RFC 7970
The Incident Object Description Exchange Format Version 2
8. The IODEF Data Model (XML Schema)
<?xml version="1.0"?> <xs:schema xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0" xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/2002/ REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0" schemaLocation="http://www.iana.org/assignments/ xml-registry/schema/iodef-enum-1.0.xsd"/> <xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0" schemaLocation="http://www.iana.org/assignments/ xml-registry/schema/iodef-sci-1.0.xsd"/> <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3c.org/2001/xml.xsd"/> <xs:annotation> <xs:documentation> Incident Object Description Exchange Format v2.0
</xs:documentation>
</xs:annotation>
<!--
===================================================================
== IODEF-Document class ==
===================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version" type="xs:string" fixed="2.00"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute name="format-id" type="xs:string" use="optional"/>
<xs:attribute name="private-enum-name"
type="xs:string" use="optional"/>
<xs:attribute name="private-enum-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Incident class ==
===================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID" minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" minOccurs="0"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
<xs:element ref="iodef:ReportTime" minOccurs="0"/>
<xs:element ref="iodef:GenerationTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:IndicatorData" minOccurs="0"/>
<xs:element ref="iodef:History" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose"
type="incident-purpose-type" use="required"/>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="status" type="incident-status-type"/>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="private"
use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="incident-purpose-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="incident-status-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved"/>
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== IncidentID class ==
===================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
==================================================================
== AlternativeID class ==
==================================================================
-->
<xs:element name="AlternativeID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== RelatedActivity class ==
===================================================================
-->
<xs:element name="RelatedActivity">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:IndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActor">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ThreatActorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActorID" type="xs:string"/>
<xs:element name="Campaign">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:CampaignID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!--
===================================================================
== Contact class ==
===================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Timezone" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role"
type="contact-role-type" use="required"/>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type"
type="contact-type-type" use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="contact-role-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="contact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ContactName" type="iodef:MLStringType"/>
<xs:element name="ContactTitle" type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="registry"
type="registryhandle-registry-type"/>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="registryhandle-registry-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:PAddress"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="postaladdress-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="PAddress" type="iodef:MLStringType"/>
<xs:simpleType name="postaladdress-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="street"/>
<xs:enumeration value="mailing"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Telephone">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:TelephoneNumber"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="telephone-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="TelephoneNumber" type="xs:string"/>
<xs:simpleType name="telephone-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="wired"/>
<xs:enumeration value="mobile"/>
<xs:enumeration value="fax"/>
<xs:enumeration value="hotline"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Email">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:EmailTo"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="email-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="email-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="direct"/>
<xs:enumeration value="hotline"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Time-based classes ==
===================================================================
-->
<xs:element name="DateTime" type="xs:dateTime"/>
<xs:element name="ReportTime" type="xs:dateTime"/>
<xs:element name="DetectTime" type="xs:dateTime"/>
<xs:element name="StartTime" type="xs:dateTime"/>
<xs:element name="EndTime" type="xs:dateTime"/>
<xs:element name="RecoveryTime" type="xs:dateTime"/>
<xs:element name="GenerationTime" type="xs:dateTime"/>
<xs:element name="Timezone" type="iodef:TimezoneType"/>
<!--
===================================================================
== History class ==
===================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" minOccurs="0"/>
<xs:element ref="iodef:Contact" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DefinedCOA"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="DefinedCOA" type="xs:string"/>
<!--
===================================================================
== Expectation class ==
===================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DefinedCOA"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:Contact" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Discovery class ==
===================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
type="discovery-source-type" use="optional"
default="unknown"/>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="discovery-source-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="DetectionPattern">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Method class ==
===================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:AttackPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:Vulnerability"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:Weakness"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Reference class ==
===================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element ref="enum:ReferenceName" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Assessment class ==
===================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentCategory"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:SystemImpact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
<xs:element ref="iodef:IntendedImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:MitigatingFactor"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Cause"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IncidentCategory" type="iodef:MLStringType"/>
<xs:element name="BusinessImpact" type="iodef:BusinessImpactType"/>
<xs:element name="IntendedImpact" type="iodef:BusinessImpactType"/>
<xs:element name="MitigatingFactor" type="iodef:MLStringType"/>
<xs:element name="Cause" type="iodef:MLStringType"/>
<xs:element name="SystemImpact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="severity"
type="iodef:severity-type" use="optional"/>
<xs:attribute name="completion"
type="iodef:systemimpact-completion-type"
use="optional"/>
<xs:attribute name="type"
type="systemimpact-type-type"
use="optional" default="unknown"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="systemimpact-completion-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="systemimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/>
<xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/>
<xs:enumeration value="availability-account"/>
<xs:enumeration value="availability-service"/>
<xs:enumeration value="availability-system"/>
<xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="BusinessImpactType">
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="severity"
