Incident

Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data.

Elements and attributes of the Incident class (type in brackets, then the element cardinality or, for attributes, Required/Optional):

- [] DetectTime (0..1): The time the incident was first detected.
- [] StartTime (0..1): The time the incident started.
- [] EndTime (0..1): The time the incident ended.
- [] ReportTime (1..1): The time the incident was reported.
- [ML_STRING] Description (0..*): A free-form textual description of the incident.
- [ENUM] purpose (Required): The reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.13) and is defined as an enumerated list.
- [STRING] ext-purpose (Optional): A means by which to extend the purpose attribute. See Section 5.1.
- [ENUM] lang (Optional): A valid language code per RFC 4646 [7], constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.
- [ENUM] restriction (Optional): Indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security, since there are no specified technical means to ensure that the recipient of the document handles the information as the sender requested.

Classes aggregated by Incident, with the cardinality of the association:

- IncidentID (1..1)
- AlternativeID (0..1)
- RelatedActivity (0..1)
- Assessment (1..*)
- Method (0..*)
- Contact (1..*)
- EventData (0..*)
- History (0..1)
- AdditionalData (0..*)

The remaining classes of the data model, each with its description, its elements and attributes, and the classes it aggregates (the descriptions are those attached to the diagram; two of them are cut off in the source and are left as they stand):

IncidentID
  The IncidentID class represents an incident tracking number that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF Document. This identifier would serve as an index into the CSIRT incident handling system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.
  - [STRING] name (Required): An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.
  - [STRING] instance (Optional): An identifier referencing a subset of the named incident.
  - [ENUM] restriction (Optional): Defined in Section 3.2.

AlternativeID
  The AlternativeID class lists the incident tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described in the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by
  - [ENUM] restriction (Optional)
  Aggregates: IncidentID (1..*)

RelatedActivity
  The RelatedActivity class lists either incident tracking numbers of incidents or URLs (not both) that refer to activity related to the one described in the IODEF document. These references may be to local incident tracking numbers or to those of other CSIRTs.
  - [URL] URL (1..*): A URL to activity related to this incident.
  - [ENUM] restriction (Optional)
  Aggregates: IncidentID (1..*)

Assessment
  The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT's constituency.
  - [ENUM] occurrence (Optional): Specifies whether the assessment is describing actual or potential outcomes. The default is "actual" and is assumed if not specified.
  - [ENUM] restriction (Optional)
  Aggregates: Impact (0..*), TimeImpact (0..*), MonetaryImpact (0..*), Counter (0..*), Confidence (0..1), AdditionalData (0..*)

AdditionalData
  The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion of extending the data model and the schema can be found in Section 5.
  - [ENUM] dtype (Required): The data type of the element content. The default value is "string".
  - [STRING] ext-dtype (Optional): A means by which to extend the dtype attribute. See Section 5.1.
  - [STRING] meaning (Optional): A free-form description of the element content.
  - [STRING] formatid (Optional): An identifier referencing the format and semantics of the element content.
  - [ENUM] restriction (Optional)

Method
  The Method class describes the methodology used by the intruder to perpetrate the events of the incident. It consists of a list of references describing the attack method and a free-form description of the technique.
  - [ML_STRING] Description (0..*): A free-form text description of the methodology used by the intruder.
  - [ENUM] restriction (Optional)
  Aggregates: AdditionalData (0..*), Reference (0..*)

Contact
  The Contact class describes contact information for organizations and personnel involved in the incident. It allows for naming the involved party, specifying contact information for them, and identifying their role in the incident.
  - [ML_STRING] ContactName (0..1): The name of the contact, either an organization or a person; the type attribute disambiguates the semantics.
  - [ML_STRING] Description (0..*): A free-form description of this contact. For a person, this is often the organizational title of the individual.
  - [] Telephone (0..*): The telephone number of the contact.
  - [] Fax (0..1): The facsimile telephone number of the contact.
  - [TIMEZONE] Timezone (0..1): The timezone in which the contact resides, formatted according to Section 2.9.
  - [ENUM] role (Required): The role the contact fulfills; an enumerated list.
  - [STRING] ext-role (Optional): A means by which to extend the role attribute. See Section 5.1.
  - [ENUM] type (Required): The type of contact being described; an enumerated list.
  - [STRING] ext-type (Optional): A means by which to extend the type attribute. See Section 5.1.
  - [ENUM] restriction (Optional)
  Aggregates: AdditionalData (0..*), Contact (0..*), RegistryHandle (0..*), PostalAddress (0..1), Email (0..*)

EventData
  The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.
  - [ML_STRING] Description (0..*): A free-form textual description of the event.
  - [] DetectTime (0..1): The time the event was detected.
  - [] StartTime (0..1): The time the event started.
  - [] EndTime (0..1): The time the event ended.
  - [ENUM] restriction (Optional)
  Aggregates: Assessment (0..1), AdditionalData (0..*), Method (0..*), Contact (0..*), EventData (0..*), Flow (0..*), Expectation (0..*), Record (0..1)

History
  The History class is a log of the significant events or actions performed by the involved parties during the course of handling the incident.
  - [ENUM] restriction (Optional)
  Aggregates: HistoryItem (1..*)

Impact
  The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization.
  - [ENUM] lang (Required): A valid language code per RFC 4646 [7]; see Section 6.
  - [ENUM] severity (Optional): An estimate of the relative severity of the activity. There is no default value.
  - [ENUM] completion (Optional): An indication of whether the described activity was successful. There is no default value.
  - [ENUM] type (Required): Classifies the malicious activity into incident categories. The default value is "other".
  - [STRING] ext-type (Optional): A means by which to extend the type attribute. See Section 5.1.

TimeImpact
  The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time.
  - [ENUM] severity (Optional): An estimate of the relative severity of the activity. There is no default value.
  - [ENUM] metric (Required): Defines the metric in which the time is expressed. There is no default value.
  - [STRING] ext-metric (Optional): A means by which to extend the metric attribute. See Section 5.1.
  - [ENUM] duration (Required): Defines a unit of time that, combined with the metric attribute, fully describes the metric of impact conveyed in the element content. The default value is "hour".
  - [STRING] ext-duration (Optional): A means by which to extend the duration attribute. See Section 5.1.

MonetaryImpact
  The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished
  - [ENUM] severity (Optional): An estimate of the relative severity of the activity. There is no default value.
  - [STRING] currency (Required): The currency in which the monetary impact is expressed, as defined in ISO 4217:2001, Codes for the representation of currencies and funds [14]. There is no default value.

Counter
  The Counter class summarizes multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events).
  - [ENUM] type (Required): Specifies the units of the element content.
  - [STRING] ext-type (Optional): A means by which to extend the type attribute. See Section 5.1.
  - [ENUM] duration (Optional): If present, the Counter represents a rate rather than a count over the entire event; this attribute then specifies the denominator of the rate (the type attribute specifies the numerator). The possible values are defined in Section 3.10.2.
  - [STRING] ext-duration (Optional): A means by which to extend the duration attribute. See Section 5.1.

Confidence
  The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.10) of the incident activity. This estimate can be expressed as a category or a numeric calculation.
  - [ENUM] rating (Required): A rating of the analytical validity of the specified Assessment. There is no default value.

Reference
  The Reference class is a reference to a vulnerability, IDS alert, malware sample, advisory, or attack technique. A reference consists of a name, a URL to this reference, and an optional description.
  - [ML_STRING] ReferenceName (1..1): Name of the reference.
  - [URL] URL (0..*): A URL associated with the reference.
  - [ML_STRING] Description (0..*): A free-form text description of this reference.

RegistryHandle
  The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the registry attribute specifies the database.
  - [ENUM] registry (Required): The database to which the handle belongs. The default value is 'local'.
  - [STRING] ext-registry (Optional): A means by which to extend the registry attribute. See Section 5.1.

PostalAddress
  The PostalAddress class specifies a postal address formatted according to the POSTAL data type (Section 2.11).
  - [ENUM] meaning (Optional): A free-form description of the element content.
  - [ENUM] lang (Required): A valid language code per RFC 4646 [7]; see Section 6.

Email
  The Email class specifies an email address formatted according to the EMAIL data type (Section 2.14).
  - [ENUM] meaning (Optional): A free-form description of the element content (e.g., hours of coverage for a given number).

Flow
  The Flow class groups the related source and target hosts.
  Aggregates: System (1..*)

Expectation
  The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to the purview of the EventData class in which this class is aggregated.
  - [ML_STRING] Description (0..*): A free-form description of the desired action(s).
  - [] StartTime (0..1): The time at which the action should be performed. A timestamp earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient.
  - [] EndTime (0..1): The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.
  - [ENUM] restriction (Optional)
  - [ENUM] severity (Optional): The desired priority of the action; an enumerated list with no default value, whose relative measures are context dependent.
  - [ENUM] action (Optional): Classifies the type of action requested; an enumerated list with no default value.
  - [STRING] ext-action (Optional): A means by which to extend the action attribute. See Section 5.1.
  Aggregates: Contact (0..1)

Record
  The Record class is a container for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs should substantiate the activity described in the document.
  - [ENUM] restriction (Optional)
  Aggregates: RecordData (1..*)

System
  The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute.
  - [ML_STRING] Description (0..*)
  - [ENUM] restriction (Optional)
  - [ENUM] category (Required)
  - [STRING] ext-category (Optional)
  - [STRING] interface (Optional)
  - [ENUM] spoofed (Optional)
  Aggregates: Node (1..1), Service (0..*), OperatingSystem (0..1), Counter (0..*), AdditionalData (0..*)

Node
  - [ML_STRING] NodeName (0..*)
  - [ML_STRING] Location (0..1)
  - [] DateTime (0..1)
  Aggregates: Address (0..*), NodeRole (0..*), Counter (0..*)

Address
  - [ENUM] category (Required)
  - [STRING] ext-category (Optional)
  - [STRING] vlan-name (Optional)
  - [STRING] vlan-num (Optional)

NodeRole
  - [ENUM] category (Required)
  - [STRING] ext-category (Optional)
  - [ENUM] lang (Required)

Service
  - [INTEGER] Port (0..1)
  - [PORTLIST] Portlist (0..1)
  - [INTEGER] ProtoCode (0..1)
  - [INTEGER] ProtoType (0..1)
  - [INTEGER] ProtoFlags (0..1)
  - [INTEGER] ip_protocol (Required)
  Aggregates: Application (0..*)

OperatingSystem and Application (identical structure)
  - [URL] URL (0..1)
  - [STRING] swid (Optional)
  - [STRING] configid (Optional)
  - [STRING] vendor (Optional)
  - [STRING] family (Optional)
  - [STRING] name (Optional)
  - [STRING] version (Optional)
  - [STRING] patch (Optional)

RecordData
  - [] DateTime (0..1)
  - [ML_STRING] Description (0..*)
  - [ENUM] restriction (Optional)
  Aggregates: RecordPattern (0..*), RecordItem (1..*), Application (0..1), AdditionalData (0..1)

RecordPattern
  - [ENUM] type (Required)
  - [STRING] ext-type (Optional)
  - [INTEGER] offset (Optional)
  - [ENUM] offsetunit (Optional)
  - [STRING] ext-offsetunit (Optional)
  - [INTEGER] instance (Optional)

RecordItem
  - [ENUM] dtype (Required)
  - [STRING] ext-dtype (Optional)
  - [STRING] meaning (Optional)
  - [STRING] formatid (Optional)
  - [ENUM] restriction (Optional)

HistoryItem
  - [] DateTime (1..1)
  - [ML_STRING] Description (0..*)
  - [ENUM] restriction (Optional)
  - [ENUM] action (Required)
  - [STRING] ext-action (Optional)
  Aggregates: IncidentID (0..1), Contact (0..1), AdditionalData (0..*)
The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of &quot;source&quot;, then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of &quot;target&quot; or &quot;intermediary&quot;, then the machine or service is the one targeted in the activity. A value of &quot;sensor&quot; dictates that this System was part of an instrumentation to monitor the network. ">System</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="A free-form text description of the System.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="Classifies the role the host or network played in the incident. The possible values are:">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="A means by which to extend the category attribute. See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.">[STRING] interface (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/System.html" TITLE="An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. 
The default value is &quot;unknown&quot;.">[ENUM] spoofed (Optional) </td></tr>%</table>>, pos="1100.5,226.5", shape=plaintext, width=2.9861]; Flow -> System [label="1..*", lp="953,249", pos="e,992.94,236.38 845.14,250.08 876.69,247.15 931.89,242.04 982.82,237.32"]; System -> Counter [label="0..*", lp="1387.5,73", pos="e,1556.2,39.396 1163.6,148.68 1194,116.66 1233.5,83.031 1277,65.5 1362.5,31.086 1467.4,31.07 1546.3,38.415"]; System -> AdditionalData [label="0..*", lp="1248,311", pos="e,1342.7,933.35 1208.2,268.76 1231.7,280.24 1251.9,292.53 1259,303.5 1288.2,348.43 1263.5,733.63 1277,785.5 1289.7,834.31 1314.7,\ 884.76 1337.6,924.52"]; "Node" [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Node.html" TITLE="The Node class names a system (e.g., PC, router) or network. ">Node</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Node.html" TITLE="The name of the Node (e.g., fully qualified domain name). This information MUST be provided if no Address information is given.">[ML_STRING] NodeName (0..*) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Node.html" TITLE="A free-from description of the physical location of the equipment.">[ML_STRING] Location (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Node.html" TITLE="A timestamp of when the resolution between the name and address was performed. 
This information SHOULD be provided if both an Address and NodeName are specified.">[] DateTime (0..1) </td></tr>%</table>>, pos="1387.5,351.5", shape=plaintext, width=2.9444]; System -> "Node" [label="1..1", lp="1248,235", pos="e,1286.2,305.39 1208.2,208.94 1226.6,210.78 1244.4,216.2 1259,227.5 1283.7,246.65 1257.4,271.16 1277,295.5 1277.7,296.37 1278.4,\ 297.23 1279.2,298.08"]; Service [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Service.html" TITLE="The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port. ">Service</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A port number.">[INTEGER] Port (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A list of port numbers formatted according to Section 2.10.">[PORTLIST] Portlist (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol-specific code field (e.g., ICMP code field).">[INTEGER] ProtoCode (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol specific type field (e.g., ICMP type field).">[INTEGER] ProtoType (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol specific flag field (e.g., TCP flag field).">[INTEGER] ProtoFlags (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Service.html" TITLE="The IANA protocol number.">[INTEGER] ip_protocol (Required) </td></tr>%</table>>, pos="1387.5,699.5", shape=plaintext, width=3.0694]; System -> Service [label="0..*", lp="1248,273", pos="e,1351.8,621.78 1208.1,234.63 1227.4,240.78 1245.6,250.46 1259,265.5 1280,289.09 1269.4,375.84 1277,406.5 1294.6,477.54 1324,554.97 \ 1347.9,612.38"]; OperatingSystem 
[height=2.7361, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class (Section 3.17.1). ">OperatingSystem</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="A URL describing the application.">[URL] URL (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="An identifier that can be used to reference this software.">[STRING] swid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="An identifier that can be used to reference a particular configuration of this software.">[STRING] configid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Vendor name of the software.">[STRING] vendor (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Family of the software.">[STRING] family (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Name of the software.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Version of the software.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Patch or service pack level of the software.">[STRING] patch (Optional) </td></tr>%</table>>, pos="1387.5,188.5", shape=plaintext, width=2.6806]; System -> OperatingSystem [label="0..1", lp="1248,197", pos="e,1290.9,185.45 1208.2,194.61 1217.9,192.55 1227.6,190.8 1237,189.5 1251.1,187.56 1266,186.41 1280.8,185.79"]; "Node" -> Counter [label="0..*", lp="1527,282", pos="e,1634.1,113.18 1485.5,305.41 1489.9,302.25 1494.1,298.95 1498,295.5 1554,246.34 1600.2,174.18 
1629.3,122.02"]; Address [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address. ">Address</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The type of address represented. The permitted values for this attribute are shown below. The default value is &quot;ipv4-addr&quot;.">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="A means by which to extend the category attribute. See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The name of the Virtual LAN to which the address belongs.">[STRING] vlan-name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The number of the Virtual LAN to which the address belongs.">[STRING] vlan-num (Optional) </td></tr>%</table>>, pos="1663.5,411.5", shape=plaintext, width=2.9861]; "Node" -> Address [label="0..*", lp="1527,391", pos="e,1555.8,388.14 1493.7,374.53 1510.7,378.26 1528.4,382.14 1545.7,385.92"]; NodeRole [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="The NodeRole class describes the intended function performed by a particular host. ">NodeRole</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="Functionality provided by a node.">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="A means by which to extend the category attribute. 
See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;. The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%</table>>, pos="1663.5,290.5", shape=plaintext, width=2.9861]; "Node" -> NodeRole [label="0..*", lp="1527,331", pos="e,1555.8,314.25 1493.7,328.09 1510.7,324.3 1528.4,320.35 1545.7,316.5"]; Application [height=2.7361, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Application.html" TITLE="The Application class describes an application running on a System providing a Service. ">Application</td> </tr>" %<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="A URL describing the application.">[URL] URL (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="An identifier that can be used to reference this software.">[STRING] swid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="An identifier that can be used to reference a particular configuration of this software.">[STRING] configid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Vendor name of the software.">[STRING] vendor (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Family of the software.">[STRING] family (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Name of the software.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Version of the software.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f" HREF="/idmef_parser/IODEF/Application.html" TITLE="Patch or service pack level of the 
software.">[STRING] patch (Optional) </td></tr>%</table>>, pos="1663.5,722.5", shape=plaintext, width=2.6806]; Service -> Application [label="0..*", lp="1527,720", pos="e,1566.7,714.46 1498.4,708.72 1517.6,710.33 1537.5,712 1556.5,713.61"]; Expectation -> Contact [label="0..1", lp="953,1284", pos="e,988.25,1292.5 924.38,1250.4 937.73,1259.2 951.19,1268 964,1276.5 969.18,1279.9 974.47,1283.4 979.82,1286.9"]; RecordData [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IODEF/RecordData.html" TITLE="The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output. ">RecordData</td> </tr>" %<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordData.html" TITLE="Timestamp of the RecordItem data.">[] DateTime (0..1) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordData.html" TITLE="Free-form textual description of the provided RecordItem data. 
At minimum, this description should convey the significance of the provided RecordItem data.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordData.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, pos="1100.5,1169.5", shape=plaintext, width=2.9444]; Record -> RecordData [label="1..*", lp="953,1081", pos="e,998.06,1123.4 915.37,1052.8 932.74,1056.6 949.81,1063.1 964,1073.5 978.43,1084.1 969.4,1096.8 982,1109.5 984.61,1112.1 987.37,\ 1114.7 990.23,1117.1"]; RecordData -> AdditionalData [label="0..1", lp="1248,1106", pos="e,1287.9,1067.1 1194,1123.4 1202.5,1118.8 1211,1114.1 1219,1109.5 1238.8,1098 1259.6,1085.2 1279.5,1072.5"]; RecordData -> Application [label="0..1", lp="1387.5,1120", pos="e,1643.3,821.11 1206.5,1134.7 1239.3,1124 1269,1114.4 1277,1112.5 1373.7,1089.1 1418.7,1136.6 1498,1076.5 1576.4,1017.1 1618.7,911.3 \ 1640.8,830.8"]; RecordPattern [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="The RecordPattern class describes where in the content of the RecordItem relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data. ">RecordPattern</td> </tr>" %<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="Describes the type of pattern being specified in the element content. The default is &quot;regex&quot;.">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="A means by which to extend the type attribute. 
See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.">[INTEGER] offset (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="Describes the units of the offset attribute. The default is &quot;line&quot;.">[ENUM] offsetunit (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="A means by which to extend the offsetunit attribute. See Section 5.1.">[STRING] ext-offsetunit (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordPattern.html" TITLE="Number of types to apply the specified pattern.">[INTEGER] instance (Optional) </td></tr>%</table>>, pos="1387.5,1366.5", shape=plaintext, width=3.0694]; RecordData -> RecordPattern [label="0..*", lp="1248,1272", pos="e,1287.8,1288.8 1184.2,1215.5 1196,1222.6 1207.9,1230.1 1219,1237.5 1232,1246.2 1254.9,1263.4 1279.7,1282.5"]; RecordItem [height=1.8611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IODEF/RecordItem.html" TITLE="The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. The class supports both the direct encapsulation of the data, as well as, provides primitives to reference data stored elsewhere. ">RecordItem</td> </tr>" %<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordItem.html" TITLE="The data type of the element content. The permitted values for this attribute are shown below. The default value is &quot;string&quot;.">[ENUM] dtype (Required) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordItem.html" TITLE="A means by which to extend the dtype attribute. 
See Section 5.1.">[STRING] ext-dtype (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordItem.html" TITLE="A free-form description of the element content.">[STRING] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordItem.html" TITLE="An identifier referencing the format and semantics of the element content.">[STRING] formatid (Optional) </td></tr>%<tr><td BGCOLOR="#ffcc00" HREF="/idmef_parser/IODEF/RecordItem.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>, pos="1387.5,1203.5", shape=plaintext, width=2.7639]; RecordData -> RecordItem [label="1..*", lp="1248,1196", pos="e,1287.8,1191.7 1206.8,1182.1 1229.9,1184.8 1254.3,1187.7 1277.6,1190.5"]; HistoryItem [height=1.8611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#006a30" HREF="/idmef_parser/IODEF/HistoryItem.html" TITLE="The HistoryItem class is an entry in the History (Section 3.11) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form description, but each can be categorized with the type attribute. ">HistoryItem</td> </tr>" %<tr><td BGCOLOR="#00B050" HREF="/idmef_parser/IODEF/HistoryItem.html" TITLE="Timestamp of this entry in the history log (e.g., when the action described in the Description was taken).">[] DateTime (1..1) </td></tr>%<tr><td BGCOLOR="#00B050" HREF="/idmef_parser/IODEF/HistoryItem.html" TITLE="A free-form textual description of the action or event.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#00B050" HREF="/idmef_parser/IODEF/HistoryItem.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%<tr><td BGCOLOR="#00B050" HREF="/idmef_parser/IODEF/HistoryItem.html" TITLE="Classifies a performed action or occurrence documented in this history log entry. 
As activity will likely have been instigated either through a previously conveyed expectation or internal investigation, this attribute is identical to the category attribute of the Expectation class. The difference is only one of tense. When an action is in this class, it has been completed. See Section 3.13.">[ENUM] action (Required) </td></tr>%<tr><td BGCOLOR="#00B050" HREF="/idmef_parser/IODEF/HistoryItem.html" TITLE="A means by which to extend the action attribute. See Section 5.1.">[STRING] ext-action (Optional) </td></tr>%</table>>, pos="818,1443.5", shape=plaintext, width=2.9444]; History -> HistoryItem [label="1..*", lp="597,1438", pos="e,711.7,1431.8 473.16,1422.9 536.05,1423.7 619.98,1425.7 694,1430.5 696.53,1430.7 699.09,1430.8 701.67,1431"]; HistoryItem -> IncidentID [label="0..1", lp="953,1525", pos="e,1013.1,1544.4 924.16,1496.6 937.61,1503.6 951.15,1510.7 964,1517.5 972.08,1521.8 973.97,1523.1 982,1527.5 989.23,1531.4 996.72,\ 1535.5 1004.3,1539.6"]; HistoryItem -> AdditionalData [label="0..*", lp="1100.5,1107", pos="e,1287.8,1045.9 896.61,1376.2 906.96,1364.5 916.55,1351.8 924,1338.5 950.76,1290.8 941.83,1136.6 982,1099.5 1027.8,1057.2 1199.1,\ 1072.9 1259,1055.5 1265.4,1053.6 1271.9,1051.6 1278.3,1049.3"]; HistoryItem -> Contact [label="0..1", lp="953,1418", pos="e,988.04,1397.1 924.25,1414.6 941.82,1409.8 960.18,1404.7 978.12,1399.8"]; }


Aggregates

IncidentID (1..1)

An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document.

AlternativeID (0..1)

The incident tracking numbers used by other CSIRTs to refer to the incident described in the document.

RelatedActivity (0..1)

The incident tracking numbers of related incidents.

DetectTime (0..1)

The time the incident was first detected.

StartTime (0..1)

The time the incident started.

EndTime (0..1)

The time the incident ended.

ReportTime (1..1)

The time the incident was reported.

Description (0..*)

A free-form textual description of the incident.

Assessment (1..*)

A characterization of the impact of the incident.

Method (0..*)

The techniques used by the intruder in the incident.

Contact (1..*)

Contact information for the parties involved in the incident.

EventData (0..*)

Description of the events comprising the incident.

History (0..1)

A log of significant events or actions that occurred during the course of handling the incident.

AdditionalData (0..*)

Mechanism by which to extend the data model.

Attributes

purpose (Required)

The purpose attribute represents the reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.13). This attribute is defined as an enumerated list:
Rank  Keyword     Description
1     traceback   The document was sent for trace-back purposes.
2     mitigation  The document was sent to request aid in mitigating the described activity.
3     reporting   The document was sent to comply with reporting requirements.
4     other       The document was sent for purposes specified in the Expectation class.
5     ext-value   An escape value used to extend this attribute. See Section 5.1.

ext-purpose (Optional)

A means by which to extend the purpose attribute. See Section 5.1.

lang (Optional)

A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.

restriction (Optional)

This attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no specified technical means to ensure that the recipient of the document handles the information as the sender requested.
Rank  Keyword       Description
1     public        There are no restrictions placed on the information.
2     need-to-know  The information may be shared with other parties that are involved in the incident as determined by the recipient of this document (e.g., multiple victim sites can be informed of each other).
3     private       The information may not be shared.
4     default       The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.
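The aggregate cardinalities and the purpose and restriction enumerations above are the rules a receiving CSIRT's ingest code has to enforce before trusting a document. The checker below is an added example, not code from this page or from any IODEF parser; it assumes the IODEF 1.0 XML namespace registered by RFC 5070 (urn:ietf:params:xml:ns:iodef-1.0), treats purpose="ext-value" without an ext-purpose as an error (the extension mechanism referenced as Section 5.1), and runs over two constructed sample documents.

```python
"""Check the Incident elements of an IODEF 1.0 document against the
aggregate cardinalities and attribute enumerations listed on this page.
Added example: not code from the page or from any IODEF implementation."""
import xml.etree.ElementTree as ET

# IODEF 1.0 namespace registered by RFC 5070.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"

# Aggregates of Incident: name -> (minimum, maximum); None means unbounded.
INCIDENT_AGGREGATES = {
    "IncidentID": (1, 1), "AlternativeID": (0, 1), "RelatedActivity": (0, 1),
    "DetectTime": (0, 1), "StartTime": (0, 1), "EndTime": (0, 1),
    "ReportTime": (1, 1), "Description": (0, None), "Assessment": (1, None),
    "Method": (0, None), "Contact": (1, None), "EventData": (0, None),
    "History": (0, 1), "AdditionalData": (0, None),
}
PURPOSE_VALUES = {"traceback", "mitigation", "reporting", "other", "ext-value"}
RESTRICTION_VALUES = {"public", "need-to-know", "private", "default"}


def _local(tag):
    """Return the element name without its namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def check_incident(incident):
    """Return the list of rule violations for one <Incident> element."""
    problems = []
    counts = {}
    for child in incident:
        name = _local(child.tag)
        counts[name] = counts.get(name, 0) + 1
    # Cardinality of every aggregate, including required ones that are absent.
    for name, (lo, hi) in INCIDENT_AGGREGATES.items():
        n = counts.get(name, 0)
        if n < lo:
            problems.append(f"{name}: found {n}, minimum {lo}")
        if hi is not None and n > hi:
            problems.append(f"{name}: found {n}, maximum {hi}")
    for name in counts:
        if name not in INCIDENT_AGGREGATES:
            problems.append(f"{name}: not an aggregate of Incident")
    # purpose is Required and enumerated; ext-value must carry ext-purpose.
    purpose = incident.get("purpose")
    if purpose is None:
        problems.append("purpose: required attribute missing")
    elif purpose not in PURPOSE_VALUES:
        problems.append(f"purpose: {purpose!r} is not an enumerated value")
    elif purpose == "ext-value" and not incident.get("ext-purpose"):
        problems.append("purpose: ext-value used without ext-purpose")
    # restriction is Optional but, when present, must be one of the four keywords.
    restriction = incident.get("restriction")
    if restriction is not None and restriction not in RESTRICTION_VALUES:
        problems.append(f"restriction: {restriction!r} is not an enumerated value")
    # IncidentID carries the Required name attribute (the issuing CSIRT).
    for iid in incident.findall(f"{{{IODEF_NS}}}IncidentID"):
        if not iid.get("name"):
            problems.append("IncidentID: required attribute name missing")
    return problems


def check_document(xml_text):
    """Parse an IODEF-Document; map each Incident (by IncidentID text) to its problems."""
    root = ET.fromstring(xml_text)
    results = {}
    for idx, inc in enumerate(root.findall(f"{{{IODEF_NS}}}Incident")):
        iid = inc.find(f"{{{IODEF_NS}}}IncidentID")
        key = iid.text.strip() if iid is not None and iid.text else f"#{idx}"
        results[key] = check_incident(inc)
    return results


# Constructed sample documents (not real incidents): one valid, one breaking
# four of the rules on this page.
GOOD_DOC = f"""<IODEF-Document version="1.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2024-01-15T10:00:00+00:00</ReportTime>
    <Assessment><Impact lang="en" type="recon" completion="succeeded"/></Assessment>
    <Contact type="organization" role="creator">
      <ContactName>Example CSIRT</ContactName>
      <Email>csirt@example.com</Email>
    </Contact>
  </Incident>
</IODEF-Document>"""

BAD_DOC = f"""<IODEF-Document version="1.00" xmlns="{IODEF_NS}">
  <Incident purpose="escalation">
    <IncidentID>555</IncidentID>
    <ReportTime>2024-01-15T10:00:00+00:00</ReportTime>
    <ReportTime>2024-01-16T10:00:00+00:00</ReportTime>
    <Assessment><Impact lang="en" type="dos"/></Assessment>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for doc in (GOOD_DOC, BAD_DOC):
        for key, problems in check_document(doc).items():
            print(key, problems or "ok")
```

The second document fails on a second ReportTime, a missing Contact, an unknown purpose keyword and an IncidentID with no issuing CSIRT name. Note that the checker can only confirm that restriction holds a permitted keyword; as the text above says, the keyword is a request to the recipient and nothing in the format enforces it, so any redaction or sharing policy has to be implemented by the receiving side.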
