CEE Profile

Related Links
CEE Profile	XML	cee_base_profile.xml
Associated Schema	XSD	cee-profile.xsd
CEE Homepage	HTML	http://cee.mitre.org

Summary
Includes	0
Tag Types	2
Tags	61
Field Types	34
Fields	242
Event Profiles	cee_base_event

Tag	access
Type	actionTag
Title	Access Event
Description	A file, user account, network share, or other object has been accessed. If more is known regarding the access, use a more precise action such as read, write, or execute.

Tag	alert
Type	actionTag
Title	Alert Event

Tag	audit
Type	actionTag
Title	Audit Event

Tag	backup
Type	actionTag
Title	Backup Event

Tag	bind
Type	actionTag
Title	Bind Event

Tag	clean
Type	actionTag
Title	Clean Event

Tag	close
Type	actionTag
Title	Close Event

Tag	connect
Type	actionTag
Title	Connect Event

Tag	copy
Type	actionTag
Title	Copy Event
Description	An object was duplicated or copied. Commonly copied objects include files, partitions, and database tables.

Tag	decode
Type	actionTag
Title	Decode Event

Tag	detect
Type	actionTag
Title	Detect Event
Description	Finding evidence of something as it is occurring, usually through the use of sensors or triggers. For example, an attack or exploit can be detected as it is occurring, or evidence of the event can be found through later searches.

Tag	filter
Type	actionTag
Title	Filter Event

Tag	find
Type	actionTag
Title	Find Event
Description	An object was found, usually as a result of a search or scan, such as an anti-virus product found malware or an IDS found suspicious packets.

Tag	get
Type	actionTag
Title	Get Event

Tag	initialize
Type	actionTag
Title	Initialize Event
Description	Initialize memory or set a buffer or variable to their initial values.

Tag	initiate
Type	actionTag
Title	Initiate Event
Description	Initiate an external connection, stream, or other object, usually as part of a hand-shake or other initialization process

Field Types

actionTagType

actionTag

Field Type	binary
Title	Binary
Description	A sequence of binary octets

boolean

Boolean

A Boolean value: "true" or "false"

Enumeration	true or false
ABNF	boolean = "true" / "false"

cpe

Common Platform Enumeration (CPE) Formatted String Identifier

A Common Platform Enumeration (CPE) 2.3 Formatted String identifier as listed http://nvd.nist.gov/cpe.cfm or http://cpe.mitre.org

cpe:[^/?#]*[^?#]*

cve

Common Vulnerability and Exposure (CVE) Identifier

A Common Vulnerability and Exposure (CVE) identifier as listed http://nvd.nist.gov or http://cve.mitre.org

CVE-\d{4}-\d{4}

dirEnum

The direction of something, such as a network flow

in
or
out

duration

Duration

The specification of a period of time, or duration. Due to problems with the processing and calculations surrounding the use of the XML Schema 1.0 xs:duration datatype, this definition is most compatible with IETF RFC 3339 http://tools.ietf.org/html/rfc3339, and fully compatible with ISO 8601:2004 and XML 1.0 xs:duration definitions http://dotat.at/tmp/ISO_8601-2004_E.pdf, http://www.w3.org/TR/xmlschema-2/#duration. For use with events and to avoid issues surrounding time duration calculations with days and months, the CEE duration field type only supports the specification of duration in seconds, minutes, hours, and days

P(\d+D)?(T((\d+H)|(\d+M)|(\d+(\.\d+)?S))?)?

duration = "P" DAYTIME-DURATION
DAYTIME-DURATION = DUR-DATE / DUR-TIME
DUR-SECOND  = 1*DIGIT [DUR-FRACSEC] "S"
DUR-FRACSEC = "." 1*DIGIT
DUR-MINUTE  = 1*DIGIT "M" [DUR-SECOND]\
DUR-HOUR    = 1*DIGIT "H" [DUR-MINUTE]
DUR-TIME    = "T" (DUR-HOUR / DUR-MINUTE / DUR-SECOND)
DUR-DAY     = 1*DIGIT "D"
DUR-DATE    = DUR-DAY [DUR-TIME]

emailAddress

E-mail Address

[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+

float

Floating-point Number

A floating-point number, represented as a 64-bit binary ("double") IEEE floating point