type="businessimpact-severity-type" use="optional"/>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
type="businessimpact-type-type"
use="optional" default="unknown"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="businessimpact-severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="businessimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service"/>
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="metric"
type="timeimpact-metric-type" use="required"/>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration" type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="timeimpact-metric-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="currency" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType>
<xs:attribute name="rating"
type="confidence-rating-type" use="required"/>
<xs:attribute name="ext-rating"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="confidence-rating-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== EventData class ==
===================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" minOccurs="0"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
<xs:element ref="iodef:ReportTime" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record" minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Flow class ==
===================================================================
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
===================================================================
== System class ==
===================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="category" type="system-category-type"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface" type="xs:string"/>
<xs:attribute name="spoofed"
type="yes-no-unknown-type" default="unknown"/>
<xs:attribute name="virtual"
type="yes-no-unknown-type" use="optional"
default="unknown"/>
<xs:attribute name="ownership" type="system-ownership-type"
use="optional"/>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
<xs:simpleType name="system-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="system-ownership-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress" minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category"
type="address-category-type"
default="ipv6-addr"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" type="xs:string"/>
<xs:attribute name="vlan-num" type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="address-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-masked"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-masked"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="category"
type="noderole-category-type" use="required"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="noderole-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Service class ==
===================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ServiceName" minOccurs="0"/>
<xs:element ref="iodef:Port" minOccurs="0"/>
<xs:element ref="iodef:Portlist" minOccurs="0"/>
<xs:element ref="iodef:ProtoType" minOccurs="0"/>
<xs:element ref="iodef:ProtoCode" minOccurs="0"/>
<xs:element ref="iodef:ProtoField" minOccurs="0"/>
<xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Port" type="xs:integer"/>
<xs:element name="Portlist" type="iodef:PortlistType"/>
<xs:element name="ProtoType" type="xs:integer"/>
<xs:element name="ProtoCode" type="xs:integer"/>
<xs:element name="ProtoField" type="xs:integer"/>
<xs:element name="ApplicationHeader">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ApplicationHeaderField"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="ApplicationHeaderField"
type="iodef:ExtensionType"/>
<xs:element name="ServiceName">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IANAService"
minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="IANAService" type="xs:string"/>
<xs:element name="Application" type="iodef:SoftwareType"/>
<!--
===================================================================
== Counter class ==
===================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:float">
<xs:attribute name="type"
type="counter-type-type" use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="unit"
type="counter-unit-type" use="required"/>
<xs:attribute name="ext-unit"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration" type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="counter-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="counter"/>
<xs:enumeration value="rate"/>
<xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="counter-unit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== EmailData class ==
===================================================================
-->
<xs:element name="EmailData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:EmailTo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailFrom" minOccurs="0"/>
<xs:element ref="iodef:EmailSubject" minOccurs="0"/>
<xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
<xs:element ref="iodef:EmailHeaderField"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
<xs:element ref="iodef:EmailBody" minOccurs="0"/>
<xs:element ref="iodef:EmailMessage" minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="SignatureData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="EmailTo" type="xs:string"/>
<xs:element name="EmailFrom" type="xs:string"/>
<xs:element name="EmailSubject" type="xs:string"/>
<xs:element name="EmailX-Mailer" type="xs:string"/>
<xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
<xs:element name="EmailHeaders" type="xs:string"/>
<xs:element name="EmailBody" type="xs:string"/>
<xs:element name="EmailMessage" type="xs:string"/>
<!--
===================================================================
== DomainData class ==
===================================================================
-->
<xs:element name="DomainData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Name"/>
<xs:element ref="iodef:DateDomainWasChecked"
minOccurs="0"/>
<xs:element ref="iodef:RegistrationDate"
minOccurs="0"/>
<xs:element ref="iodef:ExpirationDate"
minOccurs="0"/>
<xs:element ref="iodef:RelatedDNS"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DomainContacts"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="system-status"
type="domaindata-system-status-type"/>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status"
type="domaindata-domain-status-type"/>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Name" type="xs:string"/>
<xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:element name="RegistrationDate" type="xs:dateTime"/>
<xs:element name="ExpirationDate" type="xs:dateTime"/>
<xs:simpleType name="domaindata-system-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="domaindata-domain-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RelatedDNS" type="iodef:ExtensionType"/>
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Server"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Server" type="xs:string"/>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element ref="iodef:SameDomainContact"/>
<xs:element ref="iodef:Contact"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="SameDomainContact" type="xs:string"/>
<!--
===================================================================
== Record class ==
===================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type"
type="recordpattern-type-type"
use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
type="recordpattern-offsetunit-type"
use="optional" default="line"/>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="recordpattern-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="recordpattern-offsetunit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RecordItem" type="iodef:ExtensionType"/>
<!--
===================================================================
== WindowsRegistryKeysModified class ==
===================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Key" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Key">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:KeyName"/>
<xs:element ref="iodef:Value" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction"
type="key-registryaction-type"/>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" type="xs:string"/>
<xs:simpleType name="key-registryaction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
====================================================================
== FileData class ==
====================================================================
-->
<xs:element name="FileData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
(next page on part 8)
