IODEF-Document

The IODEF-Document class is the top-level class in the IODEF data model. Every IODEF document is an instance of this class.

Class diagram: IODEF-Document

Classes and their members:

IODEF-Document: [STRING] version (Required); [ENUM] lang (Required); [STRING] formatid (Optional)
Incident: [] DetectTime (0..1); [] StartTime (0..1); [] EndTime (0..1); [] ReportTime (1..1); [ML_STRING] Description (0..*); [ENUM] purpose (Required); [STRING] ext-purpose (Optional); [ENUM] lang (Optional); [ENUM] restriction (Optional)
IncidentID: [STRING] name (Required); [STRING] instance (Optional); [ENUM] restriction (Optional)
AlternativeID: [ENUM] restriction (Optional)
RelatedActivity: [URL] URL (1..*); [ENUM] restriction (Optional)
Assessment: [ENUM] occurrence (Optional); [ENUM] restriction (Optional)
AdditionalData: [ENUM] dtype (Required); [STRING] ext-dtype (Optional); [STRING] meaning (Optional); [STRING] formatid (Optional); [ENUM] restriction (Optional)
Method: [ML_STRING] Description (0..*); [ENUM] restriction (Optional)
Contact: [ML_STRING] ContactName (0..1); [ML_STRING] Description (0..*); [] Telephone (0..*); [] Fax (0..1); [TIMEZONE] Timezone (0..1); [ENUM] role (Required); [STRING] ext-role (Optional); [ENUM] type (Required); [STRING] ext-type (Optional); [ENUM] restriction (Optional)
EventData: [ML_STRING] Description (0..*); [] DetectTime (0..1); [] StartTime (0..1); [] EndTime (0..1); [ENUM] restriction (Optional)
History: [ENUM] restriction (Optional)
Impact: [ENUM] lang (Required); [ENUM] severity (Optional); [ENUM] completion (Optional); [ENUM] type (Required); [STRING] ext-type (Optional)
TimeImpact: [ENUM] severity (Optional); [ENUM] metric (Required); [STRING] ext-metric (Optional); [ENUM] duration (Required); [STRING] ext-duration (Optional)
MonetaryImpact: [ENUM] severity (Optional); [STRING] currency (Required)
Counter: [ENUM] type (Required); [STRING] ext-type (Optional); [ENUM] duration (Optional); [STRING] ext-duration (Optional)
Confidence: [ENUM] rating (Required)
Reference: [ML_STRING] ReferenceName (1..1); [URL] URL (0..*); [ML_STRING] Description (0..*)
RegistryHandle: [ENUM] registry (Required); [STRING] ext-registry (Optional)
PostalAddress: [ENUM] meaning (Optional); [ENUM] lang (Required)
Email: [ENUM] meaning (Optional)
Flow: (no members)
Expectation: [ML_STRING] Description (0..*); [] StartTime (0..1); [] EndTime (0..1); [ENUM] restriction (Optional); [ENUM] severity (Optional); [ENUM] action (Optional); [STRING] ext-action (Optional)
Record: [ENUM] restriction (Optional)
System: [ML_STRING] Description (0..*); [ENUM] restriction (Optional); [ENUM] category (Required); [STRING] ext-category (Optional); [STRING] interface (Optional); [ENUM] spoofed (Optional)
Node: [ML_STRING] NodeName (0..*); [ML_STRING] Location (0..1); [] DateTime (0..1)
Service: [INTEGER] Port (0..1); [PORTLIST] Portlist (0..1); [INTEGER] ProtoCode (0..1); [INTEGER] ProtoType (0..1); [INTEGER] ProtoFlags (0..1); [INTEGER] ip_protocol (Required)
OperatingSystem: [URL] URL (0..1); [STRING] swid (Optional); [STRING] configid (Optional); [STRING] vendor (Optional); [STRING] family (Optional); [STRING] name (Optional); [STRING] version (Optional); [STRING] patch (Optional)
Address: [ENUM] category (Required); [STRING] ext-category (Optional); [STRING] vlan-name (Optional); [STRING] vlan-num (Optional)
NodeRole: [ENUM] category (Required); [STRING] ext-category (Optional); [ENUM] lang (Required)
Application: [URL] URL (0..1); [STRING] swid (Optional); [STRING] configid (Optional); [STRING] vendor (Optional); [STRING] family (Optional); [STRING] name (Optional); [STRING] version (Optional); [STRING] patch (Optional)
RecordData: [] DateTime (0..1); [ML_STRING] Description (0..*); [ENUM] restriction (Optional)
RecordPattern: [ENUM] type (Required); [STRING] ext-type (Optional); [INTEGER] offset (Optional); [ENUM] offsetunit (Optional); [STRING] ext-offsetunit (Optional); [INTEGER] instance (Optional)
RecordItem: [ENUM] dtype (Required); [STRING] ext-dtype (Optional); [STRING] meaning (Optional); [STRING] formatid (Optional); [ENUM] restriction (Optional)
HistoryItem: [] DateTime (1..1); [ML_STRING] Description (0..*); [ENUM] restriction (Optional); [ENUM] action (Required); [STRING] ext-action (Optional)

Relationships (parent->child, cardinality):

IODEF-Document->Incident 1..*
Incident->IncidentID 1..1
Incident->AlternativeID 0..1
Incident->RelatedActivity 0..1
Incident->Assessment 1..*
Incident->AdditionalData 0..*
Incident->Method 0..*
Incident->Contact 1..*
Incident->EventData 0..*
Incident->History 0..1
AlternativeID->IncidentID 1..*
RelatedActivity->IncidentID 1..*
Assessment->Impact 0..*
Assessment->TimeImpact 0..*
Assessment->MonetaryImpact 0..*
Assessment->Counter 0..*
Assessment->Confidence 0..1
Assessment->AdditionalData 0..*
Method->AdditionalData 0..*
Method->Reference 0..*
Contact->AdditionalData 0..*
Contact->Contact 0..*
Contact->RegistryHandle 0..*
Contact->PostalAddress 0..1
Contact->Email 0..*
EventData->Assessment 0..1
EventData->AdditionalData 0..*
EventData->Method 0..*
EventData->Contact 0..*
EventData->EventData 0..*
EventData->Flow 0..*
EventData->Expectation 0..*
EventData->Record 0..1
Flow->System 1..*
System->Counter 0..*
System->AdditionalData 0..*
System->Node 1..1
System->Service 0..*
System->OperatingSystem 0..1
Node->Counter 0..*
Node->Address 0..*
Node->NodeRole 0..*
Service->Application 0..*
Expectation->Contact 0..1
Record->RecordData 1..*
RecordData->AdditionalData 0..1
RecordData->Application 0..1
RecordData->RecordPattern 0..*
RecordData->RecordItem 1..*
History->HistoryItem 1..*
HistoryItem->IncidentID 0..1
HistoryItem->AdditionalData 0..*
HistoryItem->Contact 0..1

digraph "IODEF-Document" { graph [rankdir=LR]; node [label="\N"]; graph [bb="0,0,2352,1650"]; "IODEF-Document" [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c7a00" HREF="/idmef_parser/IODEF/IODEF-Document.html" TITLE="The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class. ">IODEF-Document</td> </tr>" %<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/IODEF-Document.html" TITLE="The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be &quot;1.00&quot;">[STRING] version (Required) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/IODEF-Document.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/IODEF-Document.html" TITLE="A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out-of-band.">[STRING] formatid (Optional) </td></tr>%</table>>, shape=plaintext, pos="114,1319", width="3.1667", height="1.2361"]; Incident [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c7a00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data. 
">Incident</td> </tr>" %<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="The time the incident was first detected.">[] DetectTime (0..1) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="The time the incident started.">[] StartTime (0..1) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="The time the incident ended.">[] EndTime (0..1) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="The time the incident was reported.">[] ReportTime (1..1) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="A free-form textual description of the incident.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="The purpose attribute represents the reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.13). This attribute is defined as an enumerated list:">[ENUM] purpose (Required) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="A means by which to extend the purpose attribute. See Section 5.1.">[STRING] ext-purpose (Optional) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. The interpretation of this code is described in Section 6.">[ENUM] lang (Optional) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/Incident.html" TITLE="This attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. 
This guideline provides no security since there are no specified technical means to ensure that the recipient of the document handles the information as the sender requested.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="417,1319", width="3.5", height="2.9028"]; IncidentID [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c7a00" HREF="/idmef_parser/IODEF/IncidentID.html" TITLE="The IncidentID class represents an incident tracking number that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF Document. This identifier would serve as an index into the CSIRT incident handling system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident. ">IncidentID</td> </tr>" %<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/IncidentID.html" TITLE="An identifier describing the CSIRT that created the document. 
In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.">[STRING] name (Required) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/IncidentID.html" TITLE="An identifier referencing a subset of the named incident.">[STRING] instance (Optional) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/IncidentID.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="1564,1564", width="3.1667", height="1.2361"]; AlternativeID [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c7a00" HREF="/idmef_parser/IODEF/AlternativeID.html" TITLE="The AlternativeID class lists the incident tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by ">AlternativeID</td> </tr>" %<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/AlternativeID.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="985,1555", width="3.1667", height="0.68056"]; RelatedActivity [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c7a00" HREF="/idmef_parser/IODEF/RelatedActivity.html" TITLE="The RelatedActivity class lists either incident tracking numbers of incidents or URLs (not both) that refer to activity related to the one described in the IODEF document. These references may be to local incident tracking numbers or to those of other CSIRTs. 
">RelatedActivity</td> </tr>" %<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/RelatedActivity.html" TITLE="A URL to activity related to this incident.">[URL] URL (1..*) </td></tr>%<tr><td BGCOLOR="#99CC00" HREF="/idmef_parser/IODEF/RelatedActivity.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="985,1478", width="3.1667", height="0.95833"]; Assessment [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Assessment.html" TITLE="The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT&#39;s constituency. ">Assessment</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Assessment.html" TITLE="Specifies whether the assessment is describing actual or potential outcomes. The default is &quot;actual&quot; and is assumed if not specified.">[ENUM] occurrence (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Assessment.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="1240,649", width="3.25", height="0.95833"]; Impact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Impact.html" TITLE="The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization. ">Impact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="An estimate of the relative severity of the activity. The permitted values are shown below. 
There is no default value.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="An indication whether the described activity was successful. The permitted values are shown below. There is no default value.">[ENUM] completion (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="Classifies the malicious activity into incident categories. The permitted values are shown below. The default value is &quot;other&quot;.">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Impact.html" TITLE="A means by which to extend the type attribute. See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%</table>>, shape=plaintext, pos="1564,417", width="3.25", height="1.7917"]; TimeImpact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time. ">TimeImpact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="Defines the metric in which the time is expressed. The permitted values are shown below. There is no default value.">[ENUM] metric (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="A means by which to extend the metric attribute. 
See Section 5.1.">[STRING] ext-metric (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="Defines a unit of time, that when combined with the metric attribute, fully describes a metric of impact that will be conveyed in the element content. The permitted values are shown below. The default value is &quot;hour&quot;.">[ENUM] duration (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/TimeImpact.html" TITLE="A means by which to extend the duration attribute. See Section 5.1.">[STRING] ext-duration (Optional) </td></tr>%</table>>, shape=plaintext, pos="1564,715", width="3.5556", height="1.7917"]; MonetaryImpact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/MonetaryImpact.html" TITLE="The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished ">MonetaryImpact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/MonetaryImpact.html" TITLE="An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/MonetaryImpact.html" TITLE="Defines the currency in which the monetary impact is expressed. The permitted values are defined in ISO 4217:2001, Codes for the representation of currencies and funds [14]. There is no default value.">[STRING] currency (Required) </td></tr>%</table>>, shape=plaintext, pos="1564,599", width="3.2222", height="0.95833"]; Counter [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Counter.html" TITLE="The Counter class summarize multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events). 
">Counter</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="Specifies the units of the element content.">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="A means by which to extend the type attribute. See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="If present, the Counter class represents a rate rather than a count over the entire event. In that case, this attribute specifies the denominator of the rate (where the type attribute specified the nominator). The possible values of this attribute are defined in Section 3.10.2">[ENUM] duration (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Counter.html" TITLE="A means by which to extend the duration attribute. See Section 5.1.">[STRING] ext-duration (Optional) </td></tr>%</table>>, shape=plaintext, pos="2223,54", width="3.5556", height="1.5139"]; Confidence [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Confidence.html" TITLE="The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.10) of the incident activity. This estimate can be expressed as a category or a numeric calculation. ">Confidence</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IODEF/Confidence.html" TITLE="A rating of the analytical validity of the specified Assessment. The permitted values are shown below. There is no default value.">[ENUM] rating (Required) </td></tr>%</table>>, shape=plaintext, pos="1564,523", width="2.8056", height="0.68056"]; AdditionalData [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a3d" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. 
For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5. ">AdditionalData</td> </tr>" %<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The data type of the element content. The permitted values for this attribute are shown below. The default value is &quot;string&quot;.">[ENUM] dtype (Required) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A means by which to extend the dtype attribute. See Section 5.1.">[STRING] ext-dtype (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A free-form description of the element content.">[STRING] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="An identifier referencing the format and semantics of the element content.">[STRING] formatid (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="1899,979", width="3.2778", height="1.7917"]; Method [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c3d1f" HREF="/idmef_parser/IODEF/Method.html" TITLE="The Method class describes the methodology used by the intruder to perpetrate the events of the incident. This class consists of a list of references describing the attack method and a free form description of the technique. 
">Method</td> </tr>" %<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Method.html" TITLE="A free-form text description of the methodology used by the intruder.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Method.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="1240,904", width="3.3611", height="0.95833"]; Reference [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c3d1f" HREF="/idmef_parser/IODEF/Reference.html" TITLE="The Reference class is a reference to a vulnerability, IDS alert, malware sample, advisory, or attack technique. A reference consists of a name, a URL to this reference, and an optional description. ">Reference</td> </tr>" %<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Reference.html" TITLE="Name of the reference.">[ML_STRING] ReferenceName (1..1) </td></tr>%<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Reference.html" TITLE="A URL associated with the reference.">[URL] URL (0..*) </td></tr>%<tr><td BGCOLOR="#996633" HREF="/idmef_parser/IODEF/Reference.html" TITLE="A free-form text description of this reference.">[ML_STRING] Description (0..*) </td></tr>%</table>>, shape=plaintext, pos="1564,894", width="3.8056", height="1.2361"]; Contact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident. ">Contact</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The name of the contact. The contact may either be an organization or a person. 
The type attribute disambiguates the semantics.">[ML_STRING] ContactName (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="A free-form description of this contact. In the case of a person, this is often the organizational title of the individual.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The telephone number of the contact.">[] Telephone (0..*) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The facsimile telephone number of the contact.">[] Fax (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The timezone in which the contact resides formatted according to Section 2.9.">[TIMEZONE] Timezone (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="Indicates the role the contact fulfills. This attribute is defined as an enumerated list:">[ENUM] role (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="A means by which to extend the role attribute. See Section 5.1.">[STRING] ext-role (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="Indicates the type of contact being described. This attribute is defined as an enumerated list:">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="A means by which to extend the type attribute. 
See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Contact.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="1564,1340", width="3.6111", height="3.1806"]; RegistryHandle [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the type attribute specifies the database. ">RegistryHandle</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="The database to which the handle belongs. The default value is &#39;local&#39;. The possible values are:">[ENUM] registry (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="A means by which to extend the registry attribute. See Section 5.1.">[STRING] ext-registry (Optional) </td></tr>%</table>>, shape=plaintext, pos="1899,1550", width="3.5", height="0.95833"]; PostalAddress [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="The PostalAddress class specifies a postal address formatted according to the POSTAL data type (Section 2.11). ">PostalAddress</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="A free-form description of the element content.">[ENUM] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. 
The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%</table>>, shape=plaintext, pos="1899,1464", width="3.0278", height="0.95833"]; Email [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/Email.html" TITLE="The Email class specifies an email address formatted according to EMAIL data type (Section 2.14). ">Email</td> </tr>" %<tr><td BGCOLOR="#CCFF66" HREF="/idmef_parser/IODEF/Email.html" TITLE="A free-form description of the element content (e.g., hours of coverage for a given number).">[ENUM] meaning (Optional) </td></tr>%</table>>, shape=plaintext, pos="1899,1626", width="3.0278", height="0.68056"]; EventData [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#737373" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered. 
">EventData</td> </tr>" %<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="A free-form textual description of the event.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The time the event was detected.">[] DetectTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The time the event started.">[] StartTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="The time the event ended.">[] EndTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf" HREF="/idmef_parser/IODEF/EventData.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, shape=plaintext, pos="730,992", width="3.3611", height="1.7917"]; Flow [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Flow.html" TITLE="The Flow class groups related the source and target hosts. ">Flow</td> </tr>" %</table>>, shape=plaintext, pos="1240,247", width="0.77778", height="0.5"]; System [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/System.html" TITLE="The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of &quot;source&quot;, then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of &quot;target&quot; or &quot;intermediary&quot;, then the machine or service is the one targeted in the activity. 


Aggregates

Incident (1..*)

The information related to a single incident.

Attributes

version (Required)

The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be "1.00".

lang (Required)

A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.

formatid (Optional)

A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out-of-band.
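The following is an added example, not part of the original reference or of the parser project it documents: a Python check of the constraints stated above for the top-level class, plus the required Incident members shown in the class diagram. The namespace URI comes from RFC 5070 rather than from this page; `check_iodef_document`, its `known_formatids` parameter and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# IODEF v1 XML namespace as defined in RFC 5070 (not stated on this page).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
# Lexical pattern of xs:language, which constrains the lang attribute.
XS_LANGUAGE = re.compile(r"[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*")
# Required members of Incident from the class diagram: (element, min, max).
INCIDENT_MEMBERS = [("IncidentID", 1, 1), ("ReportTime", 1, 1),
                    ("Assessment", 1, None), ("Contact", 1, None)]


def _q(tag):
    """Qualify a tag name with the IODEF namespace for ElementTree lookups."""
    return f"{{{IODEF_NS}}}{tag}"


def check_iodef_document(xml_text, known_formatids=frozenset()):
    """Return a list of findings; an empty list means every check passed.

    known_formatids (hypothetical parameter) holds the formatid values the
    receiving team has agreed on out-of-band with its peers.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != _q("IODEF-Document"):
        return [f"root element {root.tag!r} is not IODEF-Document in {IODEF_NS}"]

    findings = []
    version = root.get("version")
    if version != "1.00":
        findings.append(f'version is {version!r}, MUST be "1.00"')
    lang = root.get("lang")
    if lang is None:
        findings.append("lang attribute is missing (Required)")
    elif not XS_LANGUAGE.fullmatch(lang):
        findings.append(f"lang {lang!r} is not a valid xs:language value")
    formatid = root.get("formatid")
    if formatid is not None and formatid not in known_formatids:
        findings.append(f"formatid {formatid!r} was not agreed out-of-band; ignore it")

    incidents = root.findall(_q("Incident"))
    if not incidents:
        findings.append("no Incident element, cardinality is 1..*")
    for n, incident in enumerate(incidents, start=1):
        if incident.get("purpose") is None:
            findings.append(f"Incident #{n}: purpose attribute is missing (Required)")
        for name, low, high in INCIDENT_MEMBERS:
            count = len(incident.findall(_q(name)))
            if count < low or (high is not None and count > high):
                bound = f"{low}..{'*' if high is None else high}"
                findings.append(f"Incident #{n}: {count} {name} element(s), expected {bound}")
        for incident_id in incident.findall(_q("IncidentID")):
            if incident_id.get("name") is None:
                findings.append(f"Incident #{n}: IncidentID has no name attribute (Required)")
    return findings


# Constructed sample that satisfies every check above.
GOOD_DOC = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
    <Assessment><Impact lang="en" type="admin"/></Assessment>
    <Contact role="creator" type="organization"/>
  </Incident>
</IODEF-Document>"""

# Constructed sample: wrong version, no lang, unknown formatid, thin Incident.
BAD_DOC = """<IODEF-Document version="1.0" formatid="x-auto-block"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident>
    <IncidentID>42</IncidentID>
    <ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, check_iodef_document(doc))
```

These checks cover only cardinality and required attributes at the top two levels; validating against the full IODEF XML schema remains the authoritative test.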

