Give me an (simple) example of IDMEF power?

All alerts have “Source IP”. In IDMEF the source IP is a table where you can define multiple addresses. This is very interesting in case of DoS attacks for example or “Many to one” scan. Most of the alternative format have only a single attribute to describe source IP so it is not possible to have a list. Same problem for target IP.