[+-]?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))([eE][-+]?[0-9]+)?

decimal = DECIMAL-NUM [DEC-SCI-NOT]
DECIMAL-NUM = [ "+" / "-" ] DEC-NUM-PT-NUM / DEC-PT-NUM
DEC-NUM-PT-NUM = 1*DIGIT [ "." *DIGIT ]
DEC-PT-NUM = "." 1*DIGIT
DEC-SCI-NOT = [ "e" / "E" ] 1*DIGIT

fqdn

Fully-Qualified Domain Name (FQDN)

([^\.]+\.)*[^\.]+

hostname

Hostname

idType

[^\s]+

integer

Integer

A bounded integer that is constrained to a 64-bit integer value.

MinValue	-9223372036854775808
MaxValue	9223372036854775807

ipv4Address

IPv4 Address

An IPv4 address, represented in dot-decimal notation

(((25[0-5])|(2[0-4]\d)|(1?\d{1,2}))\.){3}((25[0-5])|(2[0-4]\d)|(1?\d{1,2}))

ipv4Address = DEC-OCTET "." DEC-OCTET "." DEC-OCTET "." DEC-OCTET
DEC-OCTET = DIGIT      ; 0-9
  / %x31-39 DIGIT      ; 10-99
  / "1" 2DIGIT         ; 100-199
  / "2" %x30-34 DIGIT  ; 200-249
  / "25" %x30-35       ; 250-255

ipv6Address

IPv6 Address

An IPv6 address, represented in hex-colon notation according to the IETF RFC 4291 specification http://tools.ietf.org/html/rfc4291. The IPv6 address should adhere to the recommendations in RFC 5952 http://tools.ietf.org/html/rfc5952

([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}(%[^%\s]+)?
or
(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)(%[^%\s]+)?
or
(([0-9A-Fa-f]{1,4}:){6,6})(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}(%[^%\s]+)?
or
(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}(%[^%\s]+)?

ipv6Address = IPv6Literal [ IPv6ZoneID ]
IPv6Literal =                             6( H16 ":" ) LS32
             /                       "::" 5( H16 ":" ) LS32
             / [               H16 ] "::" 4( H16 ":" ) LS32
             / [ *1( H16 ":" ) H16 ] "::" 3( H16 ":" ) LS32
             / [ *2( H16 ":" ) H16 ] "::" 2( H16 ":" ) LS32
             / [ *3( H16 ":" ) H16 ] "::"    H16 ":"   LS32
             / [ *4( H16 ":" ) H16 ] "::"              LS32
             / [ *5( H16 ":" ) H16 ] "::"              H16
             / [ *6( H16 ":" ) H16 ] "::"
H16         = 1*4HEXDIG
LS32        = ( H16 ":" H16 ) / ipv4Address
IPv6ZoneID  = "%" 1*ZoneIDChar  ; SHOULD be an non-negative number
ZoneIDChar  = %x21-24 / %x26-7E ; MUST NOT contain '%'
ipv4Address = DEC-OCTET "." DEC-OCTET "." DEC-OCTET "." DEC-OCTET
DEC-OCTET = DIGIT      ; 0-9
           / %x31-39 DIGIT      ; 10-99
           / "1"  2DIGIT        ; 100-199
           / "2"  %x30-34 DIGIT ; 200-249
           / "25" %x30-35       ; 250-255

