Skip to content


IDMEFv2 Frequently Asked Questions (if you don’t find your question please contact

Table of content

What does IDMEF stands for ?

IDMEF v1 means for Intrusion Detection Message Exchange Format.
IDMEF v2 has been extented to all kind of incidents, not only intrusion, so IDMEF v2 stands for Incident Detection Message Exchange Format.

What are the main differences between IDMEFv1 and IDMEFv2 ?

Here is a list of the main differences :

  • V2 is designed for Incident detection (larger than Intrusion)
  • V1 dealt only with cyber intrusion, V2 deals with Cyber AND physical incident and cyber / physical Threat Intelligence, it includes availability incidents.
  • VI reference implementation format was XML, preferred format for V2 is JSON (XML stays possible)
  • V1 protocol is IDXP, V2 preferred transport protocol is HTTPs
  • V1 had 32 main classes, V2 (V01) focuses on 7 main classes : Alert, Analyser, Sensor, Source, Target, Vector, Attachment

Why security and availability incidents are mixed in the same format ?

The question should be “why are they usually separated” and monitored in different tools ?

Security expert often define security with the CIA triad (Confidentiality, Integrity and Availability). Confidentiality means that data, objects and resources are protected from unauthorized viewing and other access. Integrity means that data is protected from unauthorized changes to ensure that it is reliable and correct. Availability means that authorized users have access to the systems and the resources they need.

Without availability there is no security. If a server is broken or hacked, it doesn’t make huge difference for the company, the people can’t work (and the company looses money). Security incidents (e.g. DDos) can have effect on availability. Availability incidents (e.g. anti-virus process is down) can have effects on integrity. Security policies often include, and this is obvious, availability of critical applications. Thus it is impossible to monitoring the “global” security of your systems with no information about its availability.

Why cyber and physical incidents are mixed in the same format ?

As mentioned before, the need for security and availability monitoring is old and obvioous. The need for cyber and physical security convergence is newer and accelerating with the massive use of IoT and IIoT and smart systems.

Some major reasons for this convergency :

  • IoT/IIoT ubiquity. All devices are now connected may they be “cyber” or “physic”
  • Physical monitoring devices are also connected. Cameras and sensors have IPs, OS, etc.
  • Cameras also have “vulnerabilities” and can be the target of cyber attacks as well as performance malfunction
  • Attacks are getting increasingly complex and can be cyber and physicaly combined (e.g. : CCTV cyber attack before entering a building)
  • The frontier between cyber and physical is more and more slight. As an example, it is not clear if a smart car is a car with a computer inside or a computer with four wheels ? What is the difference between hacking a regular server or hacking a “driving” server on wheels ?

What is a simple use case illustrating the need for cyber and physical incident detection convergency ?

If a server is not reachable, people can’t work. Whatever the reason is, it’s a problem for your organization.

But there are many reasons why a server might be not working :

  • the cpu is is malfunctioning
  • the power supply is broken or has been accidentally disconnected
  • someone entered the server room and intentionally disconnected the server
  • someone hacked the badger system then entered the server room and stole the server …
  • a suicide drone has crashed on the server room
  • there is an accidental (or intentional) fire in the server room
  • the server broke because there is a strong heat wave outside and the air conditioning in the datacenter is not working
  • heavy storm, someone left the window open and the floor is flooded and created a short circuit
  • etc.

Those incidents are of different type and could be detected by different tools (cyber, physical or availability) but ultimately the result is the same and the server is not working.

IDMEFv2 gives the possibility to detect, analyze, correlate all those type of incidents all together to improve the global security (securities) of organizations.

What are operational benefits of using IDMEFv2 ?

Unifying all securities management and monitoring around IDMEFv2 can :

  • reduce cost by sharing security information and improving teams collaboration,
  • improve capacities of detection through correlation of multiple signals,
  • improve capacities of prevention by anticipating certain risks,
  • improve capacity of forensic by access to all type of events/incidents in the same tool,
  • etc.

IDMEFv2 fills an existing gap in CPS (Cyber Physical System) protection.

Has IDMEFv2 been used in real systems ?

IDMEFv2 has been designed in collaboration with a large international research project with collaboration of physical and cyber security tools editors. During this project IDMEv2 has been deployed and tested on real scale on large architecture.

IDMEFv2 inherits also from IDMEFv1 which has been around for 15 years.

I am a security tool editor, how can I make my tool IDMEFv2 compliant ?

To be IDMEFv2 compliant and able to interoperate with other IDMEFv2 systems, your tool :

1) Must generate alerts in IDMEFv2 JSON format in compliance with the IDMEFv2 Format IETF Draft V00
2) Should be able to send those alerts trough HTTPs in compliance with the IDMEFv2 Transport IETF Draft V00

Where can I get help to transform and tuned my JSON alert format in IDMEFv2 ?

The IDMEFv2 validator online will help you tune and correct your IDMEFv2 JSON files.

The IDMEFv2 mailing list is a good place to find help.

Where can I find librairies and software implementing IDMEFv2 ?

The IDMEFv2 official github host IDMEFv2 tools, libraries and a prototype.

What is the relationship between IDMEFv2 and IODEFv2 ?

IDMEF and IODEF are complementary. IDMEF is used upstream in probes and security management tools to detect incidents. IODEF is used after detection to describe and transmit and share information about incidents to other security teams. IDMEF alert can be attached to IODEF message for describing in details technical information about incidents.

What is the relationship between IDMEFv2 and OASIS CTI (aka STIX) ?

IDMEF and STIX are complementary. STIX is a format to model, analyze, and share cyber threat intelligence. There are two relations between IDMEFv2 and STIX. IDMEFv2 is used to detect incidents thus can help create CTI information. IDMEFv2 can also profit from existing CTI to detect incidents or enrich incident information.

What is the relationship between IDMEFv2 and SNMP ?

SNMP pools information from devices and application toward performance/observability monitoring consoles. Those managers are then able to detect malfunction or incidents. Using IDMEFv2 they can transmit those information to downstream global security management systems.

Can I use IDMEFv2 for cyber incident detection only , or physical incident detection ?

YES you can !

You can used IDMEFv2 for example in a SIEM (Security Information & Event Management) architecture or in a PSIM (Physical Security Information Management) architecture. IDMEFv2 proposes a unique format for cyber and physical incident detection but it can efficiently be deployed in only one of those domains. Using IDMEFv2 will anyway prepare the future in case of a security perimeter enlargement.