IDMEF Time Zoom¶

Whole Diagram

• Time
• Analyzer
  • Node/Address
  • Process
• Source/Target
  • Node/Address
  • Process
  • User/UserId
  • Service
  • File
• Assessment
• Classification
• Additional Data

The AnalyzerTime Class¶

The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message "on the wire".

The CreateTime Class¶

The CreateTime class is used to indicate the date and time the alert or heartbeat was created by the analyzer.

The DetectTime Class¶

The DetectTime class is used to indicate the date and time that the event(s) producing an alert was detected by the analyzer. In the case of more than one event, it is the time that the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection).