Expectation

The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to purview of the EventData class in which this class is aggregated. 

digraph Expectation {
	graph [bb="0,0,762,380.5",
		rankdir=LR
	];
	node [label="\N"];
	Expectation	 [height=2.4444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#737373" HREF="/idmef_parser/IODEF/Expectation.html" TITLE="The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to purview of the EventData class in which this class is aggregated. ">Expectation</td> </tr>" %<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="A free-form description of the desired action(s).">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="The time at which the action should be performed.  A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible.  The absence of this element leaves the execution of the expectation to the discretion of the recipient.">[] StartTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.">[] EndTime (0..1) </td></tr>%<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="Classifies the type of action requested.  This attribute is an enumerated list with no default value.">[ENUM] action (Optional) </td></tr>%<tr><td BGCOLOR="#bfbfbf"  HREF="/idmef_parser/IODEF/Expectation.html" TITLE="A means by which to extend the action attribute.  See Section 5.1.">[STRING] ext-action (Optional) </td></tr>%</table>>,
		pos="106,216",
		shape=plaintext,
		width=2.9444];
	Contact	 [height=3.3194,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/Contact.html" TITLE="The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident. ">Contact</td> </tr>" %<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="The name of the contact.  The contact may either be an organization or a person.  The type attribute disambiguates the semantics.">[ML_STRING] ContactName (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="A free-form description of this contact.  In the case of a person, this is often the organizational title of the individual.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="The telephone number of the contact.">[] Telephone (0..*) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="The facsimile telephone number of the contact.">[] Fax (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="The timezone in which the contact resides formatted according to Section 2.9.">[TIMEZONE] Timezone (0..1) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="Indicates the role the contact fulfills.  This attribute is defined as an enumerated list:">[ENUM] role (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="A means by which to extend the role attribute. See Section 5.1.">[STRING] ext-role (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="Indicates the type of contact being described. This attribute is defined as an enumerated list:">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="A means by which to extend the type attribute. See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Contact.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>,
		pos="382,216",
		shape=plaintext,
		width=3.1111];
	Expectation -> Contact	 [label="0..1",
		lp="241,223.5",
		pos="e,269.76,216 212.15,216 227.63,216 243.68,216 259.45,216"];
	Contact -> Contact	 [label="0..*",
		lp="382,361",
		pos="e,402.86,335.75 361.14,335.75 365.48,346.65 372.43,353.5 382,353.5 388.58,353.5 393.92,350.26 398.03,344.7"];
	RegistryHandle	 [height=0.98611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the type attribute specifies the database. ">RegistryHandle</td> </tr>" %<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="The database to which the handle belongs.  The default value is &#39;local&#39;.  The possible values are:">[ENUM] registry (Required) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/RegistryHandle.html" TITLE="A means by which to extend the registry attribute.  See Section 5.1.">[STRING] ext-registry (Optional) </td></tr>%</table>>,
		pos="657,345",
		shape=plaintext,
		width=2.9167];
	Contact -> RegistryHandle	 [label="0..*",
		lp="523,299.5",
		pos="e,570.67,309.43 494.31,273.28 513.45,282.76 533.22,292.32 552,301 555.12,302.44 558.3,303.89 561.52,305.35"];
	PostalAddress	 [height=0.98611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="The PostalAddress class specifies a postal address formatted according to the POSTAL data type (Section 2.11). ">PostalAddress</td> </tr>" %<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="A free-form description of the element content.">[ENUM] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/PostalAddress.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;.  The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%</table>>,
		pos="657,256",
		shape=plaintext,
		width=2.5972];
	Contact -> PostalAddress	 [label="0..1",
		lp="523,244.5",
		pos="e,563.38,242.43 494.04,232.27 513.65,235.14 533.99,238.12 553.35,240.96"];
	Email	 [height=0.69444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#7a993d" HREF="/idmef_parser/IODEF/Email.html" TITLE="The Email class specifies an email address formatted according to EMAIL data type (Section 2.14). ">Email</td> </tr>" %<tr><td BGCOLOR="#CCFF66"  HREF="/idmef_parser/IODEF/Email.html" TITLE="A free-form description of the element content (e.g., hours of coverage for a given number).">[ENUM] meaning (Optional) </td></tr>%</table>>,
		pos="657,177",
		shape=plaintext,
		width=2.5972];
	Contact -> Email	 [label="0..*",
		lp="523,203.5",
		pos="e,563.38,190.23 494.04,200.14 513.65,197.34 533.99,194.43 553.35,191.66"];
	AdditionalData	 [height=1.8611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a3d" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5. ">AdditionalData</td> </tr>" %<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The data type of the element content.  The permitted values for this attribute are shown below.  The default value is &quot;string&quot;.">[ENUM] dtype (Required) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A means by which to extend the dtype attribute.  See Section 5.1.">[STRING] ext-dtype (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A free-form description of the element content.">[STRING] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="An identifier referencing the format and semantics of the element content.">[STRING] formatid (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>,
		pos="657,67",
		shape=plaintext,
		width=2.7639];
	Contact -> AdditionalData	 [label="0..*",
		lp="523,149.5",
		pos="e,557.34,120.85 494.04,155.4 511.89,145.65 530.34,135.58 548.12,125.88"];
}

Aggregates

Description (0..*)

A free-form description of the desired action(s).

StartTime (0..1)

The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient.

EndTime (0..1)

The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.

Contact (0..1)

The expected actor for the action.

Attributes

restriction (Optional)

This attribute is defined in Section 3.2.

severity (Optional)

Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.
Rank Keyword Description
1 low Low priority
2 medium Medium priority
3 high High priority

action (Optional)

Classifies the type of action requested. This attribute is an enumerated list with no default value.
Rank Keyword Description
1 nothing No action is requested. Do nothing with the information.
2 contact-source-site Contact the site(s) identified as the source of the activity.
3 contact-target-site Contact the site(s) identified as the target of the activity.
4 contact-sender Contact the originator of the document.
5 investigate Investigate the systems(s) listed in the event.
6 block-host Block traffic from the machine(s) listed as sources the event.
7 block-network Block traffic from the network(s) lists as sources in the event.
8 block-port Block the port listed as sources in the event.
9 rate-limit-host Rate-limit the traffic from the machine(s) listed as sources in the event.
10 rate-limit-network Rate-limit the traffic from the network(s) lists as sources in the event.
11 rate-limit-port Rate-limit the port(s) listed as sources in the event.
12 remediate-other Remediate the activity in a way other than by rate limiting or blocking.
13 status-triage Conveys receipts and the triaging of an incident.
14 status-new-info Conveys that new information was received for this incident.
15 other Perform some custom action described in the Description class.
16 ext-value An escape value used to extend this attribute. See Section 5.1.

ext-action (Optional)

A means by which to extend the action attribute. See Section 5.1.

IDMEF

IODEF