IDMEF Frequently Asked Questions
The SIEM market today is comparable to the messaging market of the late 1990s: each vendor tries to impose its own format on users, so SIEMs cannot interoperate. This is becoming a real problem, as it prevents interoperability between tools and therefore collaboration. More serious still, the same SIEM tool deployed by different teams will produce different security results, even when the same taxonomy is used.
A standard is important for collaboration and interoperability, but also for conformity.
IODEF (Incident Object Description Exchange Format) is a format for describing an incident and sharing it between security teams. It is a “human” format.
IDMEF (Intrusion Detection Message Exchange Format) is a format for exchanging alerts between security tools and a security manager (SIEM). It is a “technical” format, even though the alert is ultimately read by a human operator.
IDMEF and IODEF are complementary: an incident can be described by embedding IDMEF objects in the IODEF message.
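To illustrate how the two formats fit together, here is an added example (not from the original FAQ) that parses an IODEF document and pulls out the IDMEF alerts embedded in its AdditionalData elements. The sample incident, its identifiers and addresses are constructed; the namespace URIs are those of RFC 5070 (IODEF v1) and RFC 4765 (IDMEF) as I recall them, so verify them against the RFCs before relying on this.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as published in RFC 5070 (IODEF v1) and RFC 4765 (IDMEF).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
IDMEF_NS = "http://iana.org/idmef"
NS = {"iodef": IODEF_NS, "idmef": IDMEF_NS}

# Constructed sample: one IODEF Incident carrying an IDMEF Alert in AdditionalData (dtype="xml").
SAMPLE_IODEF = f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">INC-2024-0001</IncidentID>
    <ReportTime>2024-01-15T10:00:00Z</ReportTime>
    <Assessment><Impact type="recon" completion="failed"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
    <EventData>
      <AdditionalData dtype="xml">
        <idmef:IDMEF-Message xmlns:idmef="{IDMEF_NS}" version="1.0">
          <idmef:Alert messageid="alert-0001">
            <idmef:Analyzer analyzerid="ids-01" name="example-ids"/>
            <idmef:CreateTime>2024-01-15T09:58:12Z</idmef:CreateTime>
            <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
              <idmef:address>192.0.2.10</idmef:address>
            </idmef:Address></idmef:Node></idmef:Source>
            <idmef:Classification text="Port scan"/>
          </idmef:Alert>
        </idmef:IDMEF-Message>
      </AdditionalData>
    </EventData>
  </Incident>
</IODEF-Document>
"""

def extract_embedded_alerts(iodef_xml: str) -> list[dict]:
    """Return one summary dict per IDMEF Alert embedded in an IODEF document."""
    root = ET.fromstring(iodef_xml)
    alerts = []
    for incident in root.findall("iodef:Incident", NS):
        incident_id = incident.findtext("iodef:IncidentID", default="", namespaces=NS)
        # Only AdditionalData blocks typed as XML can carry a foreign (IDMEF) document.
        for alert in incident.iterfind(".//iodef:AdditionalData[@dtype='xml']//idmef:Alert", NS):
            analyzer = alert.find("idmef:Analyzer", NS)
            classification = alert.find("idmef:Classification", NS)
            alerts.append({
                "incident_id": incident_id,
                "messageid": alert.get("messageid"),
                "analyzer": analyzer.get("name") if analyzer is not None else None,
                "classification": classification.get("text") if classification is not None else None,
                "sources": [a.text for a in alert.iterfind(".//idmef:Source//idmef:address", NS)],
            })
    return alerts
```

The same walk works for any number of alerts per incident, which is how a SIEM-generated IDMEF stream ends up attached to the human-readable IODEF report exchanged between teams.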
The OASIS CTI formats are used to share cyber threat intelligence (CTI). IDMEF information can help create CTI indicators of compromise (IOCs), but this is not systematic. These formats are also complementary.