CEE™ Common Event Expression: A Unified Event Language for Interoperability
CEE Website is in "Archive" status — read the announcement
 


CEE Event Log Recommendations — Archive


CEE Event Log Recommendations (CELR) provides recommendations as to which events and fields should be recorded in certain situations in the form of machine-readable "Event Profiles." As described in the CEE Overview Architecture Specification, an Event Profile defines the optional and mandatory fields for a spec and values defined as part of the Event Profile. Each CEE-defined Event Profile is developed by subject-matter experts and validated against related best practices, including requirements documents, information assurance guidance, forensics guidance, and inputs from the CEE Community.

CEE Profiles

A "CEE Profile" is a document that defines Event Profiles, CDET Dictionary Fields, and Taxonomy Tags. This allows for all of the CEE event profiles and vocabularies to be packaged with a single document.

There are three (3) different types of CEE Profiles:

Tools can be used to check whether a CEE Event is compliant with a CEE Profile. If the event contains all of the fields required by the profile, and each field’s value corresponds to the field's value type defined in the profile, then the event record is said to be compliant with the profile.
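The compliance rule above can be sketched as follows. This is an added example, not code from MITRE or the CEE project: the dictionary-based profile layout, the value-type names (string, integer, timestamp, ipv4), the field names and the choice to ignore fields the profile does not list are all assumptions made for illustration, not the CEE Profile schema.

```python
import ipaddress
from datetime import datetime

def _is_timestamp(v):
    # Hypothetical "timestamp" type: an ISO 8601 string.
    try:
        datetime.fromisoformat(v)
        return True
    except (TypeError, ValueError):
        return False

def _is_ipv4(v):
    # Hypothetical "ipv4" type: dotted-quad string only (integers rejected).
    if not isinstance(v, str):
        return False
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False

# Assumed value types; the real ones are defined by the CEE Profile Specification.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "timestamp": _is_timestamp,
    "ipv4": _is_ipv4,
}

PROFILE = {  # constructed sample profile, not a CEE-published one
    "fields": {
        "time": {"type": "timestamp", "required": True},
        "host": {"type": "string", "required": True},
        "src_ip": {"type": "ipv4", "required": False},
        "pid": {"type": "integer", "required": False},
    },
}

def check_compliance(event, profile):
    """Return (compliant, problems) for one event record against one profile."""
    problems = []
    for name, spec in profile["fields"].items():
        if name not in event:
            if spec["required"]:
                problems.append(f"missing required field: {name}")
            continue
        # Optional fields are type-checked too when they are present.
        if not TYPE_CHECKS[spec["type"]](event[name]):
            problems.append(f"bad value for {name}: expected {spec['type']}")
    return (not problems, problems)

if __name__ == "__main__":
    event = {"host": "web01", "src_ip": "999.1.1.1", "pid": "42"}  # constructed
    print(check_compliance(event, PROFILE))
```

Returning the list of problems rather than a bare boolean lets a log pipeline report which required field a producer dropped or which value failed its type check.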

About the Specification

MITRE and the CEE Community have created a single "CEE Profile Specification" that combines two important components of the CEE Architecture, the CEE Event Log Recommendations (CELR) described on this page and the CEE Dictionary and Event Taxonomy (CDET), into one machine-interpretable document.

As CDET and CELR share common requirements and have interdependencies, they have been combined into the single specification below. The CDET component consists of dictionary and taxonomy portions. The CDET Dictionary defines a common terminology, which can be used to describe the various properties of an event instance. The CDET Taxonomy provides a common event classification system to help identify similar events. By combining the Dictionary and Taxonomy, end users and products can use the same terms to describe the same event characteristics, producing a more unified record of an event.

CELR provides the ability to identify recommended event types and event properties for IT devices. Logging recommendations, including specific events and event properties, are identified through "event profiles". The CELR profiles are defined based on a collection of best practices from various sources, including information assurance recommendations, requirements, forensics, and inputs from the CEE Community.

CEE Profiles are intended for use with the CEE Log Syntax (CLS) and the CLS Encodings, but may be used within other contexts.

View the Specifications

The most current version of the CEE Profile Specification for CDET and CELR is available on the CEE Profile Specification v1.0-alpha page.

Previous versions of these specifications, when available, are archived in the CEE Archive.

Feedback Requested

We encourage event producers, event consumers, and IT and security operations end users to participate in the development of the CEE Profile Specification on the CEE Email Discussion List.


Page Last Updated: May 15, 2013