Non existing fields
- Confidentiality, Integrity, Availability and Vulnerability impact
- Secret level of the information, like from a non-protected network (internet) or from a VIP network (with secret data)
RE: Non existing fields - Added by Sélim Menouar almost 4 years ago
The comparison with several other formats has pointed out some new missing fields:
- Start and end time of the event. That could possibly be useful, but we have to remember that a lot of time fields are already available and that it tends to confuse users.
- The transport protocol also seems to be missing in the IDMEF schema, whereas CEF has a field for it.
- User privileges could be provided in the alert. CEF does it.
- We mentioned a few times the NAT addresses missing in the schema. It could be very easy to add a category field indicating whether the address is translated or not.
- IDMEF already has a field for PID, but there's no field for TID (thread id).