{"id":66,"date":"2023-03-11T14:23:09","date_gmt":"2023-03-11T14:23:09","guid":{"rendered":"https:\/\/idmefv2.org\/?page_id=66"},"modified":"2026-02-03T23:55:42","modified_gmt":"2026-02-03T22:55:42","slug":"idmefv2-faq","status":"publish","type":"page","link":"https:\/\/www.idmefv2.org\/index.php\/idmefv2-faq\/","title":{"rendered":"IDMEFv2 FAQ"},"content":{"rendered":"\n<p>IDMEFv2 Frequently Asked Questions (if you don&#8217;t find your question, please contact idmefv2@freelists.org)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_does_IDMEF_stands_for\"><\/span>What does IDMEF stand for?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>IDMEF v1 stands for Intrusion Detection Message Exchange Format.<br>IDMEF v2 has been extended to all kinds of incidents, not only intrusions, so IDMEF v2 stands for <strong>Incident Detection Message Exchange Format<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_do_you_pronounce_IDMEF\"><\/span>How do you 
pronounce IDMEF?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Up until now it has usually been pronounced I-D-M-E-F, but it could also be pronounced I-D-MEF.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Who_is_behind_the_IDMEFv2_Task_Force\"><\/span>Who is behind the IDMEFv2 Task Force?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>IDMEFv2 is a &#8220;proposed&#8221; standard, not an &#8220;imposed&#8221; one. There are no large companies behind the standard. The initiative is led by the Telecom SudParis research laboratory with the assistance of the <em>ever-growing<\/em> <a href=\"https:\/\/idmefv2.org\/index.php\/members\/\">IDMEFv2 Task Force members<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Who_is_using_IDMEFv2\"><\/span>Who is using IDMEFv2?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Since 2022 IDMEFv2 has been deployed in many <a href=\"https:\/\/www.idmefv2.org\/index.php\/partners\/\" data-type=\"page\" data-id=\"722\" target=\"_blank\" rel=\"noreferrer noopener\">European research projects<\/a> (total amount: 50 M\u20ac) gathering tens of partners.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Is_IDMEFv2_a_mature_and_official_standard\"><\/span>Is IDMEFv2 a mature and official standard?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>No, and it would be a lie to say otherwise. But IDMEFv2 is a mature &#8220;experimental&#8221; format. It&#8217;s the result of nearly ten years of research on multiple projects, inspired by the V1 version, which has been around for 20 years, and re-using some proven concepts. Being the only &#8220;cyber-physical-hazard&#8221; incident format, it&#8217;s a &#8220;de facto&#8221; standard in the cyber-physical incident detection research community.<br>Please note that EVERY standard you are using today (HTTP, SMTP, NTP, LDAP, etc.) 
started as experimental and grew up to &#8220;official&#8221;.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"f_its_not_official_yet_why_should_I_implement_it_in_my_tool\"><\/span>If it&#8217;s not official yet, why should I implement it in my tool?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Two main reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pragmatic: it&#8217;s very simple to implement and can save you a lot of time compared to using your own proprietary, undocumented, incomplete, not IoT-ready, no-geolocation, tedious-to-tune, <em>just name it<\/em> format to describe incidents.<\/li>\n\n\n\n<li>Strategic: because you don&#8217;t want to be late &#8230; A little bit of JSON, a touch of HTTPS and the job is done: your tool will be ready for the rapidly approaching convergence of digital and physical environments!<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_are_the_main_differences_between_IDMEFv1_and_IDMEFv2\"><\/span>What are the main differences between IDMEFv1 and IDMEFv2?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Here is a list of the main differences:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>V2 is designed for Incident detection (broader than Intrusion detection)<\/li>\n\n\n\n<li>V1 dealt only with cyber intrusions; V2 deals with cyber AND physical incidents and cyber \/ physical Threat Intelligence, and it includes availability incidents.<\/li>\n\n\n\n<li>The V1 reference implementation format was XML; the preferred format for V2 is JSON (XML stays possible)<\/li>\n\n\n\n<li>The V1 protocol is IDXP (which never really broke through); the V2 preferred transport protocol is HTTPS<\/li>\n\n\n\n<li>V1 had 32 main classes; V2 (V01) focuses on 7 main classes: Alert, Analyser, Sensor, Source, Target, Vector, Attachment. We realized that if our format aims to be universal it has to stay &#8220;high level&#8221;, otherwise it will become unusable. 