latDecDegrees

Latitude in Decimal Degrees

MinValue	-90.0
MaxValue	90.0

ldapName

LDAP Distinguished Name

Distinguished name (DN) as defined in IETF RFC 4514 and used by LDAP

ldapName = [ relativeDistinguishedName *( COMMA relativeDistinguishedName ) ]
relativeDistinguishedName = attributeTypeAndValue *( PLUS attributeTypeAndValue )
attributeTypeAndValue = attributeType EQUALS attributeValue
attributeType = descr / numericoid
attributeValue = string / hexstring ; The following characters are to be escaped when they appear
                                    ; in the value to be encoded: ESC, one of [escaped], leading
                                    ; SHARP or SPACE, trailing SPACE, and NULL.
string = [ ( leadchar / pair ) [ *( stringchar / pair ) ( trailchar / pair ) ] ]
leadchar = LUTF1 / UTFMB
LUTF1 = %x01-1F / %x21 / %x24-2A / %x2D-3A / %x3D / %x3F-5B / %x5D-7F
trailchar = TUTF1 / UTFMB
TUTF1 = %x01-1F / %x21 / %x23-2A / %x2D-3A / %x3D / %x3F-5B / %x5D-7F
stringchar = SUTF1 / UTFMB
SUTF1 = %x01-21 / %x23-2A / %x2D-3A / %x3D / %x3F-5B / %x5D-7F
pair = ESC ( ESC / special / hexpair )
special = escaped / SPACE / SHARP / EQUALS
escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
hexstring = SHARP 1*hexpair
hexpair = HEX HEX

localHostname

Local Hostname

Pattern	[^\.]+
MaxLength	255

longDecDegrees

Longitude in Decimal Degrees

MinValue	-180.0
MaxValue	180.0

macAddress

48-bit MAC Hardware Address

Pattern	([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}
ABNF	macAddress = 5( 2HEXDIG (":" / "-") ) 2HEXDIG

netbiosName

NetBIOS Name

The NetBIOS name or domain of a system

Pattern	[^\\/:\*\?";\\|]{1,15}
MinLength	1
MaxLength	15

number

Number

An unbounded integer value. This is comparable to the XML Schema 1.0 xs:integer simpleType.

[+-]?[0-9]+

signed16

MinValue	-32768
MaxValue	32767

signed32

MinValue	-2147483648
MaxValue	2147483647

signed8

MinValue	-128
MaxValue	127

ssidType

MinLength	2
MaxLength	32

statusTagType

statusTag

Field Type	string
Title	Unicode String
Description	A sequence of characters

tag

CEE Taxonomy Tag

timestamp

Timestamp

A date and time according to the IETF RFC 3339 http://tools.ietf.org/html/rfc3339 specification, which provides an ISO 8601:2004 and xs:dateTime compatible definition http://dotat.at/tmp/ISO_8601-2004_E.pdf, http://www.w3.org/TR/xmlschema-2/#dateTime

\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|([+-]\d{2}:\d{2}))?

timestamp = DATE "T" TIME
DATE-FULLYEAR  = 4DIGIT
DATE-MONTH     = 2DIGIT ; 01-12
DATE-MDAY      = 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on month/year
DATE           = DATE-FULLYEAR "-" DATE-MONTH "-" DATE-MDAY
TIME-HOUR      = 2DIGIT ; 00-23
TIME-MINUTE    = 2DIGIT ; 00-59
TIME-SECOND    = 2DIGIT ; 00-59, 00-60 based on leap-second rules
TIME-FRACTION  = "." 1*DIGIT
TIME-NUMOFFSET = ("+" / "-") TIME-HOUR ":" TIME-MINUTE
TIME-ZONE      = "Z" / TIME-NUMOFFSET
TIMESPEC-BASE  = TIME-HOUR ":" TIME-MINUTE ":" TIME-SECOND
TIME           = TIMESPEC-BASE [TIME-FRACTION] [TIME-ZONE]

unsigned16

MinValue	0
MaxValue	65535

unsigned32

MinValue	0
MaxValue	4294967295

unsigned8

MinValue	0
MaxValue	255

uri

([^:/?#]+:)?(//[^/?#]*)?([^?#]*)(\?[^#]*)?#.*

uri           = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

hier-part     = "//" authority path-abempty
              / path-absolute
              / path-rootless
              / path-empty
URI-reference = URI / relative-ref
absolute-URI  = scheme ":" hier-part [ "?" query ]
relative-ref  = relative-part [ "?" query ] [ "#" fragment ]
relative-part = "//" authority path-abempty
              / path-absolute
              / path-noscheme
              / path-empty
scheme        = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
authority     = [ userinfo "@" ] host [ ":" port ]
userinfo      = *( unreserved / pct-encoded / sub-delims / ":" )
host          = IP-literal / IPv4address / reg-name
port          = *DIGIT

