Expectation

The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to purview of the EventData class in which this class is aggregated. 

digraph Expectation {
	graph [bb="0,0,775,380.5",
		rankdir=LR
	];
	node [label="\N"];
	Expectation	 [height=2.4444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#999999" HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to purview of the EventData class in which this class is aggregated. "><FONT FACE="Nimbus Sans L">Expectation</FONT></td> </tr>" %<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="A free-form description of the desired action(s)."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="The time at which the action should be performed.  A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible.  The absence of this element leaves the execution of the expectation to the discretion of the recipient."><FONT FACE="Nimbus Sans L">[] StartTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed."><FONT FACE="Nimbus Sans L">[] EndTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="This attribute is defined in Section 3.2."><FONT FACE="Nimbus Sans L">[ENUM] restriction (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent."><FONT FACE="Nimbus Sans L">[ENUM] severity (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="Classifies the type of action requested.  This attribute is an enumerated list with no default value."><FONT FACE="Nimbus Sans L">[ENUM] action (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF"  HREF="/idmef_parser/IODEFv1/Expectation.html" TITLE="A means by which to extend the action attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-action (Optional)</FONT></td></tr>%</table>>,
		pos="106,216",
		shape=plaintext,
		width=2.9444];
	Contact	 [height=3.3194,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident. "><FONT FACE="Nimbus Sans L">Contact</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="The name of the contact.  The contact may either be an organization or a person.  The type attribute disambiguates the semantics."><FONT FACE="Nimbus Sans L">[ML_STRING] ContactName (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="A free-form description of this contact.  In the case of a person, this is often the organizational title of the individual."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="The telephone number of the contact."><FONT FACE="Nimbus Sans L">[] Telephone (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="The facsimile telephone number of the contact."><FONT FACE="Nimbus Sans L">[] Fax (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="The timezone in which the contact resides formatted according to Section 2.9."><FONT FACE="Nimbus Sans L">[TIMEZONE] Timezone (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="Indicates the role the contact fulfills.  This attribute is defined as an enumerated list:"><FONT FACE="Nimbus Sans L">[ENUM] role (Required)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="A means by which to extend the role attribute. See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-role (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="Indicates the type of contact being described. This attribute is defined as an enumerated list:"><FONT FACE="Nimbus Sans L">[ENUM] type (Required)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="A means by which to extend the type attribute. See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-type (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Contact.html" TITLE="This attribute is defined in Section 3.2."><FONT FACE="Nimbus Sans L">[ENUM] restriction (Optional)</FONT></td></tr>%</table>>,
		pos="386,216",
		shape=plaintext,
		width=3.1944];
	Expectation -> Contact	 [label="0..1",
		lp="241.5,223.5",
		pos="e,270.94,216 212.26,216 228.14,216 244.64,216 260.88,216"];
	Contact -> Contact	 [label="0..*",
		lp="386,361",
		pos="e,407.46,335.75 364.54,335.75 369,346.65 376.16,353.5 386,353.5 392.77,353.5 398.26,350.26 402.49,344.7"];
	RegistryHandle	 [height=0.98611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv1/RegistryHandle.html" TITLE="The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the type attribute specifies the database. "><FONT FACE="Nimbus Sans L">RegistryHandle</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/RegistryHandle.html" TITLE="The database to which the handle belongs.  The default value is &#39;local&#39;.  The possible values are:"><FONT FACE="Nimbus Sans L">[ENUM] registry (Required)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/RegistryHandle.html" TITLE="A means by which to extend the registry attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-registry (Optional)</FONT></td></tr>%</table>>,
		pos="667.5,345",
		shape=plaintext,
		width=2.9861];
	Contact -> RegistryHandle	 [label="0..*",
		lp="530.5,299.5",
		pos="e,579.3,309.45 501.09,273.54 520.64,282.94 540.83,292.4 560,301 563.23,302.45 566.51,303.9 569.84,305.36"];
	PostalAddress	 [height=0.98611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv1/PostalAddress.html" TITLE="The PostalAddress class specifies a postal address formatted according to the POSTAL data type (Section 2.11). "><FONT FACE="Nimbus Sans L">PostalAddress</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/PostalAddress.html" TITLE="A free-form description of the element content."><FONT FACE="Nimbus Sans L">[ENUM] meaning (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/PostalAddress.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;.  The interpretation of this code is described in Section 6."><FONT FACE="Nimbus Sans L">[ENUM] lang (Required)</FONT></td></tr>%</table>>,
		pos="667.5,256",
		shape=plaintext,
		width=2.6528];
	Contact -> PostalAddress	 [label="0..1",
		lp="530.5,244.5",
		pos="e,571.67,242.38 501.31,232.38 521.31,235.23 542.02,238.17 561.76,240.97"];
	Email	 [height=0.69444,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv1/Email.html" TITLE="The Email class specifies an email address formatted according to EMAIL data type (Section 2.14). "><FONT FACE="Nimbus Sans L">Email</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF"  HREF="/idmef_parser/IODEFv1/Email.html" TITLE="A free-form description of the element content (e.g., hours of coverage for a given number)."><FONT FACE="Nimbus Sans L">[ENUM] meaning (Optional)</FONT></td></tr>%</table>>,
		pos="667.5,177",
		shape=plaintext,
		width=2.6528];
	Contact -> Email	 [label="0..*",
		lp="530.5,203.5",
		pos="e,571.67,190.28 501.31,200.02 521.31,197.25 542.02,194.38 561.76,191.65"];
	AdditionalData	 [height=1.8611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#87689e" HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5. "><FONT FACE="Nimbus Sans L">AdditionalData</FONT></td> </tr>" %<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="The data type of the element content.  The permitted values for this attribute are shown below.  The default value is &quot;string&quot;."><FONT FACE="Nimbus Sans L">[ENUM] dtype (Required)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="A means by which to extend the dtype attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-dtype (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="A free-form description of the element content."><FONT FACE="Nimbus Sans L">[STRING] meaning (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="An identifier referencing the format and semantics of the element content."><FONT FACE="Nimbus Sans L">[STRING] formatid (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="This attribute has been defined in Section 3.2."><FONT FACE="Nimbus Sans L">[ENUM] restriction (Optional)</FONT></td></tr>%</table>>,
		pos="667.5,67",
		shape=plaintext,
		width=2.8194];
	Contact -> AdditionalData	 [label="0..*",
		lp="530.5,148.5",
		pos="e,565.9,120.78 501.31,154.97 519.71,145.23 538.71,135.17 556.99,125.49"];
}