<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_security_and_availability_incidents_are_mixed_in_the_same_format\"><\/span>Why are security and availability incidents mixed in the same format?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The question should rather be: &#8220;why are they usually separated&#8221; and monitored in different tools?<\/p>\n\n\n\n<p>Security experts often define security with the CIA triad (Confidentiality, Integrity and Availability). Confidentiality means that data, objects and resources are protected from unauthorized viewing and other access. Integrity means that data is protected from unauthorized changes to ensure that it is reliable and correct. Availability means that authorized users have access to the systems and the resources they need.<\/p>\n\n\n\n<p>Without availability there is no security. If a server is broken or hacked, it doesn&#8217;t make a huge difference for the company: people can&#8217;t work (and the company loses money). Security incidents (e.g. DDoS) can have an effect on availability. Availability incidents (e.g. the anti-virus process is down) can have effects on integrity. Security policies often include, quite obviously, the availability of critical applications. Thus it is impossible to monitor the &#8220;global&#8221; security of your systems with no information about their availability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_cyber_and_physical_incidents_are_mixed_in_the_same_format\"><\/span>Why are cyber and physical incidents mixed in the same format?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As mentioned before, the need for security and availability monitoring is old and obvious. 
The need for cyber and physical security convergence is newer and is accelerating with the massive use of IoT, IIoT and smart systems.<\/p>\n\n\n\n<p>Some major reasons for this convergence:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IoT\/IIoT ubiquity. All devices are now connected, whether they are &#8220;cyber&#8221; or &#8220;physical&#8221;<\/li>\n\n\n\n<li>Physical monitoring devices are also connected. Cameras and sensors have IP addresses, an OS, etc.<\/li>\n\n\n\n<li>Cameras also have &#8220;vulnerabilities&#8221; and can be the target of cyber attacks as well as suffer performance malfunctions<\/li>\n\n\n\n<li>Attacks are getting increasingly complex and can combine cyber and physical means (e.g. a cyber attack on a CCTV system before entering a building)<\/li>\n\n\n\n<li>The frontier between cyber and physical is getting thinner and thinner. As an example, it is not clear whether a smart car is a car with a computer inside or a computer with four wheels. What is the difference between hacking a regular server and hacking a &#8220;driving&#8221; server on wheels?<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_a_simple_use_case_illustrating_the_need_for_cyber_and_physical_incident_detection_convergency\"><\/span>What is a simple use case illustrating the need for cyber and physical incident detection convergence?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If a server is not reachable, people can&#8217;t work. 
Whatever the reason, it&#8217;s a problem for your organization.<\/p>\n\n\n\n<p>But there are many reasons why a server might not be working:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the CPU is malfunctioning<\/li>\n\n\n\n<li>the power supply is broken or has been accidentally disconnected<\/li>\n\n\n\n<li>someone entered the server room and intentionally disconnected the server<\/li>\n\n\n\n<li>someone hacked the badge system, then entered the server room and stole the server \u2026<\/li>\n\n\n\n<li>a suicide drone has crashed into the server room<\/li>\n\n\n\n<li>there is an accidental (or intentional) fire in the server room<\/li>\n\n\n\n<li>the server broke because of a strong heat wave outside while the air conditioning in the datacenter was not working<\/li>\n\n\n\n<li>a heavy storm, someone left the window open, the floor is flooded and this created a short circuit<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<p>Those incidents are of different types and could be detected by different tools (cyber, physical or availability), but ultimately the result is the same: the server is not working.<\/p>\n\n\n\n<p>IDMEFv2 makes it possible to detect, analyze and correlate all those types of incidents together to improve the global security (securities) of organizations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_are_operational_benefits_of_using_IDMEFv2\"><\/span>What are the operational benefits of using IDMEFv2?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Unifying all securities management and monitoring around IDMEFv2 can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reduce costs by sharing security information and improving team collaboration,<\/li>\n\n\n\n<li>improve detection capacity through correlation of multiple signals,<\/li>\n\n\n\n<li>improve prevention capacity by anticipating certain risks,<\/li>\n\n\n\n<li>improve forensic capacity through access to all types of events\/incidents 