IP-literal    = "[" ( IPv6address / IPvFuture  ) "]"
IPvFuture     = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
IPv6address   =                            6( h16 ":" ) ls32
/                       "::" 5( h16 ":" ) ls32
/ [               h16 ] "::" 4( h16 ":" ) ls32
/ [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
/ [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
/ [ *3( h16 ":" ) h16 ] "::"    h16 ":"   ls32
/ [ *4( h16 ":" ) h16 ] "::"              ls32
/ [ *5( h16 ":" ) h16 ] "::"              h16
/ [ *6( h16 ":" ) h16 ] "::"

h16           = 1*4HEXDIG
ls32          = ( h16 ":" h16 ) / IPv4address
IPv4address   = dec-octet "." dec-octet "." dec-octet "." dec-octet
dec-octet     = DIGIT                 ; 0-9
/ %x31-39 DIGIT         ; 10-99
/ "1" 2DIGIT            ; 100-199
/ "2" %x30-34 DIGIT     ; 200-249
/ "25" %x30-35          ; 250-255

reg-name      = *( unreserved / pct-encoded / sub-delims )
path          = path-abempty    ; begins with "/" or is empty
              / path-absolute   ; begins with "/" but not "//"
              / path-noscheme   ; begins with a non-colon segment
              / path-rootless   ; begins with a segment
              / path-empty      ; zero characters
path-abempty  = *( "/" segment )
path-absolute = "/" [ segment-nz *( "/" segment ) ]
path-noscheme = segment-nz-nc *( "/" segment )
path-rootless = segment-nz *( "/" segment )
path-empty    = 0<pchar>
    
segment       = *pchar
segment-nz    = 1*pchar
segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )
; non-zero-length segment without any colon ":"
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
query         = *( pchar / "/" / "?" )
fragment      = *( pchar / "/" / "?" )
pct-encoded   = "%" HEXDIG HEXDIG
unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
reserved      = gen-delims / sub-delims
gen-delims    = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

Fields

Field	acct_disabled_bool
Type	boolean
Title	Account Disabled
Description	If 'true', the account has been disabled

Field	acct_disabled_bool_old
Type	boolean
Title	Previous Account Disabled
Description	Previous If 'true', the account has been disabled

Field	acct_domain
Type	string
Title	Account Domain
Description	The local domain or system to which the account belongs

Field	acct_domain_old
Type	string
Title	Previous Account Domain
Description	Previous The local domain or system to which the account belongs

Field	acct_fullname
Type	string
Title	Account FullName
Description	The full name of the user persona associated with the account

Field	acct_fullname_old
Type	string
Title	Previous Account FullName
Description	Previous The full name of the user persona associated with the account

Field	acct_grp_id
Type	string
Title	Account Group ID
Description	The ID of the group to which the user account belongs

Field	acct_grp_id_old
Type	string
Title	Previous Account Group ID
Description	Previous The ID of the group to which the user account belongs

Field	acct_grp_name
Type	string
Title	Account Group Name
Description	The name of the group to which the user account belongs

Field	acct_grp_name_old
Type	string
Title	Previous Account Group Name
Description	Previous The name of the group to which the user account belongs

Field	acct_home_path
Type	string
Title	Account Home Directory
Description	The home directory associated with the user account

Field	acct_home_path_old
Type	string
Title	Previous Account Home Directory
Description	Previous The home directory associated with the user account

Field	acct_id
Type	string
Title	Account ID
Description	The unique identifier assigned to the user account, often called the user id (UID)

Field	acct_id_old
Type	string
Title	Previous Account ID
Description	Previous The unique identifier assigned to the user account, often called the user id (UID)

Field	acct_locked_bool
Type	boolean
Title	Account Locked Out
Description	If 'true', the account has been locked out

Field	acct_locked_bool_old
Type	boolean
Title	Previous Account Locked Out
Description	Previous If 'true', the account has been locked out

Field	acct_login_time
Type	timestamp
Title	Account Login Time
Description	The time the account was last logged into

Field	acct_login_time_old
Type	timestamp
Title	Previous Account Login Time
Description	Previous The time the account was last logged into