Aggregates

Description (0..*)

A free-form description of the desired action(s).

StartTime (0..1)

The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient.

EndTime (0..1)

The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.

Contact (0..1)

The expected actor for the action.

Attributes

restriction (Optional)

This attribute is defined in Section 3.2.

severity (Optional)

Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.
Rank Keyword Description
1 low Low priority
2 medium Medium priority
3 high High priority

action (Optional)

Classifies the type of action requested. This attribute is an enumerated list with no default value.
Rank Keyword Description
1 nothing No action is requested. Do nothing with the information.
2 contact-source-site Contact the site(s) identified as the source of the activity.
3 contact-target-site Contact the site(s) identified as the target of the activity.
4 contact-sender Contact the originator of the document.
5 investigate Investigate the systems(s) listed in the event.
6 block-host Block traffic from the machine(s) listed as sources the event.
7 block-network Block traffic from the network(s) lists as sources in the event.
8 block-port Block the port listed as sources in the event.
9 rate-limit-host Rate-limit the traffic from the machine(s) listed as sources in the event.
10 rate-limit-network Rate-limit the traffic from the network(s) lists as sources in the event.
11 rate-limit-port Rate-limit the port(s) listed as sources in the event.
12 remediate-other Remediate the activity in a way other than by rate limiting or blocking.
13 status-triage Conveys receipts and the triaging of an incident.
14 status-new-info Conveys that new information was received for this incident.
15 other Perform some custom action described in the Description class.
16 ext-value An escape value used to extend this attribute. See Section 5.1.

ext-action (Optional)

A means by which to extend the action attribute. See Section 5.1.

IDMEFv1

IDMEFv2

IODEFv1

IODEFv2