IODEF | Overview

The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs).

It provides an XML representation for conveying incident information across administrative domains between parties that have an operational responsibility of remediation or a watch-and-warning over a defined constituency. The data model encodes information about hosts, networks, and the services running on these systems; attack methodology and associated forensic evidence; impact of the activity; and limited approaches for documenting workflow.

The overriding purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Community adoption of the IODEF provides an improved ability to resolve incidents and convey situational awareness by simplifying collaboration and data sharing. This structured format provided by the IODEF allows for:

  • Increased automation in processing of incident data, since the resources of security analysts to parse free-form textual documents will be reduced;
  • Decreased effort in normalizing similar data (even when highly structured) from different sources;
  • A common format on which to build interoperable tools for incident handling and subsequent analysis, specifically when data comes from multiple constituencies.

One of the design principles in the IODEF is the compatibility with the Intrusion Detection Message Exchange Format (IDMEF) developed for intrusion detection systems. For this reason, IODEF is heavily based on the IDMEF and provides upward compatibility with it.



The aggregate classes that constitute Incident are:

  • IncidentID : One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document.
  • AlternativeID : Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document.
  • RelatedActivity : Zero or one. The incident tracking numbers of related incidents.
  • DetectTime : Zero or one. The time the incident was first detected.
  • StartTime : Zero or one. The time the incident started.
  • EndTime : Zero or one. The time the incident ended.
  • ReportTime : One. The time the incident was reported.
  • Description : Zero or more. ML_STRING. A free-form textual description of the incident.
  • Assessment : One or more. A characterization of the impact of the incident.
  • Method : Zero or more. The techniques used by the intruder in the incident.
  • Contact : One or more. Contact information for the parties involved in the incident.
  • EventData : Zero or more. Description of the events comprising the incident.
  • History : Zero or one. A log of significant events or actions that occurred during the course of handling the incident.
  • AdditionalData : Zero or more. Mechanism by which to extend the data model.