Field	acct_name
Type	string
Title	Account Name
Description	The name of the user account

Field	acct_name_old
Type	string
Title	Previous Account Name
Description	Previous The name of the user account

Field	acct_priv
Type	string
Title	Account Privilege
Description	Account privileges

Field	acct_priv_old
Type	string
Title	Previous Account Privilege
Description	Previous Account privileges

Field	acct_pwAge_dur
Type	duration
Title	Account Password Age
Description	The age of the account password

Field	acct_pwReq_bool
Type	boolean
Title	Account Password Required
Description	If 'true', the account requires a password

Field	acct_pwReq_bool_old
Type	boolean
Title	Previous Account Password Required
Description	Previous If 'true', the account requires a password

Field	acct_role
Type	string
Title	Account Role
Description	The role assigned to the user account. Used for role-based access control (RBAC) and in systems such as Security Enhanced (SE) Linux

Field	acct_role_old
Type	string
Title	Previous Account Role
Description	Previous The role assigned to the user account. Used for role-based access control (RBAC) and in systems such as Security Enhanced (SE) Linux

Field	acct_script_path
Type	string
Title	Account Script Path
Description	The script path ($PATH) used by the user account

Field	acct_script_path_old
Type	string
Title	Previous Account Script Path
Description	Previous The script path ($PATH) used by the user account

Field	action
Type	actionTagType
Title	Event Action

Field	bios_name
Type	string
Title	System BIOS Name

Field	bios_name_old
Type	string
Title	Previous System BIOS Name

Field	bios_time
Type	timestamp
Title	System BIOS Timestamp

Field	bios_time_old
Type	timestamp
Title	Previous System BIOS Timestamp

Field	bios_ver
Type	string
Title	System BIOS Version

Field	bios_ver_old
Type	string
Title	Previous System BIOS Version

Field	conf
Type	string
Title	Event Record Confidence

Field	count
Type	unsigned32
Title	Event Count
Description	The number of times similar events were observed

Field	crit
Type	string
Title	Event Criticality
Description	An identification of the event's criticality. This criticality is specific to the event source and should be interpreted within the role of the event source

Field	direction
Type	dirEnum
Title	Network Flow Direction
Description	The direction of the network flow, relative to the observer. A value of "in" indicates an ingress (inbound) flow direction; "out" indicates an egress (outbound) flow (to keep compatibility with the IPFIX specification

Field	dst_ipv4
Type	ipv4Address
Title	Destination IPv4 Address

Field	dst_ipv6
Type	ipv6Address
Title	Destination IPv6 Address

Field	dst_mac
Type	macAddress
Title	Destination Mac Address
Description	The destination MAC (IEEE-802) address

Field	dst_port
Type	unsigned16
Title	Destination Transport Port
Description	The destination port number

Field	dst_prefix_ipv4
Type	ipv4Address
Title	Destination IPv4 Prefix
Description	The prefix for the destination IPv4 address. The relevant number of prefix bits should be specified in the dst_prefix_len field

Field	dst_prefix_ipv6
Type	ipv6Address
Title	Destination IPv6 Prefix
Description	The prefix for the destination IPv6 address. The relevant number of prefix bits should be specified in the dst_prefix_len field

Field	dst_prefix_len
Type	unsigned8
Title	Destination IP Address Prefix Length
Description	The size (in number of bits) used to specify the destination IP address prefix from a dst_prefix_ipv4 or dst_prefix_ipv6 field

Field	dur
Type	duration

Field	eff_grp_id
Type	string
Title	Effective Group ID
Description	The identifier of the primary group associated with the effective/authorized user session

Field	eff_grp_name
Type	string
Title	Effective Group Name
Description	The name of the primary group associated with the effective/authorized user session

Field	eff_id
Type	string
Title	Effective ID
Description	The effective or authorized user ID (UID) for the current user session

Field	eff_name
Type	string
Title	Effective Name
Description	The effective or authorized user name associated with the current user session

