|
|||||
 |
 |
||||
| CEE Website is in "Archive" status — read the announcement | |||||
|---|---|---|---|---|---|
| CEE Language |
|---|
Additional Information |
CEE Dictionary and Event Taxonomy — Archive
Dictionary | Event Taxonomy | About the Specification | Feedback Requested
The CEE Common Dictionary and Event Expression Taxonomy (CDET) is an unambiguous event language for classifying logged events.
CEE Dictionary
The CDET Dictionary defines a collection of event fields and field value types for use with CEE Events. The fields and types are used within event records to specify the values of an event property associated with a specific event instance.
Each field type definition has a name, format, and description. The type format is either a union or restriction. The restriction type places a limitation on the acceptable values supported by that type. One restriction is a pattern indicating how the character sequence an acceptable value should match, such as an IPv4 address field type must have a specific pattern: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}. The format may also specify the minimum or maximum value for an integer, such as a network port is a number between 0 and 65535. The union type defines entry types as combination of other types (e.g., an IP address type may be a union of an IPv4 and IPv6 address type).
Each "event field" definition is represented by a name that identifies one event characteristic (e.g., source IPv4 address, filename, username, destination port number). Each field is defined by a unique name, definition, and is associated with one field type (e.g., integer, string, timestamp, IPv4 address).
For both fields and field types, the name is a unique character sequence used to reference a specific definition. Using a name in the CDET Dictionary is similar to using a standard dictionary. Users can look up the meaning of, or locate the proper term to describe a certain event characteristic. For example, if a product wants to provide the account name of a user involved in an event, a search through the CDET Dictionary entries would inform that the correct event field to use would be acct.name. Similarly, if a product records an event field entitled proc_id, the Dictionary would explain that this field describes the numerical process identifier of an executing process.
CEE Event Taxonomy
The CDET Taxonomy is the other half of the CDET component. The CDET Taxonomy defines a collection of "CEE Tags" that can be used to systematically categorize events. Its goal is to support common event categorization methodologies and identify records that pertain to similar types of events. CEE Tags are grouped by common event categories based on their tag type, which are used by event producers can provide obvious and consistent event categorization. Users and event consumers can leverage these categories to improve event correlation or easily locate certain classes of events.
| Example CEE Tag Types & Names | |
|---|---|
| Tag Types | Tag Names |
| action | start, stop, execute, read, delete, login |
| object | file, acct, app, db, system, malware |
| status | success, failure, error |
| attack | dos, exploit, xss, buffer-overflow |
| device type | finance, dev, prod, test, dmz |
The CDET Taxonomy defines a tag type as way to categorize events. Each tag type consists of one or more CEE Tags. Each tag represents on event classification concept and is associated with a unique name. These tag types allow each event to be associated with multiple tags representing multiple categories. This gives the event consumers the flexibility to identify similar events based upon their needs.
Common tag types include event action, status, and object, and might include other categorizations such as attack type, device type, or other categorizations that are required by the event consumer.
These CEE Tags can be specified within an event record to indicate that event’s categorization. For example, an event could be tagged with a login, success, and db tag, indicating that the event probably pertains to a successful login to a database.
About the Specification
MITRE and the CEE Community have created a single "CEE Profile Specification" that combines two important components of the CEE Overview Architecture, the CEE Dictionary and Event Taxonomy (CDET) described on this page and the CEE Event Log Recommendations (CELR), into the single, machine-interpretable CEE Profile Specification document provided below.
As CDET and CELR share common requirements and have interdependencies, they have been combined into the single specification below. The CDET component consists of a dictionary and taxonomy portions. The CDET Dictionary defines a common terminology, which can be used to describe the various properties of an event instance. The CDET Taxonomy provides a common event classification system to help identify similar events. By combining the Dictionary and Taxonomy, end users and products can use the same terms to describe the same event characteristics, producing a more unified record of an event. CELR provides the ability to identify recommended event types and event properties for IT devices. Logging recommendations, to include specific events and event properties, are identified with the use of "event profiles". The CELR profiles are defined based on a collection of best practices from various sources, including information assurance recommendations, requirements, forensics, and inputs from the CEE Community.
CEE Profiles are intended for use with the CEE Log Syntax (CLS) and the CLS Encodings, but may be used within other contexts.
View the Specification
The most current version of the CEE Profile Specification for CDET and CELR is available on the CEE Profile Specification page.
Previous versions of this specification, when available, are archived in the CEE Archive.
Feedback Requested
We encourage event producers, event consumers, and IT and security operations end users to participate in the development of the CEE Profile Specification for CDET and CELR on the CEE Email Discussion List.
Page Last Updated: May 15, 2013
