EventData

The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.

Class diagram: EventData and the classes it aggregates. Each entry lists the class's own members, then the classes it aggregates with their cardinality.

EventData
  Members: [ML_STRING] Description (0..*); [] DetectTime (0..1); [] StartTime (0..1); [] EndTime (0..1); [ENUM] restriction (Optional)
  Aggregates: EventData (0..*); Contact (0..*); AdditionalData (0..*); Assessment (0..1); Method (0..*); Flow (0..*); Expectation (0..*); Record (0..1)

Contact
  Members: [ML_STRING] ContactName (0..1); [ML_STRING] Description (0..*); [] Telephone (0..*); [] Fax (0..1); [TIMEZONE] Timezone (0..1); [ENUM] role (Required); [STRING] ext-role (Optional); [ENUM] type (Required); [STRING] ext-type (Optional); [ENUM] restriction (Optional)
  Aggregates: Contact (0..*); RegistryHandle (0..*); PostalAddress (0..1); Email (0..*); AdditionalData (0..*)

RegistryHandle
  Members: [ENUM] registry (Required); [STRING] ext-registry (Optional)

PostalAddress
  Members: [ENUM] meaning (Optional); [ENUM] lang (Required)

Email
  Members: [ENUM] meaning (Optional)

AdditionalData
  Members: [ENUM] dtype (Required); [STRING] ext-dtype (Optional); [STRING] meaning (Optional); [STRING] formatid (Optional); [ENUM] restriction (Optional)

Assessment
  Members: [ENUM] occurrence (Optional); [ENUM] restriction (Optional)
  Aggregates: AdditionalData (0..*); Impact (0..*); TimeImpact (0..*); MonetaryImpact (0..*); Counter (0..*); Confidence (0..1)

Impact
  Members: [ENUM] lang (Required); [ENUM] severity (Optional); [ENUM] completion (Optional); [ENUM] type (Required); [STRING] ext-type (Optional)

TimeImpact
  Members: [ENUM] severity (Optional); [ENUM] metric (Required); [STRING] ext-metric (Optional); [ENUM] duration (Required); [STRING] ext-duration (Optional)

MonetaryImpact
  Members: [ENUM] severity (Optional); [STRING] currency (Required)

Counter
  Members: [ENUM] type (Required); [STRING] ext-type (Optional); [ENUM] duration (Optional); [STRING] ext-duration (Optional)

Confidence
  Members: [ENUM] rating (Required)

Method
  Members: [ML_STRING] Description (0..*); [ENUM] restriction (Optional)
  Aggregates: AdditionalData (0..*); Reference (0..*)

Reference
  Members: [ML_STRING] ReferenceName (1..1); [URL] URL (0..*); [ML_STRING] Description (0..*)

Flow
  Aggregates: System (1..*)

System
  Members: [ML_STRING] Description (0..*); [ENUM] restriction (Optional); [ENUM] category (Required); [STRING] ext-category (Optional); [STRING] interface (Optional); [ENUM] spoofed (Optional)
  Aggregates: AdditionalData (0..*); Counter (0..*); Node (1..1); Service (0..*); OperatingSystem (0..1)

Node
  Members: [ML_STRING] NodeName (0..*); [ML_STRING] Location (0..1); [] DateTime (0..1)
  Aggregates: Counter (0..*); Address (0..*); NodeRole (0..*)

Address
  Members: [ENUM] category (Required); [STRING] ext-category (Optional); [STRING] vlan-name (Optional); [STRING] vlan-num (Optional)

NodeRole
  Members: [ENUM] category (Required); [STRING] ext-category (Optional); [ENUM] lang (Required)

Service
  Members: [INTEGER] Port (0..1); [PORTLIST] Portlist (0..1); [INTEGER] ProtoCode (0..1); [INTEGER] ProtoType (0..1); [INTEGER] ProtoFlags (0..1); [INTEGER] ip_protocol (Required)
  Aggregates: Application (0..*)

Application
  Members: [URL] URL (0..1); [STRING] swid (Optional); [STRING] configid (Optional); [STRING] vendor (Optional); [STRING] family (Optional); [STRING] name (Optional); [STRING] version (Optional); [STRING] patch (Optional)

OperatingSystem
  Members: [URL] URL (0..1); [STRING] swid (Optional); [STRING] configid (Optional); [STRING] vendor (Optional); [STRING] family (Optional); [STRING] name (Optional); [STRING] version (Optional); [STRING] patch (Optional)

Expectation
  Members: [ML_STRING] Description (0..*); [] StartTime (0..1); [] EndTime (0..1); [ENUM] restriction (Optional); [ENUM] severity (Optional); [ENUM] action (Optional); [STRING] ext-action (Optional)
  Aggregates: Contact (0..1)

Record
  Members: [ENUM] restriction (Optional)
  Aggregates: RecordData (1..*)

RecordData
  Members: [] DateTime (0..1); [ML_STRING] Description (0..*); [ENUM] restriction (Optional)
  Aggregates: AdditionalData (0..1); Application (0..1); RecordPattern (0..*); RecordItem (1..*)

RecordPattern
  Members: [ENUM] type (Required); [STRING] ext-type (Optional); [INTEGER] offset (Optional); [ENUM] offsetunit (Optional); [STRING] ext-offsetunit (Optional); [INTEGER] instance (Optional)

RecordItem
  Members: [ENUM] dtype (Required); [STRING] ext-dtype (Optional); [STRING] meaning (Optional); [STRING] formatid (Optional); [ENUM] restriction (Optional)
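A structural check built from the cardinalities listed above, as an added example that is not part of the original page or of the parser project it documents. The function names, the rule tables (a subset of the model) and both sample documents are constructed for illustration; the namespace is the IODEF v1 one, and only attributes the page marks Required without stating a default are enforced.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# (min, max) child counts transcribed from this page's class listing.
# max=None means "*". Only bounded or mandatory children are listed.
CHILD_RULES = {
    "EventData": {"DetectTime": (0, 1), "StartTime": (0, 1), "EndTime": (0, 1),
                  "Assessment": (0, 1), "Record": (0, 1)},
    "Flow": {"System": (1, None)},
    "System": {"Node": (1, 1), "OperatingSystem": (0, 1)},
    "Node": {"Location": (0, 1), "DateTime": (0, 1)},
    "Service": {"Port": (0, 1), "Portlist": (0, 1)},
    "Record": {"RecordData": (1, None)},
    "RecordData": {"DateTime": (0, 1), "Application": (0, 1),
                   "RecordItem": (1, None)},
    "Reference": {"ReferenceName": (1, 1)},
}
# Attributes the page marks "(Required)" and gives no default for.
REQUIRED_ATTRS = {"System": ["category"], "Service": ["ip_protocol"],
                  "Contact": ["role", "type"]}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def parse_untrusted(xml_text):
    """Parse a report received from another party. IODEF needs no DTD, so
    refuse one outright instead of relying on the parser's entity handling
    (defusedxml is an alternative where it is available)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD and entity declarations are not accepted")
    return ET.fromstring(xml_text)


def validate(elem, path=""):
    """Return a list of problems found in elem and everything below it."""
    name = local(elem.tag)
    here = f"{path}/{name}"
    problems = []
    for attr in REQUIRED_ATTRS.get(name, []):
        if attr not in elem.attrib:
            problems.append(f"{here}: missing required attribute '{attr}'")
    counts = Counter(local(child.tag) for child in elem)
    for child, (lo, hi) in CHILD_RULES.get(name, {}).items():
        n = counts.get(child, 0)
        if n < lo or (hi is not None and n > hi):
            limit = "*" if hi is None else hi
            problems.append(f"{here}: {child} occurs {n} times, allowed {lo}..{limit}")
    # From the Node description: NodeName MUST be given if no Address is.
    if name == "Node" and not (counts["NodeName"] or counts["Address"]):
        problems.append(f"{here}: needs a NodeName or an Address")
    for child in elem:
        problems.extend(validate(child, here))
    return problems


# Constructed sample that satisfies every rule above.
GOOD_DOC = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Description>Constructed sample: repeated SSH login failures</Description>
  <DetectTime>2024-01-01T10:00:00Z</DetectTime>
  <Flow>
    <System category="source">
      <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    </System>
    <System category="target">
      <Node><NodeName>host.example.org</NodeName></Node>
      <Service ip_protocol="6"><Port>22</Port></Service>
    </System>
  </Flow>
  <Record>
    <RecordData>
      <RecordItem dtype="string">constructed log line</RecordItem>
    </RecordData>
  </Record>
</EventData>"""

# Constructed sample with five violations: duplicate DetectTime, System
# without category, anonymous Node, Service without ip_protocol, empty Record.
BAD_DOC = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <DetectTime>2024-01-01T10:00:00Z</DetectTime>
  <DetectTime>2024-01-01T10:05:00Z</DetectTime>
  <Flow>
    <System>
      <Node><Location>rack 4</Location></Node>
      <Service><Port>22</Port></Service>
    </System>
  </Flow>
  <Record/>
</EventData>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate(parse_untrusted(doc)))
```

A check like this catches malformed reports before they reach correlation or ticketing logic; it does not replace validation against the full schema.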

digraph EventData { graph [rankdir=LR]; node [label="\N"]; graph [bb="0,0,1542,1762"]; EventData [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#737373" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered. ">EventData</td> </tr>" %<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="A free-form textual description of the event.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The time the event was detected.">[] DetectTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The time the event started.">[] StartTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The time the event ended.">[] EndTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="122,1014", width="3.3611", height="1.7917"]; Contact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident. ">Contact</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The name of the contact. The contact may either be an organization or a person. 
The type attribute disambiguates the semantics.">[ML_STRING] ContactName (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="A free-form description of this contact. In the case of a person, this is often the organizational title of the individual.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The telephone number of the contact.">[] Telephone (0..*) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The facsimile telephone number of the contact.">[] Fax (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The timezone in which the contact resides formatted according to Section 2.9.">[TIMEZONE] Timezone (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="Indicates the role the contact fulfills. This attribute is defined as an enumerated list:">[ENUM] role (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="A means by which to extend the role attribute. See Section 5.1.">[STRING] ext-role (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="Indicates the type of contact being described. This attribute is defined as an enumerated list:">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="A means by which to extend the type attribute. 
See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="754,1553", width="3.6111", height="3.1806"]; RegistryHandle [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the type attribute specifies the database. ">RegistryHandle</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="The database to which the handle belongs. The default value is &#39;local&#39;. The possible values are:">[ENUM] registry (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="A means by which to extend the registry attribute. See Section 5.1.">[STRING] ext-registry (Optional) </td></tr>%</table>>, shape=plaintext, pos="1089,1728", width="3.5", height="0.95833"]; PostalAddress [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="The PostalAddress class specifies a postal address formatted according to the POSTAL data type (Section 2.11). ">PostalAddress</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="A free-form description of the element content.">[ENUM] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. 
The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%</table>>, shape=plaintext, pos="1089,1642", width="3.0278", height="0.95833"]; Email [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/Email.html" TITLE="The Email class specifies an email address formatted according to EMAIL data type (Section 2.14). ">Email</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Email.html" TITLE="A free-form description of the element content (e.g., hours of coverage for a given number).">[ENUM] meaning (Optional) </td></tr>%</table>>, shape=plaintext, pos="1089,1566", width="3.0278", height="0.68056"]; AdditionalData [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a3d" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5. ">AdditionalData</td> </tr>" %<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The data type of the element content. The permitted values for this attribute are shown below. The default value is &quot;string&quot;.">[ENUM] dtype (Required) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A means by which to extend the dtype attribute. 
See Section 5.1.">[STRING] ext-dtype (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A free-form description of the element content.">[STRING] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="An identifier referencing the format and semantics of the element content.">[STRING] formatid (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="1089,960", width="3.2778", height="1.7917"]; Assessment [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Assessment.html" TITLE="The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT&#39;s constituency. ">Assessment</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Assessment.html" TITLE="Specifies whether the assessment is describing actual or potential outcomes. The default is &quot;actual&quot; and is assumed if not specified.">[ENUM] occurrence (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Assessment.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="754,1192", width="3.25", height="0.95833"]; Impact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Impact.html" TITLE="The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization. ">Impact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. 
The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="An indication whether the described activity was successful. The permitted values are shown below. There is no default value.">[ENUM] completion (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="Classifies the malicious activity into incident categories. The permitted values are shown below. The default value is &quot;other&quot;.">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="A means by which to extend the type attribute. See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%</table>>, shape=plaintext, pos="1089,1338", width="3.25", height="1.7917"]; TimeImpact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time. ">TimeImpact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="Defines the metric in which the time is expressed. The permitted values are shown below. There is no default value.">[ENUM] metric (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="A means by which to extend the metric attribute. 
See Section 5.1.">[STRING] ext-metric (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="Defines a unit of time, that when combined with the metric attribute, fully describes a metric of impact that will be conveyed in the element content. The permitted values are shown below. The default value is &quot;hour&quot;.">[ENUM] duration (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="A means by which to extend the duration attribute. See Section 5.1.">[STRING] ext-duration (Optional) </td></tr>%</table>>, shape=plaintext, pos="1089,1192", width="3.5556", height="1.7917"]; MonetaryImpact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/MonetaryImpact.html" TITLE="The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished ">MonetaryImpact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/MonetaryImpact.html" TITLE="An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/MonetaryImpact.html" TITLE="Defines the currency in which the monetary impact is expressed. The permitted values are defined in ISO 4217:2001, Codes for the representation of currencies and funds [14]. There is no default value.">[STRING] currency (Required) </td></tr>%</table>>, shape=plaintext, pos="1089,1076", width="3.2222", height="0.95833"]; Counter [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Counter.html" TITLE="The Counter class summarize multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events). 
">Counter</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="Specifies the units of the element content.">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="A means by which to extend the type attribute. See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="If present, the Counter class represents a rate rather than a count over the entire event. In that case, this attribute specifies the denominator of the rate (where the type attribute specified the nominator). The possible values of this attribute are defined in Section 3.10.2">[ENUM] duration (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="A means by which to extend the duration attribute. See Section 5.1.">[STRING] ext-duration (Optional) </td></tr>%</table>>, shape=plaintext, pos="1413,907", width="3.5556", height="1.5139"]; Confidence [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Confidence.html" TITLE="The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.10) of the incident activity. This estimate can be expressed as a category or a numeric calculation. ">Confidence</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Confidence.html" TITLE="A rating of the analytical validity of the specified Assessment. The permitted values are shown below. There is no default value.">[ENUM] rating (Required) </td></tr>%</table>>, shape=plaintext, pos="1089,1444", width="2.8056", height="0.68056"]; Method [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c3d1f" HREF="/idmef_parser/IODEF/Method.html" TITLE="The Method class describes the methodology used by the intruder to perpetrate the events of the incident. 
This class consists of a list of references describing the attack method and a free form description of the technique. ">Method</td> </tr>" %<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Method.html" TITLE="A free-form text description of the methodology used by the intruder.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Method.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="430,952", width="3.3611", height="0.95833"]; Reference [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c3d1f" HREF="/idmef_parser/IODEF/Reference.html" TITLE="The Reference class is a reference to a vulnerability, IDS alert, malware sample, advisory, or attack technique. A reference consists of a name, a URL to this reference, and an optional description. ">Reference</td> </tr>" %<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Reference.html" TITLE="Name of the reference.">[ML_STRING] ReferenceName (1..1) </td></tr>%<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Reference.html" TITLE="A URL associated with the reference.">[URL] URL (0..*) </td></tr>%<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Reference.html" TITLE="A free-form text description of this reference.">[ML_STRING] Description (0..*) </td></tr>%</table>>, shape=plaintext, pos="754,889", width="3.8056", height="1.2361"]; Flow [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Flow.html" TITLE="The Flow class groups related the source and target hosts. ">Flow</td> </tr>" %</table>>, shape=plaintext, pos="430,818", width="0.77778", height="0.5"]; System [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/System.html" TITLE="The System class describes a system or network involved in an event. 
The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of &quot;source&quot;, then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of &quot;target&quot; or &quot;intermediary&quot;, then the machine or service is the one targeted in the activity. A value of &quot;sensor&quot; dictates that this System was part of an instrumentation to monitor the network. ">System</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="A free-form text description of the System.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="Classifies the role the host or network played in the incident. The possible values are:">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="A means by which to extend the category attribute. See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.">[STRING] interface (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. 
The default value is &quot;unknown&quot;.">[ENUM] spoofed (Optional) </td></tr>%</table>>, shape=plaintext, pos="754,753", width="3.5833", height="2.0694"]; "Node" [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Node.html" TITLE="The Node class names a system (e.g., PC, router) or network. ">Node</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Node.html" TITLE="The name of the Node (e.g., fully qualified domain name). This information MUST be provided if no Address information is given.">[ML_STRING] NodeName (0..*) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Node.html" TITLE="A free-from description of the physical location of the equipment.">[ML_STRING] Location (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Node.html" TITLE="A timestamp of when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and NodeName are specified.">[] DateTime (0..1) </td></tr>%</table>>, shape=plaintext, pos="1089,781", width="3.3333", height="1.2361"]; Address [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address. ">Address</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The type of address represented. The permitted values for this attribute are shown below. The default value is &quot;ipv4-addr&quot;.">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="A means by which to extend the category attribute. 
See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The name of the Virtual LAN to which the address belongs.">[STRING] vlan-name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The number of the Virtual LAN to which the address belongs.">[STRING] vlan-num (Optional) </td></tr>%</table>>, shape=plaintext, pos="1413,781", width="3.5833", height="1.5139"]; NodeRole [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="The NodeRole class describes the intended function performed by a particular host. ">NodeRole</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="Functionality provided by a node.">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="A means by which to extend the category attribute. See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%</table>>, shape=plaintext, pos="1413,665", width="3.5833", height="1.2361"]; Service [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Service.html" TITLE="The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port. 
">Service</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A port number.">[INTEGER] Port (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A list of port numbers formatted according to Section 2.10.">[PORTLIST] Portlist (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol-specific code field (e.g., ICMP code field).">[INTEGER] ProtoCode (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol specific type field (e.g., ICMP type field).">[INTEGER] ProtoType (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol specific flag field (e.g., TCP flag field).">[INTEGER] ProtoFlags (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="The IANA protocol number.">[INTEGER] ip_protocol (Required) </td></tr>%</table>>, shape=plaintext, pos="1089,439", width="3.5556", height="2.0694"]; Application [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Application.html" TITLE="The Application class describes an application running on a System providing a Service. 
">Application</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="A URL describing the application.">[URL] URL (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="An identifier that can be used to reference this software.">[STRING] swid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="An identifier that can be used to reference a particular configuration of this software.">[STRING] configid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Vendor name of the software.">[STRING] vendor (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Family of the software.">[STRING] family (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Name of the software.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Version of the software.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Patch or service pack level of the software.">[STRING] patch (Optional) </td></tr>%</table>>, shape=plaintext, pos="1413,366", width="3.0833", height="2.625"]; OperatingSystem [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class (Section 3.17.1). 
">OperatingSystem</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="A URL describing the application.">[URL] URL (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="An identifier that can be used to reference this software.">[STRING] swid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="An identifier that can be used to reference a particular configuration of this software.">[STRING] configid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Vendor name of the software.">[STRING] vendor (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Family of the software.">[STRING] family (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Name of the software.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Version of the software.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Patch or service pack level of the software.">[STRING] patch (Optional) </td></tr>%</table>>, shape=plaintext, pos="1089,625", width="3.0833", height="2.625"]; Expectation [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#737373" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to purview of the EventData class in which this class is aggregated. 
">Expectation</td> </tr>" %<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="A free-form description of the desired action(s).">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient.">[] StartTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.">[] EndTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="Classifies the type of action requested. This attribute is an enumerated list with no default value.">[ENUM] action (Optional) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="A means by which to extend the action attribute. 


Aggregates

Description (0..*)

A free-form textual description of the event.

DetectTime (0..1)

The time the event was detected.

StartTime (0..1)

The time the event started.

EndTime (0..1)

The time the event ended.

Contact (0..*)

Contact information for the parties involved in the event.

Assessment (0..1)

The impact of the event on the target and the actions taken.

Method (0..*)

The technique used by the intruder in the event.

Flow (0..*)

A description of the systems or networks involved.

Expectation (0..*)

The expected action to be performed by the recipient for the described event.

Record (0..1)

Supportive data (e.g., log files) that provides additional information about the event.

EventData (0..*)

EventData instances contained within another EventData instance inherit the values of the parent(s); this recursive definition can be used to group common data pertaining to multiple events. When EventData elements are defined recursively, only the leaf instances (those EventData instances not containing other EventData instances) represent actual events.

AdditionalData (0..*)

An extension mechanism for data not explicitly represented in the data model.

Attributes

restriction (Optional)

This attribute is defined in Section 3.2.
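The recursive EventData definition above, worked through as an added example (not code from the idmef_parser project): it flattens nested EventData into leaf events with parent values merged in. The merge rules (a child's 0..1 value replaces the parent's, 0..* Description values accumulate), the `MAX_DEPTH` limit and the trimmed sample document are assumptions of this sketch; the namespace is the IODEF v2 one.

```python
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}  # IODEF v2 namespace (RFC 7970)
SINGLE = ("DetectTime", "StartTime", "EndTime")      # 0..1: child value replaces parent's
MAX_DEPTH = 16  # assumed limit; guards against pathologically nested input

# Constructed sample (trimmed, not schema-complete): one parent, two leaf events.
SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
 <Incident purpose="reporting">
  <EventData>
   <Description>Scanning from one source</Description>
   <DetectTime>2024-03-01T10:00:00Z</DetectTime>
   <EventData>
    <Description>SSH sweep</Description>
    <StartTime>2024-03-01T09:40:00Z</StartTime>
   </EventData>
   <EventData>
    <Description>HTTP sweep</Description>
    <DetectTime>2024-03-01T10:05:00Z</DetectTime>
   </EventData>
  </EventData>
 </Incident>
</IODEF-Document>"""

def _walk(node, inherited, depth, out):
    if depth > MAX_DEPTH:
        raise ValueError("EventData nesting exceeds MAX_DEPTH")
    merged = dict(inherited)
    # 0..* Description: parent descriptions first, then this level's.
    own = [d.text.strip() for d in node.findall("iodef:Description", NS) if d.text]
    merged["Description"] = inherited.get("Description", []) + own
    for tag in SINGLE:
        value = node.findtext(f"iodef:{tag}", namespaces=NS)
        if value is not None:
            merged[tag] = value.strip()
    children = node.findall("iodef:EventData", NS)   # direct children only
    if not children:
        out.append(merged)                           # leaf: an actual event
    for child in children:
        _walk(child, merged, depth + 1, out)

def leaf_events(xml_text):
    """Return one dict per leaf EventData, with parent values merged in."""
    root = ET.fromstring(xml_text)
    out = []
    for incident in root.findall("iodef:Incident", NS):
        for top in incident.findall("iodef:EventData", NS):
            _walk(top, {}, 1, out)
    return out
```

The parent EventData in the sample yields no event of its own; only the two leaves are returned. For reports received from outside parties, a hardened parser such as defusedxml is the safer way to read the XML.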