Field	email_from_email
Type	emailAddress
Title	Email 'From:' Address

Field	email_subj_str
Type	string
Title	Email 'Subject' Line

Field	email_to_email
Type	emailAddress
Title	Email 'To:' Address

Field	end_time
Type	timestamp
Title	Event End Time
Description	An ISO8601 compliant timestamp designating the date, time, and timezone offset when the event completed

Field	file_a_time
Type	timestamp
Title	File Last Accessed Time
Description	The time the file was last accessed. On Unix systems, this information can be found by calling stat() on a file inode

Field	file_a_time_old
Type	timestamp
Title	Previous File Last Accessed Time
Description	Previous The time the file was last accessed. On Unix systems, this information can be found by calling stat() on a file inode

Field	file_bytes
Type	integer
Title	File Size in Bytes
Description	The size of the file in 8-bit bytes

Field	file_bytes_old
Type	integer
Title	Previous File Size in Bytes
Description	Previous The size of the file in 8-bit bytes

Field	file_c_time
Type	timestamp
Title	File Create Time
Description	The time the file was created. On Unix systems, this information can be found by calling stat() on a file inode

Field	file_c_time_old
Type	timestamp
Title	Previous File Create Time
Description	Previous The time the file was created. On Unix systems, this information can be found by calling stat() on a file inode

Field	file_data
Type	binary
Title	File Contents

Field	file_data_old
Type	binary
Title	Previous File Contents

Field	file_dev_id
Type	string
Title	File Device ID

Field	file_dev_id_old
Type	string
Title	Previous File Device ID

Field	file_dev_path
Type	string
Title	File Device Path

Field	file_dev_path_old
Type	string
Title	Previous File Device Path

Field	file_drive_name
Type	string
Title	File Drive

Field	file_drive_name_old
Type	string
Title	Previous File Drive

Field	file_ext
Type	string
Title	File Extension

Field	file_ext_old
Type	string
Title	Previous File Extension

Field	file_fullpath
Type	string
Title	File Full Path
Description	The path to the file that is the object of the event, including the file name

Field	file_fullpath_old
Type	string
Title	Previous File Full Path
Description	Previous The path to the file that is the object of the event, including the file name

Field	file_grp_name
Type	string
Title	File Group

Field	file_grp_name_old
Type	string
Title	Previous File Group

Field	file_id
Type	string
Title	File Identifier

Field	file_id_old
Type	string
Title	Previous File Identifier

Field	file_inode_num
Type	integer
Title	File Inode

Field	file_inode_num_old
Type	integer
Title	Previous File Inode

Field	file_m_time
Type	timestamp
Title	File Modify Time
Description	The time the file was last modified. On Unix systems, this information can be found by calling stat() on a file inode

Field	file_m_time_old
Type	timestamp
Title	Previous File Modify Time
Description	Previous The time the file was last modified. On Unix systems, this information can be found by calling stat() on a file inode

Field	file_md5_hash
Type	binary
Title	File MD5 Hash

Field	file_md5_hash_old
Type	binary
Title	Previous File MD5 Hash

Field	file_mode
Type	string
Title	File Mode

Field	file_mode_old
Type	string
Title	Previous File Mode

Field	file_name
Type	string
Title	File Name

Field	file_name_old
Type	string
Title	Previous File Name

Field	file_path
Type	string
Title	File Path
Description	The directory path to the file, excluding the file name

Field	file_path_old
Type	string
Title	Previous File Path
Description	Previous The directory path to the file, excluding the file name

Field	file_perm
Type	string
Title	File Permissions
Description	The permissions assigned to the file by the operating system or file system

Field	file_perm_old
Type	string
Title	Previous File Permissions
Description	Previous The permissions assigned to the file by the operating system or file system

Field	file_secAttr
Type	string
Title	File Security Attributes

Field	file_secAttr_old
Type	string
Title	Previous File Security Attributes

Field	file_sha1_hash
Type	binary
Title	SHA1 File Hash

Field	file_sha1_hash_old
Type	binary
Title	Previous SHA1 File Hash

Field	file_sha256_hash
Type	binary
Title	SHA256 File Hash

Field	file_sha256_hash_old
Type	binary
Title	Previous SHA256 File Hash

Field	file_sys_id
Type	string
Title	File System ID

Field	file_sys_id_old
Type	string
Title	Previous File System ID

Field	file_user_name
Type	string
Title	File Owner Username
Description	The name of the user account that owns the file

