Observable

The Observable class describes a feature and phenomenon that can be observed or measured for the purposes of detecting malicious behavior.

Class diagram: Observable (each field reads [TYPE] Name (multiplicity); each arrow reads Parent -> Child multiplicity)

Observable
  [EXTENSION] AdditionalData (0..*)
  [ENUM] restriction (0..1)
  [STRING] ext-restriction (0..1)

Observable -> System 0..1
Observable -> DomainData 0..1
Observable -> Address 0..1
Observable -> RegistryHandle 0..1
Observable -> Service 0..1
Observable -> EmailData 0..1
Observable -> WindowsRegistryKeysModified 0..1
Observable -> FileData 0..1
Observable -> CertificateData 0..1
Observable -> RecordData 0..1
Observable -> EventData 0..1
Observable -> DetectionPattern 0..1
Observable -> Assessment 0..1
Observable -> Reference 0..1
Observable -> Expectation 0..1
Observable -> Incident 0..1
Observable -> HistoryItem 0..1
Observable -> BulkObservable 0..1

The figure also expands each of these classes into its own fields and nested classes (for example System -> Node 1..1, Contact -> Email 0..*, Indicator -> Observable 0..1).

Descriptions of the classes and fields shown in the diagram:

Observable
  [EXTENSION] AdditionalData (0..*): Mechanism by which to extend the data model.
  [ENUM] restriction (0..1): See Section 3.3.1.
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.

System (Observable -> System 0..1): The System class describes a system or network involved in an event.
  [SOFTWARE] OperatingSystem (0..*): The operating system running on the system.
  [STRING] AssetID (0..*): An asset identifier for the System.
  [ML_STRING] Description (0..*): A free-form text description of the System.
  [EXTENSION] AdditionalData (0..*): A mechanism by which to extend the data model.
  [ENUM] category (0..1): Classifies the role the host or network played in the incident. These values are maintained in the "System-category" IANA registry per Section 10.2.
  [STRING] ext-category (0..1): A means by which to extend the category attribute. See Section 5.1.1.
  [STRING] interface (0..1): Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.
  [ENUM] spoofed (0..1): An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".
  [ENUM] virtual (0..1): Indicates whether this System is a virtual or physical device. The default value is "unknown".
  [ENUM] ownership (0..1): Describes the ownership of this System relative to the victim in the incident. These values are maintained in the "System-ownership" IANA registry per Section 10.2.
  [STRING] ext-ownership (0..1): A means by which to extend the ownership attribute. See Section 5.1.1.
  [ENUM] restriction (0..1): See Section 3.3.1.
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

DomainData (Observable -> DomainData 0..1): The DomainData class describes a domain name and metadata associated with this domain.
  [STRING] Name (1..1): The domain name of a system.
  [DATETIME] DateDomainWasChecked (0..1): A timestamp of when the domain listed in the Name class was resolved.
  [DATETIME] RegistrationDate (0..1): A timestamp of when domain listed in the Name class was registered.
  [DATETIME] ExpirationDate (0..1): A timestamp of when the domain listed in the Name class is set to expire.
  [EXTENSION] RelatedDNS (0..*): Additional DNS records associated with this domain.
  [STRING] system-status (0..1): A means by which to extend the system-status attribute. See Section 5.1.1.
  [STRING] domain-status (0..1): A means by which to extend the domain-status attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

Address (Observable -> Address 0..1): The Address class represents a hardware (Layer 2), network (Layer 3), or application (Layer 7) address.

RegistryHandle (Observable -> RegistryHandle 0..1): The RegistryHandle class represents a handle into an Internet registry or community-specific database.

Service (Observable -> Service 0..1): The Service class describes a network service. The service is described by a protocol, port, protocol header field, and application providing or using the service.
  [INTEGER] Port (0..1): A port number.
  [PORTLIST] Portlist (0..1): A list of port numbers.
  [INTEGER] ProtoCode (0..1): A transport-layer (Layer 4) protocol-specific code field (e.g., ICMP code field).
  [INTEGER] ProtoType (0..1): A transport-layer (Layer 4) protocol-specific type field (e.g., ICMP type field).
  [INTEGER] ProtoField (0..1): A transport-layer (Layer 4) protocol-specific flag field (e.g., TCP flag field).
  [SOFTWARE] Application (0..1): The application acting as either the client or the server for the service.
  [INTEGER] ip-protocol (0..1): The IANA-assigned IP protocol number per [IANA.Protocols]. The attribute MUST be set if a Port, Portlist, ProtoCode, ProtoType, or ProtoField class is present.
  [ID] observable-id (0..1): See Section 3.3.2.

EmailData (Observable -> EmailData 0..1): The EmailData class describes headers from an email message and cryptographic hashes and signatures applied to it.
  [EMAIL] EmailTo (0..*): The value of the "To:" header field (Section 3.6.3 of [RFC5322]) in an email.
  [EMAIL] EmailFrom (0..1): The value of the "From:" header field (Section 3.6.2 of [RFC5322]) in an email.
  [STRING] EmailSubject (0..1): The value of the "Subject:" header field in an email. See Section 3.6.5 of [RFC5322].
  [STRING] EmailX-Mailer (0..1): The value of the "X-Mailer:" header field in an email.
  [EXTENSION] EmailHeaderField (0..*): The header name and value of an arbitrary header field of the email message. The name attribute MUST be set to the header name. The header value MUST be set in the element body. The dtype attribute MUST be set to "string".
  [STRING] EmailHeaders (0..1): The headers of an email message.
  [STRING] EmailBody (0..1): The body of an email message.
  [STRING] EmailMessage (0..1): The headers and body of an email message.
  [ID] observable-id (0..1): See Section 3.3.2.

WindowsRegistryKeysModified (Observable -> WindowsRegistryKeysModified 0..1): The WindowsRegistryKeysModified class describes Windows operating system registry keys and the operations that were performed on them. This class was derived from [RFC5901].
  [ID] observable-id (0..1): See Section 3.3.2.

FileData (Observable -> FileData 0..1): The FileData class describes a file or set of files.
  [ENUM] restriction (0..1): See Section 3.3.1.
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

CertificateData (Observable -> CertificateData 0..1): The CertificateData class describes X.509 certificates.
  [ENUM] restriction (0..1): See Section 3.3.1.
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

RecordData (Observable -> RecordData 0..1): The RecordData class describes or references log or audit data from a given type of tool and provides a means to annotate the output.
  [DATETIME] DateTime (0..1): A timestamp of the data found in the RecordItem or URL classes.
  [ML_STRING] Description (0..*): A free-form text description of the data provided in the RecordItem or URL classes.
  [SOFTWARE] Application (0..1): Identifies the tool used to generate the data in the RecordItem or URL classes.
  [EXTENSION] RecordItem (0..*): Log, audit, or forensic data to support the conclusions made during the course of analyzing the incident.
  [URL] URL (0..*): A URL reference to a log or audit data.
  [EXTENSION] AdditionalData (0..*): An extension mechanism for data not explicitly represented in the data model.
  [ENUM] restriction (0..1): See Section 3.3.1.
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

EventData (Observable -> EventData 0..1): The EventData class is a container class to organize data about events that occurred during an incident.
  [ML_STRING] Description (0..*): A free-form text description of the event.
  [DATETIME] DetectTime (0..1): The time the event was detected.
  [DATETIME] StartTime (0..1): The time the event started.
  [DATETIME] EndTime (0..1): The time the event ended.
  [DATETIME] RecoveryTime (0..1): The time the site recovered from the event.
  [DATETIME] ReportTime (0..1): The time the event was reported.
  [EXTENSION] AdditionalData (0..*): An extension mechanism for data not explicitly represented in the data model.
  [ENUM] restriction (0..1): See Section 3.3.1. The default value is "default".
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

DetectionPattern (Observable -> DetectionPattern 0..1): The DetectionPattern class describes a configuration or signature that can be used by an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), SIEM, antivirus, endpoint protection, network analysis, malware analysis, or host forensics tool to identify a particular phenomenon. This class requires the identification of the target application and allows the configuration to be described in either free form or machine-readable form.
  [SOFTWARE] Application (1..1): The application for which the DetectionConfiguration or Description is being provided.
  [ML_STRING] Description (0..*): A free-form text description of how to use the information provided in the Application or DetectionConfiguration classes.
  [STRING] DetectionConfiguration (0..*): A machine-consumable configuration to find a pattern of activity.
  [ENUM] restriction (0..1): See Section 3.3.1.
  [STRING] ext-restriction (0..1): A means by which to extend the restriction attribute. See Section 5.1.1.
  [ID] observable-id (0..1): See Section 3.3.2.

Assessment: The Assessment class describes the repercussions of the incident to the victim.
"><FONT FACE="Nimbus Sans L">Assessment</FONT></td> </tr>" %<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="A free-form text description categorizing the type of incident."><FONT FACE="Nimbus Sans L">[ML_STRING] IncidentCategory (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="The intended outcome to the victim sought by the threat actor. Defined identically to the BusinessImpact defined in Section 3.12.2 but describes intent rather than the realized impact."><FONT FACE="Nimbus Sans L">[] IntendedImpact (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="A description of a mitigating factor relative to the impact on the victim organization."><FONT FACE="Nimbus Sans L">[ML_STRING] MitigatingFactor (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="A description of an underlying cause of the impact."><FONT FACE="Nimbus Sans L">[ML_STRING] Cause (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="A mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="Specifies whether the assessment is describing actual or potential outcomes."><FONT FACE="Nimbus Sans L">[ENUM] occurrence (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="A means by which to extend the restriction attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465" HREF="/idmef_parser/IODEFv2/Assessment.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>, pos="1391,1687.5", shape=plaintext, width=3.4167]; Observable -> Assessment [label="0..1", lp="662,1935", pos="e,1267.7,1765.1 233.2,1820.1 317.88,1848.6 435.89,1883.6 543,1898.5 647.77,1913.1 691.62,1955.1 781,1898.5 796.79,1888.5 784.24,\ 1872 799,1860.5 960.27,1735.2 1059.4,1845.9 1250,1772.5 1252.8,1771.4 1255.5,1770.3 1258.3,1769.2"]; Reference [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#92765a" HREF="/idmef_parser/IODEFv2/Reference.html" TITLE="The Reference class is an external reference to relevant information such as a vulnerability, IDS alert, malware sample, advisory, or attack technique. "><FONT FACE="Nimbus Sans L">Reference</FONT></td> </tr>" %<tr><td BGCOLOR="#b79370" HREF="/idmef_parser/IODEFv2/Reference.html" TITLE="Reference identifier per [RFC7495]."><FONT FACE="Nimbus Sans L">[] (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b79370" HREF="/idmef_parser/IODEFv2/Reference.html" TITLE="A URL to a reference."><FONT FACE="Nimbus Sans L">[URL] URL (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#b79370" HREF="/idmef_parser/IODEFv2/Reference.html" TITLE="A free-form text description of this reference."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#b79370" HREF="/idmef_parser/IODEFv2/Reference.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>, pos="1910,2331.5", shape=plaintext, width=2.9444]; Observable -> Reference [label="0..1", lp="915.5,2533", pos="e,1803.8,2371.7 124.14,1823.7 152.37,1986.8 257.07,2525.5 408.5,2525.5 408.5,2525.5 408.5,2525.5 1391,2525.5 1557.3,2525.5 1640.9,\ 2622.3 1765,2511.5 1804.9,2475.9 1751.2,2435.5 1783,2392.5 
1786.8,2387.3 1791.2,2382.6 1796,2378.2"]; Expectation [height=3.3194, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#999999" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. "><FONT FACE="Nimbus Sans L">Expectation</FONT></td> </tr>" %<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="A free-form text description of the desired action(s)."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="A unique identifier meaningful to the sender and recipient of this document that references a course of action. This class MUST be present if the action attribute is set to &quot;defined-coa&quot;."><FONT FACE="Nimbus Sans L">[STRING] DefinedCOA (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="The time at which the sender would like the action performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the sender would like the action performed as soon as possible. The absence of this element indicates no expectations of when the recipient would like the action performed."><FONT FACE="Nimbus Sans L">[DATETIME] StartTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="The time by which the sender expects the recipient to complete the action. If the recipient cannot complete the action before EndTime, the recipient MUST NOT carry out the action. 
Because of transit delays and clock drift, the sender MUST be prepared for the recipient to have carried out the action, even if it completes past EndTime."><FONT FACE="Nimbus Sans L">[DATETIME] EndTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="Classifies the type of action requested. The default value is &quot;other&quot;. These values are maintained in the &quot;Expectation-action&quot; IANA registry per Section 10.2."><FONT FACE="Nimbus Sans L">[ENUM] action (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="A means by which to extend the action attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-action (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent."><FONT FACE="Nimbus Sans L">[ENUM] severity (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="See Section 3.3.1. The default value is &quot;default&quot;."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="A means by which to extend the restriction attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#BFBFBF" HREF="/idmef_parser/IODEFv2/Expectation.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>, pos="1391,730.5", shape=plaintext, width=2.9444]; Observable -> Expectation [label="0..1", lp="662,926", pos="e,1284.7,733.65 124.59,1731.5 147.99,1602.6 218.75,1241 292,1147.5 524.51,850.67 684.96,860.93 1050,766.5 1123.3,747.53 1208,738.53 \ 1274.6,734.27"]; Incident [height=4.7778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#90ac3d" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents. "><FONT FACE="Nimbus Sans L">Incident</FONT></td> </tr>" %<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The time the incident was first detected."><FONT FACE="Nimbus Sans L">[DATETIME] DetectTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The time the incident started."><FONT FACE="Nimbus Sans L">[DATETIME] StartTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The time the incident ended."><FONT FACE="Nimbus Sans L">[DATETIME] EndTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The time the site recovered from the incident."><FONT FACE="Nimbus Sans L">[DATETIME] RecoveryTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The time the incident was reported."><FONT FACE="Nimbus Sans L">[DATETIME] ReportTime (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The time the content in this Incident class was generated."><FONT FACE="Nimbus Sans L">[DATETIME] 
GenerationTime (1..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="A free-form text description of the incident."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="Mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="A means by which to extend the purpose attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] purpose (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="The status attribute conveys the state in a workflow where the incident is currently found. These values are maintained in the &quot;Incident-status&quot; IANA registry per Section 10.2. This attribute is defined as an enumerated list:"><FONT FACE="Nimbus Sans L">[ENUM] status (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="A means by which to extend the status attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-status (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="A language identifier per Section 2.12 of [W3C.XML] whose values and form are described in [RFC5646]. The interpretation of this code is described in Section 6."><FONT FACE="Nimbus Sans L">[ENUM] (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="See Section 3.3.1. The default value is &quot;private&quot;."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="A means by which to extend the restriction attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#b4d74c" HREF="/idmef_parser/IODEFv2/Incident.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>, pos="408.5,1634.5", shape=plaintext, width=3.2361]; Observable -> Incident [label="0..1", lp="262.5,1718", pos="e,291.9,1691.6 210.5,1731.5 233.49,1720.2 258.45,1708 282.67,1696.1"]; HistoryItem [height=2.7361, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca352" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="The HistoryItem class is an entry in the History (Section 3.13) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form text description, but each can be categorized with the type attribute. "><FONT FACE="Nimbus Sans L">HistoryItem</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="A timestamp of this entry in the history log."><FONT FACE="Nimbus Sans L">[DATETIME] DateTime (1..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="A free-form text description of the action or event."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="An identifier meaningful to the sender and recipient of this document that references a course of action (COA). 
This class MUST be present if the action attribute is set to &quot;defined-coa&quot;."><FONT FACE="Nimbus Sans L">[STRING] DefinedCOA (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="A mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="A means by which to extend the action attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] action (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="A means by which to extend the restriction attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IODEFv2/HistoryItem.html" TITLE="See Section 3.3.2."><FONT FACE="Nimbus Sans L">[ID] observable-id (0..1)</FONT></td></tr>%</table>>, pos="1391,1119.5", shape=plaintext, width=3.2361]; Observable -> HistoryItem [label="0..1", lp="662,1155", pos="e,1274.4,1118.5 118.83,1731.3 126.39,1629.8 158.26,1385.2 292,1244.5 374.4,1157.8 425.81,1171.4 543,1147.5 676.96,1120.2 1062.5,\ 1117.8 1264.3,1118.5"]; BulkObservable [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/BulkObservable.html" TITLE="The BulkObservable class allows the enumeration of a single type of observable without requiring each one to be encoded individually in multiple instances of the same class. "><FONT FACE="Nimbus Sans L">BulkObservable</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/BulkObservable.html" TITLE="A list of observables, one per line. 
Each line is separated with either a LF character or CR and LF characters. The type attribute specifies which observables will be listed."><FONT FACE="Nimbus Sans L">[STRING] BulkObservableList (1..1)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/BulkObservable.html" TITLE="Mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/BulkObservable.html" TITLE="The type of the observable listed in the child ObservableList class. These values are maintained in the &quot;BulkObservable-type&quot; IANA registry per Section 10.2."><FONT FACE="Nimbus Sans L">[ENUM] type (0..1)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/BulkObservable.html" TITLE="A means by which to extend the type attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-type (0..1)</FONT></td></tr>%</table>>, pos="662,111.5", shape=plaintext, width=3.3056]; Observable -> BulkObservable [label="0..1", lp="262.5,173", pos="e,542.58,90.981 116.97,1731.4 119.97,1479.9 140.04,281.85 251,165.5 321.61,91.457 440.56,83 532.37,90.118"]; "Node" [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#3daf3d" HREF="/idmef_parser/IODEFv2/Node.html" TITLE="The Node class identifies a system, asset, or network and its location. "><FONT FACE="Nimbus Sans L">Node</FONT></td> </tr>" %<tr><td BGCOLOR="#4cdb4c" HREF="/idmef_parser/IODEFv2/Node.html" TITLE="A free-form text description of the physical location of the node. 
This description may provide a more detailed description of where at the address specified by the PostalAddress class this node is found (e.g., room number, rack number, or slot number in a chassis)."><FONT FACE="Nimbus Sans L">[ML_STRING] Location (0..*)</FONT></td></tr>%</table>>, pos="2202,2927.5", shape=plaintext, width=2.7083]; System -> "Node" [label="1..1", lp="2066.5,2925", pos="e,2104.2,2919.5 2034.7,2913.7 2054.5,2915.4 2074.8,2917 2094.2,2918.6"]; Counter [height=0.5, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cc6a51" HREF="/idmef_parser/IODEFv2/Counter.html" TITLE="The Counter class summarizes multiple occurrences of an event or conveys counts or rates of various features. "><FONT FACE="Nimbus Sans L">Counter</FONT></td> </tr>" %</table>>, pos="2513,2638.5", shape=plaintext, width=0.98611]; System -> Counter [label="0..*", lp="2202,2670", pos="e,2477.4,2636.8 2027,2741.8 2057.6,2701.6 2085.1,2668.2 2096,2662.5 2159.3,2629.1 2372.8,2632.9 2467.3,2636.4"]; NodeRole [height=0.98611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#3daf3d" HREF="/idmef_parser/IODEFv2/NodeRole.html" TITLE="The NodeRole class describes the function performed by or role of a particular system, asset, or network. "><FONT FACE="Nimbus Sans L">NodeRole</FONT></td> </tr>" %<tr><td BGCOLOR="#4cdb4c" HREF="/idmef_parser/IODEFv2/NodeRole.html" TITLE="A free-form text description of the role of the system."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c" HREF="/idmef_parser/IODEFv2/NodeRole.html" TITLE="A means by which to extend the category attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] category (0..1)</FONT></td></tr>%</table>>, pos="2202,2581.5", shape=plaintext, width=2.9444]; System -> NodeRole [label="0..*", lp="2066.5,2632", pos="e,2096,2596.8 2030.5,2741.8 2032.8,2737 2035,2732.3 2037,2727.5 2055.1,2684.7 2024,2659.1 2055,2624.5 2063.8,2614.6 2074.8,2607 \ 2086.7,2601"]; System -> Service [label="0..*", lp="2066.5,2852", pos="e,2095.7,2828.5 2034.7,2853.1 2051.8,2846.2 2069.3,2839.1 2086.3,2832.3"]; "Node" -> DomainData [label="0..*", lp="2337.5,2994", pos="e,2367,2993.8 2264.6,2952.6 2291.6,2963.5 2324.7,2976.8 2357.7,2990.1"]; "Node" -> Address [label="0..*", lp="2688.5,2913", pos="e,3126.9,3034.3 2299.5,2915 2447.3,2899.3 2735.5,2881.8 2968,2947.5 3025.6,2963.8 3084.2,3002.5 3118.6,3028.1"]; PostalAddress [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv2/PostalAddress.html" TITLE="The PostalAddress class specifies a postal address and associated annotation. "><FONT FACE="Nimbus Sans L">PostalAddress</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/PostalAddress.html" TITLE="A postal address."><FONT FACE="Nimbus Sans L">[POSTAL] PAddress (1..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/PostalAddress.html" TITLE="A free-form text description of the address."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/PostalAddress.html" TITLE="Categorizes the type of address described in the PAddress class. These values are maintained in the &quot;PostalAddress-type&quot; IANA registry per Section 10.2."><FONT FACE="Nimbus Sans L">[ENUM] type (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/PostalAddress.html" TITLE="A means by which to extend the type attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-type (0..1)</FONT></td></tr>%</table>>, pos="3445,2636.5", shape=plaintext, width=2.9444]; "Node" -> PostalAddress [label="0..1", lp="2843,2870", pos="e,3406.5,2693.2 2278.1,2902.5 2340.5,2884.2 2431.5,2862.5 2513,2862.5 2513,2862.5 2513,2862.5 3149.5,2862.5 3256.4,2862.5 3348.6,\ 2768 3400.4,2701.2"]; "Node" -> Counter [label="0..*", lp="2337.5,2728", pos="e,2477.4,2638 2298.2,2902.3 2301.8,2899.4 2305.1,2896.1 2308,2892.5 2332.1,2862.6 2312,2756.3 2326,2720.5 2337.1,2692.1 2341.1,2681.6 \ 2367,2665.5 2397,2646.9 2436.6,2640.4 2467,2638.5"]; Nameservers [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/Nameservers.html" TITLE="The Nameservers class describes the nameservers associated with a given domain. "><FONT FACE="Nimbus Sans L">Nameservers</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/Nameservers.html" TITLE="The domain name of the nameserver."><FONT FACE="Nimbus Sans L">[STRING] Server (1..1)</FONT></td></tr>%</table>>, pos="2843,3052.5", shape=plaintext, width=2.2361]; DomainData -> Nameservers [label="0..*", lp="2688.5,3060", pos="e,2762.1,3052.5 2659.2,3052.5 2690.8,3052.5 2723.3,3052.5 2752.1,3052.5"]; DomainContacts [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/DomainContacts.html" TITLE="The DomainContacts class describes the contact information for a given domain provided either by the registrar or through a whois query. "><FONT FACE="Nimbus Sans L">DomainContacts</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/DomainContacts.html" TITLE="A domain name already cited in this document or through previous exchange that contains the identical contact information as the domain name in question. 
The domain contact information associated with this domain should be used instead of an explicit definition with the Contact class."><FONT FACE="Nimbus Sans L">[STRING] SameDomainContact (0..1)</FONT></td></tr>%</table>>, pos="2843,2981.5", shape=plaintext, width=3.4722]; DomainData -> DomainContacts [label="0..1", lp="2688.5,3025", pos="e,2726.6,3006.5 2659.2,3021 2678.4,3016.9 2698,3012.7 2716.9,3008.6"]; Nameservers -> Address [label="1..*", lp="2997.5,3060", pos="e,3113.4,3052.5 2923.5,3052.5 2980.7,3052.5 3055.6,3052.5 3103.1,3052.5"]; Contact [height=3.0278, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident. "><FONT FACE="Nimbus Sans L">Contact</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="The name of the contact. The contact may either be an organization or a person. 
The type attribute disambiguates the semantics."><FONT FACE="Nimbus Sans L">[ML_STRING] ContactName (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="The title for the individual named in the ContactName."><FONT FACE="Nimbus Sans L">[ML_STRING] ContactTitle (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="A free-form text description of the contact."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="The timezone in which the contact resides."><FONT FACE="Nimbus Sans L">[TIMEZONE] Timezone (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="A mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="A means by which to extend the role attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] role (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="A means by which to extend the type attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] type (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Contact.html" TITLE="A means by which to extend the restriction attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%</table>>, pos="3149.5,1988.5", shape=plaintext, width=3.2361]; DomainContacts -> Contact [label="1..*", lp="2997.5,2853", pos="e,3136.7,2097.6 2888.2,2956.5 2915.5,2939 2948.7,2913.2 2968,2881.5 3046.7,2752.7 3108.9,2319.6 3135.5,2107.6"]; Contact -> Contact [label="0..*", lp="3149.5,2123", pos="e,3172.7,2097.8 3126.3,2097.8 3130.9,2108.6 3138.7,2115.5 3149.5,2115.5 3156.9,2115.5 3162.9,2112.2 3167.5,2106.7"]; Contact -> RegistryHandle [label="0..*", lp="3301.5,2632", pos="e,3439.4,3071.4 3175.9,2097.5 3210.2,2237.7 3272.6,2488.4 3331,2701.5 3368.2,2837.2 3417,2998.1 3436.5,3061.7"]; Contact -> PostalAddress [label="0..*", lp="3301.5,2340", pos="e,3419.2,2580 3199.3,2097.7 3261,2233.1 3364.4,2459.7 3415.1,2570.9"]; Email [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IODEFv2/Email.html" TITLE="The Email class specifies an email address and associated annotation. "><FONT FACE="Nimbus Sans L">Email</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Email.html" TITLE="An email address."><FONT FACE="Nimbus Sans L">[EMAIL] EmailTo (1..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Email.html" TITLE="A free-form text description of the email address."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Email.html" TITLE="Categorizes the type of email address described in the EmailTo class. These values are maintained in the &quot;Email-type&quot; IANA registry per Section 10.2."><FONT FACE="Nimbus Sans L">[ENUM] type (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IODEFv2/Email.html" TITLE="A means by which to extend the type attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-type (0..1)</FONT></td></tr>%</table>>, pos="3445,2054.5", shape=plaintext, width=2.9444];
AlternativeIndicatorID [height=0.98611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/AlternativeIndicatorID.html" TITLE="The AlternativeIndicatorID class lists alternative identifiers for an indicator. 
"><FONT FACE="Nimbus Sans L">AlternativeIndicatorID</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/AlternativeIndicatorID.html" TITLE="See Section 3.3.1."><FONT FACE="Nimbus Sans L">[ENUM] restriction (0..1)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/AlternativeIndicatorID.html" TITLE="A means by which to extend the restriction attribute. See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-restriction (0..1)</FONT></td></tr>%</table>>, pos="1910,2636.5", shape=plaintext, width=2.7778]; Indicator -> AlternativeIndicatorID [label="0..*", lp="1648.5,2608", pos="e,1809.8,2614.8 1413.1,2263.2 1434.6,2326.7 1472.7,2415.1 1532,2473.5 1605.9,2546.2 1717.3,2588.8 1800.1,2612.1"]; IndicatorReference [height=0.5, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/IndicatorReference.html" TITLE="The IndicatorReference describes a reference to an indicator. This reference may be to an indicator described in this IODEF document or in a previously exchanged IODEF document. "><FONT FACE="Nimbus Sans L">IndicatorReference</FONT></td> </tr>" %</table>>, pos="2202,2509.5", shape=plaintext, width=1.9028]; Indicator -> IndicatorReference [label="0..1", lp="1910,2721", pos="e,2133.3,2518.9 1406.8,2263.3 1430.8,2374.5 1479.5,2570.8 1532,2619.5 1614.9,2696.3 1948.5,2750.9 2037,2680.5 2064.8,2658.4 2041.4,\ 2635.4 2055,2602.5 2068.2,2570.6 2068.1,2556.9 2096,2536.5 2104.3,2530.4 2113.8,2525.7 2123.7,2522"]; ObservableReference [height=0.5, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/ObservableReference.html" TITLE="The ObservableReference describes a reference to an observable feature or phenomenon described elsewhere in the document. 
"><FONT FACE="Nimbus Sans L">ObservableReference</FONT></td> </tr>" %</table>>, pos="2202,2440.5", shape=plaintext, width=2.1528]; Indicator -> ObservableReference [label="0..1", lp="1910,2440", pos="e,2124.3,2437.8 1470.6,2263.3 1489.7,2279.3 1510.7,2295.1 1532,2307.5 1634.3,2367 1667.6,2370.4 1783,2396.5 1895.6,2422 2028.6,2432.8 \ 2114.1,2437.3"]; IndicatorExpression [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/IndicatorExpression.html" TITLE="The IndicatorExpression describes an expression composed of observed phenomenon, features, or indicators. Elements of the expression can be described directly, reference relevant data from other parts of a given IODEF document, or reference previously defined indicators. "><FONT FACE="Nimbus Sans L">IndicatorExpression</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/IndicatorExpression.html" TITLE="Mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/IndicatorExpression.html" TITLE="The operator to be applied between the child elements. See Section 3.29.5 for parsing guidance. The default value is &quot;and&quot;. These values are maintained in the &quot;IndicatorExpression-operator&quot; IANA registry per Section 10.2."><FONT FACE="Nimbus Sans L">[ENUM] operator (0..1)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/IndicatorExpression.html" TITLE="A means by which to extend the operator attribute. 
See Section 5.1.1."><FONT FACE="Nimbus Sans L">[STRING] ext-operator (0..1)</FONT></td></tr>%</table>>, pos="1910,2503.5", shape=plaintext, width=3.2361]; Indicator -> IndicatorExpression [label="0..1", lp="1648.5,2466", pos="e,1793.4,2465.1 1413.3,2263.2 1434.2,2320.8 1471.4,2396 1532,2435.5 1575.6,2463.9 1714,2448.2 1765,2458.5 1771.1,2459.7 1777.3,2461.1 \ 1783.6,2462.6"]; AttackPhase [height=1.5694, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/AttackPhase.html" TITLE="The AttackPhase class describes a particular phase of an attack life cycle. "><FONT FACE="Nimbus Sans L">AttackPhase</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/AttackPhase.html" TITLE="An identifier for the phase of the attack."><FONT FACE="Nimbus Sans L">[STRING] Specified (0..*)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/AttackPhase.html" TITLE="A URL to a resource describing this phase of the attack."><FONT FACE="Nimbus Sans L">[URL] URL (0..*)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/AttackPhase.html" TITLE="A free-form text description of this phase of the attack."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IODEFv2/AttackPhase.html" TITLE="A mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%</table>>, pos="1910,2200.5", shape=plaintext, width=3.2361]; Indicator -> AttackPhase [label="0..*", lp="1648.5,2204", pos="e,1793.2,2197.1 1507.8,2188.9 1589.7,2191.2 1699,2194.4 1783,2196.8"]; AlternativeIndicatorID -> IndicatorReference [label="1..*", lp="2066.5,2543", pos="e,2133.3,2507 2010.1,2611.4 2020,2606 2029.3,2599.5 2037,2591.5 2055.2,2572.7 2035.3,2552.7 2055,2535.5 2073.7,2519.2 2099,2511.4 \ 2123.3,2508.1"]; IndicatorExpression -> Observable [label="0..*", lp="915.5,2741", pos="e,120.39,1823.6 1828.2,2549.6 1706.1,2616.8 1480.9,2733.5 1391,2733.5 408.5,2733.5 
408.5,2733.5 408.5,2733.5 219.16,2733.5 140.45,\ 2038.9 121.33,1833.9"]; IndicatorExpression -> Confidence [label="0..1", lp="2066.5,2035", pos="e,2190,1810.6 2025.6,2457.3 2029.9,2453.1 2033.7,2448.5 2037,2443.5 2062.6,2405 2041.3,2071.7 2055,2027.5 2062.1,2004.7 2146.9,1875.5 \ 2184.4,1819"]; IndicatorExpression -> IndicatorReference [label="0..*", lp="2066.5,2505", pos="e,2133.2,2501.7 2026.6,2496.8 2043.8,2496.6 2061.4,2496.7 2078,2497.5 2092.6,2498.2 2108.1,2499.4 2123,2500.7"]; IndicatorExpression -> ObservableReference [label="0..*", lp="2066.5,2480", pos="e,2124.5,2457.2 2026.7,2478.3 2056,2472 2086.9,2465.3 2114.5,2459.4"]; IndicatorExpression -> IndicatorExpression [label="0..*", lp="1910,2575", pos="e,1938.5,2549.5 1881.5,2549.5 1884,2559.9 1893.5,2567.5 1910,2567.5 1921.1,2567.5 1929,2564.1 1933.8,2558.7"]; History -> HistoryItem [label="1..*", lp="1150,1176", pos="e,1274.1,1136.5 1015.8,1174 1088,1163.5 1186,1149.2 1263.8,1138"]; HistoryItem -> Contact [label="0..1", lp="2337.5,1127", pos="e,3143.4,1879.4 1507.7,1119.5 1612.9,1119.5 1771.8,1119.5 1910,1119.5 1910,1119.5 1910,1119.5 2843,1119.5 2922.4,1119.5 2958.9,1123.9 \ 3009,1185.5 3092.8,1288.5 3129.2,1671.8 3142.7,1869.3"]; HistoryItem -> IncidentID [label="0..1", lp="1648.5,1161", pos="e,1868.3,1162.2 1507.6,1131.2 1515.8,1132 1524,1132.8 1532,1133.5 1648.4,1144.2 1785.1,1155.5 1858,1161.3"]; BulkObservableFormat [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IODEFv2/BulkObservableFormat.html" TITLE="The ObservableFormat class specifies metadata about the format of an observable enumerated in a sibling BulkObservableList class. 
"><FONT FACE="Nimbus Sans L">BulkObservableFormat</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IODEFv2/BulkObservableFormat.html" TITLE="Mechanism by which to extend the data model."><FONT FACE="Nimbus Sans L">[EXTENSION] AdditionalData (0..*)</FONT></td></tr>%</table>>, pos="1648.5,38.5", shape=plaintext, width=3.2361]; BulkObservable -> BulkObservableFormat [label="0..1", lp="1150,90", pos="e,1531.9,47.128 781.49,102.66 968.83,88.795 1330.1,62.065 1521.8,47.878"]; BulkObservableFormat -> Hash [label="0..1", lp="2337.5,35", pos="e,3043.5,31.371 1765.1,33.787 1849,30.802 1964.7,27.5 2066.5,27.5 2066.5,27.5 2066.5,27.5 2843,27.5 2905.9,27.5 2976,29.204 3033.3,\ 31.039"]; }


Aggregates

System (0..1)

A System observable. See Section 3.17.

Address (0..1)

An Address observable. See Section 3.18.1.

DomainData (0..1)

A DomainData observable. See Section 3.19.

Service (0..1)

A Service observable. See Section 3.20.

EmailData (0..1)

An EmailData observable. See Section 3.21.

WindowsRegistryKeysModified (0..1)

A WindowsRegistryKeysModified observable. See Section 3.23.

FileData (0..1)

A FileData observable. See Section 3.25.

CertificateData (0..1)

A CertificateData observable. See Section 3.24.

RegistryHandle (0..1)

A RegistryHandle observable. See Section 3.9.1.

RecordData (0..1)

A RecordData observable. See Section 3.22.1.

EventData (0..1)

An EventData observable. See Section 3.14.

Incident (0..1)

An Incident observable. See Section 3.2.

Expectation (0..1)

An Expectation observable. See Section 3.15.

Reference (0..1)

A Reference observable. See Section 3.11.1.

Assessment (0..1)

An Assessment observable. See Section 3.12.

DetectionPattern (0..1)

A DetectionPattern observable. See Section 3.10.1.

HistoryItem (0..1)

A HistoryItem observable. See Section 3.13.1.

BulkObservable (0..1)

A bulk list of observables. See Section 3.29.3.1.

AdditionalData (0..*)

Mechanism by which to extend the data model.

restriction (0..1)

See Section 3.3.1.

ext-restriction (0..1)

A means by which to extend the restriction attribute. See Section 5.1.1.
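The cardinalities listed above can be enforced when ingesting Observable elements from a shared report. The following check is an added example, not code from this project; the namespace URI, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace, not shown on this page
# Children this page lists as (0..1)
AT_MOST_ONCE = {
    "System", "Address", "DomainData", "Service", "EmailData",
    "WindowsRegistryKeysModified", "FileData", "CertificateData",
    "RegistryHandle", "RecordData", "EventData", "Incident", "Expectation",
    "Reference", "Assessment", "DetectionPattern", "HistoryItem", "BulkObservable",
}
REPEATABLE = {"AdditionalData"}               # listed as (0..*)
ATTRIBUTES = {"restriction", "ext-restriction"}

def parse_untrusted(data: bytes) -> ET.Element:
    # An Observable needs no DTD; refusing one keeps entity declarations
    # in a received report away from the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not accepted")
    return ET.fromstring(data)

def check_observable(obs: ET.Element) -> list[str]:
    """Return a list of cardinality/name problems; empty means the element conforms."""
    if obs.tag != f"{{{NS}}}Observable":
        return [f"not an IODEF Observable: {obs.tag}"]
    problems = []
    counts = Counter(child.tag for child in obs)
    for tag, n in sorted(counts.items()):
        local = tag.removeprefix(f"{{{NS}}}")
        if local == tag or local not in AT_MOST_ONCE | REPEATABLE:
            problems.append(f"unexpected child: {tag}")   # wrong namespace or unknown class
        elif local in AT_MOST_ONCE and n > 1:
            problems.append(f"{local} occurs {n} times, allowed 0..1")
    for name in sorted(obs.attrib):
        if name not in ATTRIBUTES:
            problems.append(f"unexpected attribute: {name}")
    return problems

# Constructed sample documents (not taken from any real report).
SAMPLE_OK = b"""<Observable xmlns="urn:ietf:params:xml:ns:iodef-2.0" restriction="amber">
  <DomainData><Name>example.test</Name></DomainData>
  <AdditionalData dtype="string">a</AdditionalData>
  <AdditionalData dtype="string">b</AdditionalData>
</Observable>"""
SAMPLE_BAD = b"""<Observable xmlns="urn:ietf:params:xml:ns:iodef-2.0" colour="x">
  <DomainData><Name>example.test</Name></DomainData>
  <DomainData><Name>dup.example.test</Name></DomainData>
  <Hash/>
</Observable>"""
```
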


