Network Working Group                                         G. Lehmann
Internet-Draft                                         Telecom SudParis
Obsoletes: 4765 (if approved)                              26 April 2026
Intended status: Standards Track
Expires: 28 October 2026

   The Incident Detection Message Exchange Format version 2 (IDMEFv2)
                        draft-lehmann-idmefv2-08

Abstract

The Incident Detection Message Exchange Format version 2 (IDMEFv2) defines a data representation for security incidents detected on cyber and/or physical infrastructures. The format is agnostic, so it can be used in standalone or combined cyber (SIEM), physical (PSIM) and availability (NMS) monitoring systems. IDMEFv2 can also be used to represent man-made or natural hazard threats.

IDMEFv2 improves situational awareness by facilitating correlation of multiple types of events using the same base format, thus enabling efficient detection of complex and combined cyber and physical attacks and incidents.

This draft is maintained by the IDMEFv2 Task Force. Please consult our website for more information: https://www.idmefv2.org. If approved, this draft will obsolete RFC4765.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 28 October 2026.

Lehmann                 Expires 28 October 2026                 [Page 1]
Internet-Draft                    IDMEFv2                     April 2026

Copyright Notice

Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  IDMEFv2 deployment architecture . . . . . . . . . . . .   5
     1.2.  IDMEFv1 (Intrusion Detection Message Exchange Format) -
           RFC 4765 - Legacy . . . . . . . . . . . . . . . . . . .   5
     1.3.  Relationship between IDMEFv2 and other event/incident
           formats . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.4.  Existing Deployments and Adoption . . . . . . . . . . .   7
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . .   7
     2.1.  Keywords  . . . . . . . . . . . . . . . . . . . . . . .   7
     2.2.  Normative sections  . . . . . . . . . . . . . . . . . .   7
     2.3.  Concepts related to event processing  . . . . . . . . .   7
       2.3.1.  Event . . . . . . . . . . . . . . . . . . . . . . .   7
       2.3.2.  Incident  . . . . . . . . . . . . . . . . . . . . .   8
       2.3.3.  Alert . . . . . . . . . . . . . . . . . . . . . . .   8
       2.3.4.  Manager . . . . . . . . . . . . . . . . . . . . . .   8
       2.3.5.  Operator  . . . . . . . . . . . . . . . . . . . . .   8
       2.3.6.  Analyst . . . . . . . . . . . . . . . . . . . . . .   8
       2.3.7.  Attack  . . . . . . . . . . . . . . . . . . . . . .   8
       2.3.8.  Correlation . . . . . . . . . . . . . . . . . . . .   9
       2.3.9.  Aggregation . . . . . . . . . . . . . . . . . . . .   9
   3.  The IDMEF Data Types  . . . . . . . . . . . . . . . . . . .   9
     3.1.  Classes . . . . . . . . . . . . . . . . . . . . . . . .   9
     3.2.  Numbers . . . . . . . . . . . . . . . . . . . . . . . .   9
       3.2.1.  Integers  . . . . . . . . . . . . . . . . . . . . .   9
       3.2.2.  Floating-point values . . . . . . . . . . . . . . .   9
     3.3.  Strings . . . . . . . . . . . . . . . . . . . . . . . .  10
       3.3.1.  Enumerations  . . . . . . . . . . . . . . . . . . .  10
       3.3.2.  Timestamps  . . . . . . . . . . . . . . . . . . . .  10
       3.3.3.  Geographical Locations  . . . . . . . . . . . . . .  11
       3.3.4.  UNECE Location Codes (UN/LOCODE)  . . . . . . . . .  11
       3.3.5.  Uniform Resource Identifiers (URIs) . . . . . . . .  11
       3.3.6.  IP Addresses  . . . . . . . . . . . . . . . . . . .  12
       3.3.7.  E-mail addresses  . . . . . . . . . . . . . . . . .  12
       3.3.8.  Attachment names  . . . . . . . . . . . . . . . . .  12
       3.3.9.  Media types . . . . . . . . . . . . . . . . . . . .  12
       3.3.10. Universally Unique IDentifiers (UUIDs)  . . . . . .  13
       3.3.11. Protocol Names  . . . . . . . . . . . . . . . . . .  13
       3.3.12. IDMEF Paths . . . . . . . . . . . . . . . . . . . .  13
       3.3.13. Hashes  . . . . . . . . . . . . . . . . . . . . . .  14
     3.4.  Lists . . . . . . . . . . . . . . . . . . . . . . . . .  15
   4.  The IDMEF extension . . . . . . . . . . . . . . . . . . . .  15
     4.1.  Extending the Enumerated Values of Attributes . . . . .  15
       4.1.1.  Private Extension of Enumerated Values  . . . . . .  16
       4.1.2.  Public Extension of Enumerated Values . . . . . . .  16
     4.2.  Private Extension of Attributes . . . . . . . . . . . .  17
   5.  The IDMEF Data Model  . . . . . . . . . . . . . . . . . . .  17
     5.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . .  17
     5.2.  The Alert Class . . . . . . . . . . . . . . . . . . . .  18
     5.3.  The Analyzer Class  . . . . . . . . . . . . . . . . . .  26
     5.4.  The Sensor Class  . . . . . . . . . . . . . . . . . . .  28
     5.5.  The Source Class  . . . . . . . . . . . . . . . . . . .  30
     5.6.  The Target Class  . . . . . . . . . . . . . . . . . . .  32
     5.7.  The Attachment Class  . . . . . . . . . . . . . . . . .  34
     5.8.  The JavaScript Object Notation Serialization Method . .  36
   6.  Security Considerations . . . . . . . . . . . . . . . . . .  37
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . .  37
   8.  Acknowledgement . . . . . . . . . . . . . . . . . . . . . .  39
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . .  40
     9.1.  Normative References  . . . . . . . . . . . . . . . . .  40
     9.2.  Informative References  . . . . . . . . . . . . . . . .  41
   Appendix A.  Enumerations . . . . . . . . . . . . . . . . . . .  42
     A.1.  Entity Sector . . . . . . . . . . . . . . . . . . . . .  42
     A.2.  Alert Category  . . . . . . . . . . . . . . . . . . . .  54
     A.3.  Analyzer Category . . . . . . . . . . . . . . . . . . .  73
     A.4.  Analyzer Data . . . . . . . . . . . . . . . . . . . . .  79
     A.5.  Analyzer Method . . . . . . . . . . . . . . . . . . . .  81
     A.6.  Source Category . . . . . . . . . . . . . . . . . . . .  87
     A.7.  Target Category . . . . . . . . . . . . . . . . . . . . 100
   Appendix B.  Examples . . . . . . . . . . . . . . . . . . . . . 103
     B.1.  Physical intrusion  . . . . . . . . . . . . . . . . . . 103
     B.2.  Cyberattack . . . . . . . . . . . . . . . . . . . . . . 104
     B.3.  Server outage . . . . . . . . . . . . . . . . . . . . . 106
     B.4.  Combined incident . . . . . . . . . . . . . . . . . . . 107
     B.5.  Hazard incident . . . . . . . . . . . . . . . . . . . . 108
   Appendix C.  JSON Validation Schema (Non-normative) . . . . . . 109
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . 136

1.  Introduction

The Incident Detection Message Exchange Format (IDMEF) is intended to solve the problem of security monitoring compartmentalization by proposing a single format to represent any type of incident, whether cyber or physical, intentional or accidental, natural or man-made.
Although security is often associated with the Confidentiality-Integrity-Availability triad, performance and availability management systems are still run independently from security management systems. Additionally, with the adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices, and the exponential emergence of smart systems (transport, cities, buildings, etc.), an increasingly interconnected mesh of cyber-physical systems (CPS) has emerged. This expansion of the attack and incident surfaces blurs the once-clear functions of cybersecurity and physical security. Finally, as IT infrastructure moves out of data centers, it becomes more exposed to external threats, including natural and man-made hazards.

Incident detection systems have traditionally focused on detecting either cyber incidents, physical incidents or availability incidents. There is an increasing need nowadays to have a unified view and management of all those incidents and their interconnection. To achieve this goal, the Incident Detection Message Exchange Format offers a single data representation for multiple types of events:

   * Cyber-security events (e.g. authentication failure/success, virus/malware detection, bruteforce/scan detection, etc.)

   * Physical security events (e.g. intrusion detection, object detection, face or activity recognition, fire/smoke/noise/rain detection, etc.)

   * Availability/observability/performance events (e.g. system failure, service malfunction, performance decrease, etc.)

   * Natural and man-made hazard events (e.g. wildfires, avalanches, droughts, earthquakes, pollution, fire, explosion, etc.)

1.1.  IDMEFv2 deployment architecture

IDMEFv2 can be used to exchange incident detection information between specialized managers (SIEM, PSIM, NMS) and a universal "Cyber & Physical SIEM" (CPSIEM), or directly between specialized analyzers and a CPSIEM.
             +-----------------------------+     +---------+
             |     "Universal" CPSIEM      |<----| Hazards |
             +-----------------------------+     +---------+
                 |            |           |
              +------+     +-----+     +------+
   Managers   | PSIM |     | NMS |     | SIEM |
              +------+     +-----+     +------+
                 |            |           |
             +--------+  +----------+  +-----+
   Analyzers/|Physical|  |Monitoring|  |Cyber|
   Sensors   +--------+  +----------+  +-----+
                 |            |           |
             +-------------------------------+
             |    Cyber & Physical System    |
             +-------------------------------+

                 Figure 1: IDMEF Use Architecture

IDMEFv2 improves situational awareness by enabling correlation of multiple types of events using the same base format. This document defines a data model and serialization methods for the purpose of describing and sharing these events.

1.2.  IDMEFv1 (Intrusion Detection Message Exchange Format) - RFC 4765 - Legacy

IDMEFv2 (Incident Detection Message Exchange Format) is based on IDMEFv1 (Intrusion Detection Message Exchange Format) concepts. However, IDMEFv1 was focused on cyber intrusions, whereas the IDMEFv2 perimeter is much larger. Thus backward compatibility, although partly possible, has not been a priority.

1.3.  Relationship between IDMEFv2 and other event/incident formats

IDMEFv2 focuses essentially on high-level event/incident correlation and detection. There are many standard and proprietary formats on the incident detection market, and in particular on the cybersecurity market. IDMEFv2 is complementary to most of these formats.

IDMEFv1 (Intrusion Detection Message Exchange Format - RFC 4765): IDMEFv2 (Incident Detection) replaces and obsoletes IDMEFv1 (Intrusion Detection) by covering a wider spectrum.

IODEFv2 (Incident Object Definition Exchange Format - RFC 5070): IDMEFv2 helps detect incidents. When an incident is detected, it will be analysed and eventually fully described and shared with other security teams through IODEFv2. IDMEF is used upstream of IODEFv2.
IDMEFv2 alerts can be "attached" to IODEFv2 objects to provide technical details about incidents.

Syslog (System Logging): Syslog is a lossy format with no formal structure. Syslog can be used by sensors to send information to analyzers. Out of those multi-format syslogs, the analyzer might detect an incident or an event of interest. The analyzer will then use IDMEFv2 to notify the manager, which might correlate this information with other data to confirm the incident.

SNMP (Simple Network Management Protocol): SNMP polls information from devices, which is then compared to thresholds to detect incidents. IDMEFv2 can be used when an incident is detected downstream of SNMP to communicate the incident to the manager. IDMEFv2 can have a similar role to SNMP Traps.

STIX (Structured Threat Information Expression): STIX is a language and serialization format used to exchange cyber threat intelligence (CTI). IDMEFv2 can help detect incidents, which might lead to the creation and sharing of STIX information. Cyber analyzers can also rely on STIX information to detect incidents that will be notified in IDMEFv2 format.

OCSF (The Open Cybersecurity Schema Framework): OCSF is an open-source, vendor-agnostic standard designed to normalize security telemetry from diverse tools. It provides a common language and consistent structure for security event data, simplifying data ingestion, correlation, and analysis. OCSF can be seen as a "super" syslog used to describe events before IDMEFv2 extracts "incidents". OCSF is limited to cyber security.

SIEM proprietary formats (CEF, LEEF, ECS, CIM, ...): By covering cyber, physical and monitoring incident types, IDMEFv2 offers a wider spectrum than those formats. Gateways between IDMEFv2 and those formats can be developed to connect legacy cyber detection systems to an IDMEFv2 architecture.

1.4.  Existing Deployments and Adoption

IDMEFv2 is not a theoretical proposal.
It has been developed, validated, and deployed within the framework of eight large-scale European research projects, funded by the Horizon 2020 and Digital Europe programmes. These projects, namely 7SHIELD, PRECINCT, CyberSEAS, ATLANTIS, ENDURANCE, KINAITICS, TESTUDO, and SAFE4SOC, address critical sectors such as space systems, energy grids, transportation, and government infrastructure.

These implementations span multiple domains, including Security Operations Centers (SOCs), Physical Security Information Management (PSIM) systems, and critical infrastructure protection pilots.

This document aims to formalize this existing practice as an IETF Experimental RFC, to ensure interoperability, gather broader community feedback, and provide a stable foundation for future developments.

2.  Terminology

2.1.  Keywords

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.2.  Normative sections

Implementations of IDMEFv2 are REQUIRED to fully implement:

   * The data types defined in Section 3

   * The data model defined in Section 5

   * The JavaScript Object Notation (JSON) serialization method defined in Section 5.8

2.3.  Concepts related to event processing

2.3.1.  Event

An event is something that triggered a notice. Any incident starts off as an event or a combination of events, but not all events result in an incident. An event does not need to be an indication of wrongdoing; e.g. someone successfully logging in or entering a building is an event.

2.3.2.  Incident

An incident is an event that compromises, or has a significant probability of compromising, at least one of the organization's security criteria such as Confidentiality, Integrity or Availability. An incident may affect a production tool, personnel, etc. It may be logical, physical or organizational in nature.
Last but not least, an incident may be caused on purpose or by accident.

2.3.3.  Alert

An alert is a notification/message that a particular event/incident (or series of events/incidents) has occurred.

2.3.4.  Manager

The manager is the central console toward which all analyzers send their alerts. The manager collects, correlates, stores and displays the alerts to the operators. Examples:

   - A SIEM (Security Information & Event Management) or a Log Manager

   - A PSIM (Physical Security Information Management)

   - An NMS (Network Management System)

   - A CPSIEM (Cyber & Physical Security Information Management System)

2.3.5.  Operator

The level 1 operator is in charge of receiving manager notifications and identifying or confirming when an event should be considered an incident. The operator must also decide whether there is a known resolution for this incident or whether it needs a deeper analysis.

2.3.6.  Analyst

The analyst will be contacted by the operator to analyze complex incidents that can't be easily resolved. The investigation starts with the IDMEFv2 information, but the analyst might need more information, such as raw logs, for deeper forensics.

2.3.7.  Attack

An attack is an attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of a cyber or physical asset. An attack is one or many kinds of incidents.

2.3.8.  Correlation

Correlation is the identification of relationships between two or more events.

2.3.9.  Aggregation

Aggregation is the consolidation of similar events into a single event.

3.  The IDMEF Data Types

Each object inside the IDMEF data model has an associated data type. This type may be used to validate the content of incoming IDMEF messages.

3.1.  Classes

The classes are meant to group related attributes together. Some of the classes may be instantiated multiple times (e.g. Source, Target, etc.)
while others may only appear once in an IDMEF message (e.g. Analyzer).

3.2.  Numbers

3.2.1.  Integers

Integers inside the IDMEF data model are expressed using the following ABNF [RFC5234] grammar:

   integer  = *1minus int
   int      = zero / ( digit1-9 *DIGIT )
   minus    = %x2D      ; -
   zero     = %x30      ; 0
   digit1-9 = %x31-39   ; 1-9

E.g. 123. Such values are indicated with the "INT" type annotation in the model.

3.2.2.  Floating-point values

Floating-point values inside the IDMEF data model are expressed using the following ABNF grammar:

   float         = integer *1frac
   frac          = decimal-point 1*DIGIT
   decimal-point = %x2E   ; .

This grammar reuses some of the production rules listed in Section 3.2.1. E.g. 12.34. Such values are indicated with the "FLOAT" type annotation in the model.

3.3.  Strings

Strings are series of characters from the [UNICODE] standard and are used to represent text. For readability, this document uses quotes (") to delimit strings, but please note that these quotes are not syntactically part of the actual strings. E.g. "Hello world". Some of the strings used in the IDMEFv2 data model follow a stricter syntax. These are included below for completeness. Such values are indicated with the "STRING" type annotation in the model.

3.3.1.  Enumerations

Enumerations are special strings used when the valid values for an IDMEF attribute are restricted to those present in a predefined list. Such values are indicated with the "ENUM" type annotation in the model.

3.3.2.  Timestamps

Timestamps are used to indicate a specific moment in time. The timestamps used in the IDMEF data model follow the syntax defined by the "date-time" production rule of the grammar in [RFC3339] ch 5.6. E.g. "1985-04-12T23:59:59.52Z" represents a moment just before April 5th, 1985 in Coordinated Universal Time (UTC). Such values are indicated with the "TIMESTAMP" type annotation in the model.
3.3.3.  Geographical Locations

Some attributes inside the IDMEF data model may refer to geographical locations using a set of coordinates. The reference system for all geographical coordinates is a geographic coordinate reference system using the World Geodetic System 1984 [WGS84]. The reference system used is the same as for the Global Positioning System (GPS).

The format for such values can be either "latitude,longitude" or "latitude,longitude,altitude". Each of these coordinates is represented as a floating-point value. The latitude and longitude are expressed in degrees while the altitude is expressed in meters.

E.g. "48.8584,2.2945,276.13" matches the (3-dimensional) geographical location for the top floor of the Eiffel Tower located in Paris, France, while "48.8584,2.2945" matches the same location in two dimensions (with the altitude removed). Such values are indicated with the "GEOLOC" type annotation in the model.

3.3.4.  UNECE Location Codes (UN/LOCODE)

Some attributes inside the IDMEF data model may refer to geographical locations using Location Codes. These codes can be assimilated to an enumeration, where the list of possible values is defined in the United Nations Economic Commission for Europe (UNECE) Codes for Trade [UN-LOCODE]. E.g. "FR PAR" is the Location Code for the city of Paris, France. Such values are indicated with the "UNLOCODE" type annotation in the model.

3.3.5.  Uniform Resource Identifiers (URIs)

The IDMEF data model uses Uniform Resource Identifiers (URIs), as defined in [RFC3986], when referring to external resources. Unless otherwise specified, either a Uniform Resource Locator (URL) or a Uniform Resource Name (URN) may be used where a URI is expected. E.g. both "https://example.com/resource" and "urn:myapp:resource" are valid Uniform Resource Identifiers. Such values are indicated with the "URI" type annotation in the model.
3.3.6.  IP Addresses

IP addresses inside the IDMEF data model are expressed as strings using the traditional dotted-decimal notation for IPv4 addresses (defined by the "dotnum" production rule in the grammar in [RFC5321]), while IPv6 addresses are expressed using the text representation defined in [RFC4291] ch 2.2. E.g. "192.0.2.1" represents a valid IPv4 address, while "::1/128" represents a valid IPv6 address. It is RECOMMENDED that implementations follow the recommendations for IPv6 text representation stated in [RFC5952]. Such values are indicated with the "IP" type annotation in the model.

3.3.7.  E-mail addresses

E-mail addresses inside the IDMEF data model are expressed as strings using the address specification syntax defined in [RFC5322] ch 3.4.1. E.g. "root@example.com". Such values are indicated with the "EMAIL" type annotation in the model.

3.3.8.  Attachment names

Attachments inside the IDMEF data model are identified using a unique name, composed of a string whose character set is limited to the ASCII letters (A-Z a-z) and digits (0-9). E.g. "state" is a valid name for an attachment. The constraint on name unicity is enforced per class. That is, it is not possible for two attachments to share the same name inside the same alert. Such values are indicated with the "ID" type annotation in the model.

3.3.9.  Media types

Media types are used in the IDMEF data model to describe an attachment's content. The syntax for such values is defined in [RFC2046]. IANA keeps a list of all currently registered media types in the Media Types registry. E.g. "application/xml" or "text/plain; charset=utf-8". Such values are indicated with the "MEDIATYPE" type annotation in the model.

3.3.10.  Universally Unique IDentifiers (UUIDs)

Universally Unique Identifiers (UUIDs) are used to uniquely identify IDMEF messages.
It is also possible for an IDMEF message to reference other IDMEF messages using their UUIDs. The syntax for UUIDs is defined in [RFC4122]. To limit the risk of UUID collisions, implementors SHOULD NOT generate version 4 UUIDs (randomly or pseudo-randomly generated UUIDs). E.g. "ba2e4ef4-8719-42bb-a712-d6e8871c5c5a". UUIDs are case-insensitive when used in comparisons. Such values are indicated with the "UUID" type annotation in the model.

3.3.11.  Protocol Names

Such values are indicated with the "PROTOCOL" type annotation in the model.

3.3.12.  IDMEF Paths

This document defines a way to represent the path to every possible attribute inside an IDMEF message. For conciseness, the top-level "Alert" class is omitted from the path. This representation can be used in contexts where the path to an IDMEF attribute is expected. An example of such usage can be seen in the definition of the "AggrCondition" attribute inside the Alert class (Section 5.2).

The syntax for these IDMEF paths is expressed in the following ABNF grammar:

   class-name      = "Analyzer" / "Sensor" / "Source" / "Target" / "Attachment"
   attribute-name  = 1*ALPHA
   class-reference = class-name "."
   num             = *1"-" 1*DIGIT
   list-index      = "(" num ")"
   path            = *1class-reference attribute-name *1list-index

Valid attribute names are limited to those defined for the specified class-reference (or in the top-level "Alert" class if class-reference is omitted). For example, the following path refers to the "CeaseTime" attribute of the top-level "Alert" class: "CeaseTime". Likewise, the following path refers to the "Name" attribute of the "Analyzer" class: "Analyzer.Name".

For attributes defined as lists (see Section 3.4), the path may include the (0-based) index of an entry inside the list. The index defaults to 0 if omitted. This means that several (valid) representations may be used to reference the same IDMEF attribute when list attributes are involved.
For example, both of the following paths refer to the IP address of the first source associated with an IDMEF message:

   Source.IP
   Source(0).IP

Compatible implementations MUST reject paths that reference an unknown class, an unknown attribute, or that use a list-index for an IDMEF field which is not defined as a list. A compatible implementation MUST also normalize paths before comparing them (e.g. by stripping the text "(0)" from paths referring to list attributes).

3.3.13.  Hashes

Hashes are sometimes used inside the data model to protect the integrity (and optionally, the authenticity) of attachments. The syntax for these values is "function:hash_result", where "function" refers to one of the hashing function names listed in and "hash_result" contains the hexadecimal notation for the hash result obtained by calling the specified hash function on the input value.

In the context of IDMEF, either a keyless or keyed hash function may be used to process the raw input value.

E.g. "sha256:a02735ed8b10ad432d557bd4849c0dac3b23d64706e0618716d6df2def338374"

Hashes are case-insensitive when used in comparisons. Such values are indicated with the "HASH" type annotation in the model.

3.4.  Lists

Some attributes of the IDMEF data model accept ordered lists of values. Such ordered lists are indicated with the "X[]" type annotation in the model, where "X" refers to one of the data types defined in Section 3. For example, "ENUM[]" refers to an ordered list of enumeration values.

4.  The IDMEF extension

In order to support the dynamic nature of security operations and to adapt to specific needs, the IDMEFv2 data model will need to continue to evolve. This section discusses how new data elements can be incorporated into IDMEFv2. There is support for adding additional enumerated values and new attributes.
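The following is an added example, not code from the draft or the IDMEFv2 project, showing how an implementation can apply the Section 3.3.12 rules (reject unknown classes/attributes and misplaced list indexes, normalize before comparing) and the Section 3.3.13 HASH syntax (case-insensitive comparison, keyless verification of an attachment). The Alert attribute table is taken from Figure 4; the other class tables, the class-index form "Source(0).IP" (taken from the draft's example rather than its ABNF, which places the index after the attribute name) and the function names are assumptions.

```python
"""IDMEF path validation/normalization (Section 3.3.12) and HASH values
(Section 3.3.13). Added example; tables marked hypothetical are not from the
draft."""
import hashlib
import re

# Classes that may appear more than once in an alert ("zero or more" in
# Section 5.1); Analyzer appears exactly once and cannot be indexed.
MULTI_INSTANCE = {"Sensor", "Source", "Target", "Attachment"}

# attribute name -> True when the attribute is a list ("X[]", Section 3.4).
# The Alert table follows Figure 4 of the draft. Hyphenated names such as
# "ext-Category" are left out because the draft's rule is
# attribute-name = 1*ALPHA, so a path cannot reach them. The other classes
# are ASSUMPTIONS: the draft mentions only Analyzer.Name and Source.IP; the
# remaining entries are hypothetical.
ATTRS = {
    "Alert": {
        "Version": False, "ID": False, "OrganisationName": False,
        "OrganisationId": False, "EntityName": False, "EntityId": False,
        "EntitySector": True, "Type": True, "Category": True,
        "Cause": False, "Description": False, "Status": True,
        "Priority": False, "Confidence": False, "Note": False,
        "CreateTime": False, "StartTime": False, "EndTime": False,
        "ReportTime": False, "AltNames": True, "AltCategory": True,
        "Ref": True, "CorrelID": True, "AggrCondition": True,
        "PredID": True, "RelID": True,
    },
    "Analyzer": {"Name": False},
    "Sensor": {"Name": False},                     # hypothetical
    "Source": {"IP": False, "Hostname": False},    # Hostname hypothetical
    "Target": {"IP": False, "Hostname": False},    # hypothetical
    "Attachment": {"Name": False, "Hash": False},  # hypothetical
}

# Section 3.3.12 ABNF as a regex; a class index ("Source(0).IP") is also
# accepted because the draft's own example uses that form (assumption).
_PATH_RE = re.compile(
    r"^(?:(?P<cls>Analyzer|Sensor|Source|Target|Attachment)"
    r"(?:\((?P<cidx>-?\d+)\))?\.)?"
    r"(?P<attr>[A-Za-z]+)(?:\((?P<aidx>-?\d+)\))?$"
)


class InvalidPath(ValueError):
    """A path that a compatible implementation MUST reject."""


def parse_path(path):
    """Return (class, class_index, attribute, attribute_index).

    Omitted indexes default to 0; an index is None for non-list items."""
    m = _PATH_RE.match(path)
    if not m:
        raise InvalidPath(f"malformed path: {path!r}")
    cls = m.group("cls") or "Alert"
    attr = m.group("attr")
    if attr not in ATTRS[cls]:
        raise InvalidPath(f"unknown attribute {attr!r} in class {cls}")
    cidx, aidx = m.group("cidx"), m.group("aidx")
    if cidx is not None and cls not in MULTI_INSTANCE:
        raise InvalidPath(f"{cls} is not a list class, index not allowed")
    if aidx is not None and not ATTRS[cls][attr]:
        raise InvalidPath(f"{cls}.{attr} is not a list attribute")
    if cls in MULTI_INSTANCE:
        cidx = int(cidx) if cidx is not None else 0
    if ATTRS[cls][attr]:
        aidx = int(aidx) if aidx is not None else 0
    return cls, cidx, attr, aidx


def is_valid_path(path):
    try:
        parse_path(path)
    except InvalidPath:
        return False
    return True


def normalize_path(path):
    """Canonical form: "(0)" stripped, any other index kept."""
    cls, cidx, attr, aidx = parse_path(path)
    out = "" if cls == "Alert" else cls + (f"({cidx})" if cidx else "") + "."
    return out + attr + (f"({aidx})" if aidx else "")


def paths_equal(a, b):
    return normalize_path(a) == normalize_path(b)


# Section 3.3.13: "function:hash_result"; both parts compared case-insensitively.
_HASH_RE = re.compile(r"^(?P<fn>[A-Za-z0-9_-]+):(?P<hex>[0-9A-Fa-f]+)$")


def parse_hash(value):
    m = _HASH_RE.match(value)
    if not m:
        raise ValueError(f"malformed HASH value: {value!r}")
    return m.group("fn").lower(), m.group("hex").lower()


def hashes_equal(a, b):
    return parse_hash(a) == parse_hash(b)


def verify_attachment(content, hash_value):
    """Keyless integrity check: recompute the named function over the raw
    attachment bytes. Assumes the function name is one hashlib knows."""
    fn, digest = parse_hash(hash_value)
    return hashlib.new(fn, content).hexdigest() == digest
```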
These extension mechanisms are designed so that adding new data elements is possible without requiring modifications to this document. Extensions can be implemented publicly or privately. With proven value, well-documented extensions can be incorporated into future versions of the specification.

4.1.  Extending the Enumerated Values of Attributes

Additional enumerated values can be added to select attributes either through the use of specially marked attributes with the "ext-" prefix or through a set of corresponding IANA registries. The former approach allows the extension to remain private. The latter approach is public.

4.1.1.  Private Extension of Enumerated Values

The data model supports adding new enumerated values to an attribute without public registration. For each attribute that supports this extension technique, there is a corresponding attribute in the same element whose name is identical but with a prefix of "ext-". This special attribute is referred to as the extension attribute. The attribute being extended is referred to as an extensible attribute. For example, an extensible attribute named "foo" will have a corresponding extension attribute named "ext-foo". An element may have many extensible attributes.

In addition to a corresponding extension attribute, each extensible attribute has "ext-value" as one of its possible enumerated values. Selection of this particular value in an extensible attribute signals that the extension attribute contains data. Otherwise, this "ext-value" value has no meaning.

In order to add a new enumerated value to an extensible attribute, the value of this attribute MUST be set to "ext-value", and the new desired value MUST be set in the corresponding extension attribute. For example, extending the Category attribute of the Analyzer class would look as follows:

   "Analyzer": {
     ...
     "Category": ["ext-value"],
     "ext-Category": "my-new-analyzer-category",
     ...
   }

A given extension attribute MUST NOT be set unless the corresponding extensible attribute has been set to "ext-value".

4.1.2.  Public Extension of Enumerated Values

The data model also supports publicly extending select enumerated attributes. A new entry can be added by registering a new entry in the appropriate IANA registry. Section (Table 5) provides a mapping between the extensible attributes and their corresponding registry.

4.2.  Private Extension of Attributes

Use of new attributes is possible through the use of the Attachment class. New attributes and their corresponding values should be stored in the Content attribute of an Attachment, and the ContentEncoding must be set to JSON. For example, creating a new attribute to store the e-mail of the operator (in charge of solving the incident) will look as follows:

   "Attachment": [
     {
       "Name": "Operator",
       "ContentEncoding": "JSON",
       "Content": "{\"OperatorMail\":\"John.Does@acme.com\"}"
     }
   ]

5.  The IDMEF Data Model

In this section, the individual components of the IDMEF data model are discussed in detail. For each class, the semantics are described.

5.1.  Overview

   +--------+      +-----+
   |Analyzer|----> |Alert|
   +--------+      +-----+
                     ||
                  +------+
                  |Sensor|
                  +------+
                    /  \
                   /    \
                  /      \
            +------+    +------+
            |Source| >----> |Target|
            +------+    +------+

           Figure 2: IDMEFv2 Overview Classes

An IDMEF message is composed of an instance of the Alert class (Section 5.2) representing the overall properties of the message. It also contains exactly one instance of the Analyzer class (Section 5.3) and zero or more instances of the Sensor class (Section 5.4). The message may also describe various aspects of an event using the Source (Section 5.5) and Target (Section 5.6) classes.
Last but not least, it may also include zero or more instances of the Attachment class (Section 5.7), e.g. captured files or network packets related to the event.

The relationship between the main Alert class and the other classes of the data model is shown in Figure 3 (attributes are omitted for clarity).

   +-------+            +------------+
   | Alert |<>----------| Analyzer   |
   +-------+            +------------+
   |       |      0..*  +------------+
   |       |<>----------| Sensor     |
   |       |            +------------+
   |       |      0..*  +------------+
   |       |<>----------| Source     |
   |       |            +------------+
   |       |      0..*  +------------+
   |       |<>----------| Target     |
   |       |            +------------+
   |       |      0..*  +------------+
   |       |<>----------| Attachment |
   +-------+            +------------+

               Figure 3: IDMEFv2 Classes

It is important to note that the data model does not specify how an incident should be categorized or identified. For example, an attacker scanning a network for machines listening on a specific port may be identified by one analyzer as a single attack against multiple targets, while another analyzer may identify it as multiple attacks from a single source. However, once an analyzer has determined the type of alert it plans on sending, the data model dictates how that alert should be formatted.

5.2.  The Alert Class

The Alert class contains high-level information about the event that triggered the alert.
   +------------------------------+
   |            Alert             |
   +------------------------------+
   | STRING      Version          |
   | UUID        ID               |
   | STRING      OrganisationName |
   | STRING      OrganisationId   |
   | STRING      EntityName       |
   | STRING      EntityId         |
   | ENUM[]      EntitySector     |
   | ENUM[]      Type             |
   | ENUM[]      Category         |
   | STRING[]    ext-Category     |
   | ENUM        Cause            |
   | STRING      Description      |
   | ENUM[]      Status           |
   | ENUM        Priority         |
   | FLOAT       Confidence       |
   | STRING      Note             |
   | TIMESTAMP   CreateTime       |
   | TIMESTAMP   StartTime        |
   | TIMESTAMP   EndTime          |
   | TIMESTAMP   ReportTime       |
   | STRING[]    AltNames         |
   | STRING[]    AltCategory      |
   | URI[]       Ref              |
   | UUID[]      CorrelID         |
   | CONDITION[] AggrCondition    |
   | UUID[]      PredID           |
   | UUID[]      RelID            |
   +------------------------------+

            Figure 4: The Alert class

The aggregate classes that make up Alert are:

Analyzer
   Exactly one. An instance of the Analyzer class (Section 5.3) that describes the tool/device responsible for the analysis that resulted in the alert being created and sent.

Sensor
   Zero or more. Instances of the Sensor class (Section 5.4) used to describe the sensor(s) that captured the information used during the analysis.

   Depending on the tools/devices used to detect incidents, an Analyzer may rely on the output from a single sensor or from multiple sensors to generate alerts. In addition, the Analyzer and Sensor may actually be part of the same physical device and may share some of their attributes (e.g. IP, Hostname, Model, etc.).

Source
   Zero or more. Instances of the Source class (Section 5.5) used to describe the source(s) of the incident (e.g. attackers, faulty device, etc.).

Target
   Zero or more. Instances of the Target class (Section 5.6) used to describe the target(s) of the incident, i.e. the impacted devices/users/services/locations.

Attachment
   Zero or more.
   Instances of the Attachment class (Section 5.7) used to describe the electronic artifacts captured in relation with the event. The intent of the Attachment class is to keep track of the electronic files left as a trail during the event. This may include things like on-disk files (e.g. malware samples), network packet captures, videos or still images from a camera feed, voice recordings, etc.

The Alert class has the following attributes:

Version
   Mandatory. The version of the IDMEF format in use by this alert. During the draft tuning period the version is equal to the draft version, i.e. "2.D.V0X" for draft V0X.

ID
   Mandatory. Unique identifier for the alert.

OrganisationName
   Optional. Corporate/Main Office Organisation Name. Useful if alerts are sent to a multi-organisation central incident detection manager. Example: ACME Corporation

OrganisationId
   Optional. Corporate/Main Office Organisation ID. Where possible, the official organisation ID managed by a national authority. Useful if alerts are sent to a multi-organisation central incident detection manager. This ID has to be chosen depending on the overall detection perimeter and the nature of the monitored organisation (Private/Public, Commercial, International, etc.). Examples: the OrganisationId in France could be the SIREN, in England the CR, in Germany the Handelsregisternummer, in Spain the CIF, in Italy the Partita IVA, in the USA the EIN, etc. A commercial OrganisationId in Europe could be the VAT ID.

EntityName
   Optional. Entity Name, monitored by the organisation, where the incident occurred. Could be a town, region or country name or an internal name. Could also be the name of a client for an MSSP centralizing its clients' incidents in a single system.
   Do not repeat the organisation name in the EntityName.

   Example: ACME headquarters is located in Paris, France and has a local office in India.
   - If the incident occurred in the local office: "OrganisationName": "ACME", "EntityName": "India"
   - If the incident occurred in the headquarters: "OrganisationName": "ACME", "EntityName": "Headquarters" (or "Paris")

EntityId
   Optional. Entity ID, monitored by the organisation, where the incident occurred. Useful if organisation and entity are not directly linked, like a client and an MSSP.

EntitySector
   Optional. The economic sector(s) and sub-sector(s) in which the entity operates. Values follow the dot notation sector.subsector based on the critical infrastructure taxonomy defined in the NIS2 Directive and the CER (Critical Entities Resilience) Directive. This attribute enables sector-based correlation, regulatory compliance reporting, and risk context for incident detection. Enumeration available in Table 6 (Appendix A.1).

Type
   Optional. Incident type.

   +======+==============+=======================+
   | Rank | Keyword      | Description           |
   +======+==============+=======================+
   | 0    | Cyber        | Cyber incident        |
   +------+--------------+-----------------------+
   | 1    | Physical     | Physical incident     |
   +------+--------------+-----------------------+
   | 2    | Availability | Availability incident |
   +------+--------------+-----------------------+
   | 3    | Combined     | Combined incident     |
   +------+--------------+-----------------------+

              Table 1: Incident types

Category
   Optional. Incident category. Enumeration available in Table 7.

ext-Category
   Optional. A means by which to extend the Category attribute (see Section 4.1.1).

Cause
   Optional. Incident cause. The cause can be modified by any analyzer along the path of the alert, and later by the operator and/or the analyst if a new investigation reveals and confirms a different cause of the event.
   +======+=============+=========================================+
   | Rank | Keyword     | Description                             |
   +======+=============+=========================================+
   | 0    | Normal      | The event is related to an expected     |
   |      |             | phenomenon or to a phenomenon that does |
   |      |             | not qualify as out of the ordinary.     |
   +------+-------------+-----------------------------------------+
   | 1    | Error       | The event is related to a human error.  |
   +------+-------------+-----------------------------------------+
   | 2    | Malicious   | The event is related to malicious code  |
   |      |             | or malicious actions.                   |
   +------+-------------+-----------------------------------------+
   | 3    | Malfunction | The event is related to a device or     |
   |      |             | service malfunction.                    |
   +------+-------------+-----------------------------------------+
   | 4    | Hazard      | The event is related to a hazard        |
   |      |             | phenomenon.                             |
   +------+-------------+-----------------------------------------+
   | 5    | Unknown     | The cause of the event is unknown.      |
   +------+-------------+-----------------------------------------+

                   Table 2: Incident causes

Description
   Optional. Short free-text, human-readable description of the event. The description can add detail to the event category for easier and faster comprehension by the operator. Examples:
   * Cryptoware WannaCry blocked on pegasus server
   * Unknown person entering through east doorway

Status
   Optional. Event state in the overall event lifecycle.

   +======+===============+===============================+
   | Rank | Keyword       | Description                   |
   +======+===============+===============================+
   | 0    | Event         | The event is still considered |
   |      |               | a harmless event and requires |
   |      |               | no handling.                  |
   +------+---------------+-------------------------------+
   | 1    | Incident      | The event is considered an    |
   |      |               | incident and should be taken  |
   |      |               | care of.                      |
   +------+---------------+-------------------------------+
   | 2    | Open          | The incident is confirmed and |
   |      |               | actively being investigated.  |
   +------+---------------+-------------------------------+
   | 3    | Closed        | Investigation is finished and |
   |      |               | the issue is handled.         |
   +------+---------------+-------------------------------+
   | 4    | FalsePositive | Investigation is finished;    |
   |      |               | the incident was a false      |
   |      |               | positive.                     |
   +------+---------------+-------------------------------+
   | 5    | Reported      | Incident has been reported.   |
   +------+---------------+-------------------------------+

                 Table 3: Incident statuses

Priority
   Optional. Priority of the alert. Priority is defined by combining impact and urgency. It indicates how fast the incident should be taken care of.

   +======+=========+=========================================+
   | Rank | Keyword | Description                             |
   +======+=========+=========================================+
   | 0    | Unknown | Priority unknown                        |
   +------+---------+-----------------------------------------+
   | 1    | Info    | No priority, the alert is informational |
   +------+---------+-----------------------------------------+
   | 2    | Low     | Low priority                            |
   +------+---------+-----------------------------------------+
   | 3    | Medium  | Medium priority                         |
   +------+---------+-----------------------------------------+
   | 4    | High    | High priority                           |
   +------+---------+-----------------------------------------+

                 Table 4: Incident priorities

Confidence
   Optional. A floating-point value between 0 and 1 indicating the analyzer's confidence in the reliability of this particular detection, where 0 means that the detection is surely incorrect while 1 means there is no doubt about the detection made.

Note
   Optional. Free-text, human-readable additional note, possibly a longer description of the incident if it is not already obvious. The Note attribute can be used to store any additional information.
   It can be additional information about the event and/or about the incident resolution, although the incident resolution information should in principle be stored elsewhere (with a link to the external tool in AltNames).

CreateTime
   Mandatory. Timestamp indicating when the alert was created.

StartTime
   Optional. Timestamp indicating the deduced start of the event. StartTime can be later than CreateTime in the case of alerts created from forecast information (e.g. a snow storm expected in two days, starting at 10:00).

EndTime
   Optional. Timestamp indicating the deduced end of the event.

ReportTime
   Optional. Timestamp indicating the reporting time of the event, usually to an external CSIRT or a central SIEM.

AltNames
   Optional. Alternative identifiers; strings which help pair the event to internal systems' information (for example ticket IDs inside a request tracking system).

AltCategory
   Optional. Alternate categories from a reference other than the IDMEFv2 categories (e.g. MISP, MITRE ATT&CK or another proprietary/internal reference).

Ref
   Optional. References to sources of information related to the incident and/or vulnerability, and specific to this incident. This MAY be a URL to additional info, or a URN in a registered or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:cve:CVE-2013-2266".

CorrelID
   Optional. Identifiers for the messages which were used as information sources to create this message, in case the message has been created based on correlation/analysis/deduction from other messages.

AggrCondition
   Optional. A list of IDMEF fields used to aggregate events. The values for these fields will be the same in all aggregated events. This attribute should mostly be set by intermediary nodes which detect duplicates, or which aggregate events spanning multiple detection windows into a longer one.
The "StartTime" and "EndTime" attributes are used in conjunction with this attribute to describe the aggregation window. PredID Optional. A list containing the identifiers of previous messages which are obsoleted by this message. The obsoleted alerts SHOULD NOT be used anymore. This field can be used to "update" an alert. RelID Optional. A list containing the identifiers of other messages related to this message. 5.3. The Analyzer Class The Analyzer class describes the module that has analyzed the data captured by the sensors, identified an event of interest and decided to create an alert. Lehmann Expires 28 October 2026 [Page 26] Internet-Draft IDMEFv2 April 2026 +-----------------------+ | Analyzer | +-----------------------+ | UUID ID | | IP IP | | STRING Name | | STRING Hostname | | STRING Model | | ENUM[] Category | | STRING[] ext-Category | | ENUM[] Data | | STRING[] ext-Data | | ENUM[] Method | | STRING[] ext-Method | | GEOLOC GeoLocation | | UNLOCODE UnLocation | | STRING Location | +-----------------------+ Figure 5: The Analyzer class The Analyzer class has the following attributes: ID Optional. Unique identifier for the analyzer. IP Optional. Analyzer IP address. Name Mandatory. Name of the analyzer, which must be reasonably unique, however still bear some meaningful sense. This attribute usually denotes the hierarchy of organizational units the detector belongs to and its own name. It MAY also be used to distinguish multiple analyzers running with the same IP address. Hostname Optional. Hostname of this analyzer. SHOULD be a fully-qualified domain name. Model Optional. Analyzer model description (usually its generic name, brand and version). Category Lehmann Expires 28 October 2026 [Page 27] Internet-Draft IDMEFv2 April 2026 Optional. Analyzer categories. Enumeration available here Table 8 ext-Category Optional. A means by which to extend the Category attribute. (see Section 4.1.1) Data Optional. Type of data analyzed during the detection. 
   Enumeration available in Table 9.

ext-Data
   Optional. A means by which to extend the Data attribute (see Section 4.1.1).

Method
   Optional. Detection method. Enumeration available in Table 10.

ext-Method
   Optional. A means by which to extend the Method attribute (see Section 4.1.1).

GeoLocation
   Optional. GPS coordinates for the analyzer.

UnLocation
   Optional. Standard UN/LOCODE for the analyzer.

Location
   Optional. Internal name for the location of the analyzer.

5.4. The Sensor Class

The Sensor class describes the module that captured the data before sending it to an analyzer. The Sensor may be a subpart of the Analyzer.

   +----------------------+
   |        Sensor        |
   +----------------------+
   | UUID     ID          |
   | IP       IP          |
   | STRING   Name        |
   | STRING   Hostname    |
   | STRING   Model       |
   | GEOLOC   GeoLocation |
   | UNLOCODE UnLocation  |
   | STRING   Location    |
   | STRING   CaptureZone |
   +----------------------+

       Figure 6: The Sensor class

The Sensor class has the following attributes:

ID
   Optional. Unique identifier for the sensor.

IP
   Optional. The sensor's IP address.

Name
   Mandatory. Name of the sensor, which must be reasonably unique, however still bear some meaningful sense. This attribute usually denotes the hierarchy of organizational units the sensor belongs to and its own name. It MAY also be used to distinguish multiple sensors running with the same IP address.

Hostname
   Optional. The sensor's hostname. This SHOULD be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. An empty string MAY be used to explicitly state that this value was inquired but not found (missing DNS entry).

Model
   Optional. The sensor model's description (usually its generic name, brand and version).

GeoLocation
   Optional. GPS coordinates for the sensor.

UnLocation
   Optional.
   Standard UN/LOCODE for the sensor.

Location
   Optional. Internal name for the location of the sensor.

CaptureZone
   Optional. A string that describes the "capture zone" of the sensor, as a JSON-serialized string. Depending on the type of sensor, the capture zone may for instance refer to:
   * A JSON object describing a camera's settings (elevation, horizontal and vertical field of view, azimuth, etc.)
   * A description of the IP network where packet capture is taking place.

5.5. The Source Class

The Source class describes the origin(s) of the event(s) leading up to the creation of this alert.

   +------------------------+
   |         Source         |
   +------------------------+
   | UUID       ID          |
   | IP         IP          |
   | STRING     Hostname    |
   | ENUM[]     Category    |
   | STRING     Note        |
   | STRING[]   TI          |
   | STRING     User        |
   | EMAIL      Email       |
   | PROTOCOL[] Protocol    |
   | INT[]      Port        |
   | GEOLOC     GeoLocation |
   | UNLOCODE   UnLocation  |
   | STRING     Location    |
   | ID[]       Attachment  |
   +------------------------+

       Figure 7: The Source class

The Source class has the following attributes:

ID
   Mandatory. Unique identifier for the source.

IP
   Optional. Source IP address.

Hostname
   Optional. Hostname of this source. This SHOULD be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. An empty string MAY be used to explicitly state that this value was inquired but not found (missing DNS entry).

Category
   Optional. Source category. Enumeration available in Table 11.

Note
   Optional. Free-text, human-readable additional note for this source.

TI
   Optional. Threat Intelligence data about the source. Values in this list MUST use the format "attribute:origin", where "attribute" refers to the attribute of this source that was found inside a Threat Intelligence database, and "origin" contains a short identifier for the Threat Intelligence database. E.g. "IP:Dshield".
   Please note that the same attribute may appear multiple times inside the list (because a match was found in multiple Threat Intelligence databases).

User
   Optional. User ID or login responsible for the incident.

Email
   Optional. Email address responsible for the incident. E.g. the value of the "Reply-To" or "From" header inside a phishing e-mail.

Protocol
   Optional. Protocols related to connections from/to this source. If several protocols are stacked, they MUST be ordered from the lowest (the closest to the medium) to the highest (the closest to the application) according to the ISO/OSI model.

Port
   Optional. Source ports involved in the incident. Values in this list MUST be integers and MUST be in the range 1-65535.

GeoLocation
   Optional. GPS coordinates for the source.

UnLocation
   Optional. Standard UN/LOCODE for the source.

Location
   Optional. Internal name for the location of the source.

Attachment
   Optional. Identifiers for attachments related to this source. Each identifier listed here MUST match the "Name" attribute of one of the attachments described using the Attachment class (Section 5.7).

5.6. The Target Class

The Target class describes the target(s) impacted by the event(s) leading up to the creation of this alert.

   +------------------------+
   |         Target         |
   +------------------------+
   | UUID       ID          |
   | IP         IP          |
   | STRING     Hostname    |
   | ENUM[]     Category    |
   | STRING     Note        |
   | STRING     Service     |
   | STRING     User        |
   | EMAIL      Email       |
   | INT[]      Port        |
   | GEOLOC     GeoLocation |
   | UNLOCODE   UnLocation  |
   | STRING     Location    |
   | ID[]       Attachment  |
   +------------------------+

       Figure 8: The Target class

The Target class has the following attributes:

ID
   Mandatory. Unique identifier for the target.

IP
   Optional. Target IP address.

Hostname
   Optional. Hostname of this target.
   This SHOULD be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. An empty string MAY be used to explicitly state that this value was inquired but not found (missing DNS entry).

Category
   Optional. Target category. Enumeration available in Table 12.

Note
   Optional. Free-text, human-readable additional note for this target.

Service
   Optional. High-level service (messaging, internet, ...) or process impacted by the incident.

User
   Optional. User ID or login impacted by the incident.

Email
   Optional. Email address impacted by the incident. E.g. the value of the "To" header inside a phishing e-mail.

Port
   Optional. Target ports involved in the incident. Values in this list MUST be integers and MUST be in the range 1-65535.

GeoLocation
   Optional. GPS coordinates for the target.

UnLocation
   Optional. Standard UN/LOCODE for the target.

Location
   Optional. Internal name for the location of the target.

Attachment
   Optional. Identifiers for attachments related to this target. Each identifier listed here MUST match the "Name" attribute of one of the attachments described using the Attachment class (Section 5.7).

5.7. The Attachment Class

The Attachment class contains additional data which was captured in relation with the event.

   +----------------------------+
   |         Attachment         |
   +----------------------------+
   | ID        Name             |
   | STRING    FileName         |
   | HASH[]    Hash             |
   | INT       Size             |
   | URI[]     Ref              |
   | URI[]     ExternalURI      |
   | STRING    Note             |
   | MEDIATYPE ContentType      |
   | STRING    ContentEncoding  |
   | STRING    Content          |
   +----------------------------+

       Figure 9: The Attachment class

The Attachment class has the following attributes:

Name
   Mandatory. A unique identifier among attachments that can be used to reference this attachment from other classes using the "Attachment" attribute.

FileName
   Optional. Attachment filename.
   This will usually be the original name of the captured file or the name of the file containing the captured content (e.g. a packet capture file).

Hash
   Optional. A list of hash results for the attachment's Content. The values in this list are computed over the raw value of the attachment's "Content" attribute. The hash result is computed before any other transformation (e.g. Base64 encoding) is applied to the content, so that a receiving IDMEF system may reverse the transformation, apply the same hashing function and obtain the same hash result. See also the definition of the "ContentEncoding" attribute below. It is RECOMMENDED that compatible implementations use one of the hashing functions from the SHA-2 [RFC6234] or SHA-3 [NIST.FIPS.202] families to compute the hash results in this list.

Size
   Optional. Length of the content (in bytes). This value MUST be a non-negative integer.

Ref
   Optional. References to sources of information related to the incident and/or vulnerability, and specific to this attachment.

ExternalURI
   Optional. If the attachment's content is available and/or recognizable from an external resource, this is the URI (usually a URL) to that resource. This MAY also be a URN in a registered or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:mhr:55eaf7effadc07f866d1eaed9c64e7ee49fe081a" or "magnet:?xt=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C".

Note
   Optional. Free-text, human-readable additional note for this attachment.

ContentType
   Optional. Internet Media Type of the attachment. For compatibility reasons, implementations SHOULD prefer one of the well-known media types registered with IANA [IANA_media_types].

ContentEncoding
   Optional. Content encoding.
   The following encodings are defined in this version of the specification:
   * "json": The content is a JSON value which has been serialized to a string using the serialization procedure defined in [RFC8259].
   * "base64": The content has been serialized using the Base64 encoding defined in [RFC4648]. The "base64" encoding SHOULD be used when the content contains binary data.

   If omitted, the "json" encoding MUST be assumed.

Content
   Optional. The attachment's content, in case it is directly embedded inside the message. For large attachments, it is RECOMMENDED that implementations make use of the "ExternalURI" attribute to reference a copy of the content saved in an external storage mechanism.

5.8. The JavaScript Object Notation Serialization Method

This serialization method aims to convert IDMEFv2 messages to a format that is easy to parse and process, both by software/hardware processors and by humans. It relies on the JavaScript Object Notation (JSON) Data Interchange Format defined in [RFC8259]. Conforming implementations MUST implement all the requirements specified in [RFC8259]. In addition, the following rules MUST be observed when serializing an IDMEFv2 message:

* The top-level Alert class (Section 5.2) is represented as a JSON object ([RFC8259]). This JSON object is returned to the calling process at the end of the serialization process.

* Aggregate classes are represented as JSON objects and stored as members of the top-level JSON object, using the same name as in the IDMEF data model. E.g. the Analyzer class (Section 5.3) appears under the name "Analyzer" inside the top-level JSON object.

* Attributes are stored as members of the JSON object representing the class they belong to, using the same name as in the IDMEF data model. E.g. the "Version" attribute of the Alert class (Section 5.2) is stored under the name "Version" inside the top-level JSON object.
* Lists from the IDMEF data model are represented as JSON arrays ([RFC8259]). This also applies to aggregate classes where a list is expected. E.g. the "Sensor" member inside the top-level JSON object contains a list of objects, where each object represents an instance of the Sensor class (Section 5.4).

* The various string-based data types listed in Section 3 are represented as JSON strings ([RFC8259]). Please note that the issues outlined in [RFC8259] regarding string processing also apply here.

* IDMEF attributes with the "NUMBER" data type are represented as JSON numbers ([RFC8259]).

6. Security Considerations

This document describes a data representation for exchanging security-related information between incident detection system implementations. Although there are no security concerns directly applicable to the format of this data, the data itself may contain security-sensitive information whose confidentiality, integrity, and/or availability may need to be protected. This suggests that the systems used to collect, transmit, process, and store this data should be protected against unauthorized use and that the data itself should be protected against unauthorized access.

The underlying messaging format and protocol used to exchange instances of the IDMEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The draft-lehmann-idmefv2-https-transport-01 document defines the transport of IDMEF over HTTPS, which provides such guarantees.

7. IANA Considerations

This document creates 10 identically structured registries to be managed by IANA:

* Name of the registry group: "Incident Detection Message Exchange Format v2 (IDMEF)"

* URL of the registry: http://www.iana.org/assignments/idmefv2

* Namespace format: A registry entry consists of:

   - Rank. A unique integer for this namespace.
     Ranks start at 0 and increase by one per entry. The maximum length of this list is 255.

   - Keyword. A keyword for a given IDMEF attribute. It MUST conform to the formatting specified by the IDMEF "ENUM" data type (Section 3.3.1).

   - Description. A short description of the enumerated keyword.

   - Reference. An optional list of URIs to further describe the value.

* Allocation policy: Expert Review per [RFC8126]. The reviewer will ensure that the requested registry entry conforms to the prescribed formatting. The reviewer will also ensure that the entry is an appropriate value for the attribute per the information model (Section 5).

The registries to be created are named in the "Registry Name" column of Table 5. Each registry is initially populated with the ranks, keywords and descriptions of an attribute specified in the IDMEF model (Section 5). The initial Rank, Keyword and Description fields of a given registry are listed in "Initial Values". The "Initial Values" column points to a table in this document that lists and describes each enumerated keyword. Each enumerated keyword in the table gets a corresponding entry in the given registry. The initial value of the Reference field of every registry entry described below should be this document.
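The IANA registries fix the keyword vocabulary, but a receiver still has to check the structural MUST rules of the data model itself once a JSON message has been parsed (Section 5.8): the "ext-value" pairing of Section 4.1.1, the Confidence range of Section 5.2, the 1-65535 port range and the "attribute:origin" TI syntax of Sections 5.5 and 5.6, the Attachment name references, and the rule in Section 5.7 that Hash is computed over the raw content before Base64 encoding. The following receiver-side check is an added Python example written for this page; it is not part of this draft nor of any IDMEFv2 implementation. The sample message, its identifiers, the analyzer name and the private category keyword are constructed, and the "<name>:<hex>" spelling of HASH values is an assumption of this example.

```python
import base64
import copy
import hashlib
import json

# Attributes that may carry "ext-value" (Section 4.1.1), per class.
EXTENSIBLE = {"Alert": ["Category"], "Analyzer": ["Category", "Data", "Method"]}


def decode_content(att: dict) -> bytes:
    """Raw bytes of an Attachment's Content (5.7): "json" is the default
    encoding, "base64" carries binary.  Malformed input raises ValueError
    (binascii.Error and json.JSONDecodeError are both subclasses)."""
    enc = att.get("ContentEncoding", "json")
    content = att.get("Content", "")
    if enc == "base64":
        return base64.b64decode(content, validate=True)
    if enc == "json":
        json.loads(content)                 # must be an RFC 8259 JSON text
        return content.encode("utf-8")
    raise ValueError("unknown ContentEncoding %r" % enc)


def validate(alert: dict) -> list:
    """Return the MUST-level violations found in a parsed IDMEFv2 alert."""
    problems = []

    def ext_rule(obj, cls, attr):           # 4.1.1: ext-X needs "ext-value" in X
        if "ext-" + attr in obj and "ext-value" not in obj.get(attr, []):
            problems.append('%s.ext-%s set without "ext-value"' % (cls, attr))

    for attr in EXTENSIBLE["Alert"]:
        ext_rule(alert, "Alert", attr)
    for attr in EXTENSIBLE["Analyzer"]:
        ext_rule(alert.get("Analyzer", {}), "Analyzer", attr)
    conf = alert.get("Confidence")          # 5.2: float in [0, 1]
    if conf is not None and not 0.0 <= conf <= 1.0:
        problems.append("Confidence %r outside [0, 1]" % conf)
    names = [a.get("Name") for a in alert.get("Attachment", [])]
    for cls in ("Source", "Target"):
        for i, obj in enumerate(alert.get(cls, [])):
            for port in obj.get("Port", []):                  # 5.5/5.6
                if not (isinstance(port, int) and 1 <= port <= 65535):
                    problems.append("%s[%d].Port %r not in 1-65535" % (cls, i, port))
            for ref in obj.get("Attachment", []):             # must match a Name
                if ref not in names:
                    problems.append("%s[%d] references unknown Attachment %r" % (cls, i, ref))
            for ti in obj.get("TI", []):                      # Source only
                if ti.count(":") != 1 or not all(ti.split(":")):
                    problems.append("%s[%d].TI %r is not attribute:origin" % (cls, i, ti))
    for att in alert.get("Attachment", []):
        name = att.get("Name")
        try:
            raw = decode_content(att)
        except ValueError as exc:
            problems.append("Attachment %r: undecodable Content (%s)" % (name, exc))
            continue
        if "Size" in att and att["Size"] != len(raw):
            problems.append("Attachment %r: Size %r != %d bytes" % (name, att["Size"], len(raw)))
        for h in att.get("Hash", []):
            # Assumption: a HASH reads "<name>:<hex>", e.g. "sha-256:...".  The
            # digest covers the raw bytes, i.e. before base64, as 5.7 requires.
            algo, _, digest = h.partition(":")
            try:
                ok = hashlib.new(algo.replace("-", ""), raw).hexdigest() == digest.lower()
            except ValueError:                                # unknown algorithm
                ok = False
            if not ok:
                problems.append("Attachment %r: %s digest mismatch" % (name, algo))
    return problems


# Constructed sample: PCAP_BYTES is only a pcap global header, not a capture.
PCAP_BYTES = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"
SAMPLE = {
    "Version": "2.D.V08",
    "ID": "6f1c0f3a-0d6e-4a6c-9d2b-7c0b4d3e2a11",
    "CreateTime": "2026-04-26T10:00:00Z",
    "Category": ["ext-value"], "ext-Category": ["MyCorp.BadgeClone"],
    "Confidence": 0.8,
    "Analyzer": {"Name": "acme/soc/nids-01"},
    "Source": [{"ID": "c0a3d8e2-5b7f-4e0a-8f1d-2b3c4d5e6f70", "IP": "203.0.113.7",
                "Port": [51234], "TI": ["IP:Dshield"], "Attachment": ["capture"]}],
    "Attachment": [{
        "Name": "capture", "FileName": "flow.pcap",
        "ContentType": "application/vnd.tcpdump.pcap",
        "ContentEncoding": "base64",
        "Content": base64.b64encode(PCAP_BYTES).decode("ascii"),
        "Size": len(PCAP_BYTES),
        "Hash": ["sha-256:" + hashlib.sha256(PCAP_BYTES).hexdigest()],
    }],
}


def tampered_sample() -> dict:
    """Copy of SAMPLE with five deliberate violations, one per rule."""
    bad = copy.deepcopy(SAMPLE)
    bad["Category"] = []                                # ext-Category now dangling
    bad["Source"][0]["Port"] = [0]                      # out of range
    bad["Source"][0]["Attachment"] = ["missing"]        # no such attachment
    bad["Attachment"][0]["Content"] = base64.b64encode(PCAP_BYTES + b"\x00").decode("ascii")
    return bad                                          # Size and Hash now both wrong
```

Because the hash is verified over the decoded bytes rather than over the Base64 text, the check works unchanged whether the sender chose "base64" or the default "json" encoding, which is exactly the interoperability the draft's Hash definition is after.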
   +===================+==========================================+
   | Registry Name     | Initial Values                           |
   +===================+==========================================+
   | Alert-Type        | Table 1 (Alert class (Section 5.2))      |
   +-------------------+------------------------------------------+
   | Alert-Category    | Table 7 (Alert class (Section 5.2))      |
   +-------------------+------------------------------------------+
   | Alert-Cause       | Table 2 (Alert class (Section 5.2))      |
   +-------------------+------------------------------------------+
   | Alert-Priority    | Table 4 (Alert class (Section 5.2))      |
   +-------------------+------------------------------------------+
   | Alert-Status      | Table 3 (Alert class (Section 5.2))      |
   +-------------------+------------------------------------------+
   | Analyzer-Category | Table 8 (Analyzer class (Section 5.3))   |
   +-------------------+------------------------------------------+
   | Analyzer-Data     | Table 9 (Analyzer class (Section 5.3))   |
   +-------------------+------------------------------------------+
   | Analyzer-Method   | Table 10 (Analyzer class (Section 5.3))  |
   +-------------------+------------------------------------------+

           Table 5: IANA Enumerated Value Registries

8. Acknowledgement

The following groups and individuals contributed to the creation of this document and should be recognized for their efforts.

* The former Prelude SIEM team: Thomas Andrejak & François Poirotte (co-authors of the first version of this document), Antoine Luong, Song Tran, Selim Menouar and Camille Gardet

* The core members of the SECEF (SECurity Exchange Format) consortium: Herve Debar (author of RFC 4765 - IDMEFv1), Guillaume Hiet and François Dechelle

* The H2020 7SHIELD project (Safety and Security Standards of Space Systems, ground Segments and Satellite data assets, via prevention, detection, response and mitigation of physical and cyber threats), which implemented first versions of IDMEFv2 at real scale on five pilots around Europe, helping greatly to improve it.
* The CESNET team for their work on the [IDEA0] format (based on IDMEFv1), which inspired multiple concepts of IDMEFv2.

* The [ENISA-RIST] Reference Security Incident Taxonomy Working Group

* The ReelIT company, which actively contributed to the finalization of this draft

9. References

9.1. Normative References

[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, DOI 10.17487/RFC5321, October 2008.

[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10.17487/RFC2046, November 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008.

[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005.

[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005.

[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006.

[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008.

[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, . [UNICODE] Unicode Consortium, "Unicode Standard", version 14.0.0, 14 September 2021, . [ENISA-RIST] ENISA, "Reference Incident Classification Taxonomy", 26 January 2018, . [IANA_media_types] IANA, "Media Types", . [IANA_hash_function_text_names] IANA, "Hash Function Textual Names", . [UN-LOCODE] UNECE, "UN/LOCODE Code List by Country and Territory", 6 July 2021, . 9.2. Informative References [RFC4765] Debar, H., Curry, D., and B. Feinstein, "The Intrusion Detection Message Exchange Format (IDMEF)", RFC 4765, DOI 10.17487/RFC4765, March 2007, . Lehmann Expires 28 October 2026 [Page 41] Internet-Draft IDMEFv2 April 2026 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, . [NIST.FIPS.202] Dworkin, Morris J., "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", NIST NIST FIPS 202, DOI 10.6028/NIST.FIPS.202, July 2015, . [WGS84] National Imagery and Mapping Agency, "Department of Defense World Geodetic System 1984: Its Definition and Relationships with Local Geodetic Systems", Third Edition, 1984, . [IDEA0] CESNET, "Intrusion Detection Extensible Alert version 0", 25 September 2015, . Appendix A. Enumerations A.1. 
Entity Sector +======+==================================+========================+ | Rank | Keyword | Definition | +======+==================================+========================+ | 0 | Undefined | Sector undefined | +------+----------------------------------+------------------------+ | 1 | Banking.Banking | Banking institutions | | | | and credit activities | +------+----------------------------------+------------------------+ | 2 | Banking.Other | Other banking and | | | | financial entities | | | | critical for the | | | | stability of the | | | | financial system | +------+----------------------------------+------------------------+ | 3 | Cemeteries.Crematoria | Crematoria operations | +------+----------------------------------+------------------------+ | 4 | Cemeteries.Public | Public cemetery and | | | | crematorium facilities | +------+----------------------------------+------------------------+ Lehmann Expires 28 October 2026 [Page 42] Internet-Draft IDMEFv2 April 2026 | 5 | Cemeteries.Other | Other cemetery and | | | | funeral service | | | | entities critical for | | | | public health and | | | | social continuity | +------+----------------------------------+------------------------+ | 6 | Chemical.Production | Production of | | | | hazardous and high- | | | | consequence chemicals | +------+----------------------------------+------------------------+ | 7 | Chemical.Storage | Chemical storage and | | | | distribution | | | | facilities | +------+----------------------------------+------------------------+ | 8 | Chemical.Other | Other chemical sector | | | | entities critical for | | | | safety and security | +------+----------------------------------+------------------------+ | 9 | Civil.ElectionMonitoring | Election observation | | | | and monitoring | | | | entities | +------+----------------------------------+------------------------+ | 10 | Civil.HumanitarianAid | Humanitarian aid | | | | organizations | 
+------+----------------------------------+------------------------+ | 11 | Civil.NGOs | Non-governmental | | | | organizations with | | | | critical functions | +------+----------------------------------+------------------------+ | 12 | Civil.Other | Other civil society | | | | entities critical for | | | | democratic processes | | | | and social stability | +------+----------------------------------+------------------------+ | 13 | Cultural.Archives | National and regional | | | | archives | +------+----------------------------------+------------------------+ | 14 | Cultural.HistoricalSites | Historical monuments | | | | and archaeological | | | | sites | +------+----------------------------------+------------------------+ | 15 | Cultural.Libraries | National and public | | | | libraries | +------+----------------------------------+------------------------+ | 16 | Cultural.Museums | Museums and exhibition | | | | spaces | +------+----------------------------------+------------------------+ | 17 | Cultural.Other | Other cultural | Lehmann Expires 28 October 2026 [Page 43] Internet-Draft IDMEFv2 April 2026 | | | heritage entities | | | | critical for national | | | | identity and | | | | continuity | +------+----------------------------------+------------------------+ | 18 | Defense.CommandControl | Military C4ISR systems | | | | (command, control, | | | | communications, | | | | computers, | | | | intelligence, | | | | surveillance, | | | | reconnaissance) | +------+----------------------------------+------------------------+ | 19 | Defense.Cyber | Military cyber defense | | | | and security | | | | operations centers | +------+----------------------------------+------------------------+ | 20 | Defense.IndustrialBase | Defense manufacturing, | | | | weapons systems, | | | | munitions production | +------+----------------------------------+------------------------+ | 21 | Defense.Logistics | Military supply | | | | chains, fuel depots, | | | | ammunition storage | 
+------+----------------------------------+------------------------+ | 22 | Defense.Installations | Military bases, | | | | headquarters, and | | | | operational facilities | +------+----------------------------------+------------------------+ | 23 | Defense.Research | Defense laboratories | | | | and R&D facilities | +------+----------------------------------+------------------------+ | 24 | Defense.Other | Other defense and | | | | military entities | | | | critical for national | | | | security | +------+----------------------------------+------------------------+ | 25 | Digital.CloudServices | Cloud computing and | | | | critical digital | | | | services | +------+----------------------------------+------------------------+ | 26 | Digital.DataCenters | Data center hosting | | | | and infrastructure | | | | services | +------+----------------------------------+------------------------+ | 27 | Digital.DigitalProviders | Online marketplaces, | | | | search engines and | | | | social media platforms | Lehmann Expires 28 October 2026 [Page 44] Internet-Draft IDMEFv2 April 2026 +------+----------------------------------+------------------------+ | 28 | Digital.DomainNameSystems | DNS service providers | | | | and TLD registries | +------+----------------------------------+------------------------+ | 29 | Digital.ICTServiceManagement | ICT service management | | | | B2B services | +------+----------------------------------+------------------------+ | 30 | Digital.SatelliteCommunications | Satellite | | | | communication networks | | | | and ground stations | +------+----------------------------------+------------------------+ | 31 | Digital.TelecomNetworks | Fixed and mobile | | | | telecommunications | | | | networks | +------+----------------------------------+------------------------+ | 32 | Digital.UnderseaCables | Submarine | | | | communications cable | | | | infrastructure | +------+----------------------------------+------------------------+ | 33 | 
Digital.Other | Other digital and | | | | telecommunications | | | | entities critical for | | | | the continuity of | | | | digital services | +------+----------------------------------+------------------------+ | 34 | Education.PrimarySecondary | Primary and secondary | | | | schools | +------+----------------------------------+------------------------+ | 35 | Education.ResearchSchools | Research-focused | | | | educational | | | | institutions | +------+----------------------------------+------------------------+ | 36 | Education.Universities | Universities and | | | | higher education | | | | institutions | +------+----------------------------------+------------------------+ | 37 | Education.Other | Other educational | | | | entities critical for | | | | societal continuity | +------+----------------------------------+------------------------+ | 38 | Emergency.CivilProtection | Civil protection and | | | | disaster management | | | | agencies | +------+----------------------------------+------------------------+ | 39 | Emergency.Medical | Ambulance services and | | | | emergency medical | | | | response | +------+----------------------------------+------------------------+ Lehmann Expires 28 October 2026 [Page 45] Internet-Draft IDMEFv2 April 2026 | 40 | Emergency.FireAndRescue | Firefighting and | | | | rescue services | +------+----------------------------------+------------------------+ | 41 | Emergency.Police | Law enforcement | | | | agencies and | | | | operations | +------+----------------------------------+------------------------+ | 42 | Emergency.Other | Other emergency | | | | response entities | | | | critical for public | | | | safety | +------+----------------------------------+------------------------+ | 43 | Energy.DistrictHeating | Operation of district | | | | heating networks | +------+----------------------------------+------------------------+ | 44 | Energy.Electricity | Generation, | | | | transmission and | | | | distribution of | | | | 
electrical power | +------+----------------------------------+------------------------+ | 45 | Energy.Gas | Transport, storage and | | | | distribution of | | | | natural gas | +------+----------------------------------+------------------------+ | 46 | Energy.Hydrogen | Production, transport | | | | and storage of | | | | hydrogen | +------+----------------------------------+------------------------+ | 47 | Energy.Nuclear | Nuclear power | | | | generation and fuel | | | | cycle facilities | +------+----------------------------------+------------------------+ | 48 | Energy.Oil | Refining, transport | | | | and storage of | | | | petroleum products | +------+----------------------------------+------------------------+ | 49 | Energy.Other | Other energy entities | | | | critical for the | | | | continuity of energy | | | | supply | +------+----------------------------------+------------------------+ | 50 | Finance.MarketInfrastructures | Stock exchanges and | | | | clearing houses | +------+----------------------------------+------------------------+ | 51 | Finance.Insurance | Systemically important | | | | insurance entities | +------+----------------------------------+------------------------+ | 52 | Finance.PaymentSystems | Card schemes, | Lehmann Expires 28 October 2026 [Page 46] Internet-Draft IDMEFv2 April 2026 | | | transfers and instant | | | | payment systems | +------+----------------------------------+------------------------+ | 53 | Finance.Other | Other financial | | | | entities critical for | | | | the stability of the | | | | financial system | +------+----------------------------------+------------------------+ | 54 | Food.AgriculturalProduction | Strategic agricultural | | | | and livestock | | | | production | +------+----------------------------------+------------------------+ | 55 | Food.FoodDistribution | Retail and logistics | | | | for food supply chains | +------+----------------------------------+------------------------+ | 56 | 
Food.FoodProcessing | Industrial food | | | | processing and | | | | manufacturing | +------+----------------------------------+------------------------+ | 57 | Food.FoodSafety | Food safety inspection | | | | and control | | | | authorities | +------+----------------------------------+------------------------+ | 58 | Food.Other | Other food sector | | | | entities critical for | | | | the continuity of the | | | | food supply chain | +------+----------------------------------+------------------------+ | 59 | Health.BloodAndTissue | Blood banks, tissue | | | | banks, and | | | | transplantation | | | | services | +------+----------------------------------+------------------------+ | 60 | Health.HealthcareProviders | Hospitals and clinics | | | | providing essential | | | | care | +------+----------------------------------+------------------------+ | 61 | Health.Laboratories | Medical analysis and | | | | diagnostic | | | | laboratories | +------+----------------------------------+------------------------+ | 62 | Health.MedicalDevices | Manufacture and | | | | maintenance of | | | | critical medical | | | | devices | +------+----------------------------------+------------------------+ | 63 | Health.PharmaceuticalSupplyChain | Manufacturing, | | | | wholesale and | Lehmann Expires 28 October 2026 [Page 47] Internet-Draft IDMEFv2 April 2026 | | | distribution of | | | | pharmaceuticals | +------+----------------------------------+------------------------+ | 64 | Health.PublicHealth | Public health agencies | | | | and epidemiological | | | | surveillance | +------+----------------------------------+------------------------+ | 65 | Health.Other | Other health entities | | | | critical for the | | | | continuity of | | | | healthcare services | +------+----------------------------------+------------------------+ | 66 | Logistics.FreightForwarding | Freight forwarding and | | | | cargo management | +------+----------------------------------+------------------------+ | 67 
| Logistics.LastMileDelivery | Last-mile delivery | | | | services | +------+----------------------------------+------------------------+ | 68 | Logistics.ThirdPartyLogistics | Third-party logistics | | | | providers | +------+----------------------------------+------------------------+ | 69 | Logistics.Warehousing | Strategic warehousing | | | | and storage facilities | +------+----------------------------------+------------------------+ | 70 | Logistics.Other | Other logistics | | | | entities critical for | | | | supply chain | | | | continuity | +------+----------------------------------+------------------------+ | 71 | Manufacturing.Aerospace | Aerospace and aviation | | | | manufacturing | +------+----------------------------------+------------------------+ | 72 | Manufacturing.Batteries | Battery manufacturing | | | | and energy storage | | | | production | +------+----------------------------------+------------------------+ | 73 | Manufacturing.Chemical | Chemical manufacturing | | | | and industrial | | | | processes | +------+----------------------------------+------------------------+ | 74 | Manufacturing.Electronic | Manufacture of | | | | computer, electronic | | | | and optical products | +------+----------------------------------+------------------------+ | 75 | Manufacturing.Defense | Defense manufacturing | | | | and strategic military | | | | supply chains | +------+----------------------------------+------------------------+ Lehmann Expires 28 October 2026 [Page 48] Internet-Draft IDMEFv2 April 2026 | 76 | Manufacturing.MedicalDevices | Manufacture of medical | | | | devices and equipment | +------+----------------------------------+------------------------+ | 77 | Manufacturing.MotorVehicles | Manufacture of motor | | | | vehicles and transport | | | | equipment | +------+----------------------------------+------------------------+ | 78 | Manufacturing.Pharmaceutical | Pharmaceutical | | | | manufacturing and | | | | active pharmaceutical | | | 
| ingredients | +------+----------------------------------+------------------------+ | 79 | Manufacturing.Semiconductors | Semiconductor | | | | fabrication and | | | | microelectronics | | | | manufacturing | +------+----------------------------------+------------------------+ | 80 | Manufacturing.Strategic | Critical manufacturing | | | | such as metallurgy and | | | | components | +------+----------------------------------+------------------------+ | 81 | Manufacturing.Other | Other manufacturing | | | | entities critical for | | | | industrial resilience | | | | and strategic supply | | | | chains | +------+----------------------------------+------------------------+ | 82 | Media.Infrastructure | Transmitters, towers, | | | | and broadcast | | | | distribution | | | | infrastructure | +------+----------------------------------+------------------------+ | 83 | Media.OnlineMedia | Digital news platforms | | | | and content providers | +------+----------------------------------+------------------------+ | 84 | Media.Press | Newspapers, publishing | | | | houses, and press | | | | agencies | +------+----------------------------------+------------------------+ | 85 | Media.Radio | Radio broadcasting | | | | networks and studios | +------+----------------------------------+------------------------+ | 86 | Media.Television | Television | | | | broadcasting networks | | | | and studios | +------+----------------------------------+------------------------+ | 87 | Media.Other | Other media entities | | | | critical for | Lehmann Expires 28 October 2026 [Page 49] Internet-Draft IDMEFv2 April 2026 | | | information integrity | | | | and public | | | | communication | +------+----------------------------------+------------------------+ | 88 | Mining.CriticalRawMaterials | Extraction and | | | | processing of critical | | | | raw materials | +------+----------------------------------+------------------------+ | 89 | Mining.EnergyMinerals | Coal, uranium, and | | | | other 
energy mineral | | | | mining | +------+----------------------------------+------------------------+ | 90 | Mining.Other | Other mining entities | | | | critical for resource | | | | security | +------+----------------------------------+------------------------+ | 91 | Nuclear.FuelCycle | Nuclear fuel | | | | production, | | | | enrichment, | | | | reprocessing, and | | | | waste management | +------+----------------------------------+------------------------+ | 92 | Nuclear.Medical | Nuclear medical | | | | facilities and | | | | radioisotope | | | | production | +------+----------------------------------+------------------------+ | 93 | Nuclear.PowerGeneration | Civil nuclear power | | | | plants and associated | | | | facilities | +------+----------------------------------+------------------------+ | 94 | Nuclear.Research | Nuclear research | | | | reactors and | | | | laboratories | +------+----------------------------------+------------------------+ | 95 | Nuclear.Other | Other nuclear entities | | | | critical for safety | | | | and security | +------+----------------------------------+------------------------+ | 96 | Postal.CourierServices | Postal and courier | | | | services | +------+----------------------------------+------------------------+ | 97 | Postal.Other | Other postal and | | | | courier entities | | | | critical for the | | | | continuity of mail and | | | | parcel services | +------+----------------------------------+------------------------+ Lehmann Expires 28 October 2026 [Page 50] Internet-Draft IDMEFv2 April 2026 | 98 | Administration.CentralGovernment | Central government | | | | ministries and | | | | agencies | +------+----------------------------------+------------------------+ | 99 | Administration.Diplomatic | Embassies, consulates, | | | | and diplomatic | | | | missions | +------+----------------------------------+------------------------+ | 100 | Administration.EmergencyServices | Police, fire, rescue, | | | | and emergency 
medical | | | | services | +------+----------------------------------+------------------------+ | 101 | Administration.Judiciary | Courts, judicial | | | | systems, and | | | | correctional | | | | facilities | +------+----------------------------------+------------------------+ | 102 | Administration.Local | Regional and municipal | | | | public services | +------+----------------------------------+------------------------+ | 103 | Administration.Other | Other public | | | | administration | | | | entities critical for | | | | the continuity of | | | | public services | +------+----------------------------------+------------------------+ | 104 | Religious.PilgrimageSites | Major pilgrimage | | | | destinations | +------+----------------------------------+------------------------+ | 105 | Religious.PlacesOfWorship | Churches, mosques, | | | | synagogues, temples, | | | | and other religious | | | | buildings | +------+----------------------------------+------------------------+ | 106 | Religious.Other | Other religious sites | | | | critical for community | | | | continuity | +------+----------------------------------+------------------------+ | 107 | Research.BiologicalSafety | BSL-3 and BSL-4 high- | | | | containment | | | | laboratories | +------+----------------------------------+------------------------+ | 108 | Research.ChemicalSafety | High-containment | | | | chemical research | | | | facilities | +------+----------------------------------+------------------------+ | 109 | Research.Research | Key research | | | | laboratories with | Lehmann Expires 28 October 2026 [Page 51] Internet-Draft IDMEFv2 April 2026 | | | strategic importance | +------+----------------------------------+------------------------+ | 110 | Research.Other | Other research | | | | entities critical for | | | | strategic research | | | | continuity and | | | | innovation | +------+----------------------------------+------------------------+ | 111 | Space.GroundStations | Satellite ground 
| | | | control and telemetry | | | | stations | +------+----------------------------------+------------------------+ | 112 | Space.LaunchFacilities | Space launch sites and | | | | associated | | | | infrastructure | +------+----------------------------------+------------------------+ | 113 | Space.SpaceActivities | Space industry and | | | | satellite operations | +------+----------------------------------+------------------------+ | 114 | Space.Other | Other space entities | | | | critical for the | | | | continuity of space- | | | | based services and | | | | infrastructure | +------+----------------------------------+------------------------+ | 115 | Transport.Aviation | Airports, air traffic | | | | control and airline | | | | operations | +------+----------------------------------+------------------------+ | 116 | Transport.Maritime | Ports, terminals and | | | | maritime traffic | | | | management | +------+----------------------------------+------------------------+ | 117 | Transport.Pipeline | Oil, gas, and hydrogen | | | | pipeline | | | | infrastructure | +------+----------------------------------+------------------------+ | 118 | Transport.PublicTransport | Urban and regional | | | | public transportation | | | | systems | +------+----------------------------------+------------------------+ | 119 | Transport.Rail | Railway infrastructure | | | | and train operations | +------+----------------------------------+------------------------+ | 120 | Transport.Road | Traffic management and | | | | strategic road | | | | logistics | +------+----------------------------------+------------------------+ Lehmann Expires 28 October 2026 [Page 52] Internet-Draft IDMEFv2 April 2026 | 121 | Transport.Other | Other transport | | | | entities critical for | | | | the continuity of | | | | passenger and freight | | | | mobility | +------+----------------------------------+------------------------+ | 122 | Waste.Hazardous | Collection, treatment | | | | and disposal of | 
| | | hazardous waste | +------+----------------------------------+------------------------+ | 123 | Waste.NonHazardous | Management of non- | | | | hazardous solid waste | +------+----------------------------------+------------------------+ | 124 | Waste.Nuclear | Nuclear waste | | | | management and storage | | | | facilities | +------+----------------------------------+------------------------+ | 125 | Waste.Recycling | Waste processing and | | | | recycling operations | +------+----------------------------------+------------------------+ | 126 | Waste.Other | Other waste management | | | | entities critical for | | | | the continuity of | | | | waste services | +------+----------------------------------+------------------------+ | 127 | Water.DamsAndReservoirs | Dam and reservoir | | | | infrastructure for | | | | water management | +------+----------------------------------+------------------------+ | 128 | Water.DrinkingWater | Capture, treatment and | | | | distribution of | | | | potable water | +------+----------------------------------+------------------------+ | 129 | Water.Irrigation | Large-scale | | | | agricultural | | | | irrigation systems | +------+----------------------------------+------------------------+ | 130 | Water.Wastewater | Collection and | | | | treatment of sewage | | | | and wastewater | +------+----------------------------------+------------------------+ | 131 | Water.Other | Other water entities | | | | critical for the | | | | continuity of water | | | | supply and sanitation | +------+----------------------------------+------------------------+ Table 6: Entity Sectors Lehmann Expires 28 October 2026 [Page 53] Internet-Draft IDMEFv2 April 2026 A.2. 
Alert Category +====+===============================+==============================+ |Rank| Keyword | Description | +====+===============================+==============================+ |0 | Abuse.Coercion | The practice of compelling | | | | an individual to act against | | | | their will by using force, | | | | threats, intimidation, or | | | | extreme dependency, often | | | | for personal or financial | | | | gain. | +----+-------------------------------+------------------------------+ |1 | Abuse.Extermism | The process of socializing | | | | an individual, often through | | | | psychological manipulation, | | | | to adopt the beliefs and | | | | goals of a violent extremist | | | | group and become willing to | | | | engage in activities that | | | | support the group. | +----+-------------------------------+------------------------------+ |2 | Abuse.Grooming | The process of deliberately | | | | building an emotional | | | | connection with a person to | | | | lower their inhibitions for | | | | the purpose of sexual abuse, | | | | exploitation, or | | | | trafficking. | +----+-------------------------------+------------------------------+ |3 | Abuse.Harassment | A pattern of unwanted, | | | | intrusive behavior | | | | (physical, verbal, or | | | | online) directed at a | | | | specific person that causes | | | | fear, distress, or emotional | | | | harm. | +----+-------------------------------+------------------------------+ |4 | Abuse.Trafficking | The act of recruiting, | | | | transporting, transferring, | | | | harboring, or receiving a | | | | person through force, fraud, | | | | or coercion for the purpose | | | | of exploitation, such as | | | | forced labor or sexual | | | | servitude. 
| +----+-------------------------------+------------------------------+ |5 | Abuse.Other | Any other incident involving | Lehmann Expires 28 October 2026 [Page 54] Internet-Draft IDMEFv2 April 2026 | | | manipulation or coercion of | | | | people for harmful purposes | | | | that does not fit into the | | | | specific abuse | | | | subcategories. | +----+-------------------------------+------------------------------+ |6 | Access.Authorized | An incident involving | | | | legitimate, approved access | | | | to resources that may be | | | | relevant for auditing, | | | | monitoring, or establishing | | | | a baseline of normal | | | | activity. | +----+-------------------------------+------------------------------+ |7 | Access.Backdoor | The installation or | | | | discovery of a concealed | | | | method of bypassing normal | | | | authentication or encryption | | | | in a computer system, | | | | product, or embedded device. | +----+-------------------------------+------------------------------+ |8 | Access.Clonned | The act of creating an | | | | unauthorized copy of a | | | | physical or digital security | | | | credential, such as an | | | | access card, to gain illicit | | | | entry to a facility or | | | | system. | +----+-------------------------------+------------------------------+ |9 | Access.Compromise | An incident where a | | | | legitimate user's | | | | credentials (e.g., username/ | | | | password) are stolen or | | | | guessed and used by an | | | | unauthorized individual to | | | | gain access to systems or | | | | data. | +----+-------------------------------+------------------------------+ |10 | Access.Escalation | An incident where a user or | | | | process gains access rights, | | | | permissions, or capabilities | | | | that exceed those normally | | | | assigned, often to bypass | | | | security restrictions. 
| +----+-------------------------------+------------------------------+ |11 | Access.Forced | An incident involving the | | | | use of physical force to | | | | breach a barrier (e.g., | Lehmann Expires 28 October 2026 [Page 55] Internet-Draft IDMEFv2 April 2026 | | | lock, door, window) or the | | | | repeated systematic guessing | | | | of passwords to gain | | | | unauthorized access. | +----+-------------------------------+------------------------------+ |12 | Access.Lost | An incident where physical | | | | or digital access | | | | credentials (e.g., keys, ID | | | | badges, login details) are | | | | misplaced, stolen, or used | | | | by an unauthorized person. | +----+-------------------------------+------------------------------+ |13 | Access.Tailgating | A physical security breach | | | | where an unauthorized person | | | | follows an authorized | | | | individual through a secured | | | | entry point, circumventing | | | | access control mechanisms. | +----+-------------------------------+------------------------------+ |14 | Access.Unauthorized | An incident involving | | | | physical entry into a | | | | restricted building, room, | | | | or area without proper | | | | authorization. | +----+-------------------------------+------------------------------+ |15 | Access.Other | Any other incident related | | | | to physical or digital | | | | access that does not fit | | | | into the specific access | | | | subcategories. | +----+-------------------------------+------------------------------+ |16 | Availability.DDoS | An incident where multiple | | | | compromised systems (a | | | | botnet) are used to target a | | | | single system with a flood | | | | of traffic, causing a denial | | | | of service. 
| +----+-------------------------------+------------------------------+ |17 | Availability.DoS | An incident where a single | | | | machine or network attempts | | | | to make a system, service, | | | | or network resource | | | | unavailable by overwhelming | | | | it with malicious requests | | | | or traffic. | +----+-------------------------------+------------------------------+ |18 | Availability.Failure | An incident caused by the | | | | unintentional malfunction of | Lehmann Expires 28 October 2026 [Page 56] Internet-Draft IDMEFv2 April 2026 | | | hardware or software due to | | | | errors, bugs, wear and tear, | | | | or other faults, leading to | | | | service degradation or | | | | unavailability. | +----+-------------------------------+------------------------------+ |19 | Availability.HeartBeat | A periodic signal generated | | | | by hardware or software to | | | | indicate normal operation, | | | | often used for monitoring | | | | system health, connectivity, | | | | or location tracking. | +----+-------------------------------+------------------------------+ |20 | Availability.Misconfiguration | An incident where incorrect | | | | configuration of systems, | | | | software, or networks leads | | | | to service disruptions, | | | | outages, or security | | | | vulnerabilities. | +----+-------------------------------+------------------------------+ |21 | Availability.Outage | An incident where essential | | | | utilities or services (such | | | | as electricity, water, or | | | | network connectivity) become | | | | unavailable, disrupting | | | | normal operations. | +----+-------------------------------+------------------------------+ |22 | Availability.Overload | An incident where a system | | | | or component is subjected to | | | | a load beyond its designed | | | | capacity, leading to | | | | performance degradation or | | | | failure, even if the load is | | | | not malicious. 
   | 23  | Availability.Other             | Any other incident that impacts the availability of resources or services, not covered by the specific subcategories.
   | 24  | Biological.Animal              | An incident where animals pose a direct threat to human safety, public health (e.g., zoonotic diseases), or economic stability (e.g., livestock diseases).
   | 25  | Biological.Epidemic            | The rapid and widespread occurrence of an infectious disease in a specific population or region, exceeding what is normally expected.
   | 26  | Biological.Insect              | An incident involving a harmful outbreak or infestation of insects that threatens public health, agriculture, livestock, or property.
   | 27  | Biological.Zombies             | A fictional or hypothetical scenario involving a pathogen that causes a pandemic of aggressive, infectious behavior, often used as a metaphor for worst-case outbreak scenarios in planning.
   | 28  | Biological.Other               | Any other incident caused by biological processes not covered by specific subcategories.
   | 29  | Climat.Drought                 | A prolonged period of below-average precipitation leading to a water shortage, which can impact agriculture, ecosystems, and water supplies.
   | 30  | Climat.LakeOutburst            | An incident where a glacial lake dam (often moraine or ice) fails, rapidly releasing a large volume of water and causing devastating floods downstream.
   | 31  | Climat.Wildfire                | An unplanned and uncontrolled fire burning in natural or rural areas, often exacerbated by climatic conditions like drought, wind, and heat.
   | 32  | Climat.Other                   | Any other incident caused by long-lived atmospheric processes (climatological) not covered by specific subcategories.
   | 33  | Extraterrestrial.Aliens        | A hypothetical incident involving the discovery of or interaction with extraterrestrial intelligent life, a theoretical scenario in scientific and security planning.
   | 34  | Extraterrestrial.Impact        | An incident involving a celestial object (asteroid, meteoroid, comet) colliding with Earth, potentially causing localized or global damage.
   | 35  | Extraterrestrial.SpaceWeather  | An event caused by solar or cosmic activity, such as solar flares or geomagnetic storms, that can disrupt Earth's technological infrastructure.
   | 36  | Extraterrestrial.Other         | Any other incident caused by an extraterrestrial process not covered by specific subcategories.
   | 37  | Fraud.Copyright                | The act of reproducing, distributing, or installing software, media, or other materials in violation of their copyright, often for personal gain or distribution (piracy).
   | 38  | Fraud.Corruption               | A fraudulent scheme that is made possible by the abuse of power or position by a trusted individual (e.g., employee, official) who acts for personal gain.
   | 39  | Fraud.Espionnage               | The use of illegal or unethical means, such as hacking, bribery, or theft, to acquire a competitor's trade secrets, intellectual property, or other confidential business information.
   | 40  | Fraud.Masquerade               | A type of attack where an attacker illegitimately assumes the identity of another user, process, or system to gain unauthorized access, privileges, or benefits.
   | 41  | Fraud.Phishing                 | A cyber attack where an attacker disguises themselves as a trustworthy entity (e.g., via email or a fake website) to trick a victim into revealing sensitive information like usernames, passwords, or credit card details.
   | 42  | Fraud.Usage                    | The use of an organization's assets (e.g., computing power, network, email) for non-work-related, often illegal, activities without authorization.
   | 43  | Fraud.Other                    | Any other incident involving deception for financial or reputational gain that does not fit into the specific fraud subcategories.
   | 44  | Geophysical.Earthquake         | An incident caused by a sudden, rapid shaking of the earth resulting from the movement of tectonic plates, which can cause ground shaking, surface rupture, and tsunamis.
   | 45  | Geophysical.MassMovement       | An incident involving the downslope movement of rock, soil, or snow under the force of gravity, such as landslides, avalanches, or rockfalls.
   | 46  | Geophysical.Other              | Any other incident caused by solid-earth processes not covered by specific geophysical subcategories.
   | 47  | Geophysical.Volcanic           | An incident caused by the eruption of magma and volcanic gases from a volcano, which can produce lava flows, pyroclastic flows, ashfall, and lahars.
   | 48  | Hydro.Flood                    | An incident where water submerges land that is normally dry, often caused by heavy rain, storm surge, or dam failure, leading to property damage and risk to life.
   | 49  | Hydro.Landslide                | An incident involving the downward movement of slope materials (soil, rock) triggered by water saturation from heavy rain or snowmelt.
   | 50  | Hydro.Wave                     | An incident involving destructive waves, such as tsunamis or storm surges, that can cause coastal flooding, erosion, and damage.
   | 51  | Hydro.Other                    | Any other incident caused by the movement, distribution, and quality of water, not covered by specific hydrological subcategories.
   | 52  | Insider.Malicious              | A security incident caused by a current or former employee, contractor, or other trusted insider who intentionally acts to harm the organization, its data, or its people.
   | 53  | Insider.Negligent              | A security incident caused unintentionally by an insider, such as through carelessness, lack of awareness, or simple human error, leading to data exposure or system compromise.
   | 54  | Insider.Other                  | Any other security incident involving an insider (trusted individual) that does not fit into the specific insider threat subcategories.
   | 55  | Malware.Adware                 | A type of software that automatically displays or downloads unwanted advertisements, often in a disruptive manner, and may track user behavior.
   | 56  | Malware.Backdoor               | A type of malware that bypasses normal authentication to give an attacker persistent remote access to a compromised system, often enabling data theft or installation of additional malware.
   | 57  | Malware.Cryptominer            | A type of malware that secretly uses a victim's computing resources to mine cryptocurrency, causing degraded performance and increased power consumption without consent.
   | 58  | Malware.Downloader             | A type of malware designed to download and install other malicious software from a remote server, typically acting as the first stage in a multi-step attack.
   | 59  | Malware.Ransomware             | A type of malware that encrypts a victim's files or systems, rendering them inaccessible, and demands a ransom payment, often in cryptocurrency, for the decryption key.
   | 60  | Malware.Rootkit                | A type of malware designed to hide its presence and grant an attacker persistent, privileged access to a compromised system while evading detection.
   | 61  | Malware.Spyware                | A type of software that secretly monitors and collects information about a user's activities, such as keystrokes, browsing habits, and personal data, without their consent.
   | 62  | Malware.Trojan                 | A type of malware that disguises itself as legitimate or desirable software to trick users into installing it, after which it can perform malicious actions.
   | 63  | Malware.Virus                  | A type of malicious software that attaches itself to a legitimate program or file and replicates itself to spread to other programs, often requiring human action to propagate.
   | 64  | Malware.Worm                   | A type of standalone malicious software that replicates itself to spread across networks, often exploiting vulnerabilities without requiring human interaction.
   | 65  | Malware.Other                  | Any other incident involving malicious software that does not fit into the specific malware subcategories.
   | 66  | Meteo.Cold                     | A meteorological incident involving a rapid fall in temperature over a short period, or a prolonged period of extreme cold, posing risks to health and infrastructure.
   | 67  | Meteo.Fog                      | A meteorological incident where dense fog reduces visibility, potentially disrupting transportation and causing accidents.
   | 68  | Meteo.Heat                     | A meteorological incident involving a prolonged period of excessively hot weather, which can cause health impacts, infrastructure stress, and environmental damage.
   | 69  | Meteo.Rain                     | A meteorological incident involving excessive or prolonged rainfall that can lead to flooding, landslides, and transportation disruptions.
   | 70  | Meteo.Snow                     | A meteorological incident involving heavy snowfall and blizzard conditions, which can disrupt transportation, damage infrastructure, and pose risks to safety.
   | 71  | Meteo.Wind                     | A meteorological incident involving damaging or dangerous winds, such as from storms, tornadoes, or hurricanes, that can cause structural damage and power outages.
   | 72  | Meteo.Other                    | Any other incident caused by atmospheric processes not covered by specific meteorological subcategories.
   | 73  | National.Conflict              | A state of armed conflict between two or more nations, involving organized military forces and impacting national security.
   | 74  | National.Crime                 | Large-scale illegal activities, such as trafficking in drugs, weapons, or people, conducted by sophisticated criminal networks that pose a threat to national and international security.
   | 75  | National.Cyber                 | Large-scale cyber operations, including attacks, espionage, and disinformation campaigns, conducted by state-sponsored or state-affiliated groups against national interests.
   | 76  | National.Economical            | An incident involving significant disruption to a nation's economy, such as market crashes, hyperinflation, or trade wars, affecting national stability.
   | 77  | National.Environemental        | Incidents related to large-scale environmental shifts, such as climate change, resource scarcity, or global pandemics, that have significant national security implications.
   | 78  | National.Societal              | An incident involving large-scale public disorder, such as strikes, riots, or civil unrest, that challenges social order and may require a national-level response.
   | 79  | National.Terrorism             | An incident involving the use of violence, intimidation, or threats by non-state actors against civilians or property to achieve political, religious, or ideological objectives.
   | 80  | National.Other                 | Any other incident that has a significant impact at the national scale, not covered by specific national security subcategories.
   | 81  | Operational.Misuse             | The use of an organization's assets (e.g., computers, network, time) for purposes that are not officially authorized, which may violate policy without being malicious.
   | 82  | Operational.Policy Violation   | An incident where an individual fails to comply with established organizational policies, procedures, or security rules, whether intentionally or accidentally.
   | 83  | Operational.Process Failure    | An incident where a designed process, procedure, or workflow fails to achieve its intended outcome, leading to operational or security gaps.
   | 84  | Operational.Other              | Any other operational issue that does not fit into the specific operational incident subcategories.
   | 85  | Recon.Aerial                   | The act of using aerial platforms, such as drones or satellites, to conduct surveillance or gather intelligence about a target area.
   | 86  | Recon.Landscape                | The act of physically observing a location to gather information about security measures, layouts, or potential vulnerabilities.
   | 87  | Recon.Network                  | The practice of probing a network to discover active hosts, open ports, and services, often as a precursor to an attack or unauthorized monitoring.
   | 88  | Recon.OSINT                    | The practice of collecting and analyzing information from publicly available sources (e.g., social media, public records) for intelligence purposes.
   | 89  | Recon.Other                    | Any other incident involving scanning, spying, or monitoring to identify resources that does not fit into specific recon subcategories.
   | 90  | Sabotage.Data                  | The intentional act of deleting, altering, or corrupting digital or physical data to cause harm, disrupt operations, or cover tracks.
   | 91  | Sabotage.Destruction           | The intentional and malicious act of destroying or severely damaging physical assets, such as windows, equipment, or buildings.
   | 92  | Sabotage.Disruption            | The intentional disruption of essential services or utilities, such as electricity, water, or network connectivity, to cause operational downtime.
   | 93  | Sabotage.Equipment             | The intentional act of causing damage to operational equipment, machinery, or vehicles, often to disrupt production or operations.
   | 94  | Sabotage.Graffiti              | The act of willfully defacing, damaging, or marking public or private property with inscriptions, drawings, or tags without permission.
   | 95  | Sabotage.Tampering             | The act of deliberately meddling with or disabling security controls (e.g., locks, alarms, cameras) to compromise their effectiveness.
   | 96  | Sabotage.Vandalism             | The deliberate and malicious act of damaging, destroying, or obstructing an organization's physical assets, operations, or systems.
   | 97  | Sabotage.Other                 | Any other incident involving intentional damage to property or assets not covered by the specific sabotage subcategories.
   | 98  | Safety.Accident                | An unplanned, unforeseen event (e.g., vehicle crash, industrial mishap, chemical spill) that results in injury, loss of life, or damage to health.
   | 99  | Safety.Agression               | An incident where an individual uses physical force against another person, causing bodily harm, pain, or the fear of immediate harm.
   | 100 | Safety.Explosion               | A sudden, violent release of energy (e.g., from gas, chemicals, or explosives) that causes a blast, fire, and potential structural damage, injury, or loss of life.
   | 101 | Safety.Fire                    | An incident involving uncontrolled burning (e.g., structural, wildland, or chemical fire) that threatens human safety, property, or the environment.
   | 102 | Safety.Hostage                 | An incident where a person or group is held against their will by a captor, often to compel a third party to meet certain demands.
   | 103 | Safety.Sexual                  | An incident involving any unwanted sexual act, contact, or behavior directed against an individual without their consent.
   | 104 | Safety.Other                   | Any other incident that causes or has the potential to cause injury, loss of life, or endangerment of citizens, not covered by specific safety subcategories.
   | 105 | SocialEng.Baiting              | A social engineering attack that lures victims by offering something desirable (e.g., free music, a prize) in exchange for information or by tricking them into downloading malware.
   | 106 | SocialEng.Phishing             | A type of social engineering where attackers send fraudulent emails, appearing to be from a legitimate source, to trick recipients into revealing sensitive information or installing malware.
   | 107 | SocialEng.Pretexting           | A social engineering tactic where the attacker creates a fabricated scenario or pretends to be someone they are not to engage a victim and extract information or access.
   | 108 | SocialEng.QuidProQuo           | A social engineering tactic where the attacker offers a service or benefit (e.g., technical support) in exchange for information or access, often expecting something in return later.
   | 109 | SocialEng.Smishing             | A social engineering attack conducted via SMS (text message), where the attacker sends a fraudulent message to trick the recipient into clicking a malicious link or providing information.
   | 110 | SocialEng.Spear Phishing       | A highly targeted phishing attack directed at a specific individual, organization, or role, often using personalized information to increase credibility.
   | 111 | SocialEng.Vishing              | A social engineering attack conducted over the phone, where the attacker impersonates a legitimate entity to trick the victim into revealing sensitive information or performing actions.
   | 112 | SupplyChain.Compromise         | A security incident where an attacker exploits a vulnerability in a third-party vendor's system to gain access to or compromise the primary target's network or data.
   | 113 | SupplyChain.Disruption         | An event that disrupts the normal flow of products, services, or information within a supply chain, often impacting operations and delivery.
   | 114 | SupplyChain.Other              | Any other incident affecting the supply chain that does not fit into the specific supply chain subcategories.
   | 115 | SocialEng.Other                | Any other incident involving psychological manipulation of people to divulge information or perform actions, not covered by specific social engineering subcategories.
   | 116 | Theft.Breaches                 | A security incident involving the unauthorized access, acquisition, or disclosure of sensitive, protected, or confidential data.
   | 117 | Theft.Data                     | The unauthorized taking or copying of sensitive or confidential documents, whether in physical or digital form.
   | 118 | Theft.Equiment                 | The unlawful taking of physical hardware, such as computers, mobile phones, or servers, resulting in loss of assets and potentially the data they contain.
   | 119 | Theft.FinInfo                  | The theft of financial information, such as credit card numbers or bank account details, often for the purpose of fraudulent transactions.
   | 120 | Theft.IP                       | The unlawful acquisition of a company's intellectual property, including trade secrets, patents, formulas, or proprietary processes.
   | 121 | Theft.Machinery                | The unlawful taking of heavy equipment, vehicles, or specialized machinery, often resulting in significant operational and financial loss.
   | 122 | Theft.PII                      | The unauthorized acquisition of Personally Identifiable Information (PII) that can be used to identify, contact, or impersonate an individual.
   | 123 | Theft.Other                    | Any other incident involving the intentional stealing of physical property or digital data not covered by specific theft subcategories.
   | 124 | Other.Uncategorised            | Any incident that does not fit into one of the predefined categories in this taxonomy.
   | 125 | Other.Undetermined             | An incident whose category is currently unknown, under investigation, or cannot be determined.
   | 126 | Other.Test                     | An incident generated solely for the purpose of testing systems, processes, or training personnel.
   | 127 | Other.ext-value                | A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute (see the private extension enumeration section).
   +-----+--------------------------------+---------------------------------------------------------------------------------------------------

                        Table 7: enum_alert_category
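Two rows of Table 7 carry processing rules rather than just labels: rank 127 (Other.ext-value) says the real category lives in a separate ext-* attribute, and rank 126 (Other.Test) marks alerts that should never be treated as production incidents. The following consumer-side check is an added example, not code from this draft or from the IDMEFv2 Task Force. It assumes the list attribute is named "Category" and the private extension attribute "ext-Category" (the draft text here only says "the corresponding ext-* attribute"), and its keyword set is a constructed subset of the rows visible on this page; a real consumer loads the complete enumeration. It fails closed on keywords that are not in the table, requires the ext-* attribute whenever Other.ext-value is present, rejects a dangling ext-* attribute, and extracts the Family prefix so that cyber and physical alerts can be grouped for the cross-domain correlation the draft is designed for:

```python
"""Consumer-side check of Alert category values against Table 7 of IDMEFv2.

Added example; not code from the draft or from the IDMEFv2 Task Force.
Assumptions, labelled again where used:
  * ALERT_CATEGORIES is a constructed subset of Table 7 limited to keywords
    visible on this page; a real consumer loads the full enumeration;
  * the list attribute is named "Category" and the private extension
    attribute "ext-Category"; the draft only says "the corresponding ext-*
    attribute" here.
"""
from dataclasses import dataclass, field

# Constructed subset of Table 7 (enum_alert_category), Family.Subcategory form.
ALERT_CATEGORIES = frozenset({
    "Access.Forced", "Access.Lost", "Access.Tailgating", "Access.Unauthorized",
    "Access.Other", "Availability.DDoS", "Availability.DoS", "Availability.Failure",
    "Availability.HeartBeat", "Availability.Misconfiguration", "Availability.Outage",
    "Availability.Overload", "Availability.Other", "Fraud.Phishing", "Fraud.Masquerade",
    "Fraud.Other", "Malware.Ransomware", "Malware.Worm", "Malware.Other",
    "Meteo.Wind", "Meteo.Other", "Recon.Network", "Recon.OSINT", "Recon.Other",
    "SocialEng.Phishing", "SocialEng.Spear Phishing", "SocialEng.Other",
    "SupplyChain.Compromise", "SupplyChain.Disruption", "SupplyChain.Other",
    "Theft.Data", "Theft.PII", "Theft.Other",
    "Other.Uncategorised", "Other.Undetermined", "Other.Test", "Other.ext-value",
})
EXT_VALUE = "Other.ext-value"       # rank 127: marker that the real value is private
CATEGORY_ATTR = "Category"          # assumed attribute name
EXT_CATEGORY_ATTR = "ext-Category"  # assumed corresponding ext-* attribute


@dataclass
class CategoryCheck:
    accepted: list = field(default_factory=list)  # category values, extension resolved
    families: set = field(default_factory=set)    # "Family" prefixes, for correlation
    is_test: bool = False                         # Other.Test present (rank 126)
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def family_of(category: str) -> str:
    """'Availability.DDoS' -> 'Availability'; a private value keeps its own prefix."""
    return category.split(".", 1)[0]


def validate_categories(alert: dict) -> CategoryCheck:
    """Validate the Category list of one alert (a dict of the assumed shape)."""
    result = CategoryCheck()
    values = alert.get(CATEGORY_ATTR, [])
    if isinstance(values, str):
        values = [values]
    ext = alert.get(EXT_CATEGORY_ATTR)

    if not values:
        result.errors.append(f"{CATEGORY_ATTR} is missing or empty")
    for value in values:
        if value not in ALERT_CATEGORIES:
            # Fail closed: an unknown keyword is a schema error, not something to map.
            result.errors.append(f"unknown category {value!r}")
            continue
        if value == EXT_VALUE:
            if not ext:
                result.errors.append(
                    f"{EXT_VALUE} present but {EXT_CATEGORY_ATTR} is missing")
                continue
            result.accepted.append(ext)
            result.families.add(family_of(ext))
            continue
        if value == "Other.Test":
            result.is_test = True
        result.accepted.append(value)
        result.families.add(family_of(value))

    if ext and EXT_VALUE not in values:
        # An extension attribute without its marker value is ambiguous; reject it.
        result.errors.append(f"{EXT_CATEGORY_ATTR} given without {EXT_VALUE}")
    return result


# Constructed sample alerts (not taken from the draft).
SAMPLE_ALERTS = {
    "cyber": {"Category": ["Availability.DDoS", "Recon.Network"]},
    "physical": {"Category": ["Meteo.Wind", "Availability.Outage"]},
    "extended": {"Category": ["Other.ext-value"], "ext-Category": "Acme.BadgeCloning"},
    "dangling": {"Category": ["Access.Forced"], "ext-Category": "Acme.BadgeCloning"},
    "typo": {"Category": ["Availabilty.DDoS"]},
    "test": {"Category": ["Other.Test"]},
}

if __name__ == "__main__":
    for name, alert in SAMPLE_ALERTS.items():
        check = validate_categories(alert)
        verdict = "ok" if check.ok else "REJECT"
        print(f"{name:9} {verdict:7} families={sorted(check.families)} errors={check.errors}")
```

The "physical" sample shows why the Family prefix matters: a Meteo.Wind alert from a PSIM and an Availability.Outage alert from an NMS share nothing but their time window, and the prefix is what a correlation rule keys on. The "typo" sample shows the fail-closed choice: a misspelt keyword is rejected rather than silently mapped to Other.Uncategorised, which would hide a broken sensor.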
A.3.  Analyzer Category

   +======+===================+===============================================================
   | Rank | Keyword           | Description
   +======+===================+===============================================================
   | 0    | Undetermined      | Analyzer category is undetermined
   | 1    | APP.BAST          | Bastion Host - Secure remote access gateway
   | 2    | APP.DAST          | Dynamic Application Security Testing - Runtime application testing
   | 3    | APP.IAST          | Interactive Application Security Testing - Hybrid application testing
   | 4    | APP.RASP          | Runtime Application Self-Protection - Self-protecting applications
   | 5    | APP.SAST          | Static Application Security Testing - Source code analysis
   | 6    | CLD.CASB          | Cloud Access Security Broker - Cloud service security mediation
   | 7    | CLD.CIEM          | Cloud Infrastructure Entitlement Management - Cloud permission management
   | 8    | CLD.CSPM          | Cloud Security Posture Management - Cloud configuration monitoring
   | 9    | CLD.CWPP          | Cloud Workload Protection Platform - Cloud workload security
   | 10   | DDoS.ANTI-DDOS    | Distributed Denial of Service Protection - DDoS mitigation system
   | 11   | DDoS.SCRUB        | Scrubber/Scrubbing Center - Traffic cleaning for DDoS
   | 12   | DDoS.WAF-DDOS     | Web Application Firewall with DDoS - Integrated DDoS protection
   | 13   | EMAIL.ANTI-PHISH  | Anti-Phishing - Phishing attempt detection
   | 14   | EMAIL.DMARC       | Domain-based Message Authentication - Email authentication monitoring
   | 15   | EMAIL.SEG         | Secure Email Gateway - Comprehensive email security
   | 16   | EMAIL.SPAM-FILTER | Spam Filter - Unsolicited email detection
   | 17   | END.AM            | Application Allowlisting - Application execution control
   | 18   | END.AV            | Antivirus - Signature-based malware detection
   | 19   | END.DLP-EP        | Endpoint Data Loss Prevention - Endpoint data leakage prevention
   | 20   | END.EDR           | Endpoint Detection and Response - Advanced endpoint threat hunting
   | 21   | END.EPP           | Endpoint Protection Platform - Comprehensive endpoint security
   | 22   | END.HIDS          | Host Intrusion Detection System - Host-based threat monitoring
   | 23   | END.HIPS          | Host Intrusion Prevention System - Host-based threat prevention
   | 24   | END.HPT           | Honeypot - Deception-based threat detection
   | 25   | END.RASP          | Runtime Application Self-Protection - In-app runtime protection
   | 26   | ID.DCAP           | Data-Centric Audit and Protection - Data-centric security monitoring
   | 27   | ID.DLP            | Data Loss Prevention - Data leakage prevention across channels
   | 28   | ID.IAM            | Identity and Access Management - Identity governance and access control
   | 29   | ID.IRM            | Identity Risk Management - Identity-based risk analysis
   | 30   | ID.PAM            | Privileged Access Management - Privileged access management
   | 31   | ID.PIM            | Privileged Identity Management - Privileged account security
   | 32   | ID.UEBA           | User and Entity Behavior Analytics - Behavioral threat detection
   | 33   | NET.DNS-FW        | DNS Firewall - Malicious domain filtering
   | 34   | NET.DPI           | Deep Packet Inspection - Advanced packet analysis
   | 35   | NET.FW            | Firewall - Network traffic filtering and policy enforcement
   | 36   | NET.NAC           | Network Access Control
- | | | | Endpoint compliance and access | | | | enforcement | +------+-------------------+--------------------------------+ | 37 | NET.NBAD | Network Behavior Anomaly | | | | Detection - Anomaly detection | | | | in network behavior | +------+-------------------+--------------------------------+ | 38 | NET.NDR | Network Detection and Response | | | | - Advanced network threat | | | | hunting | +------+-------------------+--------------------------------+ | 39 | NET.NGFW | Next-Generation Firewall - | | | | Advanced firewall with app | | | | awareness | +------+-------------------+--------------------------------+ | 40 | NET.NIDS | Network Intrusion Detection | | | | System - Network traffic | | | | analysis for threats | +------+-------------------+--------------------------------+ | 41 | NET.NIPS | Network Intrusion Prevention | | | | System - Inline threat | | | | prevention | +------+-------------------+--------------------------------+ | 42 | NET.PROXY | Proxy Server - ACL and TLS | | | | session monitoring | +------+-------------------+--------------------------------+ | 43 | NET.WAF | Web Application Firewall - | | | | HTTP/HTTPS traffic filtering | +------+-------------------+--------------------------------+ | 44 | NET.WIDS | Wireless Intrusion Detection | | | | System - WiFi threat detection | Lehmann Expires 28 October 2026 [Page 76] Internet-Draft IDMEFv2 April 2026 +------+-------------------+--------------------------------+ | 45 | NET.WIPS | Wireless Intrusion Prevention | | | | System - WiFi threat | | | | prevention | +------+-------------------+--------------------------------+ | 46 | OT.IoT-IDS | IoT Intrusion Detection System | | | | - IoT device threat detection | +------+-------------------+--------------------------------+ | 47 | OT.OT-IDS | Operational Technology IDS - | | | | Industrial control system | | | | monitoring | +------+-------------------+--------------------------------+ | 48 | OT.PLC-SCAN | PLC Scanner - PLC/SCADA | | | | 
vulnerability detection | +------+-------------------+--------------------------------+ | 49 | PHY.1D-LAS | 1D Laser Sensor - Basic laser | | | | presence/distance detection | +------+-------------------+--------------------------------+ | 50 | PHY.1D-LiDAR | 1D Light Detection and Ranging | | | | Sensor - Single-beam laser for | | | | distance measurement | +------+-------------------+--------------------------------+ | 51 | PHY.2D-LAS | 2D Laser Sensor - Planar laser | | | | scanning | +------+-------------------+--------------------------------+ | 52 | PHY.2D-LiDAR | 2D Light Detection and Ranging | | | | Sensor - Planar laser scanning | | | | for 2D mapping | +------+-------------------+--------------------------------+ | 53 | PHY.3D-LAS | 3D Laser Sensor - 3D laser | | | | scanning | +------+-------------------+--------------------------------+ | 54 | PHY.3D-LiDAR | 3D Light Detection and Ranging | | | | Sensor - 3D environmental | | | | scanning and mapping | +------+-------------------+--------------------------------+ | 55 | PHY.ACCESS-CTRL | Access Control System - | | | | Physical entry/exit control | | | | monitoring | +------+-------------------+--------------------------------+ | 56 | PHY.ADS | Anti-Drone System - Drone | | | | detection and countermeasure | | | | system | +------+-------------------+--------------------------------+ | 57 | PHY.FR-CAM | Face Recognition Camera - | | | | Biometric facial recognition | | | | system | +------+-------------------+--------------------------------+ Lehmann Expires 28 October 2026 [Page 77] Internet-Draft IDMEFv2 April 2026 | 58 | PHY.GLASS-BRK | Glass Break Detector - | | | | Acoustic glass breakage | | | | detection | +------+-------------------+--------------------------------+ | 59 | PHY.HAR | Human Activity Recognition - | | | | AI-based human behavior and | | | | motion analysis | +------+-------------------+--------------------------------+ | 60 | PHY.LWIR | Long-Wave Infrared - Long-wave | | | | 
thermal imaging | +------+-------------------+--------------------------------+ | 61 | PHY.MOT-SEN | Motion Sensor - PIR/microwave | | | | motion detection | +------+-------------------+--------------------------------+ | 62 | PHY.MWIR | Mid-Wave Infrared - Mid-wave | | | | thermal imaging | +------+-------------------+--------------------------------+ | 63 | PHY.OBJ-DET | Object Detection Camera - | | | | General object detection and | | | | classification | +------+-------------------+--------------------------------+ | 64 | PHY.SWIR | Short-Wave Infrared - Short- | | | | wave infrared imaging | +------+-------------------+--------------------------------+ | 65 | PHY.VAD | Voice Activity Detection - | | | | Audio analysis for voice/ | | | | speech detection | +------+-------------------+--------------------------------+ | 66 | PHY.VNIR | Visible and Near-Infrared - | | | | Multi-spectral imaging sensor | +------+-------------------+--------------------------------+ | 67 | SIEM.ETL | Extract, Transform, Load - | | | | Data pipeline tools (Logstash, | | | | Fluentd, Vector) | +------+-------------------+--------------------------------+ | 68 | SIEM.LOG | Log Analyzer - Log aggregation | | | | and analysis (e.g., ELK Stack, | | | | Splunk) | +------+-------------------+--------------------------------+ | 69 | SIEM.NMS | Network Management System - | | | | Network monitoring and | | | | management | +------+-------------------+--------------------------------+ | 70 | SIEM.SIEM | Security Information and Event | | | | Management - Centralized | | | | security logging and alerting | +------+-------------------+--------------------------------+ | 71 | SIEM.SOAR | Security Orchestration and | Lehmann Expires 28 October 2026 [Page 78] Internet-Draft IDMEFv2 April 2026 | | | Response - Automated incident | | | | response | +------+-------------------+--------------------------------+ | 72 | TI.CTI | Cyber Threat Intelligence - | | | | Strategic threat intelligence | 
+------+-------------------+--------------------------------+ | 73 | TI.TI-FEED | Threat Intelligence Feed - | | | | External threat data streams | +------+-------------------+--------------------------------+ | 74 | TI.TIP | Threat Intelligence Platform - | | | | Threat data aggregation and | | | | analysis | +------+-------------------+--------------------------------+ | 75 | VM.ASM | Attack Surface Management - | | | | External attack surface | | | | monitoring | +------+-------------------+--------------------------------+ | 76 | VM.PENTEST | Penetration Testing Tools - | | | | Manual/automated security | | | | testing | +------+-------------------+--------------------------------+ | 77 | VM.VULN-SCANNER | Vulnerability Scanner - | | | | Automated vulnerability | | | | assessment | +------+-------------------+--------------------------------+ | 78 | ext-value | A value used to indicate that | | | | this attribute is extended and | | | | the actual value is provided | | | | using the corresponding ext-* | | | | attribute. (see Section 4.1.1) | +------+-------------------+--------------------------------+ Table 8: Analyzer Categories A.4. Analyzer Data +======+================+===========================================+ | Rank | Item | Description | +======+================+===========================================+ | 0 | Undetermined | Analyser data is undetermed. 
| +------+----------------+-------------------------------------------+ | 1 | Light | ambient light levels, flicker | | | | detection | +------+----------------+-------------------------------------------+ | 2 | Acoustics | sound pressure, specific | | | | frequencies | +------+----------------+-------------------------------------------+ | 3 | Contact | physical interaction, switch | Lehmann Expires 28 October 2026 [Page 79] Internet-Draft IDMEFv2 April 2026 | | | state | +------+----------------+-------------------------------------------+ | 4 | Vibration | mechanical oscillation, | | | | structural health | +------+----------------+-------------------------------------------+ | 5 | Temperature | ambient, device, or surface | +------+----------------+-------------------------------------------+ | 6 | Humidity | relative humidity, moisture in | | | | air | +------+----------------+-------------------------------------------+ | 7 | Rain | precipitation detection | +------+----------------+-------------------------------------------+ | 8 | Water | leak detection, immersion, | | | | water flow | +------+----------------+-------------------------------------------+ | 9 | Fog | visibility reduction, optical | | | | density | +------+----------------+-------------------------------------------+ | 10 | Particles | dust, smoke, airborne | | | | contaminants | +------+----------------+-------------------------------------------+ | 11 | Seismic | ground motion, earthquakes, | | | | vibrations | +------+----------------+-------------------------------------------+ | 12 | Magnetic | magnetic anomaly detection, | | | | proximity | +------+----------------+-------------------------------------------+ | 13 | Images | visible spectrum cameras | +------+----------------+-------------------------------------------+ | 14 | Thermal | infrared imaging, heat | | | | signatures | +------+----------------+-------------------------------------------+ | 15 | Lidar | laser-based distance | 
| | | measurement, 3D mapping | +------+----------------+-------------------------------------------+ | 16 | Network | traffic, bandwidth, | | | | connectivity | +------+----------------+-------------------------------------------+ | 17 | Flow | netflow, packet flow analysis | +------+----------------+-------------------------------------------+ | 18 | Protocol | protocol anomalies, compliance | +------+----------------+-------------------------------------------+ | 19 | Datagram | packet-level inspection | +------+----------------+-------------------------------------------+ | 20 | Host | server or device health, | | | | uptime | +------+----------------+-------------------------------------------+ | 21 | Connection | session establishment, drops | Lehmann Expires 28 October 2026 [Page 80] Internet-Draft IDMEFv2 April 2026 +------+----------------+-------------------------------------------+ | 22 | Port | open/closed, scanning activity | +------+----------------+-------------------------------------------+ | 23 | SNMP | simple network management | | | | protocol data | +------+----------------+-------------------------------------------+ | 24 | Authentication | login attempts, failures, | | | | anomalies | +------+----------------+-------------------------------------------+ | 25 | Log | system, application, security | | | | logs | +------+----------------+-------------------------------------------+ | 26 | File | file integrity, access, | | | | changes | +------+----------------+-------------------------------------------+ | 27 | Content | payload inspection, data | | | | content | +------+----------------+-------------------------------------------+ | 28 | Data | generic data streams, sensor | | | | data | +------+----------------+-------------------------------------------+ | 29 | Reporting | summary reports, alerts from | | | | other systems | +------+----------------+-------------------------------------------+ | 30 | Alert | triggered notifications | 
+------+----------------+-------------------------------------------+ | 31 | Relay | alert forwarding, escalation | +------+----------------+-------------------------------------------+ | 32 | External | third-party alerts, threat | | | | intelligence feeds | +------+----------------+-------------------------------------------+ | 33 | ext-value | A value used to indicate that | | | | this attribute is extended and | | | | the actual value is provided | | | | using the corresponding ext-* | | | | attribute. (see Section 4.1.1) | +------+----------------+-------------------------------------------+ Table 9: Analyzer Datas A.5. Analyzer Method +======+================+===========================================+ | Rank | Keyword | Description | +======+================+===========================================+ | 0 | Undetermined | Analyser method is undetermed | +------+----------------+-------------------------------------------+ | 1 | AI | An analyzer that uses machine | Lehmann Expires 28 October 2026 [Page 81] Internet-Draft IDMEFv2 April 2026 | | | learning, deep learning, or other | | | | artificial intelligence techniques to | | | | learn normal behavior and detect | | | | sophisticated or novel threats. | +------+----------------+-------------------------------------------+ | 2 | Anomaly | An analyzer that identifies | | | | deviations from established norms or | | | | baselines without relying on | | | | predefined signatures, often flagging | | | | unusual patterns in traffic, | | | | behavior, or system activity. | +------+----------------+-------------------------------------------+ | 3 | Behavioral | An analyzer that monitors and | | | | analyzes the actions of users, | | | | entities, or processes over time to | | | | detect malicious or suspicious | | | | activities that deviate from expected | | | | behavior patterns. 
| +------+----------------+-------------------------------------------+ | 4 | Biometric | An analyzer that uses electronic | | | | devices to capture and measure unique | | | | physical or behavioral | | | | characteristics (e.g., fingerprint, | | | | iris, voice) for identification or | | | | authentication purposes. | +------+----------------+-------------------------------------------+ | 5 | Blackhole | A method that analyses traffic | | | | destined for a non-existent or | | | | sinkhole route to identify malicious | | | | activity, such as connections to | | | | known command-and-control servers or | | | | scanning from infected hosts. | +------+----------------+-------------------------------------------+ | 6 | Contextual | An analyzer that enriches raw events | | | | with additional context (e.g., asset | | | | value, user role, time of day, | | | | business criticality) to prioritize | | | | alerts and assess true impact. | +------+----------------+-------------------------------------------+ | 7 | Correlation | An analyzer that aggregates and | | | | examines multiple, disparate data | | | | streams or events to identify complex | | | | relationships, patterns, sequences, | | | | or dependencies that indicate a | | | | security incident. | +------+----------------+-------------------------------------------+ | 8 | Ensemble | An analyzer that combines multiple | | | | detection methods (e.g., signature, | Lehmann Expires 28 October 2026 [Page 82] Internet-Draft IDMEFv2 April 2026 | | | anomaly, behavioral) to improve | | | | accuracy, reduce false positives, and | | | | detect threats that single methods | | | | might miss. | +------+----------------+-------------------------------------------+ | 9 | Fingerprinting | An analyzer that creates unique | | | | identifiers or "fingerprints" for | | | | devices, applications, or network | | | | stacks to detect spoofing, | | | | unauthorized devices, or | | | | configuration changes. 
| +------+----------------+-------------------------------------------+ | 10 | Frequency | An analyzer that detects incidents | | | | based on the rate or regularity of | | | | events (e.g., repeated failed logins, | | | | rapid-fire requests) exceeding or | | | | falling below expected frequencies. | +------+----------------+-------------------------------------------+ | 11 | Fusion | An analyzer that combines data from | | | | multiple heterogeneous sensors and | | | | sources to create a comprehensive, | | | | high-confidence view of an incident, | | | | reducing ambiguity and false alerts. | +------+----------------+-------------------------------------------+ | 12 | Geolocation | An analyzer that determines the | | | | physical location of an asset or | | | | event (e.g., login attempt, IP | | | | address, device) and flags activities | | | | occurring from unexpected or high- | | | | risk locations. | +------+----------------+-------------------------------------------+ | 13 | Graph-based | An analyzer that models relationships | | | | between entities (users, devices, | | | | processes) as graphs and detects | | | | anomalies or attack paths by | | | | analyzing connections, dependencies, | | | | and traversals. | +------+----------------+-------------------------------------------+ | 14 | Heat | An analyzer (sensor or device) that | | | | detects, measures, and monitors | | | | thermal energy (infrared radiation) | | | | to identify anomalies like fires, | | | | overheating equipment, or human | | | | presence. | +------+----------------+-------------------------------------------+ | 15 | Heuristic | An analyzer that detects potentially | | | | unknown threats by using algorithmic | | | | logic, rules of thumb, or suspicious | Lehmann Expires 28 October 2026 [Page 83] Internet-Draft IDMEFv2 April 2026 | | | characteristics rather than relying | | | | on specific signature matches. 
| +------+----------------+-------------------------------------------+ | 16 | Honeypot | A decoy system or resource designed | | | | to lure, detect, and analyze | | | | malicious activity by mimicking a | | | | legitimate target, diverting | | | | attackers away from real assets. | +------+----------------+-------------------------------------------+ | 17 | Hygiene | An analyzer that continuously checks | | | | systems and configurations against | | | | security best practices, compliance | | | | standards, or hardening guidelines to | | | | identify weaknesses or drift. | +------+----------------+-------------------------------------------+ | 18 | Integrity | An analyzer that monitors critical | | | | system components (files, | | | | configurations, registry keys) for | | | | unauthorized changes, verifying their | | | | integrity against a known good | | | | baseline. | +------+----------------+-------------------------------------------+ | 19 | Metadata | An analyzer that examines the data | | | | about data (e.g., file creation | | | | timestamps, email headers, connection | | | | logs) to uncover hidden relationships | | | | or suspicious attributes. | +------+----------------+-------------------------------------------+ | 20 | Monitor | An analyzer that continuously | | | | observes a system, network, or | | | | environment to track its state, | | | | health, or activity, often providing | | | | real-time alerts on specific | | | | conditions. | +------+----------------+-------------------------------------------+ | 21 | Movement | An analyzer (sensor or system) that | | | | detects, tracks, and quantifies | | | | physical motion using technologies | | | | like radar, lidar, or video | | | | analytics. 
| +------+----------------+-------------------------------------------+ | 22 | Orchestration | An analyzer that coordinates and | | | | triggers automated response actions | | | | based on detected incidents, often | | | | integrated with SOAR (Security | | | | Orchestration, Automation, and | | | | Response) platforms. | +------+----------------+-------------------------------------------+ Lehmann Expires 28 October 2026 [Page 84] Internet-Draft IDMEFv2 April 2026 | 23 | Pattern | An analyzer that identifies specific | | | | sequences, combinations, or recurring | | | | arrangements of events or data that | | | | indicate malicious activity, even if | | | | individual elements appear benign. | +------+----------------+-------------------------------------------+ | 24 | Policy | An analyzer that evaluates events, | | | | configurations, or behaviors against | | | | a set of predefined rules, | | | | configurations, or compliance | | | | requirements to detect violations or | | | | misconfigurations. | +------+----------------+-------------------------------------------+ | 25 | Predictive | An analyzer that uses historical data | | | | and modeling to forecast potential | | | | future incidents, vulnerabilities, or | | | | attack vectors before they occur. | +------+----------------+-------------------------------------------+ | 26 | Protocol | An analyzer that validates network | | | | traffic or communications against | | | | expected protocol specifications, RFC | | | | compliance, or standard behavior to | | | | detect anomalies or malicious | | | | variations. | +------+----------------+-------------------------------------------+ | 27 | Recon | An analyzer that actively or | | | | passively probes or monitors an | | | | environment to discover assets, | | | | services, or vulnerabilities, often | | | | as part of a defensive assessment or | | | | adversary simulation. 
| +------+----------------+-------------------------------------------+ | 28 | Reputation | An analyzer that evaluates the | | | | trustworthiness of an entity (e.g., | | | | IP address, domain, file hash) by | | | | checking it against known threat | | | | intelligence lists, blocklists, or | | | | reputation scores. | +------+----------------+-------------------------------------------+ | 29 | Rule-based | An analyzer that applies conditional | | | | logic (if-then-else statements) | | | | defined by experts to correlate | | | | events and generate alerts based on | | | | specific combinations of conditions. | +------+----------------+-------------------------------------------+ | 30 | Sequence | An analyzer that detects threats by | | | | examining the order and timing of | | | | events, identifying attack chains or | Lehmann Expires 28 October 2026 [Page 85] Internet-Draft IDMEFv2 April 2026 | | | kill chain progressions (e.g., scan → | | | | exploit → installation → C2). | +------+----------------+-------------------------------------------+ | 31 | Signature | An analyzer that detects known | | | | threats by matching events or | | | | patterns against a database of | | | | specific signatures, hashes, or | | | | Indicators of Compromise (IoCs). | +------+----------------+-------------------------------------------+ | 32 | Statistical | An analyzer that detects anomalies by | | | | establishing a baseline of normal | | | | behavior and identifying events that | | | | deviate significantly from expected | | | | statistical parameters. | +------+----------------+-------------------------------------------+ | 33 | Tarpit | A mechanism that intentionally slows | | | | down or delays suspicious connections | | | | (e.g., network connections or login | | | | attempts) to hinder automated attacks | | | | and scanning. 
| +------+----------------+-------------------------------------------+ | 34 | Threat | An analyzer that ingests and matches | | | Intelligence | internal events against external | | | | threat feeds, IoC lists, and | | | | adversary TTPs (Tactics, Techniques, | | | | and Procedures) to identify known | | | | threats. | +------+----------------+-------------------------------------------+ | 35 | Threshold | An analyzer that detects incidents by | | | | comparing a metric or count (e.g., | | | | number of failed logins, traffic | | | | volume) against a predefined limit or | | | | threshold. | +------+----------------+-------------------------------------------+ | 36 | Trend | An analyzer that monitors data over | | | | extended periods to identify gradual | | | | changes, emerging patterns, or long- | | | | term shifts that may indicate | | | | evolving threats or security | | | | degradation. | +------+----------------+-------------------------------------------+ | 37 | ext-value | A value used to indicate that this | | | | attribute is extended and the actual | | | | value is provided using the | | | | corresponding ext-* attribute. (see | | | | Section 4.1.1) | +------+----------------+-------------------------------------------+ Lehmann Expires 28 October 2026 [Page 86] Internet-Draft IDMEFv2 April 2026 Table 10: Analyzer Methods A.6. Source Category +====+=========================================+===================+ |Rank| Keyword |Description | +====+=========================================+===================+ |0 | Undetermined |Source Category is | | | |undetermined. 
| +----+-----------------------------------------+-------------------+ |1 | Acoustic.Sound.GlassBreak |Specific | | | |frequencies (glass | | | |breaking, gunshots)| +----+-----------------------------------------+-------------------+ |2 | Acoustic.Sound.Infrasound |Infrasound (nuclear| | | |explosions, | | | |volcanic activity) | +----+-----------------------------------------+-------------------+ |3 | Acoustic.Sound.PressurizedLeak |Leaks in | | | |pressurized pipes | | | |(high-frequency | | | |hiss) | +----+-----------------------------------------+-------------------+ |4 | Acoustic.Sound.SonarEcho |Sonar echoes | | | |(submarines, fish, | | | |seafloor mapping) | +----+-----------------------------------------+-------------------+ |5 | Acoustic.Sound.UltrasonicNoise |Ultrasonic noise | | | |(for pest detection| | | |or leak detection) | +----+-----------------------------------------+-------------------+ |6 | Acoustic.Vibration.Footstep |Footsteps | | | |(geophones or | | | |seismic sensors) | +----+-----------------------------------------+-------------------+ |7 | Acoustic.Vibration.Seismic |Seismic activity | | | |(earthquakes, | | | |tremors) | +----+-----------------------------------------+-------------------+ |8 | Acoustic.Vibration.StructuralCrack |Structural | | | |integrity (cracks | | | |via acoustic | | | |emission) | +----+-----------------------------------------+-------------------+ |9 | Acoustic.Vibration.VehicleVibe |Vehicle movement | | | |(magnetic or | | | |seismic) | +----+-----------------------------------------+-------------------+ Lehmann Expires 28 October 2026 [Page 87] Internet-Draft IDMEFv2 April 2026 |10 | Acoustic.Vibration.VibAnalysis |Machinery imbalance| | | |(vibration | | | |analysis) | +----+-----------------------------------------+-------------------+ |11 | ChemBio.Gases.CO |Carbon Monoxide | | | |(CO) | +----+-----------------------------------------+-------------------+ |12 | ChemBio.Gases.CWA |CWA (Chemical | | | 
|    |                                         |Warfare Agents -   |
|    |                                         |Nerve gas, Blister |
|    |                                         |agents)            |
+----+-----------------------------------------+-------------------+
|13  | ChemBio.Gases.Freon                     |Refrigerant leaks  |
|    |                                         |(Freon)            |
+----+-----------------------------------------+-------------------+
|14  | ChemBio.Gases.Hydrogen                  |Hydrogen           |
+----+-----------------------------------------+-------------------+
|15  | ChemBio.Gases.Methane                   |Natural Gas /      |
|    |                                         |Methane            |
+----+-----------------------------------------+-------------------+
|16  | ChemBio.Gases.O2Level                   |Oxygen levels      |
|    |                                         |(deficiency or     |
|    |                                         |enrichment)        |
+----+-----------------------------------------+-------------------+
|17  | ChemBio.Gases.Propane                   |Propane / LPG      |
+----+-----------------------------------------+-------------------+
|18  | ChemBio.Gases.Radon                     |Radon              |
+----+-----------------------------------------+-------------------+
|19  | ChemBio.Gases.VOC                       |Volatile Organic   |
|    |                                         |Compounds (VOCs) - |
|    |                                         |paint fumes, off-  |
|    |                                         |gassing            |
+----+-----------------------------------------+-------------------+
|20  | ChemBio.Properties.ORP                  |Oxidation-Reduction|
|    |                                         |Potential (ORP)    |
+----+-----------------------------------------+-------------------+
|21  | ChemBio.Properties.pHLevel              |pH levels (acidity/|
|    |                                         |alkalinity)        |
+----+-----------------------------------------+-------------------+
|22  | ChemBio.Properties.Salinity             |Salinity           |
+----+-----------------------------------------+-------------------+
|23  | ChemBio.Threats.Anthrax                 |Anthrax spores     |
+----+-----------------------------------------+-------------------+
|24  | ChemBio.Threats.Botulinum               |Botulinum toxin    |
+----+-----------------------------------------+-------------------+
|25  | ChemBio.Threats.Pathogen                |Pathogens in water |
|    |                                         |(E. coli, Cholera) |
+----+-----------------------------------------+-------------------+
|26  | ChemBio.Threats.Ricin                   |Ricin              |
+----+-----------------------------------------+-------------------+
|27  | Cyber.Application.SQLQuery              |Malicious code     |
|    |                                         |injected into a    |
|    |                                         |database query (SQL|
|    |                                         |Injection).        |
+----+-----------------------------------------+-------------------+
|28  | Cyber.Application.XSSPayload            |The script injected|
|    |                                         |into a webpage to  |
|    |                                         |steal data or      |
|    |                                         |redirect users.    |
+----+-----------------------------------------+-------------------+
|29  | Cyber.Cloud.APIToken                    |A compromised key  |
|    |                                         |used to access     |
|    |                                         |cloud resources    |
|    |                                         |(AWS, Azure) or    |
|    |                                         |SaaS platforms.    |
+----+-----------------------------------------+-------------------+
|30  | Cyber.Cloud.BucketName                  |The specific cloud |
|    |                                         |storage location   |
|    |                                         |where data was     |
|    |                                         |stored or          |
|    |                                         |exfiltrated from.  |
+----+-----------------------------------------+-------------------+
|31  | Cyber.Cloud.CloudResourceID             |The unique ID of   |
|    |                                         |the compromised    |
|    |                                         |virtual machine or |
|    |                                         |database.          |
+----+-----------------------------------------+-------------------+
|32  | Cyber.Cloud.OAuthApp                    |A malicious third- |
|    |                                         |party app granted  |
|    |                                         |permissions to a   |
|    |                                         |user's data.       |
+----+-----------------------------------------+-------------------+
|33  | Cyber.Email.EmailAuthResult             |The authentication |
|    |                                         |result showing if  |
|    |                                         |the email passed   |
|    |                                         |security checks.   |
+----+-----------------------------------------+-------------------+
|34  | Cyber.Email.MessageID                   |A unique identifier|
|    |                                         |for the email used |
|    |                                         |to track it across |
|    |                                         |mail servers.      |
+----+-----------------------------------------+-------------------+
|35  | Cyber.Email.RecipientEmail              |The target email   |
|    |                                         |address of the     |
|    |                                         |attack.            |
+----+-----------------------------------------+-------------------+
|36  | Cyber.Email.ReplyToEmail                |The address where  |
|    |                                         |replies go; often  |
|    |                                         |different from the |
|    |                                         |sender for         |
|    |                                         |tracking.          |
+----+-----------------------------------------+-------------------+
|37  | Cyber.Email.ReturnPath                  |The address where  |
|    |                                         |non-delivery       |
|    |                                         |receipts go; used  |
|    |                                         |in spoofing        |
|    |                                         |analysis.          |
+----+-----------------------------------------+-------------------+
|38  | Cyber.Email.SenderEmail                 |The "From" address |
|    |                                         |used in a phishing |
|    |                                         |campaign.          |
+----+-----------------------------------------+-------------------+
|39  | Cyber.Email.XOrigIP                     |The original IP    |
|    |                                         |address of the     |
|    |                                         |sender (if recorded|
|    |                                         |by the mail        |
|    |                                         |server).           |
+----+-----------------------------------------+-------------------+
|40  | Cyber.Endpoint.CmdLine                  |The exact command  |
|    |                                         |line used to       |
|    |                                         |execute the        |
|    |                                         |malware; often     |
|    |                                         |reveals attacker   |
|    |                                         |intent.            |
+----+-----------------------------------------+-------------------+
|41  | Cyber.Endpoint.DLL                      |The name of a      |
|    |                                         |malicious library  |
|    |                                         |loaded into a      |
|    |                                         |legitimate process |
|    |                                         |(DLL Sideloading). |
+----+-----------------------------------------+-------------------+
|42  | Cyber.Endpoint.FileHash                 |The cryptographic  |
|    |                                         |fingerprint of the |
|    |                                         |malicious file     |
|    |                                         |(SHA256, MD5).     |
+----+-----------------------------------------+-------------------+
|43  | Cyber.Endpoint.FilePath                 |The location on the|
|    |                                         |file system where  |
|    |                                         |the malware        |
|    |                                         |resides.           |
+----+-----------------------------------------+-------------------+
|44  | Cyber.Endpoint.MemoryArtifact           |Code or processes  |
|    |                                         |that exist only in |
|    |                                         |RAM (volatile      |
|    |                                         |memory) and not on |
|    |                                         |disk.              |
+----+-----------------------------------------+-------------------+
|45  | Cyber.Endpoint.PID                      |The unique         |
|    |                                         |identifier of the  |
|    |                                         |malicious process  |
|    |                                         |at the time of     |
|    |                                         |analysis.          |
+----+-----------------------------------------+-------------------+
|46  | Cyber.Endpoint.ProcessName              |The name of the    |
|    |                                         |malicious          |
|    |                                         |executable file    |
|    |                                         |running on the     |
|    |                                         |endpoint.          |
+----+-----------------------------------------+-------------------+
|47  | Cyber.Endpoint.RegistryKey              |The Windows        |
|    |                                         |Registry path used |
|    |                                         |for persistence or |
|    |                                         |configuration      |
|    |                                         |changes.           |
+----+-----------------------------------------+-------------------+
|48  | Cyber.Endpoint.ScheduledTask            |The name of a task |
|    |                                         |created by the     |
|    |                                         |attacker for       |
|    |                                         |persistence or     |
|    |                                         |execution.         |
+----+-----------------------------------------+-------------------+
|49  | Cyber.Endpoint.ServiceName              |The name of a      |
|    |                                         |malicious service  |
|    |                                         |installed to run   |
|    |                                         |the malware.       |
+----+-----------------------------------------+-------------------+
|50  | Cyber.Forensics.NetFlow                 |Metadata about the |
|    |                                         |connection (who    |
|    |                                         |talked to whom,    |
|    |                                         |when, and data     |
|    |                                         |volume).           |
+----+-----------------------------------------+-------------------+
|51  | Cyber.Forensics.PacketPayload           |The raw data being |
|    |                                         |transmitted        |
|    |                                         |containing         |
|    |                                         |passwords or       |
|    |                                         |exfiltrated data.  |
+----+-----------------------------------------+-------------------+
|52  | Cyber.Hardware.DeviceSerial             |The unique         |
|    |                                         |identifier of a    |
|    |                                         |specific           |
|    |                                         |compromised laptop |
|    |                                         |or mobile device.  |
+----+-----------------------------------------+-------------------+
|53  | Cyber.Hardware.USBDeviceID              |The specific       |
|    |                                         |make/model/serial  |
|    |                                         |of a USB drive used|
|    |                                         |to introduce       |
|    |                                         |malware.           |
+----+-----------------------------------------+-------------------+
|54  | Cyber.Identity.LoginTimestamp           |The specific time  |
|    |                                         |of an unusual login|
|    |                                         |(e.g., 3:00 AM from|
|    |                                         |a foreign          |
|    |                                         |location).         |
+----+-----------------------------------------+-------------------+
|55  | Cyber.Identity.Username                 |The specific user  |
|    |                                         |account that was   |
|    |                                         |compromised or used|
|    |                                         |for lateral        |
|    |                                         |movement.          |
+----+-----------------------------------------+-------------------+
|56  | Cyber.Network.IPv4                      |The source IP of an|
|    |                                         |attacker, a Command|
|    |                                         |& Control (C2)     |
|    |                                         |server, or a       |
|    |                                         |malicious scan.    |
+----+-----------------------------------------+-------------------+
|57  | Cyber.Network.IPv6                      |The source IP in   |
|    |                                         |IPv6 format;       |
|    |                                         |increasingly used  |
|    |                                         |to bypass          |
|    |                                         |IPv4-based         |
|    |                                         |allowlists.        |
+----+-----------------------------------------+-------------------+
|58  | Cyber.Network.MAC                       |The physical device|
|    |                                         |identifier on a    |
|    |                                         |local network;     |
|    |                                         |useful if the      |
|    |                                         |attacker is on-    |
|    |                                         |site.              |
+----+-----------------------------------------+-------------------+
|59  | Cyber.Network.Port                      |The specific source|
|    |                                         |or destination port|
|    |                                         |used (e.g., 445 for|
|    |                                         |ransomware         |
|    |                                         |spreading).        |
+----+-----------------------------------------+-------------------+
|60  | Cyber.Network.Protocol                  |The network        |
|    |                                         |protocol used;     |
|    |                                         |anomalous use may  |
|    |                                         |indicate tunneling |
|    |                                         |(e.g., DNS         |
|    |                                         |tunneling).        |
+----+-----------------------------------------+-------------------+
|61  | Cyber.Web.Domain                        |The domain hosting |
|    |                                         |malware or Command |
|    |                                         |& Control          |
|    |                                         |infrastructure     |
|    |                                         |(e.g., evil.com).  |
+----+-----------------------------------------+-------------------+
|62  | Cyber.Web.HTTPMethod                    |Unusual HTTP       |
|    |                                         |methods like PUT or|
|    |                                         |DELETE used to     |
|    |                                         |manipulate data.   |
+----+-----------------------------------------+-------------------+
|63  | Cyber.Web.ReferrerHeader                |The page the user  |
|    |                                         |was on before      |
|    |                                         |clicking the       |
|    |                                         |malicious link.    |
+----+-----------------------------------------+-------------------+
|64  | Cyber.Web.SessionID                     |A hijacked session |
|    |                                         |token used to      |
|    |                                         |impersonate a user |
|    |                                         |without a password.|
+----+-----------------------------------------+-------------------+
|65  | Cyber.Web.URIPath                       |The specific       |
|    |                                         |directory or file  |
|    |                                         |requested on the   |
|    |                                         |web server.        |
+----+-----------------------------------------+-------------------+
|66  | Cyber.Web.URL                           |The full malicious |
|    |                                         |link pointing to a |
|    |                                         |payload or phishing|
|    |                                         |page.              |
+----+-----------------------------------------+-------------------+
|67  | Cyber.Web.UserAgent                     |The browser or     |
|    |                                         |application        |
|    |                                         |signature used by  |
|    |                                         |the attacker when  |
|    |                                         |connecting.        |
+----+-----------------------------------------+-------------------+
|68  | ElectroMag.Infrared.GasLeakIR           |Gas leaks (specific|
|    |                                         |gases absorb       |
|    |                                         |specific IR        |
|    |                                         |wavelengths)       |
+----+-----------------------------------------+-------------------+
|69  | ElectroMag.Infrared.HeatTemp            |Heat (temperature  |
|    |                                         |of objects)        |
+----+-----------------------------------------+-------------------+
|70  | ElectroMag.Infrared.MoistureContent     |Moisture content   |
|    |                                         |(in materials)     |
+----+-----------------------------------------+-------------------+
|71  | ElectroMag.Infrared.ThermalGradient     |Thermal gradients  |
|    |                                         |(heat loss in      |
|    |                                         |buildings)         |
+----+-----------------------------------------+-------------------+
|72  | ElectroMag.Infrared.WarmBody            |Warm bodies        |
|    |                                         |(humans, animals)  |
|    |                                         |via Passive        |
|    |                                         |Infrared (PIR)     |
+----+-----------------------------------------+-------------------+
|73  | ElectroMag.Ultraviolet.BioContamUV      |Biological         |
|    |                                         |contamination      |
+----+-----------------------------------------+-------------------+
|74  | ElectroMag.Ultraviolet.CoronaArc        |Corona discharge   |
|    |                                         |(electrical arcing)|
+----+-----------------------------------------+-------------------+
|75  | ElectroMag.Ultraviolet.FlameUV          |Flames (fire       |
|    |                                         |detection)         |
+----+-----------------------------------------+-------------------+
|76  | ElectroMag.Ultraviolet.ForgeryUV        |Forgery (detecting |
|    |                                         |UV security        |
|    |                                         |features on        |
|    |                                         |documents)         |
+----+-----------------------------------------+-------------------+
|77  | ElectroMag.Light.BiometricEye           |Biological         |
|    |                                         |signatures         |
|    |                                         |(retinas, irises) -|
|    |                                         |Failed recognition |
|    |                                         |indicates intrusion|
|    |                                         |attempt            |
+----+-----------------------------------------+-------------------+
|78  | ElectroMag.Light.EdgesShapes            |Edges and shapes   |
|    |                                         |(for machine       |
|    |                                         |vision)            |
+----+-----------------------------------------+-------------------+
|79  | ElectroMag.Light.Flicker                |Flicker (from      |
|    |                                         |faulty lighting or |
|    |                                         |machinery)         |
+----+-----------------------------------------+-------------------+
|80  | ElectroMag.Light.LightColor             |Color and          |
|    |                                         |wavelength         |
|    |                                         |(spectral content) |
+----+-----------------------------------------+-------------------+
|81  | ElectroMag.Light.LightPresence          |Presence of light  |
|    |                                         |(ambient           |
|    |                                         |brightness)        |
+----+-----------------------------------------+-------------------+
|82  | ElectroMag.Light.MotionOptical          |Motion (optical    |
|    |                                         |flow, changes in   |
|    |                                         |pixel arrays)      |
+----+-----------------------------------------+-------------------+
|83  | ElectroMag.Light.ObjectsGeneric         |Specific objects   |
|    |                                         |(via computer      |
|    |                                         |vision: faces,     |
|    |                                         |vehicles, text,    |
|    |                                         |barcodes)          |
+----+-----------------------------------------+-------------------+
|84  | Force.Atmospheric.Altitude              |Altitude (in       |
|    |                                         |aircraft)          |
+----+-----------------------------------------+-------------------+
|85  | Force.Atmospheric.BaroPress             |Barometric pressure|
|    |                                         |(weather changes)  |
+----+-----------------------------------------+-------------------+
|86  | Force.Atmospheric.VacuumLevel           |Vacuum levels (in  |
|    |                                         |manufacturing)     |
+----+-----------------------------------------+-------------------+
|87  | Force.Fluid.Airflow                     |Airflow            |
|    |                                         |(differential      |
|    |                                         |pressure)          |
+----+-----------------------------------------+-------------------+
|88  | Force.Fluid.WaterPressure               |Water pressure (for|
|    |                                         |leak detection via |
|    |                                         |pressure drop)     |
+----+-----------------------------------------+-------------------+
|89  | Force.Touch.GripStrength                |Grip strength      |
+----+-----------------------------------------+-------------------+
|90  | Force.Touch.PhysicalContact             |Physical contact   |
|    |                                         |(bumpers on robots,|
|    |                                         |touch screens)     |
+----+-----------------------------------------+-------------------+
|91  | Force.Touch.TirePressure                |Tire pressure      |
+----+-----------------------------------------+-------------------+
|92  | Force.Touch.Weight                      |Weight (scales,    |
|    |                                         |load cells)        |
+----+-----------------------------------------+-------------------+
|93  | Radiation.General.Alpha                 |Alpha particles    |
+----+-----------------------------------------+-------------------+
|94  | Radiation.General.Beta                  |Beta particles     |
+----+-----------------------------------------+-------------------+
|95  | Radiation.General.Cosmic                |Cosmic rays        |
+----+-----------------------------------------+-------------------+
|96  | Radiation.General.Gamma                 |Gamma rays         |
+----+-----------------------------------------+-------------------+
|97  | Radiation.General.Neutron               |Neutron radiation  |
+----+-----------------------------------------+-------------------+
|98  | Radiation.General.RadonDecay            |Radon gas (decay   |
|    |                                         |products)          |
+----+-----------------------------------------+-------------------+
|99  | Radiation.General.Xray                  |X-rays             |
+----+-----------------------------------------+-------------------+
|100 | Magnetic.General.CurrentFlow            |Current flow (Hall |
|    |                                         |effect sensors,    |
|    |                                         |clamp meters)      |
+----+-----------------------------------------+-------------------+
|101 | Magnetic.General.ESD                    |Electrostatic      |
|    |                                         |discharge          |
+----+-----------------------------------------+-------------------+
|102 | Magnetic.General.Ferrous                |Ferrous metals (via|
|    |                                         |magnetic           |
|    |                                         |disturbance)       |
+----+-----------------------------------------+-------------------+
|103 | Magnetic.General.MagneticAnomaly        |Magnetic anomalies |
|    |                                         |(submarines, buried|
|    |                                         |structures)        |
+----+-----------------------------------------+-------------------+
|104 | Magnetic.General.Orientation            |Orientation        |
|    |                                         |(Compass /         |
|    |                                         |Magnetometer -     |
|    |                                         |detecting Earth's  |
|    |                                         |magnetic field)    |
+----+-----------------------------------------+-------------------+
|105 | Magnetic.General.Powerline              |Power lines (AC    |
|    |                                         |magnetic fields)   |
+----+-----------------------------------------+-------------------+
|106 | Magnetic.General.Voltage                |Voltage (non-      |
|    |                                         |contact voltage    |
|    |                                         |testers)           |
+----+-----------------------------------------+-------------------+
|107 | Object.Indoor.Container                 |Bottles / Cups /   |
|    |                                         |Cutlery            |
+----+-----------------------------------------+-------------------+
|108 | Object.Indoor.Document                  |Books / Papers /   |
|    |                                         |Documents          |
+----+-----------------------------------------+-------------------+
|109 | Object.Indoor.Electronics               |Electronics        |
|    |                                         |(laptops / phones /|
|    |                                         |TVs)               |
+----+-----------------------------------------+-------------------+
|110 | Object.Indoor.Furniture                 |Furniture (chairs /|
|    |                                         |tables / sofas)    |
+----+-----------------------------------------+-------------------+
|111 | Object.Indoor.Weapon                    |Weapons (guns /    |
|    |                                         |knives)            |
+----+-----------------------------------------+-------------------+
|112 | Object.LivingBeings.Animal              |Animals (general   |
|    |                                         |wildlife/livestock/|
|    |                                         |pets)              |
+----+-----------------------------------------+-------------------+
|113 | Object.LivingBeings.BodyPose            |Pose (skeleton     |
|    |                                         |keypoints / body   |
|    |                                         |position)          |
+----+-----------------------------------------+-------------------+
|114 | Object.LivingBeings.EyeGaze             |Eyes (gaze tracking|
|    |                                         |/ eye blink)       |
+----+-----------------------------------------+-------------------+
|115 | Object.LivingBeings.Face                |Faces (facial      |
|    |                                         |recognition)       |
+----+-----------------------------------------+-------------------+
|116 | Object.LivingBeings.HandGesture         |Hands (hand        |
|    |                                         |gestures / raising |
|    |                                         |hand)              |
+----+-----------------------------------------+-------------------+
|117 | Object.LivingBeings.Human               |Humans (person/    |
|    |                                         |people detection)  |
+----+-----------------------------------------+-------------------+
|118 | Object.Outdoor.Building                 |Buildings / Houses |
+----+-----------------------------------------+-------------------+
|119 | Object.Outdoor.Pothole                  |Potholes / Road    |
|    |                                         |cracks             |
+----+-----------------------------------------+-------------------+
|120 | Object.Outdoor.RoadSign                 |Road signs /       |
|    |                                         |Traffic lights     |
+----+-----------------------------------------+-------------------+
|121 | Object.Outdoor.Vegetation               |Trees / Plants /   |
|    |                                         |Vegetation         |
+----+-----------------------------------------+-------------------+
|122 | Object.SpecificScenes.FireVisual        |Fire / Flames      |
|    |                                         |(visual spectrum)  |
+----+-----------------------------------------+-------------------+
|123 | Object.SpecificScenes.Flood             |Flooding / Water   |
|    |                                         |accumulation       |
+----+-----------------------------------------+-------------------+
|124 | Object.SpecificScenes.SmokeVisual       |Smoke plume (visual|
|    |                                         |spectrum)          |
+----+-----------------------------------------+-------------------+
|125 | Object.SpecificScenes.Snow              |Snow coverage      |
+----+-----------------------------------------+-------------------+
|126 | Object.Vehicles.Aircraft                |Aircraft (drones / |
|    |                                         |planes /           |
|    |                                         |helicopters)       |
+----+-----------------------------------------+-------------------+
|127 | Object.Vehicles.Boat                    |Boats / Ships      |
+----+-----------------------------------------+-------------------+
|128 | Object.Vehicles.Bus                     |Buses              |
+----+-----------------------------------------+-------------------+
|129 | Object.Vehicles.Car                     |Cars / Automobiles |
+----+-----------------------------------------+-------------------+
|130 | Object.Vehicles.LicensePlate            |License plates     |
|    |                                         |(Automatic Number  |
|    |                                         |Plate Recognition -|
|    |                                         |ANPR)              |
+----+-----------------------------------------+-------------------+
|131 | Object.Vehicles.Moto                    |Motorcycles /      |
|    |                                         |Bicycles           |
+----+-----------------------------------------+-------------------+
|132 | Object.Vehicles.Truck                   |Trucks             |
+----+-----------------------------------------+-------------------+
|133 | Particulate.Aerosols.Bioaerosol         |Viral or bacterial |
|    |                                         |particles (bio-    |
|    |                                         |aerosol detectors) |
+----+-----------------------------------------+-------------------+
|134 | Particulate.Aerosols.Dust               |Airborne dust      |
|    |                                         |(particulate       |
|    |                                         |counters)          |
+----+-----------------------------------------+-------------------+
|135 | Particulate.Aerosols.Pollen             |Pollen and         |
|    |                                         |allergens          |
+----+-----------------------------------------+-------------------+
|136 | Particulate.Aerosols.SmokeIonization    |Combustion         |
|    |                                         |particles          |
|    |                                         |(Ionization smoke  |
|    |                                         |detectors)         |
+----+-----------------------------------------+-------------------+
|137 | Particulate.Aerosols.SmokePhotoelectric |Visible smoke      |
|    |                                         |obscuration        |
|    |                                         |(Photoelectric     |
|    |                                         |smoke detectors)   |
+----+-----------------------------------------+-------------------+
|138 | Particulate.Liquids.ChemicalSpill       |Chemical spills    |
|    |                                         |(specific          |
|    |                                         |conductivity or pH |
|    |                                         |changes)           |
+----+-----------------------------------------+-------------------+
|139 | Particulate.Liquids.FuelSheen           |Fuel/Oil sheen on  |
|    |                                         |water              |
+----+-----------------------------------------+-------------------+
|140 | Particulate.Liquids.LiquidLevel         |Level of liquid in |
|    |                                         |a tank (ultrasonic,|
|    |                                         |capacitive, float) |
+----+-----------------------------------------+-------------------+
|141 | Particulate.Liquids.WaterLeak           |Water leakage      |
|    |                                         |(conductivity or   |
|    |                                         |float switches)    |
+----+-----------------------------------------+-------------------+
|142 | Particulate.Solids.DensityChange        |Density changes (in|
|    |                                         |manufacturing)     |
+----+-----------------------------------------+-------------------+
|143 | Particulate.Solids.ForeignObject        |Foreign objects in |
|    |                                         |food (X-ray        |
|    |                                         |machines)          |
+----+-----------------------------------------+-------------------+
|144 | Particulate.Solids.GrainFlow            |Grain flow (in     |
|    |                                         |agriculture)       |
+----+-----------------------------------------+-------------------+
|145 | Particulate.Solids.Landmine             |Landmines/UXO      |
|    |                                         |(Ground Penetrating|
|    |                                         |Radar)             |
+----+-----------------------------------------+-------------------+
|146 | Particulate.Solids.Metal                |Metal (Metal       |
|    |                                         |detectors via eddy |
|    |                                         |currents)          |
+----+-----------------------------------------+-------------------+
|147 | Software.Detected.Crowd                 |Crowd formation    |
+----+-----------------------------------------+-------------------+
|148 | Software.Detected.CyberAttack           |Cyber-attack       |
|    |                                         |(Anomalous network |
|    |                                         |traffic patterns)  |
+----+-----------------------------------------+-------------------+
|149 | Software.Detected.Drowsiness            |Drowsiness (Eye    |
|    |                                         |closure detection  |
|    |                                         |via camera)        |
+----+-----------------------------------------+-------------------+
|150 | Software.Detected.Explosion             |Explosion (Sudden  |
|    |                                         |light flash +      |
|    |                                         |pressure wave +    |
|    |                                         |sound)             |
+----+-----------------------------------------+-------------------+
|151 | Software.Detected.FailedBiometric       |Failed retina/iris |
|    |                                         |scan (multiple     |
|    |                                         |failures may       |
|    |                                         |indicate intrusion)|
+----+-----------------------------------------+-------------------+
|152 | Software.Detected.FireFusion            |Fire (Combination  |
|    |                                         |of smoke, heat, and|
|    |                                         |flicker)           |
+----+-----------------------------------------+-------------------+
|153 | Software.Detected.Intrusion             |Intrusion (Crossing|
|    |                                         |a virtual line)    |
+----+-----------------------------------------+-------------------+
|154 | Software.Detected.Loitering             |Loitering (Person  |
|    |                                         |staying too long)  |
+----+-----------------------------------------+-------------------+
|155 | Software.Detected.Tailgating            |Tailgating         |
|    |                                         |(Following someone |
|    |                                         |through a door)    |
+----+-----------------------------------------+-------------------+
|156 | ext-value                               |A value used to    |
|    |                                         |indicate that this |
|    |                                         |attribute is       |
|    |                                         |extended and the   |
|    |                                         |actual value is    |
|    |                                         |provided using the |
|    |                                         |corresponding ext-*|
|    |                                         |attribute. (see    |
|    |                                         |Section 4.1.1)     |
+----+-----------------------------------------+-------------------+

                      Table 11: Source Categories

A.7.  Target Category

+======+==============================+==========================+
| Rank | Keyword                      | Description              |
+======+==============================+==========================+
| 0    | Undetermined                 | Target Category is       |
|      |                              | undetermined             |
+------+------------------------------+--------------------------+
| 1    | Commercial.ClientBase        | Client portfolio, active |
|      |                              | contracts                |
+------+------------------------------+--------------------------+
| 2    | Commercial.Partnerships      | Strategic alliances,     |
|      |                              | partner networks         |
+------+------------------------------+--------------------------+
| 3    | Commercial.Reputation        | Brand image, online      |
|      |                              | reputation, goodwill     |
+------+------------------------------+--------------------------+
| 4    | Financial.Cash               | Liquidities, bank        |
|      |                              | accounts                 |
+------+------------------------------+--------------------------+
| 5    | Financial.Investments        | Shares, bonds, holdings  |
|      |                              | in subsidiaries          |
+------+------------------------------+--------------------------+
| 6    | Financial.Receivables        | Customer receivables,    |
|      |                              | promissory notes         |
+------+------------------------------+--------------------------+
| 7    | Furniture.Fittings           | Lighting, partitions,    |
|      |                              | flooring                 |
+------+------------------------------+--------------------------+
| 8    | Furniture.HVAC               | Air conditioning,        |
|      |                              | heating systems (non-    |
|      |                              | industrial)              |
+------+------------------------------+--------------------------+
| 9    | Furniture.OfficeFurniture    | Desks, chairs, filing    |
|      |                              | cabinets                 |
+------+------------------------------+--------------------------+
| 10   | Human.EmployerBrand          | Employment contracts,    |
|      |                              | recruitment appeal       |
+------+------------------------------+--------------------------+
| 11   | Human.Organization           | Work processes, internal |
|      |                              | know-how                 |
+------+------------------------------+--------------------------+
| 12   | Human.Skills                 | Employee expertise, team |
|      |                              | competencies             |
+------+------------------------------+--------------------------+
| 13   | Infrastructure.CivilWorks    | Bridges, loading docks,  |
|      |                              | quays                    |
+------+------------------------------+--------------------------+
| 14   | Infrastructure.Foundations   | Special foundations,     |
|      |                              | internal roads,          |
|      |                              | pavements                |
+------+------------------------------+--------------------------+
| 15   | Infrastructure.Networks      | Buried water, gas,       |
|      |                              | electricity, fiber       |
|      |                              | networks                 |
+------+------------------------------+--------------------------+
| 16   | IP.Copyrights                | Software code, manuals,  |
|      |                              | artistic works           |
+------+------------------------------+--------------------------+
| 17   | IP.Patents                   | Registered patents,      |
|      |                              | inventions               |
+------+------------------------------+--------------------------+
| 18   | IP.Trademarks                | Brand names, logos,      |
|      |                              | registered designs       |
+------+------------------------------+--------------------------+
| 19   | IT.Endpoints                 | Computers, printers,     |
|      |                              | scanners                 |
+------+------------------------------+--------------------------+
| 20   | IT.Hardware                  | Servers, storage arrays, |
|      |                              | cabling                  |
+------+------------------------------+--------------------------+
| 21   | IT.Telecom                   | WiFi access points,      |
|      |                              | phones, smartphones      |
+------+------------------------------+--------------------------+
| 22   | Logistics.Containers         | Containers, trailers,    |
|      |                              | wagons                   |
+------+------------------------------+--------------------------+
| 23   | Logistics.SpecialVehicles    | Mobile cranes, aerial    |
|      |                              | work platforms           |
+------+------------------------------+--------------------------+
| 24   | Logistics.Vehicles           | Cars, trucks, forklifts  |
+------+------------------------------+--------------------------+
| 25   | Marketing.Content            | Market studies, ad       |
|      |                              | campaigns, social media  |
+------+------------------------------+--------------------------+
| 26   | Marketing.Domains            | Website URLs, domain     |
|      |                              | names                    |
+------+------------------------------+--------------------------+
| 27   | Marketing.Identity           | Visual identity, logo,   |
|      |                              | brand guidelines         |
+------+------------------------------+--------------------------+
| 28   | Production.HeavyEquipment    | Presses, furnaces,       |
|      |                              | compressors, generators  |
+------+------------------------------+--------------------------+
| 29   | Production.Machinery         | Assembly lines,          |
|      |                              | industrial robots,       |
|      |                              | conveyors                |
+------+------------------------------+--------------------------+
| 30   | Production.MachineTools      | Lathes, milling          |
|      |                              | machines, industrial 3D  |
|      |                              | printers                 |
+------+------------------------------+--------------------------+
| 31   | RealEstate.Buildings         | Factories, warehouses,   |
|      |                              | offices, commercial      |
|      |                              | premises                 |
+------+------------------------------+--------------------------+
| 32   | RealEstate.Land              | Unbuilt land, forests,   |
|      |                              | or agricultural grounds  |
+------+------------------------------+--------------------------+
| 33   | RealEstate.SpecialStructures | Hangars, silos, parking  |
|      |                              | lots                     |
+------+------------------------------+--------------------------+
| 34   | Software.Applications        | ERP, CRM, SaaS platforms |
+------+------------------------------+--------------------------+
| 35   | Software.Data                | Customer databases,      |
|      |                              | supplier lists,          |
|      |                              | prospects                |
+------+------------------------------+--------------------------+
| 36   | Software.Licenses            | Software usage rights,   |
|      |                              | subscriptions            |
+------+------------------------------+--------------------------+
| 37   | ext-value                    | A value used to indicate |
|      |                              | that this attribute is   |
|      |                              | extended and the actual  |
|      |                              | value is provided using  |
|      |                              | the corresponding ext-*  |
|      |                              | attribute. (see          |
|      |                              | Section 4.1.1)           |
+------+------------------------------+--------------------------+

                      Table 12: Target Categories

Appendix B.  Examples

   This section contains several examples of events/incidents which may
   be described using the IDMEF Data Model defined in.  For each
   example, the serialization method listed in Section 5 was used on the
   original IDMEF message to produce a JSON representation.

B.1.  Physical intrusion

   Listing 1 describes an incident where an unidentified man was
   detected on company premises near the building where server room A
   is located.

{
  "Version": "2.D.V07",
  "ID": "819df7bc-35ef-40d8-bbee-1901117370b1",
  "Description": "Potential intruder detected",
  "Type": "Physical",
  "Priority": "Low",
  "Status": "Incident",
  "Cause": "Malicious",
  "CreateTime": "2021-05-10T16:52:13.075994+00:00",
  "StartTime": "2021-05-10T16:52:13+00:00",
  "Category": ["Access.Forced"],
  "Analyzer": {
    "Name": "BigBrother",
    "Hostname": "bb.acme.com",
    "Model": "Big Brother v42",
    "Category": ["PHY.HAR", "FRC.FR-CAM"],
    "Data": ["Images"],
    "Method": ["Movement", "Biometric", "AI"],
    "IP": "192.0.2.1"
  },
  "Sensor": [
    {
      "IP": "192.0.2.2",
      "Name": "Camera #23",
      "Model": "SuperDuper Camera v1",
      "Location": "Hallway to server room A1"
    }
  ],
  "Source": [
    {"Note": "Black Organization, aka. APT 4869"}
  ],
  "Attachment": [
    {
      "Name": "wanted",
      "FileName": "fbi-wanted-poster.jpg",
      "Size": 1234567,
      "Ref": ["https://www.fbi.gov/wanted/topten"],
      "ContentType": "image/jpg",
      "ContentEncoding": "base64",
      "Content": "..."
    },
    {
      "Name": "pic01",
      "Note": "Hi-res picture showing John Doe near server room A1",
      "ExternalURI": ["ftps://192.0.2.1/cam23/20210510165211.jpg"],
      "ContentType": "image/jpg"
    }
  ]
}

B.2.  Cyberattack

   Listing 2 describes an incident related to a potential bruteforce
   attack against the "root" user account of the server at 192.0.2.2
   and 2001:db8::/32.
{
  "Version": "2.D.V07",
  "ID": "819df7bc-35ef-40d8-bbee-1901117370b2",
  "Description": "Potential bruteforce attack on root user account",
  "Type": "Cyber",
  "Priority": "Medium",
  "CreateTime": "2021-05-10T16:55:29.196408+00:00",
  "StartTime": "2021-05-10T16:55:29+00:00",
  "Category": ["Access.Forced"],
  "Analyzer": {
    "Name": "SIEM",
    "Hostname": "siem.acme.com",
    "Model": "Concerto SIEM 5.2",
    "Category": ["SIEM.SIEM", "SIEM.LOG"],
    "Data": ["Log"],
    "Method": ["Monitor", "Signature"],
    "IP": "192.0.2.1"
  },
  "Sensor": [
    {
      "IP": "192.0.2.5",
      "Name": "syslog",
      "Hostname": "www.acme.com",
      "Model": "rsyslog 8.2110",
      "Location": "Server room A1, rack 10"
    }
  ],
  "Target": [
    {
      "IP": "192.0.2.2",
      "Hostname": "www.acme.com",
      "Location": "Server room A1, rack 10",
      "User": "root"
    },
    {
      "IP": "2001:db8::/32",
      "Hostname": "www.acme.com",
      "Location": "Server room A1, rack 10",
      "User": "root"
    }
  ]
}

B.3.  Server outage

   Listing 3 describes an incident where the webserver at
   "www.example.com" encountered some kind of failure condition
   resulting in an outage.

{
  "Version": "2.D.V07",
  "ID": "819df7bc-35ef-40d8-bbee-1901117370b3",
  "Description": "A server did not reply to an ICMP ping request",
  "Type": "Availability",
  "Priority": "Medium",
  "Status": "Incident",
  "Cause": "Unknown",
  "CreateTime": "2021-05-10T16:59:11.875209+00:00",
  "StartTime": "2021-05-10T16:59:11.875209+00:00",
  "Category": ["Availability.Outage"],
  "Analyzer": {
    "Name": "NMS",
    "Hostname": "nms.example.com",
    "Model": "Concerto NMS 5.2",
    "Category": ["SIEM.NMS"],
    "Data": ["Network"],
    "Method": ["Monitor"],
    "IP": "192.0.2.1"
  },
  "Target": [
    {
      "IP": "192.168.1.2",
      "Hostname": "www.acme.com",
      "Service": "website",
      "Location": "Server room A1, rack 10"
    }
  ]
}

B.4.  Combined incident

   Listing 4 describes a combined incident resulting from the
   correlation of the previous physical, cyber and availability
   incidents.

{
  "Version": "2.D.V07",
  "ID": "819df7bc-35ef-40d8-bbee-1901117370b4",
  "Description": "Intrusion and Sabotage detected",
  "Type": "Combined",
  "Priority": "High",
  "Status": "Incident",
  "Cause": "Malicious",
  "CreateTime": "2021-05-10T16:59:15.075994+00:00",
  "StartTime": "2021-05-10T16:52:11+00:00",
  "Category": ["Access.Unauthorized", "Sabotage.Data"],
  "CorrelID": [
    "819df7bc-35ef-40d8-bbee-1901117370b1",
    "819df7bc-35ef-40d8-bbee-1901117370b2",
    "819df7bc-35ef-40d8-bbee-1901117370b3"
  ],
  "Analyzer": {
    "Name": "Correlator",
    "Hostname": "correlator.acme.com",
    "Model": "Concerto Hybrid Correlator v5.2",
    "Category": [],
    "Data": ["Alert"],
    "Method": ["Correlation"],
    "IP": "192.0.2.1"
  },
  "Source": [
    {"Note": "Black Organization, aka. APT 4869"}
  ],
  "Target": [
    {
      "Location": "Server room A1"
    },
    {
      "IP": "192.0.2.2",
      "Hostname": "www.acme.com",
      "User": "root"
    },
    {
      "IP": "192.0.2.2",
      "Hostname": "www.acme.com",
      "Service": "website"
    }
  ]
}

B.5.  Hazard incident

   Listing 5 describes a heavy snow storm announced in 48h on Paris and
   Versailles.
Lehmann Expires 28 October 2026 [Page 108] Internet-Draft IDMEFv2 April 2026 { "Version": "2.D.V07", "ID": "819df7bc-35ef-40d8-bbee-1901117370b1", "Description": "Snow storm forecast", "Priority": "Low", "Status": "Incident", "Cause": "Hazard", "Confidence": 0.8, "CreateTime": "2021-05-10T16:52:13.075994+00:00", "StartTime": "2021-05-12T10:00:00+00:00", "EndTime": "2021-05-12T10:00:00+00:00", "Type": ["Physical"], "Category": [ "Meteo.Snow", "Meteo.Wind", "Meteo.Cold" ], "Analyzer": { "Name": "Weather Monitor", "Hostname": "weather.acme.com", "IP": "192.0.2.1" }, "Source": [ { "Note": "Heavy snow storm coming from North" } ], "Target": [ { "GeoLocation": "48.8584,2.2945", "UnLocation": "FR PAR", "Location": "Acme Paris Site" }, { "GeoLocation": "48.8019,2.1301", "UnLocation": "FR VER", "Location": "Acme Versailles Site" } ] } Appendix C. JSON Validation Schema (Non-normative) Listing 5 contains a JSON Schema that can be used to validate incoming IDMEF messages prior to processing. Please note that extraneous linebreaks have been included due to formatting constraints. Lehmann Expires 28 October 2026 [Page 109] Internet-Draft IDMEFv2 April 2026 { "description": "JSON schema for the Intrusion Detection Message Exchange Format (IDMEF) version 2 (revision 2.D.V08)", "properties": { "Version": { "description": "The version of the IDMEF format in use by this alert. During the drafts tuning period the version is equal to the draft version. Therefore it is \"2.D.V0X\" for Draft V0X.", "enum": [ "2.D.V08" ] }, "ID": { "description": "Unique identifier for the alert.", "$ref": "#/definitions/uuidType" }, "OrganisationName": { "description": "Corporate/Main Office Organisation Name Useful if alerts are sent to a multi-organisation central incident detection manager. Example: ACME Corporation", "type": "string" }, "OrganisationId": { "description": "Corporate/Main Office Organisation ID. Where possible official organisation ID manage by national authority. 
Useful if alerts are sent to a multi-organisation central incident detection manager. This ID has to be chosen depending on the overall detection perimeter and the nature of the monitored organisation (Private/Public, Commercial, International, etc.) Examples: OrganisationId in France could be SIREN, in England could be CR, Germany could be Handelsregisternummer, Spain could be CIF, Italia could be Partita IVA, USA could be EIN, etc. Commercial OrganisationId in Europe could be V.A.T ID", "type": "string" }, "EntityName": { "description": "Entity Name, monitored by the organisation, where the incident occurred. Could be a town, region or country name or an internal name. Could also be the name of a client for a MSSP centralizing it's client incidents in a single system. Do not repeat the organisation name in the EntityName Example: - ACME HeadQuaters is located in Paris France and has a local office in India - If the incident occurred in the local office: \"OrganisationName\": \"ACME\" , \"EntityName\": \"India\" - If the incident occurred in the headquaters: \"OrganisationName\": \"ACME\", \"EntityName\": \"Headquaters\" (or \"Paris\")", "type": "string" }, "EntityId": { "description": "Entity ID, monitored by the organisation, where the incident occurred. Useful if organisation and entity are not directly linked, like a client and a MSSP.", "type": "string" }, "EntitySector": { "description": "The economic sector(s) and sub-sector(s) in which the entity operates. Values follow the dot notation sector.subsector based on the critical infrastructure taxonomy defined in the NIS2 Directive and CER (Critical Entities Resilience) Directive. 
This attribute enables sector-based correlation, regulatory compliance reporting, and risk context for incident detection.", "type": "array", "items": { "$ref": "#/definitions/entitysectorEnum" } }, "Type": { "description": "Incident type.", "type": "array", "items": { "$ref": "#/definitions/typeEnum" } }, "Category": { "description": "Incident category.", "type": "array", "items": { "$ref": "#/definitions/categoryEnum" Lehmann Expires 28 October 2026 [Page 110] Internet-Draft IDMEFv2 April 2026 } }, "ext-Category": { "description": "A means by which to extend the Category attribute. (see )", "type": "array", "items": { "type": "string" } }, "Cause": { "description": "Incident cause. The cause can be modified by any analyzer on the way of the alert and later by the operator and/or the analyst if new investigation reveals and confirms a different cause of the event.", "$ref": "#/definitions/causeEnum" }, "Description": { "description": "Short free text human-readable description of the event. The description can add detail to the event category for easiest/faster comprehension by the operator. Example : * Cryptoware WannaCry blocked on pegasus server * Unknown person entering through east doorway", "type": "string" }, "Status": { "description": "Event state in the overall event lifecycle.", "type": "array", "items": { "$ref": "#/definitions/statusEnum" } }, "Priority": { "description": "Priority of the alert. Priority is defined by combining impact and urgency. 
It indicates how fast the incident should be taken care of.", "$ref": "#/definitions/priorityEnum" }, "Confidence": { "description": "A floating-point value between 0 and 1 indicating the analyzer's confidence in its own reliability of this particular detection, where 0 means that the detection is surely incorrect while 1 means there is no doubt about the detection made.", "type": "number", "minimum": 0, "maximum": 1 }, "Note": { "description": "Free text human-readable additional note, possibly a longer description of the incident if is not already obvious. The Note attribute can be used to store any additional information. It can be additional information about the event and/or about the incident resolution, although the incident resolution information should in principle be stored elsewhere (with a link with the external tool in AltNames)", "type": "string" }, "CreateTime": { "description": "Timestamp indicating when the alert was created.", "$ref": "#/definitions/timestampType" }, "StartTime": { "description": "Timestamp indicating the deduced start of the event. StartTime can be later than CreateTime in case or Alerts created from forecast information (e.g. Snow Storm expected in two days staring at 10h00)", "$ref": "#/definitions/timestampType" }, "EndTime": { "description": "Timestamp indicating the deduced end of the event.", Lehmann Expires 28 October 2026 [Page 111] Internet-Draft IDMEFv2 April 2026 "$ref": "#/definitions/timestampType" }, "ReportTime": { "description": "Timestamp indicating the reporting time of the event, usually to an external CSIRT or a central SIEM.", "$ref": "#/definitions/timestampType" }, "AltNames": { "description": "Alternative identifiers; strings which help pair the event to internal systems' information (for example ticket IDs inside a request tracking systems).", "type": "array", "items": { "type": "string" } }, "AltCategory": { "description": "Alternate categories from a reference other than IDMEFv2 categories (e.g. 
MISP, MITRE ATT@CK or another proprietary/internal reference).", "type": "array", "items": { "type": "string" } }, "Ref": { "description": "References to sources of information related to the incident and/or vulnerability, and specific to this incident. This MAY be a URL to additional info, or a URN in a registered or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as \"urn:cve:CVE-2013-2266\".", "type": "array", "items": { "type": "string", "format": "uri" } }, "CorrelID": { "description": "Identifiers for the messages which were used as information sources to create this message, in case the message has been created based on correlation/analysis/deduction from other messages.", "type": "array", "items": { "$ref": "#/definitions/uuidType" } }, "AggrCondition": { "description": "A list of IDMEF fields used to aggregate events. The values for these fields will be the same in all aggregated events. This attribute should mostly be set by intermediary nodes, which detect duplicates, or aggregate events, spanning multiple detection windows, into a longer one. The \"StartTime\" and \"EndTime\" attributes are used in conjunction with this attribute to describe the aggregation window.", "type": "array", "items": { "type": "string" } }, "PredID": { "description": "A list containing the identifiers of previous messages which are obsoleted by this message. The obsoleted alerts SHOULD NOT be used anymore. 
This field can be used to \"update\" an alert.", "type": "array", "items": { "$ref": "#/definitions/uuidType" } Lehmann Expires 28 October 2026 [Page 112] Internet-Draft IDMEFv2 April 2026 }, "RelID": { "description": "A list containing the identifiers of other messages related to this message.", "type": "array", "items": { "$ref": "#/definitions/uuidType" } }, "Analyzer": { "type": "object", "description": "The Analyzer class describes the module that has analyzed the data captured by the sensors, identified an event of interest and decided to create an alert.", "properties": { "ID": { "description": "Unique identifier for the analyzer.", "$ref": "#/definitions/uuidType" }, "IP": { "description": "Analyzer IP address.", "$ref": "#/definitions/ipType" }, "Name": { "description": "Name of the analyzer, which must be reasonably unique, however still bear some meaningful sense. This attribute usually denotes the hierarchy of organizational units the detector belongs to and its own name. It MAY also be used to distinguish multiple analyzers running with the same IP address.", "type": "string" }, "Hostname": { "description": "Hostname of this analyzer. SHOULD be a fully-qualified domain name.", "type": "string" }, "Model": { "description": "Analyzer model description (usually its generic name, brand and version).", "type": "string" }, "Category": { "description": "Analyzer categories.", "type": "array", "items": { "$ref": "#/definitions/analyzerCategoryEnum" } }, "ext-Category": { "description": "A means by which to extend the Category attribute. (see )", "type": "array", "items": { "type": "string" } }, "Data": { "description": "Type of data analyzed during the detection.", Lehmann Expires 28 October 2026 [Page 113] Internet-Draft IDMEFv2 April 2026 "type": "array", "items": { "$ref": "#/definitions/analyzerDataEnum" } }, "ext-Data": { "description": "A means by which to extend the Data attribute. 
(see )", "type": "array", "items": { "type": "string" } }, "Method": { "description": "Detection method.", "type": "array", "items": { "$ref": "#/definitions/analyzerMethodEnum" } }, "ext-Method": { "description": "A means by which to extend the Method attribute. (see )", "type": "array", "items": { "type": "string" } }, "GeoLocation": { "description": "GPS coordinates for the analyzer.", "$ref": "#/definitions/geolocType" }, "UnLocation": { "description": "Standard UN/Locode for the analyzer.", "$ref": "#/definitions/unlocodeType" }, "Location": { "description": "Internal name for the location of the analyzer.", "type": "string" } }, "additionalProperties": false, "required": [ "Name" ] }, "Sensor": { "type": "array", "items": { "description": "The Sensor class describes the module that captured the data before sending it to an analyzer. The Sensor may be a subpart of the Analyzer.", Lehmann Expires 28 October 2026 [Page 114] Internet-Draft IDMEFv2 April 2026 "properties": { "ID": { "description": "Unique identifier for the sensor.", "$ref": "#/definitions/uuidType" }, "IP": { "description": "The sensor's IP address.", "$ref": "#/definitions/ipType" }, "Name": { "description": "Name of the sensor, which must be reasonably unique, however still bear some meaningful sense. This attribute usually denotes the hierarchy of organizational units the sensor belongs to and its own name. It MAY also be used to distinguish multiple sensors running with the same IP address.", "type": "string" }, "Hostname": { "description": "The sensor's hostname. This SHOULD be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. 
An empty string MAY be used to explicitly state that this value was inquired but not found (missing DNS entry).", "type": "string" }, "Model": { "description": "The sensor model's description (usually its generic name, brand and version).", "type": "string" }, "GeoLocation": { "description": "GPS coordinates for the analyzer.", "$ref": "#/definitions/geolocType" }, "UnLocation": { "description": "Standard UN/Locode for the sensor.", "$ref": "#/definitions/unlocodeType" }, "Location": { "description": "Internal name for the location of the sensor.", "type": "string" }, "CaptureZone": { "description": "A string that describes the \"capture zone\" of the sensor, as a JSON-serialized string. Depending on the type of sensor, the capture zone may for instance refer to: \n- A JSON object describing a camera's settings (elevation, horizontal and vertical field of view, azimuth, etc.)\n- A description of the IP network where packet capture is taking place.", "type": "string" } }, "additionalProperties": false, "type": "object", "required": [ "Name" ] } }, "Source": { "type": "array", "items": { Lehmann Expires 28 October 2026 [Page 115] Internet-Draft IDMEFv2 April 2026 "description": "The Source class describes the origin(s) of the event(s) leading up to the creation of this alert.", "properties": { "ID": { "description": "Unique identifier for the source.", "$ref": "#/definitions/uuidType" }, "IP": { "description": "Source IP address.", "$ref": "#/definitions/ipType" }, "Hostname": { "description": "Hostname of this source. This SHOULD be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. 
An empty string MAY be used to explicitly state that this value was inquired but not found (missing DNS entry).", "type": "string" }, "Category": { "description": "Source category", "type": "array", "items": { "$ref": "#/definitions/sourceCategoryEnum" } }, "Note": { "description": "Free text human-readable additional note for this source.", "type": "string" }, "TI": { "description": "Threat Intelligence data about the source. Values in this list MUST use the format \"attribute:origin\", where \"attribute\" refers to the attribute inside this source found inside a Threat Intelligence database, and \"origin\" contains a short identifier for the Threat Intelligence database. E.g. \"IP:Dshield\". Please note that the same attribute may appear multiple times inside the list (because a match was found in multiple Threat Intelligence databases).", "type": "array", "items": { "type": "string" } }, "User": { "description": "User ID or login responsible for the incident.", "type": "string" }, "Email": { "description": "Email address responsible for the incident. E.g. the value of the \"Reply-To\" or \"From\" header inside a phishing e-mail.", "type": "string", "format": "email" }, "Protocol": { "description": "Protocols related to connections from/to this source. If several protocols are stacked, they MUST be ordered from the lowest (the closest to the medium) to the highest (the closest to the application) according to the ISO/OSI model.", "type": "array", "items": { "$ref": "#/definitions/protocolType" } }, Lehmann Expires 28 October 2026 [Page 116] Internet-Draft IDMEFv2 April 2026 "Port": { "description": "Source ports involved in the incident. 
Values in this list MUST be integers and MUST be in the range 1-65535.", "type": "array", "items": { "type": "integer" } }, "GeoLocation": { "description": "GPS coordinates for the source.", "$ref": "#/definitions/geolocType" }, "UnLocation": { "description": "Standard UN/Locode for the source.", "$ref": "#/definitions/unlocodeType" }, "Location": { "description": "Internal name for the location of the source.", "type": "string" }, "Attachment": { "description": "Identifiers for attachments related to this source. Each identifier listed here MUST match the \"Name\" attribute for one of the attachments described using the Attachment class .", "type": "array", "items": { "$ref": "#/definitions/attachmentNameType" } } }, "additionalProperties": false, "type": "object", "required": [ "ID" ] } }, "Target": { "type": "array", "items": { "description": "The Target class describes the target(s) impacted by the event(s) leading up to the creation of this alert.", "properties": { "ID": { "description": "Unique identifier for the target.", "$ref": "#/definitions/uuidType" }, "IP": { "description": "Target IP address.", "$ref": "#/definitions/ipType" }, "Hostname": { Lehmann Expires 28 October 2026 [Page 117] Internet-Draft IDMEFv2 April 2026 "description": "Hostname of this target. This SHOULD be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. 
An empty string MAY be used to explicitly state that this value was inquired but not found (missing DNS entry).", "type": "string" }, "Category": { "description": "Target category", "type": "array", "items": { "$ref": "#/definitions/targetCategoryEnum" } }, "Note": { "description": "Free text human-readable additional note for this target.", "type": "string" }, "Service": { "description": "Service or process impacted by the incident.", "type": "string" }, "User": { "description": "User ID or login impacted by the incident.", "type": "string" }, "Email": { "description": "Email address impacted by the incident. E.g. the value of the \"To\" header inside a phishing e-mail.", "type": "string", "format": "email" }, "Port": { "description": "Target ports involved in the incident. Values in this list MUST be integers and MUST be in the range 1-65535.", "type": "array", "items": { "type": "integer" } }, "GeoLocation": { "description": "GPS coordinates for the target.", "$ref": "#/definitions/geolocType" }, "UnLocation": { "description": "Standard UN/Locode for the target.", "$ref": "#/definitions/unlocodeType" }, "Location": { "description": "Internal name for the location of the target.", "type": "string" }, "Attachment": { "description": "Identifiers for attachments related to this target. 
Each identifier listed here MUST match the \"Name\" attribute for one of the attachments described using the Attachment class .", Lehmann Expires 28 October 2026 [Page 118] Internet-Draft IDMEFv2 April 2026 "type": "array", "items": { "$ref": "#/definitions/attachmentNameType" } } }, "additionalProperties": false, "type": "object", "required": [ "ID" ] } }, "Attachment": { "type": "array", "items": { "description": "The Attachment class contains additional data which was captured in relation with the event.", "properties": { "Name": { "description": "A unique identifier among attachments that can be used to reference this attachment from other classes using the \"Attachment\" attribute.", "$ref": "#/definitions/attachmentNameType" }, "FileName": { "description": "Attachment filename. This will usually be the original name of the captured file or the name of the file containing the captured content (e.g. a packet capture file).", "type": "string" }, "Hash": { "description": "A list of hash results for the attachment's Content. The values in this list are computed by taking the raw value of the attachment's \"Content\" attribute. The hash result is computed before any other transformation (e.g. Base64 encoding) is applied to the content, so that a receiving IDMEF system may reverse the transformation, apply the same hashing function and obtain the same hash result. See also the definition for the \"ContentEncoding\" attribute below. It is RECOMMENDED that compatible implementations use one of the hashing functions from the SHA-2 or SHA-3 families to compute the hash results in this list.", "type": "array", "items": { "$ref": "#/definitions/hashType" } }, "Size": { "description": "Length of the content (in bytes). 
This value MUST be a non-negative integer.", "type": "integer" }, "Ref": { "description": "References to sources of information related to the incident and/or vulnerability, and specific to this attachment.", "type": "array", "items": { "type": "string", "format": "uri" } }, "ExternalURI": { "description": "If the attachment's content is available and/or recognizable from an external resource, this is the URI (usually a URL) to that resource. This MAY also be a URN in a registered or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as \"urn:mhr:55eaf7effadc07f866d1eaed9c64e7ee49fe081a\" or \"magnet:?xt=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C\".", "type": "array", Lehmann Expires 28 October 2026 [Page 119] Internet-Draft IDMEFv2 April 2026 "items": { "type": "string", "format": "uri" } }, "Note": { "description": "Free text human-readable additional note for this attachment.", "type": "string" }, "ContentType": { "description": "Internet Media Type of the attachment. For compatibility reasons, implementations SHOULD prefer one of the well-known media types registered in IANA .", "$ref": "#/definitions/mediatypeType" }, "ContentEncoding": { "description": "Content encoding. The following encodings are defined in this version of the specification: \n- \"json\": The content refers to a JSON object which has been serialized to a string using the serialization procedure defined in .\n- \"base64\": The content has been serialized using the Base64 encoding defined in . The \"base64\" encoding SHOULD be used when the content contains binary data. If omitted, the \"json\" encoding MUST be assumed.", "type": "string" }, "Content": { "description": "The attachment's content, in case it is directly embedded inside the message. 
For large attachments, it is RECOMMENDED that implementations make use of the \"ExternalURI\" attribute to refererence a copy of the content saved in an external storage mechanism.", "type": [ "object", "string" ] } }, "additionalProperties": false, "type": "object", "required": [ "Name" ] } } }, "additionalProperties": false, "type": "object", "required": [ "Analyzer", "Version", "ID", "CreateTime" ], "definitions": { "entitysectorEnum": { "enum": [ "Undefined", "Banking.Banking", "Banking.Other", "Cemeteries.Crematoria", Lehmann Expires 28 October 2026 [Page 120] Internet-Draft IDMEFv2 April 2026 "Cemeteries.Public", "Cemeteries.Other", "Chemical.Production", "Chemical.Storage", "Chemical.Other", "Civil.ElectionMonitoring", "Civil.HumanitarianAid", "Civil.NGOs", "Civil.Other", "Cultural.Archives", "Cultural.HistoricalSites", "Cultural.Libraries", "Cultural.Museums", "Cultural.Other", "Defense.CommandControl", "Defense.Cyber", "Defense.IndustrialBase", "Defense.Logistics", "Defense.Installations", "Defense.Research", "Defense.Other", "Digital.CloudServices", "Digital.DataCenters", "Digital.DigitalProviders", "Digital.DomainNameSystems", "Digital.ICTServiceManagement", "Digital.SatelliteCommunications", "Digital.TelecomNetworks", "Digital.UnderseaCables", "Digital.Other", "Education.PrimarySecondary", "Education.ResearchSchools", "Education.Universities", "Education.Other", "Emergency.CivilProtection", "Emergency.Medical", "Emergency.FireAndRescue", "Emergency.Police", "Emergency.Other", "Energy.DistrictHeating", "Energy.Electricity", "Energy.Gas", "Energy.Hydrogen", "Energy.Nuclear", "Energy.Oil", "Energy.Other", "Finance.MarketInfrastructures", "Finance.Insurance", Lehmann Expires 28 October 2026 [Page 121] Internet-Draft IDMEFv2 April 2026 "Finance.PaymentSystems", "Finance.Other", "Food.AgriculturalProduction", "Food.FoodDistribution", "Food.FoodProcessing", "Food.FoodSafety", "Food.Other", "Health.BloodAndTissue", "Health.HealthcareProviders", 
"Health.Laboratories", "Health.MedicalDevices", "Health.PharmaceuticalSupplyChain", "Health.PublicHealth", "Health.Other", "Logistics.FreightForwarding", "Logistics.LastMileDelivery", "Logistics.ThirdPartyLogistics", "Logistics.Warehousing", "Logistics.Other", "Manufacturing.Aerospace", "Manufacturing.Batteries", "Manufacturing.Chemical", "Manufacturing.Electronic", "Manufacturing.Defense", "Manufacturing.MedicalDevices", "Manufacturing.MotorVehicles", "Manufacturing.Pharmaceutical", "Manufacturing.Semiconductors", "Manufacturing.Strategic", "Manufacturing.Other", "Media.Infrastructure", "Media.OnlineMedia", "Media.Press", "Media.Radio", "Media.Television", "Media.Other", "Mining.CriticalRawMaterials", "Mining.EnergyMinerals", "Mining.Other", "Nuclear.FuelCycle", "Nuclear.Medical", "Nuclear.PowerGeneration", "Nuclear.Research", "Nuclear.Other", "Postal.CourierServices", "Postal.Other", "Administration.CentralGovernment", "Administration.Diplomatic", Lehmann Expires 28 October 2026 [Page 122] Internet-Draft IDMEFv2 April 2026 "Administration.EmergencyServices", "Administration.Judiciary", "Administration.Local", "Administration.Other", "Religious.PilgrimageSites", "Religious.PlacesOfWorship", "Religious.Other", "Research.BiologicalSafety", "Research.ChemicalSafety", "Research.Research", "Research.Other", "Space.GroundStations", "Space.LaunchFacilities", "Space.SpaceActivities", "Space.Other", "Transport.Aviation", "Transport.Maritime", "Transport.Pipeline", "Transport.PublicTransport", "Transport.Rail", "Transport.Road", "Transport.Other", "Waste.Hazardous", "Waste.NonHazardous", "Waste.Nuclear", "Waste.Recycling", "Waste.Other", "Water.DamsAndReservoirs", "Water.DrinkingWater", "Water.Irrigation", "Water.Wastewater", "Water.Other" ], "description": "Possible alert entitysector" }, "typeEnum": { "enum": [ "Cyber", "Physical", "Availability", "Combined" ], "description": "Possible alert type" }, "categoryEnum": { "enum": [ "Abuse.Coercion", "Abuse.Extermism", Lehmann 
Expires 28 October 2026 [Page 123] Internet-Draft IDMEFv2 April 2026 "Abuse.Grooming", "Abuse.Harassment", "Abuse.Trafficking", "Abuse.Other", "Access.Authorized", "Access.Backdoor", "Access.Clonned", "Access.Compromise", "Access.Escalation", "Access.Forced", "Access.Lost", "Access.Tailgating", "Access.Unauthorized", "Access.Other", "Availability.DDoS", "Availability.DoS", "Availability.Failure", "Availability.HeartBeat", "Availability.Misconfiguration", "Availability.Outage", "Availability.Overload", "Availability.Other", "Biological.Animal", "Biological.Epidemic", "Biological.Insect", "Biological.Zombies", "Biological.Other", "Climat.Drought", "Climat.LakeOutburst", "Climat.Wildfire", "Climat.Other", "Extraterrestrial.Aliens", "Extraterrestrial.Impact", "Extraterrestrial.SpaceWeather", "Extraterrestrial.Other", "Fraud.Copyright", "Fraud.Corruption", "Fraud.Espionnage", "Fraud.Masquerade", "Fraud.Phishing", "Fraud.Usage", "Fraud.Other", "Geophysical.Earthquake", "Geophysical.MassMovement", "Geophysical.Other", "Geophysical.Volcanic", "Hydro.Flood", "Hydro.Landslide", Lehmann Expires 28 October 2026 [Page 124] Internet-Draft IDMEFv2 April 2026 "Hydro.Wave", "Hydro.Other", "Insider.Malicious", "Insider.Negligent", "Insider.Other", "Malware.Adware", "Malware.Backdoor", "Malware.Cryptominer", "Malware.Downloader", "Malware.Ransomware", "Malware.Rootkit", "Malware.Spyware", "Malware.Trojan", "Malware.Virus", "Malware.Worm", "Malware.Other", "Meteo.Cold", "Meteo.Fog", "Meteo.Heat", "Meteo.Rain", "Meteo.Snow", "Meteo.Wind", "Meteo.Other", "National.Conflict", "National.Crime", "National.Cyber", "National.Economical", "National.Environemental", "National.Societal", "National.Terrorism", "National.Other", "Operational.Misuse", "Operational.Policy Violation", "Operational.Process Failure", "Operational.Other", "Recon.Aerial", "Recon.Landscape", "Recon.Network", "Recon.OSINT", "Recon.Other", "Sabotage.Data", "Sabotage.Destruction", "Sabotage.Disruption", 
"Sabotage.Equipment", "Sabotage.Graffiti", "Sabotage.Tampering", "Sabotage.Vandalism", "Sabotage.Other", Lehmann Expires 28 October 2026 [Page 125] Internet-Draft IDMEFv2 April 2026 "Safety.Accident", "Safety.Agression", "Safety.Explosion", "Safety.Fire", "Safety.Hostage", "Safety.Sexual", "Safety.Other", "SocialEng.Baiting", "SocialEng.Phishing", "SocialEng.Pretexting", "SocialEng.QuidProQuo", "SocialEng.Smishing", "SocialEng.Spear Phishing", "SocialEng.Vishing", "SupplyChain.Compromise", "SupplyChain.Disruption", "SupplyChain.Other", "SocialEng.Other", "Theft.Breaches", "Theft.Data", "Theft.Equiment", "Theft.FinInfo", "Theft.IP", "Theft.Machinery", "Theft.PII", "Theft.Other", "Other.Uncategorised", "Other.Undetermined", "Other.Test", "Other.ext-value" ], "description": "Possible alert category" }, "causeEnum": { "enum": [ "Normal", "Error", "Malicious", "Malfunction", "Hazard", "Unknown" ], "description": "Possible alert cause" }, "statusEnum": { "enum": [ "Event", "Incident", Lehmann Expires 28 October 2026 [Page 126] Internet-Draft IDMEFv2 April 2026 "Open", "Closed", "FalsePositive", "Reported" ], "description": "Possible alert status" }, "priorityEnum": { "enum": [ "Unknown", "Info", "Low", "Medium", "High" ], "description": "Possible alert priority" }, "analyzerCategoryEnum": { "enum": [ "Undetermined", "APP.BAST", "APP.DAST", "APP.IAST", "APP.RASP", "APP.SAST", "CLD.CASB", "CLD.CIEM", "CLD.CSPM", "CLD.CWPP", "DDoS.ANTI-DDOS", "DDoS.SCRUB", "DDoS.WAF-DDOS", "EMAIL.ANTI-PHISH", "EMAIL.DMARC", "EMAIL.SEG", "EMAIL.SPAM-FILTER", "END.AM", "END.AV", "END.DLP-EP", "END.EDR", "END.EPP", "END.HIDS", "END.HIPS", "END.HPT", "END.RASP", "ID.DCAP", "ID.DLP", "ID.IAM", Lehmann Expires 28 October 2026 [Page 127] Internet-Draft IDMEFv2 April 2026 "ID.IRM", "ID.PAM", "ID.PIM", "ID.UEBA", "NET.DNS-FW", "NET.DPI", "NET.FW", "NET.NAC", "NET.NBAD", "NET.NDR", "NET.NGFW", "NET.NIDS", "NET.NIPS", "NET.PROXY", "NET.WAF", "NET.WIDS", "NET.WIPS", "OT.IoT-IDS", "OT.OT-IDS", 
        "OT.PLC-SCAN",
        "PHY.1D-LAS",
        "PHY.1D-LiDAR",
        "PHY.2D-LAS",
        "PHY.2D-LiDAR",
        "PHY.3D-LAS",
        "PHY.3D-LiDAR",
        "PHY.ACCESS-CTRL",
        "PHY.ADS",
        "PHY.FR-CAM",
        "PHY.GLASS-BRK",
        "PHY.HAR",
        "PHY.LWIR",
        "PHY.MOT-SEN",
        "PHY.MWIR",
        "PHY.OBJ-DET",
        "PHY.SWIR",
        "PHY.VAD",
        "PHY.VNIR",
        "SIEM.ETL",
        "SIEM.LOG",
        "SIEM.NMS",
        "SIEM.SIEM",
        "SIEM.SOAR",
        "TI.CTI",
        "TI.TI-FEED",
        "TI.TIP",
        "VM.ASM",
        "VM.PENTEST",
        "VM.VULN-SCANNER",
        "ext-value"
      ],
      "description": "Possible analyzer category"
    },
    "analyzerDataEnum": {
      "enum": [
        "Undetermined",
        "Light",
        "Acoustics",
        "Contact",
        "Vibration",
        "Temperature",
        "Humidity",
        "Rain",
        "Water",
        "Fog",
        "Particles",
        "Seismic",
        "Magnetic",
        "Images",
        "Thermal",
        "Lidar",
        "Network",
        "Flow",
        "Protocol",
        "Datagram",
        "Host",
        "Connection",
        "Port",
        "SNMP",
        "Authentication",
        "Log",
        "File",
        "Content",
        "Data",
        "Reporting",
        "Alert",
        "Relay",
        "External",
        "ext-value"
      ],
      "description": "Possible analyzer data"
    },
    "analyzerMethodEnum": {
      "enum": [
        "Undetermined",
        "AI",
        "Anomaly",
        "Behavioral",
        "Biometric",
        "Blackhole",
        "Contextual",
        "Correlation",
        "Ensemble",
        "Fingerprinting",
        "Frequency",
        "Fusion",
        "Geolocation",
        "Graph-based",
        "Heat",
        "Heuristic",
        "Honeypot",
        "Hygiene",
        "Integrity",
        "Metadata",
        "Monitor",
        "Movement",
        "Orchestration",
        "Pattern",
        "Policy",
        "Predictive",
        "Protocol",
        "Recon",
        "Reputation",
        "Rule-based",
        "Sequence",
        "Signature",
        "Statistical",
        "Tarpit",
        "Threat Intelligence",
        "Threshold",
        "Trend",
        "ext-value"
      ],
      "description": "Possible analyzer method"
    },
    "sourceCategoryEnum": {
      "enum": [
        "Undetermined",
        "Acoustic.Sound.GlassBreak",
        "Acoustic.Sound.Infrasound",
        "Acoustic.Sound.PressurizedLeak",
        "Acoustic.Sound.SonarEcho",
        "Acoustic.Sound.UltrasonicNoise",
        "Acoustic.Vibration.Footstep",
        "Acoustic.Vibration.Seismic",
        "Acoustic.Vibration.StructuralCrack",
        "Acoustic.Vibration.VehicleVibe",
        "Acoustic.Vibration.VibAnalysis",
        "ChemBio.Gases.CO",
        "ChemBio.Gases.CWA",
        "ChemBio.Gases.Freon",
        "ChemBio.Gases.Hydrogen",
        "ChemBio.Gases.Methane",
        "ChemBio.Gases.O2Level",
        "ChemBio.Gases.Propane",
        "ChemBio.Gases.Radon",
        "ChemBio.Gases.VOC",
        "ChemBio.Properties.ORP",
        "ChemBio.Properties.pHLevel",
        "ChemBio.Properties.Salinity",
        "ChemBio.Threats.Anthrax",
        "ChemBio.Threats.Botulinum",
        "ChemBio.Threats.Pathogen",
        "ChemBio.Threats.Ricin",
        "Cyber.Application.SQLQuery",
        "Cyber.Application.XSSPayload",
        "Cyber.Cloud.APIToken",
        "Cyber.Cloud.BucketName",
        "Cyber.Cloud.CloudResourceID",
        "Cyber.Cloud.OAuthApp",
        "Cyber.Email.EmailAuthResult",
        "Cyber.Email.MessageID",
        "Cyber.Email.RecipientEmail",
        "Cyber.Email.ReplyToEmail",
        "Cyber.Email.ReturnPath",
        "Cyber.Email.SenderEmail",
        "Cyber.Email.XOrigIP",
        "Cyber.Endpoint.CmdLine",
        "Cyber.Endpoint.DLL",
        "Cyber.Endpoint.FileHash",
        "Cyber.Endpoint.FilePath",
        "Cyber.Endpoint.MemoryArtifact",
        "Cyber.Endpoint.PID",
        "Cyber.Endpoint.ProcessName",
        "Cyber.Endpoint.RegistryKey",
        "Cyber.Endpoint.ScheduledTask",
        "Cyber.Endpoint.ServiceName",
        "Cyber.Forensics.NetFlow",
        "Cyber.Forensics.PacketPayload",
        "Cyber.Hardware.DeviceSerial",
        "Cyber.Hardware.USBDeviceID",
        "Cyber.Identity.LoginTimestamp",
        "Cyber.Identity.Username",
        "Cyber.Network.IPv4",
        "Cyber.Network.IPv6",
        "Cyber.Network.MAC",
        "Cyber.Network.Port",
        "Cyber.Network.Protocol",
        "Cyber.Web.Domain",
        "Cyber.Web.HTTPMethod",
        "Cyber.Web.ReferrerHeader",
        "Cyber.Web.SessionID",
        "Cyber.Web.URIPath",
        "Cyber.Web.URL",
        "Cyber.Web.UserAgent",
        "ElectroMag.Infrared.GasLeakIR",
        "ElectroMag.Infrared.HeatTemp",
        "ElectroMag.Infrared.MoistureContent",
        "ElectroMag.Infrared.ThermalGradient",
        "ElectroMag.Infrared.WarmBody",
        "ElectroMag.Ultraviolet.BioContamUV",
        "ElectroMag.Ultraviolet.CoronaArc",
        "ElectroMag.Ultraviolet.FlameUV",
        "ElectroMag.Ultraviolet.ForgeryUV",
        "ElectroMag.Light.BiometricEye",
        "ElectroMag.Light.EdgesShapes",
        "ElectroMag.Light.Flicker",
        "ElectroMag.Light.LightColor",
        "ElectroMag.Light.LightPresence",
        "ElectroMag.Light.MotionOptical",
        "ElectroMag.Light.ObjectsGeneric",
        "Force.Atmospheric.Altitude",
        "Force.Atmospheric.BaroPress",
        "Force.Atmospheric.VacuumLevel",
        "Force.Fluid.Airflow",
        "Force.Fluid.WaterPressure",
        "Force.Touch.GripStrength",
        "Force.Touch.PhysicalContact",
        "Force.Touch.TirePressure",
        "Force.Touch.Weight",
        "Radiation.General.Alpha",
        "Radiation.General.Beta",
        "Radiation.General.Cosmic",
        "Radiation.General.Gamma",
        "Radiation.General.Neutron",
        "Radiation.General.RadonDecay",
        "Radiation.General.Xray",
        "Magnetic.General.CurrentFlow",
        "Magnetic.General.ESD",
        "Magnetic.General.Ferrous",
        "Magnetic.General.MagneticAnomaly",
        "Magnetic.General.Orientation",
        "Magnetic.General.Powerline",
        "Magnetic.General.Voltage",
        "Object.Indoor.Container",
        "Object.Indoor.Document",
        "Object.Indoor.Electronics",
        "Object.Indoor.Furniture",
        "Object.Indoor.Weapon",
        "Object.LivingBeings.Animal",
        "Object.LivingBeings.BodyPose",
        "Object.LivingBeings.EyeGaze",
        "Object.LivingBeings.Face",
        "Object.LivingBeings.HandGesture",
        "Object.LivingBeings.Human",
        "Object.Outdoor.Building",
        "Object.Outdoor.Pothole",
        "Object.Outdoor.RoadSign",
        "Object.Outdoor.Vegetation",
        "Object.SpecificScenes.FireVisual",
        "Object.SpecificScenes.Flood",
        "Object.SpecificScenes.SmokeVisual",
        "Object.SpecificScenes.Snow",
        "Object.Vehicles.Aircraft",
        "Object.Vehicles.Boat",
        "Object.Vehicles.Bus",
        "Object.Vehicles.Car",
        "Object.Vehicles.LicensePlate",
        "Object.Vehicles.Moto",
        "Object.Vehicles.Truck",
        "Particulate.Aerosols.Bioaerosol",
        "Particulate.Aerosols.Dust",
        "Particulate.Aerosols.Pollen",
        "Particulate.Aerosols.SmokeIonization",
        "Particulate.Aerosols.SmokePhotoelectric",
        "Particulate.Liquids.ChemicalSpill",
        "Particulate.Liquids.FuelSheen",
        "Particulate.Liquids.LiquidLevel",
        "Particulate.Liquids.WaterLeak",
        "Particulate.Solids.DensityChange",
        "Particulate.Solids.ForeignObject",
        "Particulate.Solids.GrainFlow",
        "Particulate.Solids.Landmine",
        "Particulate.Solids.Metal",
        "Software.Detected.Crowd",
        "Software.Detected.CyberAttack",
        "Software.Detected.Drowsiness",
        "Software.Detected.Explosion",
        "Software.Detected.FailedBiometric",
        "Software.Detected.FireFusion",
        "Software.Detected.Intrusion",
        "Software.Detected.Loitering",
        "Software.Detected.Tailgating",
        "ext-value"
      ],
      "description": "Possible source category"
    },
    "targetCategoryEnum": {
      "enum": [
        "Undetermined",
        "Commercial.ClientBase",
        "Commercial.Partnerships",
        "Commercial.Reputation",
        "Financial.Cash",
        "Financial.Investments",
        "Financial.Receivables",
        "Furniture.Fittings",
        "Furniture.HVAC",
        "Furniture.OfficeFurniture",
        "Human.EmployerBrand",
        "Human.Organization",
        "Human.Skills",
        "Infrastructure.CivilWorks",
        "Infrastructure.Foundations",
        "Infrastructure.Networks",
        "IP.Copyrights",
        "IP.Patents",
        "IP.Trademarks",
        "IT.Endpoints",
        "IT.Hardware",
        "IT.Telecom",
        "Logistics.Containers",
        "Logistics.SpecialVehicles",
        "Logistics.Vehicles",
        "Marketing.Content",
        "Marketing.Domains",
        "Marketing.Identity",
        "Production.HeavyEquipment",
        "Production.Machinery",
        "Production.MachineTools",
        "RealEstate.Buildings",
        "RealEstate.Land",
        "RealEstate.SpecialStructures",
        "Software.Applications",
        "Software.Data",
        "Software.Licenses",
        "ext-value"
      ],
      "description": "Possible target category"
    },
    "attachmentNameType": {
      "description": "A unique identifier among attachments.",
      "type": "string",
      "pattern": "^[a-zA-Z0-9]+$"
    },
    "portType": {
      "description": "A network port number. The value 0 is excluded from the range because it never appears in an actual network connection.",
      "type": "integer",
      "minimum": 0,
      "maximum": 65535,
      "exclusiveMinimum": true
    },
    "timestampType": {
      "description": "A JSON string containing a timestamp conforming to the format given in section 5.6 of RFC 3339.",
      "type": "string",
      "pattern": "^[0-9]{4}-(0[0-9]|1[012])-([0-2][0-9]|3[01])T([0-1][0-9]|2[0-3]):[0-5][0-9]:([0-5][0-9]|60)(\\.[0-9]+)?(Z|[-+]([0-1][0-9]|2[0-3]):[0-5][0-9])?$"
    },
    "geolocType": {
      "description": "Geolocation coordinates. The format for this type matches the definition for locations inside ISO 6709 (e.g. \"+48.75726, +2.299528, +65.1\").",
      "type": "string",
      "pattern": "^[-+]?([0-9]+(\\.[0-9]*)?)(, ?[-+]?([0-9]+(\\.[0-9]*)?)){1,2}$"
    },
    "unlocodeType": {
      "description": "A valid UN/LOCODE location (e.g. \"FR PAR\"). See also the UN/LOCODE Code List 2020-2 at https://unece.org/trade/cefact/unlocode-code-list-country-and-territory.",
      "type": "string",
      "pattern": "^[A-Z]{2} ?[A-Z]{3}$"
    },
    "ipType": {
      "description": "An Internet Protocol address, either version 4 or version 6.",
      "type": "string",
      "pattern": "^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$"
    },
    "mediatypeType": {
      "description": "A valid media type (e.g. \"text/plain\") conforming to the format defined in section 3.1.1.1 of RFC 7231. See also http://www.iana.org/assignments/media-types/media-types.xhtml.",
      "type": "string",
      "pattern": "^[-!#$%&'*+.^_`|~0-9a-zA-Z]+/[-!#$%&'*+.^_`|~0-9a-zA-Z]+([ \t]*;[ \t]*[-!#$%&'*+.^_`|~0-9a-zA-Z]+=([-!#$%&'*+.^_`|~0-9a-zA-Z]+|\"([\\x5D-~\t !#-\\x5B]|\\\\([\t 0-9a-zA-Z]))*\"))*$"
    },
    "uuidType": {
      "description": "Canonical textual representation for a UUID, as defined in RFC 4122 (e.g. \"e5f9bbae-163e-42f9-a2f2-0daaf78fefb1\")",
      "type": "string",
      "pattern": "^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$"
    },
    "protocolType": {
      "description": "A JSON string containing a service or protocol name from the set of permitted values defined in the IANA \"Service Name and Transport Protocol Port Number\" registry (http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml).",
      "type": "string",
      "pattern": "^[a-zA-Z0-9](-?[a-zA-Z0-9])*$"
    },
    "hashType": {
      "description": "A cryptographic hash acting as a checksum for some content, using the format \"function:hex-value\" (e.g. \"md5:dc89f0b4ff9bd3b061dd66bb66c991b1\").",
      "type": "string",
      "pattern": "^[a-zA-Z0-9-]+:([a-fA-F0-9]{2})+$"
    }
  },
  "$schema": "http://json-schema.org/draft-04/schema#",
  "title": "IDMEF 2.D.V08"
}

Author's Address

   Gilles Lehmann
   Telecom SudParis
   France
   Email: gilles.lehmann@telecom-sudparis.eu
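The scalar types of the schema are constrained by "pattern" regular expressions, and several of those patterns accept values that are not valid instances of the type they describe: timestampType admits month 00, day 00 and 31 February, and leaves the UTC offset optional although section 5.6 of RFC 3339 requires it; geolocType admits latitudes beyond 90 degrees; hashType admits a digest of any even length for any function name. A consumer that correlates on these values needs the semantic check on top of the pattern. The following Python validator is an added example, not code from this draft nor from the IDMEFv2 Task Force: it reuses the schema patterns as written and layers those checks on top. The function names and the sample values used in its tests are the example's own.

```python
"""Validation of the IDMEFv2 scalar types defined in the schema above.

Added example, not code from the draft or from the IDMEFv2 Task Force. It
reuses the "pattern" regular expressions as the schema gives them and adds,
where a pattern alone is too permissive, the semantic check a consumer should
run before correlating on the value. Function names are the example's own.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Patterns copied from the schema definitions (JSON "\\." is "\." here).
PATTERNS = {
    "attachmentNameType": r"^[a-zA-Z0-9]+$",
    "timestampType": (r"^[0-9]{4}-(0[0-9]|1[012])-([0-2][0-9]|3[01])"
                      r"T([0-1][0-9]|2[0-3]):[0-5][0-9]:([0-5][0-9]|60)"
                      r"(\.[0-9]+)?(Z|[-+]([0-1][0-9]|2[0-3]):[0-5][0-9])?$"),
    "geolocType": r"^[-+]?([0-9]+(\.[0-9]*)?)(, ?[-+]?([0-9]+(\.[0-9]*)?)){1,2}$",
    "unlocodeType": r"^[A-Z]{2} ?[A-Z]{3}$",
    "uuidType": r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$",
    "protocolType": r"^[a-zA-Z0-9](-?[a-zA-Z0-9])*$",
    "hashType": r"^[a-zA-Z0-9-]+:([a-fA-F0-9]{2})+$",
}


def matches(type_name, value):
    """Plain "pattern" check, what a draft-04 validator does for these types.

    fullmatch is used on purpose: with re.search, "$" would also accept a value
    carrying a trailing newline, which the ECMA-262 "$" of JSON Schema does not.
    """
    return isinstance(value, str) and re.fullmatch(PATTERNS[type_name], value) is not None


def valid_port(value):
    """portType: integer, minimum 0 with draft-04 boolean exclusiveMinimum, maximum 65535."""
    # bool is a subclass of int in Python, but JSON true/false is not an "integer".
    return isinstance(value, int) and not isinstance(value, bool) and 0 < value <= 65535


_TS_FIELDS = re.compile(
    r"(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})T(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})"
    r"(?P<frac>\.\d+)?(?P<tz>Z|[-+]\d{2}:\d{2})?")


def parse_timestamp(value):
    """timestampType: schema pattern plus what the pattern cannot express.

    The pattern accepts month 00, day 00 and 31 February, and makes the UTC
    offset optional although RFC 3339 section 5.6 requires it. Returns an
    aware datetime, or None when the value must be rejected.
    """
    if not matches("timestampType", value):
        return None
    m = _TS_FIELDS.fullmatch(value)
    y, mo, d, h, mi, s = (int(m.group(k)) for k in ("y", "mo", "d", "h", "mi", "s"))
    try:
        # Second 60 is a leap second, which datetime cannot hold: clamp it once
        # the other fields have been checked against the calendar.
        dt = datetime(y, mo, d, h, mi, min(s, 59))
    except ValueError:
        return None
    if m.group("frac"):
        dt = dt.replace(microsecond=int((m.group("frac")[1:] + "000000")[:6]))
    tz = m.group("tz")
    if tz is None:
        return None
    if tz == "Z":
        return dt.replace(tzinfo=timezone.utc)
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(offset if tz[0] == "+" else -offset))


def parse_geoloc(value):
    """geolocType: schema pattern plus ISO 6709 ranges (the pattern accepts "+999, +999")."""
    if not matches("geolocType", value):
        return None
    parts = tuple(float(p) for p in value.split(","))  # lat, lon[, altitude]
    if not (-90.0 <= parts[0] <= 90.0 and -180.0 <= parts[1] <= 180.0):
        return None
    return parts


def parse_hash(value):
    """hashType: "function:hex-value"; when hashlib knows the function, the digest length must fit."""
    if not matches("hashType", value):
        return None
    func, hexdigest = value.split(":", 1)
    func = func.lower()
    try:
        expected = hashlib.new(func).digest_size
    except ValueError:
        expected = 0  # unknown function: the schema only constrains the syntax
    if expected and len(hexdigest) != 2 * expected:
        return None
    return func, hexdigest.lower()
```

The pattern-only check is what a generic draft-04 validator performs; the parse_* functions are the extra step a manager or correlation engine should take, since a timestamp without an offset or a digest of the wrong length for its function cannot be matched reliably against events from other analyzers.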