Field	file_user_name_old
Type	string
Title	Previous File Owner Username
Description	Previous The name of the user account that owns the file

Field	fname_a_time
Type	timestamp
Title	Filename Last Accessed Time
Description	The time the filename was last accessed by the filesystem

Field	fname_a_time_old
Type	timestamp
Title	Previous Filename Last Accessed Time
Description	Previous The time the filename was last accessed by the filesystem

Field	fname_c_time
Type	timestamp
Title	Filename Create Time
Description	The time the file's filename was created in the filesystem

Field	fname_c_time_old
Type	timestamp
Title	Previous Filename Create Time
Description	Previous The time the file's filename was created in the filesystem

Field	fname_m_time
Type	timestamp
Title	Filename Modify Time
Description	The time the file's filename was last modified in the filesystem

Field	fname_m_time_old
Type	timestamp
Title	Previous Filename Modify Time
Description	Previous The time the file's filename was last modified in the filesystem

Field	icmp_code
Type	unsigned8
Title	IPv4 ICMP Code
Description	The code from the "TypeCode" Description of an IPv4 ICMP message. The TypeCode value is designated to be: (256 * ICMP Type) + ICMP Code

Field	icmp_type
Type	unsigned8
Title	IPv4 ICMP Type
Description	The type from the "TypeCode" Description of an IPv4 ICMP message. The TypeCode value is designated to be: (256 * ICMP Type) + ICMP Code

Field	id
Type	string
Title	Event ID
Description	A unique identifier provided by the event producer that identifies the type of event. If the identifier is intended to be globally unique reference to a specific event instance, use rec_id field instead. Examples of event identifiers are the Microsoft Windows Event ID, the Cisco PIX ID (e.g., %PIX-2-106001), or the Sourcefire Snort snortid.

Field	in_bytes
Type	integer
Title	Inbound (Ingress) Bytes
Description	The number of incoming bytes received from the network

Field	in_pkts
Type	integer
Title	Inbound (Ingress) Packet Count
Description	The number of incoming packets received from the network

Field	ip_dscp
Type	unsigned8
Title	IP Differentiated Service Class
Description	For IPv4 packets, this is the value of the TOS field in the IPv4 packet Description. For IPv6 packets, this is the value of the Traffic Class field in the IPv6 packet Description.

Field	ip_frag_id
Type	unsigned32
Title	IPv4/IPv6 Fragment Identification
Description	The fragmentation of the IP packet. This value is in the IPv4 "Identification" Description field or in the IPv6 "Fragment" Description

Field	ip_frag_offset
Type	unsigned16
Title	IPv4/IPv6 Fragment Offset
Description	The value of the IP fragment offset field in the IPv4 packet Description or the IPv6 Fragment Description

Field	ip_multicastRep_count
Type	unsigned32
Title	Multicast Replication Factor
Description	The amount of multicast replication that's applied to a traffic stream

Field	ip_proto_id
Type	unsigned8
Title	Protocol ID Number
Description	The protocol ID value identifying the encapsulated IP payload. The protocol ID values are established by IANA and contained in the Description of an IP packet. In IPv4 packets, the protoID is in the "Protocol" field; in IPv6 packets, the value is in the "Next Description" field

Field	ip_ttl
Type	unsigned8
Title	Time To Live (TTL)
Description	The TTL (Time-to-Live) value specified in the "ttl" field of the IP packet

Field	ip_ver
Type	unsigned8
Title	IP Version
Description	The value of the IPv6 Flow Text_Title field in the IP packet Description.

Field	ipv6_extHdrs_count
Type	unsigned32
Title	IPv6 Extension Descriptions
Description	The number of extension Descriptions attached to the IPv6 packet(s)

Field	ipv6_flow_label
Type	unsigned32
Title	IPv6 Flow Label
Description	The value of the IPv6 Flow Label field in the IPv6 packet Description.