in the same tool,<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<p>IDMEFv2 fills an existing gap in CPS (Cyber-Physical System) protection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I_am_a_security_tool_editor_how_can_I_make_my_tool_IDMEFv2_compliant\"><\/span>I am a security tool editor, how can I make my tool IDMEFv2 compliant?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To be IDMEFv2 compliant and able to interoperate with other IDMEFv2 systems, your tool:<\/p>\n\n\n\n<p>1) Must generate alerts in IDMEFv2 JSON format in compliance with the <a href=\"https:\/\/datatracker.ietf.org\/doc\/draft-lehmann-idmefv2\/\" target=\"_blank\" rel=\"noreferrer noopener\">IDMEFv2 Format IETF Draft<\/a><br>2) Should be able to send those alerts through HTTPS in compliance with the <a href=\"https:\/\/datatracker.ietf.org\/doc\/draft-lehmann-idmefv2-https-transport\/\" target=\"_blank\" rel=\"noreferrer noopener\">IDMEFv2 Transport IETF Draft<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Where_can_I_get_help_to_transform_and_tuned_my_JSON_alert_format_in_IDMEFv2\"><\/span>Where can I get help to transform and tune my JSON alert format into IDMEFv2?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The <a href=\"https:\/\/idmefv2.github.io\/Validator\/validator.html\" target=\"_blank\" rel=\"noreferrer noopener\">online IDMEFv2 validator<\/a> will help you tune and correct your IDMEFv2 JSON files.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.freelists.org\/list\/idmefv2\" target=\"_blank\" rel=\"noreferrer noopener\">IDMEFv2 mailing list<\/a> is a good place to find help.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Where_can_I_find_librairies_and_software_implementing_IDMEFv2\"><\/span>Where can I find libraries and software implementing IDMEFv2?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The <a rel=\"noreferrer noopener\" 
href=\"https:\/\/github.com\/IDMEFv2\" target=\"_blank\">IDMEFv2 official GitHub<\/a> hosts IDMEFv2 tools, libraries and a prototype.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_the_relationship_between_IDMEFv2_and_IODEFv2\"><\/span>What is the relationship between IDMEFv2 and IODEFv2?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>IDMEF and IODEF are complementary. IDMEF is used upstream, in probes and security management tools, to detect incidents. IODEF is used after detection to describe, transmit and share information about incidents with other security teams. IDMEF alerts can be attached to IODEF messages to describe technical information about incidents in detail.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_the_relationship_between_IDMEFv2_and_OASIS_CTI_aka_STIX\"><\/span>What is the relationship between IDMEFv2 and OASIS CTI (aka STIX)?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>IDMEF and STIX are complementary. STIX is a format to model, analyze, and share cyber threat intelligence. There are two relations between IDMEFv2 and STIX. IDMEFv2 is used to detect incidents and thus can help create CTI information. IDMEFv2 can also benefit from existing CTI to detect incidents or enrich incident information.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_the_relationship_between_IDMEFv2_and_OCSF_Open_Cybersecurity_Schema_Framework\"><\/span>What is the relationship between IDMEFv2 and OCSF (Open Cybersecurity Schema Framework)?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>OCSF is an open-source framework designed to standardize cybersecurity data formats across different security tools and platforms. OCSF and IDMEFv2 are complementary but do not have the same objectives. 
OCSF makes it possible to describe exhaustively any (cyber) security event, whereas IDMEFv2 is focused on (cyber &amp; physical) incident detection. Naturally some information is shared between the two formats, but OCSF is closer to a standard log format. Incident detection concepts like &#8220;sensor&#8221;, &#8220;analyser&#8221; and &#8220;correlation&#8221; don&#8217;t exist in OCSF. Last but not least, OCSF doesn&#8217;t deal with physical incidents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_the_relationship_between_IDMEFv2_and_SNMP\"><\/span>What is the relationship between IDMEFv2 and SNMP?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>SNMP polls information from devices and applications towards performance\/observability monitoring consoles. Those managers are then able to detect malfunctions or incidents. Using IDMEFv2 they can transmit that information to downstream global security management systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Can_I_use_IDMEFv2_for_cyber_incident_detection_only_or_physical_incident_detection\"><\/span>Can I use IDMEFv2 for cyber incident detection only, or for physical incident detection only?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>YES you can!<\/p>\n\n\n\n<p>You can use IDMEFv2 for example in a SIEM (Security Information &amp; Event Management) architecture or in a PSIM (Physical Security Information Management) architecture. IDMEFv2 proposes a single format for cyber and physical incident detection, but it can efficiently be deployed in only one of those domains. Using IDMEFv2 will in any case prepare you for the future, should the security perimeter be enlarged.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>IDMEFv2 Frequently Asked Questions (if you don&#8217;t find your question, please contact idmefv2@freelists.org) What does IDMEF stand for? 
IDMEF v1 stands for Intrusion Detection Message Exchange Format. IDMEF v2 has been extended to all kinds of incidents, not only intrusions, so IDMEF v2 stands for Incident Detection Message Exchange Format. How do you pronounce IDMEF&hellip;&nbsp;<a href=\"https:\/\/www.idmefv2.org\/index.php\/idmefv2-faq\/\" rel=\"bookmark\">Read More &raquo;<span class=\"screen-reader-text\">IDMEFv2 FAQ<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"class_list":["post-66","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/pages\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":20,"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/pages\/66\/revisions"}],"predecessor-version":[{"id":826,"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/pages\/66\/revisions\/826"}],"wp:attachment":[{"href":"https:\/\/www.idmefv2.org\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}