
Incident Reporting

Numerous EU texts (NIS2, CER, DORA, etc.) oblige entities to report “significant” incidents affecting the availability, authenticity, integrity, or confidentiality of network and information systems to the competent authorities.

Currently, there is no standard incident reporting format. Consequently, reports cannot be stored and analyzed consistently over the short and long term to identify potential connections or correlations between incidents.

Because IDMEFv2 is designed to be generic, it can serve as the foundation of a universal incident reporting format. This can be achieved either by attaching an IDMEFv2 message to a format oriented toward organizational reporting, such as IODEF v2 (Incident Object Description Exchange Format, RFC 7970, produced by the IETF MILE working group), or directly by using the “Reporting” extensions of the IDMEFv2 format and supplementing them as necessary.

The objective is therefore to complement purely organizational reporting with more technical information that allows deeper analysis.

As part of the streamlining effort led by the Digital Omnibus initiative and the creation of a single entry point (SEP) for incident reporting, IDMEFv2 could provide a solid, proven foundation for this standardization.

On the Safe4SOC (Standard Alert Format Exchange for SOCs) project, we have worked on transforming incidents from proprietary SIEMs (Splunk, QRadar, RSA, etc.) into the IDMEFv2 format via “SIEM Gateways.” This mechanism makes it possible to pre-populate an incident report directly from the SIEM's own data. The operator can then supplement this technical core with organizational data such as impact, remediation actions, etc.
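The following Python example, added here and not part of the Safe4SOC project's own code, sketches the two halves of that workflow: a minimal "SIEM gateway" that maps a SIEM-style notable event into an IDMEFv2-shaped message, and a report builder that wraps that message with the operator's organizational data and refuses to submit until the required organizational fields are filled in. The SIEM event, the severity/category mappings, the report envelope and the list of required organizational fields are all constructed for this example; the IDMEFv2 field names (Version, ID, CreateTime, Category, Severity, Analyzer, Source, Target) follow the IDMEFv2 JSON layout as I recall it and should be validated against the official IDMEFv2 JSON schema before any real use.

```python
"""Added example (not Safe4SOC or IDMEFv2 project code): SIEM event -> IDMEFv2
message -> incident report completed with organizational data."""
import json
import uuid
from datetime import datetime, timezone

# Constructed Splunk-style notable event; not a real export.
SIEM_EVENT = {
    "rule_name": "Brute force login from single source",
    "urgency": "high",
    "_time": "2024-03-04T10:15:00Z",
    "src": "203.0.113.45",
    "dest": "10.0.0.12",
    "dest_host": "vpn-gw01",
    "user": "jdoe",
    "count": 412,
}

# Assumed mappings from the SIEM's vocabulary to IDMEFv2 vocabulary.
SEVERITY_MAP = {"critical": "High", "high": "High", "medium": "Medium",
                "low": "Low", "informational": "Info"}
CATEGORY_MAP = {"brute force": "Attempt.Login", "port scan": "Recon.Scanning"}
UNKNOWN_CATEGORY = "Other.Uncategorised"   # assumed fallback value


def siem_to_idmefv2(event, analyzer_name="splunk-gateway"):
    """Gateway step: pre-populate the technical part of the report.

    Field names are assumed to match the IDMEFv2 JSON layout; check them
    against the official schema.
    """
    rule = event["rule_name"].lower()
    category = next((cat for key, cat in CATEGORY_MAP.items() if key in rule),
                    UNKNOWN_CATEGORY)
    return {
        "Version": "2.0.3",  # assumed IDMEFv2 version string
        "ID": str(uuid.uuid4()),
        "CreateTime": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "StartTime": event["_time"],
        "Category": [category],
        "Severity": SEVERITY_MAP.get(event["urgency"].lower(), "Unknown"),
        "Description": event["rule_name"],
        "Analyzer": {"Name": analyzer_name, "Model": "Splunk",
                     "Category": ["SIEM"]},
        "Source": [{"IP": event["src"]}],
        "Target": [{"IP": event["dest"], "Hostname": event["dest_host"],
                    "User": event["user"]}],
    }


# Constructed organizational fields the operator must supply; this list and
# the envelope below are illustrative, not a regulatory template.
REQUIRED_ORG_FIELDS = ("reporting_entity", "impact", "remediation_actions",
                       "contact")

ORG_DATA = {
    "reporting_entity": "Example Hospital Group",
    "impact": "VPN authentication degraded for 20 minutes; "
              "no confirmed account compromise",
    "remediation_actions": ["Source IP blocked at perimeter",
                            "Affected account password reset"],
    "contact": "soc@example.org",
}


def missing_org_fields(organizational):
    """Return the required organizational fields that are absent or empty."""
    return [f for f in REQUIRED_ORG_FIELDS if not organizational.get(f)]


def build_incident_report(technical, organizational):
    """Combine the IDMEFv2 message with the operator's organizational data.

    The technical part is embedded verbatim: IDMEFv2 complements the
    organizational information rather than replacing it.
    """
    missing = missing_org_fields(organizational)
    if missing:
        raise ValueError("report incomplete, missing organizational fields: "
                         + ", ".join(missing))
    return {
        "report_type": "significant_incident",
        "submitted_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "organizational": dict(organizational),
        "technical": technical,
    }


if __name__ == "__main__":
    message = siem_to_idmefv2(SIEM_EVENT)
    print(json.dumps(build_incident_report(message, ORG_DATA), indent=2))
```

Running the script prints the combined report as JSON. The gateway mapping is deliberately lossless for the fields it knows about, so a downstream analyst can correlate the `Source`/`Target` addresses and `Category` across reports from different SIEMs, which is the correlation the page says is impossible without a common format.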

IDMEFv2 does not replace organizational information; it complements it with standardized technical data that allows incidents to be better understood and, above all, the situation to be analyzed comprehensively across all affected stakeholders.