    -->
    <xs:element name="IndicatorID">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:ID">
            <xs:attribute name="name" type="xs:string" use="required"/>
            <xs:attribute name="version"
                          type="xs:string" use="required"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
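    <!--
      AlternativeIndicatorID: one or more IndicatorID elements with
      optional handling guidance.  Because IndicatorID content is an
      xs:ID, each alternative ID must also be unique within the document.
      (Page-footer text that had been interleaved with this declaration
      was removed so the element is well-formed XML again.)
    -->
    <xs:element name="AlternativeIndicatorID">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>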
    <!--
      Observable: a choice among the observable-bearing classes.  Every
      branch of the choice carries minOccurs="0", so an Observable with
      no child at all validates; consumers should not assume a child is
      present.  Only the AdditionalData branch may repeat.
    -->
    <xs:element name="Observable">
      <xs:complexType>
        <xs:choice>
          <xs:element ref="iodef:Address" minOccurs="0"/>
          <xs:element ref="iodef:DomainData" minOccurs="0"/>
          <xs:element ref="iodef:EmailData" minOccurs="0"/>
          <xs:element ref="iodef:Service" minOccurs="0"/>
          <xs:element ref="iodef:WindowsRegistryKeysModified"
                           minOccurs="0"/>
          <xs:element ref="iodef:FileData" minOccurs="0"/>
          <xs:element ref="iodef:CertificateData" minOccurs="0"/>
          <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
          <xs:element ref="iodef:RecordData" minOccurs="0"/>
          <xs:element ref="iodef:EventData" minOccurs="0"/>
          <xs:element ref="iodef:Incident" minOccurs="0"/>
          <xs:element ref="iodef:Expectation" minOccurs="0"/>
          <xs:element ref="iodef:Reference" minOccurs="0"/>
          <xs:element ref="iodef:Assessment" minOccurs="0"/>
          <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
          <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:choice>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
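    <!--
      BulkObservable: a list of observables that share one type.  The
      required "type" attribute names that type; BulkObservableFormat is
      optional and BulkObservableList is required.
    -->
    <xs:element name="BulkObservable">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
          <!-- Reference the global BulkObservableList declaration
               (xs:string).  A local declaration with no type would be
               xs:anyType and accept arbitrary content, leaving the
               global declaration unused. -->
          <xs:element ref="iodef:BulkObservableList"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- Prefixed like the other type references in this schema. -->
        <xs:attribute name="type"
                      type="iodef:bulkobservable-type-type" use="required"/>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>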
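    <!--
      Values for BulkObservable's type attribute: the kind of observable
      held in BulkObservableList.
      NOTE(review): no "ext-value" member is enumerated here although
      BulkObservable declares an ext-type attribute; confirm against the
      class description whether one is intended.
      (Page-footer text that had been interleaved with this declaration
      was removed so the type is well-formed XML again.)
    -->
    <xs:simpleType name="bulkobservable-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="asn"/>
        <xs:enumeration value="atm"/>
        <xs:enumeration value="e-mail"/>
        <xs:enumeration value="ipv4-addr"/>
        <xs:enumeration value="ipv4-net"/>
        <xs:enumeration value="ipv4-net-mask"/>
        <xs:enumeration value="ipv6-addr"/>
        <xs:enumeration value="ipv6-net"/>
        <xs:enumeration value="ipv6-net-mask"/>
        <xs:enumeration value="mac"/>
        <xs:enumeration value="site-uri"/>
        <xs:enumeration value="domain-name"/>
        <xs:enumeration value="domain-to-ipv4"/>
        <xs:enumeration value="domain-to-ipv6"/>
        <xs:enumeration value="domain-to-ipv4-timestamp"/>
        <xs:enumeration value="domain-to-ipv6-timestamp"/>
        <xs:enumeration value="ipv4-port"/>
        <xs:enumeration value="ipv6-port"/>
        <xs:enumeration value="windows-reg-key"/>
        <xs:enumeration value="file-hash"/>
        <xs:enumeration value="email-x-mailer"/>
        <xs:enumeration value="email-subject"/>
        <xs:enumeration value="http-user-agent"/>
        <xs:enumeration value="http-request-uri"/>
        <xs:enumeration value="mutex"/>
        <xs:enumeration value="file-path"/>
        <xs:enumeration value="user-name"/>
      </xs:restriction>
    </xs:simpleType>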
    <!--
      BulkObservableFormat: optional Hash and AdditionalData elements
      describing how the entries of a bulk list are represented.
    -->
    <xs:element name="BulkObservableFormat">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Hash" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!-- The list is a single xs:string; the schema does not constrain
         its delimiter, length or per-entry syntax, so a consumer should
         validate each entry against the declared type before use. -->
    <xs:element name="BulkObservableList" type="xs:string"/>
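    <!--
      IndicatorExpression: one or more operands combined by "operator"
      (default "and").  An operand may itself be an IndicatorExpression,
      so nesting depth and operand count are unbounded by the schema;
      a consumer evaluating expressions should enforce its own limits.
      The operator type is referenced with the iodef: prefix for
      consistency with the other type references in this schema.
      (Page-footer text that had been interleaved with this declaration
      was removed so the element is well-formed XML again.)
    -->
    <xs:element name="IndicatorExpression">
      <xs:complexType>
        <xs:sequence maxOccurs="unbounded">
          <xs:choice>
            <xs:element ref="iodef:IndicatorExpression"/>
            <xs:element ref="iodef:Observable"/>
            <xs:element ref="iodef:ObservableReference"/>
            <xs:element ref="iodef:IndicatorReference"/>
          </xs:choice>
        </xs:sequence>
        <xs:attribute name="operator"
                      type="iodef:indicatorexpression-operator-type"
                      use="optional" default="and"/>
        <xs:attribute name="ext-operator"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>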
    <!--
      Boolean operators accepted by IndicatorExpression's operator
      attribute.
      NOTE(review): no "ext-value" member is enumerated here although
      IndicatorExpression declares an ext-operator attribute; confirm
      whether one is intended.
    -->
    <xs:simpleType name="indicatorexpression-operator-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="not"/>
        <xs:enumeration value="and"/>
        <xs:enumeration value="or"/>
        <xs:enumeration value="xor"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      ObservableReference: empty element whose required uid-ref is an
      xs:IDREF, so a validating parser requires it to match an xs:ID
      value (such as an observable-id) in the same document.
    -->
    <xs:element name="ObservableReference">
      <xs:complexType>
        <xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
      </xs:complexType>
    </xs:element>
    <!--
      IndicatorReference: uid-ref (xs:IDREF, resolved inside this
      document) or euid-ref (free-form string, presumably an identifier
      external to the document).  All three attributes are optional, so
      the schema accepts a reference that names nothing; consumers
      should reject or ignore such an element.
    -->
    <xs:element name="IndicatorReference">
      <xs:complexType>
        <xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
        <xs:attribute name="euid-ref" type="xs:string" use="optional"/>
        <xs:attribute name="version" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
      AttackPhase: optional AttackPhaseID, Description and AdditionalData
      elements plus one or more URL elements.
      NOTE(review): URL is the only child without minOccurs="0", so at
      least one URL is required for the element to validate; confirm this
      matches the class description.
    -->
    <xs:element name="AttackPhase">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:AttackPhaseID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!-- Free-form identifier; any string validates. -->
    <xs:element name="AttackPhaseID" type="xs:string"/>
    <!--
     ===================================================================
     == Miscellaneous Classes                                         ==
     ===================================================================
    -->
    <!-- Generic extension point: mixed content from any namespace, typed
         by the required dtype attribute of ExtensionType. -->
    <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
    <!-- Free text with optional xml:lang and translation-id. -->
    <xs:element name="Description" type="iodef:MLStringType"/>
    <!-- xs:anyURI checks only lexical form and does not restrict the
         scheme.  URLs in a report may point at hostile resources, so a
         consumer should not dereference them automatically. -->
    <xs:element name="URL" type="xs:anyURI"/>

    <!--
     ===================================================================
     == IODEF Data Types                                              ==
     ===================================================================
    -->
    <!--
      PositiveFloatType: xs:float strictly greater than zero.  The value
      space of xs:float also contains INF, which satisfies this facet, so
      consumers that need a finite number should check for it themselves.
    -->
    <xs:simpleType name="PositiveFloatType">
      <xs:restriction base="xs:float">
        <xs:minExclusive value="0"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      MLStringType: a string with an optional xml:lang attribute and an
      optional translation-id (free-form string).
    -->
    <xs:complexType name="MLStringType">
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="translation-id"
                        type="xs:string" use="optional"/>
          <xs:attribute ref="xml:lang"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <!--
      PortlistType: comma-separated decimal numbers or low-high ranges
      with no whitespace, for example "22,80,8000-8080" (constructed
      sample).  The pattern limits neither the number of digits nor the
      order of a range, so values above 65535 or reversed ranges still
      validate; consumers should range-check after parsing.
    -->
    <xs:simpleType name="PortlistType">
      <xs:restriction base="xs:string">
        <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      TimezoneType: "Z", or a signed hh:mm offset with hours 00 to 14 and
      minutes 00 to 59.  The pattern therefore also matches offsets such
      as +14:59.
    -->
    <xs:simpleType name="TimezoneType">
      <xs:restriction base="xs:string">
        <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      ExtensionType: the general extension container.  mixed="true" with
      xs:any namespace="##any" allows text interleaved with elements from
      any namespace, and processContents="lax" means those elements are
      validated only when a declaration for them is available.  The
      required dtype attribute states how the content is encoded.
      Section 9.1 notes that executable content could be embedded through
      an extension, so a consumer should treat the content as untrusted
      data and never interpret or execute it automatically.
    -->
    <xs:complexType name="ExtensionType" mixed="true">
      <xs:sequence>
        <xs:any namespace="##any" processContents="lax"
                minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>

      <xs:attribute name="name" type="xs:string" use="optional"/>
      <xs:attribute name="dtype"
                    type="iodef:dtype-type" use="required"/>
      <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
      <xs:attribute name="meaning" type="xs:string" use="optional"/>
      <xs:attribute name="formatid" type="xs:string" use="optional"/>
      <xs:attribute name="restriction"
                    type="iodef:restriction-type" use="optional"/>
      <xs:attribute name="ext-restriction"
                    type="xs:string" use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>
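    <!--
      SoftwareType: describes a piece of software through an optional
      SoftwareReference, optional URLs and optional Descriptions.  All
      children are optional, so an empty element of this type validates.
      (Page-footer text that had been interleaved with this declaration
      was removed so the type is well-formed XML again.)
    -->
    <xs:complexType name="SoftwareType">
      <xs:sequence>
        <xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
        <xs:element ref="iodef:URL"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>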
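    <!--
      SoftwareReference: identifies software using the naming scheme
      given by the required spec-name attribute.  The content is xs:any
      with processContents="lax", so elements from any namespace are
      accepted and validated only when a declaration is available;
      consumers should treat the content as untrusted data.
      The two type references carry the iodef: prefix for consistency
      with the other type references in this schema.
    -->
    <xs:element name="SoftwareReference">
      <xs:complexType>
        <xs:sequence>
          <xs:any namespace="##any" processContents="lax"
                  minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="spec-name"
                      type="iodef:softwarereference-spec-name-type"
                      use="required"/>
        <xs:attribute name="ext-spec-name"
                      type="xs:string" use="optional"/>
        <xs:attribute name="dtype"
                      type="iodef:softwarereference-dtype-type"
                      use="optional"/>
        <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>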
    <!--
      Values for SoftwareReference's spec-name attribute.  "ext-value"
      pairs with the ext-spec-name attribute declared on
      SoftwareReference.
    -->
    <xs:simpleType name="softwarereference-spec-name-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="custom"/>
        <xs:enumeration value="cpe"/>
        <xs:enumeration value="swid"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      Values for SoftwareReference's dtype attribute, describing how the
      element content is encoded.  "ext-value" pairs with the ext-dtype
      attribute declared on SoftwareReference.
    -->
    <xs:simpleType name="softwarereference-dtype-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="bytes"/>
        <xs:enumeration value="integer"/>
        <xs:enumeration value="real"/>
        <xs:enumeration value="string"/>
        <xs:enumeration value="xml"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     == Global attribute type declarations                            ==
     ===================================================================
    -->

    <!-- Tri-state flag: yes, no or unknown.  The attributes that use it
         are outside this excerpt. -->
    <xs:simpleType name="yes-no-unknown-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="yes"/>
        <xs:enumeration value="no"/>
        <xs:enumeration value="unknown"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      Values for the "restriction" attribute carried by many classes:
      the sender's requested disclosure policy for that element.
      Section 9.2 stresses that this is only a guideline from the sender,
      which the recipient is free to ignore, so it is not an access
      control.  white / green / amber / red appear to correspond to
      Traffic Light Protocol colours; confirm against the attribute's
      description.  "ext-value" pairs with the ext-restriction attribute.
      NOTE(review): the registry table in Section 10.2 refers to this
      type as "iodef-restriction-type"; confirm which name is intended.
    -->
    <xs:simpleType name="restriction-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="default"/>
        <xs:enumeration value="public"/>
        <xs:enumeration value="partner"/>
        <xs:enumeration value="need-to-know"/>
        <xs:enumeration value="private"/>
        <xs:enumeration value="white"/>
        <xs:enumeration value="green"/>
        <xs:enumeration value="amber"/>
        <xs:enumeration value="red"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!-- Three-level severity scale.  No extension member is enumerated,
         so only these three values validate. -->
    <xs:simpleType name="severity-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="low"/>
        <xs:enumeration value="medium"/>
        <xs:enumeration value="high"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
      Time units from second to year.  Section 10.2 lists this type as
      the initial values of the TimeImpact-duration registry.
      "ext-value" is the member reserved for a unit outside this list.
    -->
    <xs:simpleType name="duration-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="second"/>
        <xs:enumeration value="minute"/>
        <xs:enumeration value="hour"/>
        <xs:enumeration value="day"/>
        <xs:enumeration value="month"/>
        <xs:enumeration value="quarter"/>
        <xs:enumeration value="year"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
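    <!--
      Requested courses of action.  Section 10.2 lists this type as the
      initial values of the Expectation-action registry.  Several values
      (block-host, block-network, redirect-traffic and similar) ask the
      recipient to change its own infrastructure; Section 9.1 requires
      implementations to authenticate the sender and to ascribe
      appropriate confidence to the data before acting on such a request.
      (Page-footer text that had been interleaved with this declaration
      was removed so the type is well-formed XML again.)
    -->
    <xs:simpleType name="action-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="nothing"/>
        <xs:enumeration value="contact-source-site"/>
        <xs:enumeration value="contact-target-site"/>
        <xs:enumeration value="contact-sender"/>
        <xs:enumeration value="investigate"/>
        <xs:enumeration value="block-host"/>
        <xs:enumeration value="block-network"/>
        <xs:enumeration value="block-port"/>
        <xs:enumeration value="rate-limit-host"/>
        <xs:enumeration value="rate-limit-network"/>
        <xs:enumeration value="rate-limit-port"/>
        <xs:enumeration value="redirect-traffic"/>
        <xs:enumeration value="honeypot"/>
        <xs:enumeration value="upgrade-software"/>
        <xs:enumeration value="rebuild-asset"/>
        <xs:enumeration value="harden-asset"/>
        <xs:enumeration value="remediate-other"/>
        <xs:enumeration value="status-triage"/>
        <xs:enumeration value="status-new-info"/>
        <xs:enumeration value="watch-and-report"/>
        <xs:enumeration value="defined-coa"/>
        <xs:enumeration value="other"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>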
    <!--
      Values for the dtype attribute of ExtensionType: how the extension
      content is encoded.  The value is asserted by the sender and the
      schema does not check the content against it, so a consumer should
      validate the content itself before decoding.  Types such as bytes,
      file and xml can carry arbitrary payloads (see Section 9.1 on
      embedded executable content).  "ext-value" pairs with the ext-dtype
      attribute.
    -->
    <xs:simpleType name="dtype-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="boolean"/>
        <xs:enumeration value="byte"/>
        <xs:enumeration value="bytes"/>
        <xs:enumeration value="character"/>
        <xs:enumeration value="date-time"/>
        <xs:enumeration value="integer"/>
        <xs:enumeration value="ntpstamp"/>
        <xs:enumeration value="portlist"/>
        <xs:enumeration value="real"/>
        <xs:enumeration value="string"/>
        <xs:enumeration value="file"/>
        <xs:enumeration value="path"/>
        <xs:enumeration value="frame"/>
        <xs:enumeration value="packet"/>
        <xs:enumeration value="ipv4-packet"/>
        <xs:enumeration value="ipv6-packet"/>
        <xs:enumeration value="url"/>
        <xs:enumeration value="csv"/>
        <xs:enumeration value="winreg"/>
        <xs:enumeration value="xml"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:schema>

9.  Security Considerations

   The IODEF data model does not directly introduce security or privacy
   issues.  However, as the data encoded by the IODEF might be
   considered sensitive by the parties exchanging it or by those
   described by it, care needs to be taken to ensure appropriate
   handling during the document construction, exchange, processing,
   archiving, subsequent retrieval and analysis.

9.1.  Security

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   The contents of an IODEF document may include a request for action.
   An IODEF implementation may also initiate courses of action based on
   the document contents.  For these reasons, care must be taken by
   IODEF implementations to properly authenticate the sender and
   receiver of the document.  The recipient must also ascribe
   appropriate confidence to the data prior to action.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF implementation MUST handle this
   content with care to prevent unintentional automated execution.

9.2.  Privacy

   The IODEF contains numerous fields that are identifiers which could
   be linked to an individual or organization.  IODEF documents may
   contain sensitive information about these identified parties; and
   repeated document exchanges about the same and related parties may
   enable the correlation of data about them.  Likewise, a party may
   report on another to a third party without their knowledge.

   When creating an IODEF document, careful consideration must be given
   to what information is shared.  Personal identifiers and attributable
   sensitive information should only be shared when necessary.

   When exchanging documents, transport security MUST provide document-
   level confidentiality.  XML element-level confidentiality can also be
   provided by using [W3C.XMLENC].

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.

   Although outside of the scope of an IODEF implementation, the
   contents of IODEF documents and any derived analysis should be
   archived with appropriate confidentiality controls.  Likewise,
   access to retrieve and analyze this data should be restricted to
   authorized users.

10.  IANA Considerations

   This document registers a namespace, an XML schema, and a number of
   registries that map to enumerated values defined in the data model.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: See Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates 33 identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value.  An enumerated value for a given IODEF attribute.

      *  Description.  A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the
         value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the "Registry Name" column
   of Table 1.  The initial values for the Value and Description fields
   of a given registry are listed in the "IV (Value)" and "IV
   (Description)" columns respectively.  The "IV (Value)" points to a
   given schema type per Section 8.  Each enumerated value in the schema
   gets a corresponding entry in a given registry.  The "IV
   (Description)" points to a section in the text of this document that
   describes each enumerated value.  The initial value of the Reference
   field of every registry entry described below should be this
   document.

   +-----------------------+---------------------------+---------------+
   |     Registry Name     |         IV (Value)        |       IV      |
   |                       |                           | (Description) |
   +-----------------------+---------------------------+---------------+
   |      Restriction      |   iodef-restriction-type  | Section 3.3.1 |
   |                       |                           |               |
   |    Incident-purpose   |   incident-purpose-type   |  Section 3.2  |
   |                       |                           |               |
   |    Incident-status    |    incident-status-type   |  Section 3.2  |
   |                       |                           |               |
   |      Contact-role     |     contact-role-type     |  Section 3.9  |
   |                       |                           |               |
   |      Contact-type     |     contact-type-type     |  Section 3.9  |
   |                       |                           |               |
   |    RegistryHandle-    |  registryhandle-registry- | Section 3.9.1 |
   |        registry       |            type           |               |
   |                       |                           |               |
   |     Telephone-type    |    telephone-type-type    | Section 3.9.4 |
   |                       |                           |               |
   |       Email-type      |      email-type-type      | Section 3.9.3 |
   |                       |                           |               |
   |   Expectation-action  |        action-type        |  Section 3.15 |
   |                       |                           |               |
   |    Discovery-source   |   discovery-source-type   |  Section 3.10 |
   |                       |                           |               |
   |   SystemImpact-type   |   systemimpact-type-type  |    Section    |
   |                       |                           |     3.12.1    |
   |                       |                           |               |
   |    BusinessImpact-    |  businessimpact-severity- |    Section    |
   |        severity       |            type           |     3.12.2    |
   |                       |                           |               |
   |  BusinessImpact-type  |  businessimpact-type-type |    Section    |
   |                       |                           |     3.12.2    |
   |                       |                           |               |
   |   TimeImpact-metrics  |   timeimpact-metric-type  |    Section    |
   |                       |                           |     3.12.3    |
   |                       |                           |               |
   |  TimeImpact-duration  |       duration-type       |    Section    |
   |                       |                           |     3.12.3    |
   |                       |                           |               |
   |   Confidence-rating   |   confidence-rating-type  |    Section    |
   |                       |                           |     3.12.5    |
   |                       |                           |               |
   |   NodeRole-category   |   noderole-category-type  |    Section    |
   |                       |                           |     3.18.2    |
   |                       |                           |               |
   |    System-category    |    system-category-type   |  Section 3.17 |
   |                       |                           |               |
   |    System-ownership   |   system-ownership-type   |  Section 3.17 |
   |                       |                           |               |
   |    Address-category   |   address-category-type   |    Section    |
   |                       |                           |     3.18.1    |
   |                       |                           |               |
   |      Counter-type     |     counter-type-type     |    Section    |
   |                       |                           |     3.18.3    |
   |                       |                           |               |
   |      Counter-unit     |     counter-unit-type     |    Section    |
   |                       |                           |     3.18.3    |
   |                       |                           |               |
   |   DomainData-system-  | domaindata-system-status- |  Section 3.19 |
   |         status        |            type           |               |
   |                       |                           |               |
   |   DomainData-domain-  | domaindata-domain-status- |  Section 3.19 |
   |         status        |            type           |               |
   |                       |                           |               |
   |   RecordPattern-type  |  recordpattern-type-type  |    Section    |
   |                       |                           |     3.22.2    |
   |                       |                           |               |
   |     RecordPattern-    | recordpattern-offsetunit- |    Section    |
   |       offsetunit      |            type           |     3.22.2    |
   |                       |                           |               |
   |   Key-registryaction  |  key-registryaction-type  |    Section    |

   |                       |                           |     3.23.1    |
   |                       |                           |               |
   |     HashData-scope    |    hashdata-scope-type    |  Section 3.26 |
   |                       |                           |               |
   |  BulkObservable-type  |  bulkobservable-type-type |    Section    |
   |                       |                           |    3.29.3.1   |
   |                       |                           |               |
   |  IndicatorExpression- |    indicatorexpression-   |    Section    |
   |        operator       |       operator-type       |     3.29.4    |
   |                       |                           |               |
   |  ExtensionType-dtype  |         dtype-type        |  Section 2.16 |
   |                       |                           |               |
   |   SoftwareReference-  |  softwarereference-spec-  |    Section    |
   |        spec-id        |          id-type          |     2.15.1    |
   |                       |                           |               |
   |   SoftwareReference-  |  softwarereference-dtype- |    Section    |
   |         dtype         |            type           |     2.15.1    |
   +-----------------------+---------------------------+---------------+

                 Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   Thanks to Paul Stockler for his editorial leadership in the
   transition of RFC5070bis to this document.

   Thanks to Kathleen Moriarty, Brian Trammell, Alexey Melnikov, Takeshi
   Takahashi, David Waltermire and Sean Turner as the MILE working group
   chairs, secretary or area directors for providing feedback and
   coordination of this document.

   Thanks to the following individuals (listed alphabetically) who
   provided feedback during the meetings, on the mailing list or through
   implementation experience: Jerome Athias, David Black, Eric Burger,
   Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris
   Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam
   Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio
   Suzuki and Nik Teague.

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation , October
              2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1:
              Structures Second Edition", W3C Recommendation, October
              2004, <http://www.w3.org/TR/xmlschema-1/>.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation , October 2004,
              <http://www.w3.org/TR/xmlschema-2/>.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation , January 1999,
              <http://www.w3.org/TR/REC-xml-names/>.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              3.1", W3C Candidate Recommendation , December 2015,
              <https://www.w3.org/TR/xpath-3/>.

   [W3C.XMLSIG]
              World Wide Web Consortium, "XML Signature Syntax and
              Processing 2.0", W3C Recommendation , June 2008,
              <http://www.w3.org/TR/xmldsig-core/>.

   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions",
              IEEE 1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC 7495, January 2015.

   [RFC-SCI]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, April 2014.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014,
              <http://www.iana.org/assignments/service-names-port-
              numbers/service-names-port-numbers.txt>.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014,
              <http://www.iana.org/assignments/protocol-numbers/
              protocol-numbers.txt>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
              10646", RFC 2781, February 2000.

   [IANA.Media]
              Internet Assigned Numbers Authority, "Media Types", March
              2015, <http://www.iana.org/assignments/media-types/
              media-types.xhtml>.

   [ISO19770]
              International Organization for Standardization,
              "Information technology -- Software asset management --
              Part 2: Software identification tag, ISO/IEC
              19770-2:2015", ISO 19770-2:2015, October 2015.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012,
              <http://csrc.nist.gov/publications/nistpubs/800-61rev2/
              SP800-61rev2.pdf>.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) File", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, May 2008.

   [W3C.XMLENC]
              World Wide Web Consortium, "XML Encryption Syntax and
              Processing Version 1.1", W3C Recommendation , April 2013,
              <https://www.w3.org/TR/xmlenc-core1/>.

Author's Address

   Roman Danyliw
   CERT - Carnegie Mellon University
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org
