The CEE Core Profile contains a field dictionary and taxonomy that should be generally useful for reporting operating system and network-level events. It is published by the CEE Community and serves as the root profile for all CEE Events.
The URI for this profile is http://cee.mitre.org/1.0-beta1/core-profile. The XSD version can be found at http://cee.mitre.org/core-profile/1.0-beta1.xsd.
| Object | Name | Type | Description |
|---|---|---|---|
| | host | STRING | Hostname of the event source |
| | pname | STRING | Process name that generated the event |
| | time | DATETIME | Event start time |
| | app | OBJECT | Application |
| | appname | STRING | Name of the application that generated the event |
| | auid | STRING | Source user login authentication ID (login id) |
| | cmd | STRING | Command |
| | dst | OBJECT | Network destination |
| | egid | STRING | Source user group effective ID (egid) |
| | eid | STRING | Source user effective ID (euid) |
| | file | OBJECT | File information |
| | ipv4 | IPv4 | IPv4 address of the event source |
| | ipv6 | IPv6 | IPv6 address of the event source |
| | msg | STRING | The event message |
| | msgid | STRING | The event message identifier |
| | pid | STRING | Process ID that generated the event |
| | pri | STRING | Event priority (ERROR, WARN, DEBUG, CRIT) |
| | proc | OBJECT | Process |
| | sev | NUMBER | Event severity |
| | src | OBJECT | Network source |
| | subsys | STRING | Application subsystem responsible for generating the event |
| | syslog | OBJECT | Syslog compatibility |
| | tid | NUMBER | Numeric thread ID associated with the process generating the event |
| | uid | STRING | Source user account ID (uid) |
| | user | OBJECT | User account |
| | username | STRING | Source user name |
| | vend | STRING | Vendor of the event source application |
| | ver | STRING | Application version of the event source application |
| app | name | STRING | Application name |
| app | vend | STRING | Application vendor |
| app | ver | STRING | Application version |
| dst | host | STRING | Network destination hostname |
| dst | ipv4 | IPv4 | Network destination IPv4 address |
| dst | ipv6 | IPv6 | Network destination IPv6 address |
| dst | port | NUMBER | Network destination port |
| file | hashmd5 | STRING | File MD5 hashsum |
| file | line | NUMBER | File line number |
| file | mode | STRING | File mode flags |
| file | name | STRING | File name |
| file | path | STRING | File system path |
| file | perm | STRING | File permissions |
| file | size | NUMBER | File size in octets |
| proc | id | STRING | Process ID (pid) |
| proc | name | STRING | Process name |
| proc | tid | NUMBER | Thread identifier of the process |
| src | host | STRING | Network source hostname |
| src | ipv4 | IPv4 | Network source IPv4 address |
| src | ipv6 | IPv6 | Network source IPv6 address |
| src | port | NUMBER | Network source port |
| syslog | fac | NUMBER | Syslog facility value |
| syslog | pri | NUMBER | Syslog priority value |
| syslog | tag | STRING | Syslog tag value |
| syslog | ver | NUMBER | Syslog protocol version (0 = legacy/RFC 3164; 1 = RFC 5424) |
| user | domain | STRING | User account domain (NT domain) |
| user | gid | STRING | Group ID (gid) |
| user | group | STRING | Group name |
| user | id | STRING | User account ID (uid) |
| user | name | STRING | User account name |
| Tag Category | Tag Value | Name | Description |
|---|---|---|---|
| action | | | The primary type of action that was undertaken as part of the event. The status or result of the action should be detailed in the status field. |
| | access | Access Event | A file, user account, network share, or other object has been accessed. If more is known regarding the access, use a more precise action such as read, write, or execute. |
| | alert | Alert Event | |
| | allocate | Memory/Space Allocation Event | |
| | allow | Allow/Permit Event | |
| | audit | Audit Event | |
| | backup | Backup Event | |
| | bind | Bind Event | |
| | block | Block Event | |
| | clean | Clean/Scrub Infected Object Event | |
| | close | Close Event | |
| | compress | Compress Event | |
| | connect | | |
| | copy | Copy Event | An object was duplicated or copied. Commonly copied objects include files, partitions, and database tables. |
| | create | Create Event | An object was created. Commonly created objects include files, accounts, and roles. If the object is a stream or session, then the action [open] must be used. |
| | decode | | |
| | decompress | Decompress Event | |
| | decrypt | | |
| | depress | | |
| | detect | Detect Event | Finding evidence of something as it is occurring, usually through the use of sensors or triggers. For example, an attack or exploit can be detected as it is occurring, or evidence of the event can be found through later searches. |
| | disconnect | | |
| | download | | |
| | encode | | |
| | encrypt | | |
| | execute | Execute Event | An object (usually a file or memory) was run or executed. |
| | filter | | |
| | find | Find Event | An object was found, usually as a result of a search or scan, such as an anti-virus product finding malware or an IDS finding suspicious packets. |
| | free | Free Event | The deallocation or freeing of memory. |
| | get | | |
| | initialize | Initialize Event | Initialize memory or set a buffer or variable to its initial value. |
| | initiate | Initiate Event | Initiate an external connection, stream, or other object, usually as part of a handshake or other initialization process. |
| | install | | |
| | lock | | |
| | login | Login Event | A user or other entity gains access to a system through a successful authentication or login attempt. |
| | logout | Logout Event | An entity that has already gained access to a system or application (through a login action) ends its user account session. Another session can be established to the user account only through another successful logon action. |
| | modify | | |
| | move | Move Event | An object was moved. Usually 'move' describes the moving of a file between directories. A 'move' may be implemented as a sequence of [copy] and [remove] actions. |
| | open | | |
| | quarantine | | |
| | read | | |
| | release | | |
| | remove | | |
| | replicate | | |
| | resume | | |
| | save | | |
| | scan | | |
| | search | Search Event | An actor (user or application) searched or queried for something. For 'search' actions, the object should contain the query of what was sought. |
| | start | Start Event | A service, task, scan, or related object activity has begun. |
| | stop | Stop Event | A service, task, scan, or related activity was stopped, usually by another process or user, or due to an error condition. |
| | suspend | | |
| | uninstall | | |
| | unlock | | |
| | update | | |
| | upgrade | Upgrade Event | A type of [update] that upgrades an entire application, usually involving substantial changes and a change in major version numbers. For example, installing the Microsoft Windows XP Service Pack 2 (SP2) would upgrade a base Windows XP installation. |
| | upload | | |
| | violate | Violate Event | The infringement or breaking of a policy, rule, or other guideline. |
| | write | Write Event | An object (usually a file or memory location) was written to. |
| domain | | | The environment or domain of the event. Typical event domains include network (net), operating system (os), and application (app). |
| | app | Application-level Event | |
| | device | Device-level Event | |
| | net | Network-based Event | The event occurs within or is associated with the network. |
| | os | Operating System Event | |
| object | | | The type of object that is targeted or otherwise affected by the event. |
| | account | User Account | |
| | app | Application | |
| | bios | System BIOS | |
| | driver | Device Driver | |
| | event | Audit or Event Record | |
| | file | File | |
| | flow | Network Flow | |
| | connection | Network Connection | |
| | memory | | |
| | packet | Network Packet | |
| | process | Process | |
| | rule | Firewall, IDS, Malware, or similar Rule | |
| | session | User Session | |
| | system | System | |
| | thread | Processing Thread | |
| | vuln | Vulnerability | |
| service | | | The service the event involves. The service field value provides context to the event action or more precision to the event domain. |
| | audit | Audit Service | |
| | auth | Authentication Service | |
| | authorize | Authorization Service | |
| | backup | Backup Service | |
| | db | Database Service | |
| | | E-mail Service | The event involves an e-mail server or service. |
| | fw | Firewall Service | |
| | web | Web Service | The event involves a web service, such as an HTTP server. |
| status | | | The end result or status of the event action identified by the action field. |
| | cancel | Event Canceled | The event action was canceled. |
| | error | Event Errored | The event action terminated with an error. |
| | failure | Event Failed | The event failed due to some unmet condition, such as an incorrect password. |
| | ongoing | Event Ongoing | The event has started and has yet to complete. Another event should be sent when the event completes, reporting its final status. |
| | success | Event Success | The event completed successfully. For example, a successful user authentication event would be an instance where the authentication activity was successfully completed and the user was fully authenticated. |
| | unknown | Event Status Unknown | The result state of an event occurrence was unknown. It was not known to the observer of the event whether or not the event successfully completed. |
| subject | | | The type of object that initiated or started the event action identified by the action field. |
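As an added example (not part of the CEE specification or any MITRE tooling), the following Python checks an event against a subset of the field dictionary and taxonomy above, so that events with unknown fields, mistyped values or tags outside the taxonomy can be rejected at ingestion. It assumes a plain-dict event encoding with tags written as `category:value` strings and ISO 8601 text for DATETIME; the field subset, tag subset and sample event are constructed here.

```python
# Added example, not part of the CEE specification: check a CEE-style event (a plain dict
# here, an assumed encoding) against a subset of the Core Profile dictionary and taxonomy.
import ipaddress
from datetime import datetime
FIELDS = {  # subset of the field dictionary: name -> type, or a nested dict for OBJECT fields
    "host": "STRING", "time": "DATETIME", "msg": "STRING", "pri": "STRING",
    "src": {"host": "STRING", "ipv4": "IPv4", "ipv6": "IPv6", "port": "NUMBER"},
    "user": {"domain": "STRING", "id": "STRING", "name": "STRING"},
}
TAGS = {  # subset of the taxonomy: tag category -> allowed tag values
    "action": {"access", "create", "execute", "login", "logout"},
    "domain": {"app", "device", "net", "os"},
    "object": {"account", "file", "process", "session"},
    "service": {"audit", "auth", "authorize", "db", "fw", "web"},
    "status": {"cancel", "error", "failure", "ongoing", "success", "unknown"},
}

def type_ok(value, kind):
    """True if value matches the named CEE type; DATETIME is assumed to be ISO 8601 text."""
    try:
        return {
            "STRING": lambda v: isinstance(v, str),
            "NUMBER": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
            "DATETIME": lambda v: datetime.fromisoformat(v) is not None,
            "IPv4": lambda v: isinstance(v, str) and ipaddress.ip_address(v).version == 4,
            "IPv6": lambda v: isinstance(v, str) and ipaddress.ip_address(v).version == 6,
        }[kind](value)
    except (KeyError, TypeError, ValueError):
        return False

def validate(event, schema=FIELDS, prefix=""):
    """Return a list of problems; an empty list means the event conforms."""
    problems = []
    for key, value in event.items():
        path, kind = prefix + key, schema.get(key)
        if key == "tags" and not prefix:  # assumed: tags given as "category:value" strings
            problems += [f"unknown tag {t}" for t in value
                         if t.partition(":")[2] not in TAGS.get(t.partition(":")[0], ())]
        elif kind is None:
            problems.append(f"unknown field {path}")
        elif isinstance(kind, dict):  # OBJECT field: recurse into its sub-dictionary
            problems += (validate(value, kind, path + ".") if isinstance(value, dict)
                         else [f"{path} must be an OBJECT"])
        elif not type_ok(value, kind):
            problems.append(f"{path} is not {kind}")
    return problems
SAMPLE_EVENT = {  # constructed sample: a failed login reported by an authentication service
    "host": "auth01", "time": "2012-07-23T10:15:00+00:00", "pri": "WARN",
    "msg": "invalid password", "src": {"ipv4": "192.0.2.10", "port": 51234},
    "user": {"name": "alice"}, "tags": ["action:login", "status:failure", "service:auth"]}
```

`validate(SAMPLE_EVENT)` returns an empty list; feeding it an event with an IPv6 literal in `src.ipv4` or a tag such as `action:fly` returns one problem string per violation.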
Page Last Updated: July 23, 2012