
Incident Object Description Exchange Format

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Casier David (talk | contribs) at 15:08, 9 May 2016. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Used in computer security, IODEF (Incident Object Description Exchange Format) is a data format for describing computer security information so that it can be exchanged between Computer Security Incident Response Teams (CSIRTs).

IODEF messages are therefore organized in a human-readable way rather than in a machine format. Details of the format are described in RFC 5070, which presents an implementation of the data model in XML as well as the associated DTD.

One of the main characteristics of IODEF is its compatibility with the Intrusion Detection Message Exchange Format (IDMEF), developed for intrusion detection systems. For this reason, IODEF is heavily based on IDMEF and provides upward compatibility with it.

Format

IODEF is an object-oriented structured format, composed of 47 classes in its first version. Since the IODEF and IDMEF formats have a lot in common, the field structure is similar to that of IDMEF.

Extensible Format

In addition to the usual AdditionalData class, which allows any information relevant to the IODEF message to be added, most enumerations are provided with an "ext" field. This field is used when none of the proposed choices fit.

Here is a list of the main fields, each given with its cardinality:

  • IncidentID: One. An incident identification number assigned to this incident by the CSIRT that created the IODEF document.
  • AlternativeID: Zero or one. The incident ID numbers used by other CSIRTs to refer to the incident described in the document.
  • RelatedActivity: Zero or one. The ID numbers of the incidents linked to the one described in this document.
  • DetectTime: Zero or one. Time at which the incident was first detected.
  • StartTime: Zero or one. Time at which the incident started.
  • EndTime: Zero or one. Time at which the incident ended.
  • ReportTime: One. Time at which the incident was reported.
  • Description: Zero or more. ML_STRING. A free-text (unformatted) description of the event.
  • Assessment: One or more. A characterisation of the incident's impact.
  • Method: Zero or more. Techniques used by the intruder during the incident.
  • Contact: One or more. Contact information for the groups involved in the incident.
  • EventData: Zero or more. Description of the events involved in the incident.
  • History: Zero or more. A log of the events or notable actions that took place during the handling of the incident.
  • AdditionalData: Zero or more. Mechanism that extends the data model.

Example

Below is an example of an IODEF document definition, the XML Schema for the IODEF-Document and Incident classes:

<!--
   ====================================================================
   == IODEF-Document class                                           ==
   ====================================================================
  -->
    <xs:element name="IODEF-Document">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Incident" 
                      maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="version" 
                      type="xs:string" fixed="1.00"/>
        <xs:attribute name="lang" 
                      type="xs:language" use="required"/>
        <xs:attribute name="formatid" 
                      type="xs:string"/>
      </xs:complexType>
    </xs:element>
  <!--
   ====================================================================
   ===  Incident class                                              ===
   ====================================================================
  -->
    <xs:element name="Incident">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IncidentID"/>
          <xs:element ref="iodef:AlternativeID" 
                      minOccurs="0"/>
          <xs:element ref="iodef:RelatedActivity" 
                      minOccurs="0"/>
          <xs:element ref="iodef:DetectTime" 
                      minOccurs="0"/>
          <xs:element ref="iodef:StartTime" 
                      minOccurs="0"/>
          <xs:element ref="iodef:EndTime" 
                      minOccurs="0"/>
          <xs:element ref="iodef:ReportTime"/>
          <xs:element ref="iodef:Description" 
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Assessment" 
                      maxOccurs="unbounded"/>
          <xs:element ref="iodef:Method" 
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Contact" 
                      maxOccurs="unbounded"/>
          <xs:element ref="iodef:EventData" 
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:History" 
                      minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData" 
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="purpose" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="traceback"/>
              <xs:enumeration value="mitigation"/>
              <xs:enumeration value="reporting"/>
              <xs:enumeration value="other"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-purpose" 
                      type="xs:string" use="optional"/>
        <xs:attribute name="lang" 
                      type="xs:language"/>
        <xs:attribute name="restriction" 
                      type="iodef:restriction-type" default="private"/>
      </xs:complexType>
    </xs:element>
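As an added, constructed example (not from this article, RFC 5070 or any IODEF implementation), the Python below builds a minimal IODEF 1.00 document and checks it against the cardinalities, required attributes and "purpose" enumeration shown in the schema excerpt above. The namespace is the one RFC 5070 registers; the CSIRT name, incident ID and e-mail address are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "urn:ietf:params:xml:ns:iodef-1.0"  # namespace registered by RFC 5070
PURPOSES = {"traceback", "mitigation", "reporting", "other", "ext-value"}
# Cardinality of each Incident child from the schema excerpt: (min, max); None = unbounded.
CARDINALITY = {
    "IncidentID": (1, 1), "AlternativeID": (0, 1), "RelatedActivity": (0, 1),
    "DetectTime": (0, 1), "StartTime": (0, 1), "EndTime": (0, 1),
    "ReportTime": (1, 1), "Description": (0, None), "Assessment": (1, None),
    "Method": (0, None), "Contact": (1, None), "EventData": (0, None),
    "History": (0, 1), "AdditionalData": (0, None),
}
# Constructed sample: minimal reporting document; CSIRT name, ID and address are placeholders.
SAMPLE = f"""<IODEF-Document version="1.00" lang="en" xmlns="{NS}">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <ReportTime>2016-05-09T15:08:00+00:00</ReportTime>
    <Assessment><Impact type="dos" completion="succeeded"/></Assessment>
    <Contact role="creator" type="organization">
      <Email>irt@csirt.example.com</Email>
    </Contact>
  </Incident>
</IODEF-Document>"""


def check_iodef(xml_text):
    """Return the violations of the cardinalities, required attributes and
    'purpose' enumeration that the IODEF-Document/Incident schema above imposes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}IODEF-Document":
        return [f"root element is {root.tag}, not IODEF-Document"]
    if root.get("version") != "1.00":
        problems.append("IODEF-Document/@version must be the fixed value 1.00")
    if root.get("lang") is None:
        problems.append("IODEF-Document/@lang is required")
    for i, inc in enumerate(root.findall(f"{{{NS}}}Incident")):
        purpose = inc.get("purpose")
        if purpose not in PURPOSES:
            problems.append(f"Incident[{i}]/@purpose {purpose!r} is not in the enumeration")
        elif purpose == "ext-value" and not inc.get("ext-purpose"):
            problems.append(f"Incident[{i}]: purpose ext-value requires ext-purpose")
        counts = Counter(child.tag for child in inc)  # children are namespace-qualified
        for name, (lo, hi) in CARDINALITY.items():
            n = counts[f"{{{NS}}}{name}"]
            if n < lo or (hi is not None and n > hi):
                problems.append(f"Incident[{i}]: {name} occurs {n} times, allowed {lo}..{hi or 'n'}")
    return problems
```

A real deployment would validate against the full RFC 5070 schema; this checker only enforces the constraints visible in the excerpt, which is enough to reject a report that omits the mandatory Contact or ReportTime elements before it reaches an incident tracker.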

Software using IODEF

  • Prelude SIEM


  • RFC 5070 - The Incident Object Description Exchange Format (IODEF)
  • RFC 6685 - Expert Review for Incident Object Description Exchange Format (IODEF) Extensions in IANA XML Registry
  • RFC 7203 - An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information
  • SECEF - Project to promote the IDMEF and IODEF formats