Field	mem_avail_bytes
Type	integer
Title	Available Physical Memory In Bytes

Field	mem_avail_bytes_old
Type	integer
Title	Previous Available Physical Memory In Bytes

Field	mem_total_bytes
Type	integer
Title	Total Physical Memory In Bytes

Field	mem_total_bytes_old
Type	integer
Title	Previous Total Physical Memory In Bytes

Field	nextHop_ipv4
Type	ipv4Address
Title	IPv4 Next Hop Address
Description	The IPv4 address of the next hop

Field	nextHop_ipv6
Type	ipv6Address
Title	IPv6 Next Hop Address
Description	The IPv6 address of the next hop

Field	out_bytes
Type	integer
Title	Outbound (Egress) Bytes
Description	The number of outgoing bytes sent to the network

Field	out_pkts
Type	integer
Title	Outbound (Egress) Packet Count
Description	The number of outgoing packets sent to the network

Field	p_proc_id
Type	string
Title	Producer Process ID

Field	p_proc_name
Type	string
Title	Producer Process Name

Field	p_prod_cpe
Type	cpe
Title	Producer Product CPE Identifier
Description	Event Producer The CPE Identifier corresponding to the product. The CPE name should be listed in http://nvd.nist.gov/cpe.cfm or http://cpe.mitre.org

Field	p_prod_id
Type	string
Title	Producer Product Identifier

Field	p_prod_name
Type	string
Title	Producer Product Name

Field	p_prod_vend
Type	string
Title	Producer Product Vendor

Field	p_prod_ver
Type	string
Title	Producer Product Version

Field	p_sys_domain
Type	string
Title	Producer System Domain

Field	p_sys_fqdn
Type	fqdn
Title	Producer System Fully-Qualified Domain Name (FQDN)

Field	p_sys_host
Type	hostname
Title	Producer System Name

Field	p_sys_id
Type	string
Title	Producer System Identifier

Field	p_sys_ipv4
Type	ipv4Address
Title	Producer System IPv4 Address

Field	p_sys_ipv6
Type	ipv6Address
Title	Producer System IPv6 Address

Field	p_sys_lat
Type	latDecDegrees
Title	Producer System Latitude
Description	Event Producer The latitude of the system, in decimal degrees

Field	p_sys_loc
Type	string
Title	Producer System Location
Description	Event Producer A description of the physical location of the system

Field	p_sys_long
Type	longDecDegrees
Title	Producer System Longitude
Description	Event Producer The longitude of the system, in decimal degrees

Field	p_sys_mac
Type	macAddress
Title	Producer System Interface MAC Address
Description	Event Producer The 48 or 64-bit MAC (Media Access Control), EUI (Extended Unique Identifier), or hardware address of the system

Field	p_sys_netBIOS
Type	string
Title	Producer System NetBIOS Name

Field	p_sys_ntDomain
Type	string
Title	Producer System NT Domain

Field	pri
Type	integer
Title	Event Priority
Description	The event priority

Field	proc_id
Type	string
Title	Process ID

Field	proc_name
Type	string
Title	Process Name

Field	proc_par_id
Type	string
Title	Process Parent ID

Field	processor_name
Type	string
Title	System Processor Name

Field	processor_name_old
Type	string
Title	Previous System Processor Name

Field	processor_type
Type	string
Title	System Processor Type

Field	processor_type_old
Type	string
Title	Previous System Processor Type

Field	prod_cpe
Type	cpe
Title	Product CPE Identifier
Description	The CPE Identifier corresponding to the product. The CPE name should be listed in http://nvd.nist.gov/cpe.cfm or http://cpe.mitre.org

Field	prod_cpe_old
Type	cpe
Title	Previous Product CPE Identifier
Description	Previous The CPE Identifier corresponding to the product. The CPE name should be listed in http://nvd.nist.gov/cpe.cfm or http://cpe.mitre.org

Field	prod_id
Type	string
Title	Product Identifier

Field	prod_id_old
Type	string
Title	Previous Product Identifier

Field	prod_name
Type	string
Title	Product Name

Field	prod_name_old
Type	string
Title	Previous Product Name

Field	prod_type
Type	string
Title	Product Type

Field	prod_type_old
Type	string
Title	Previous Product Type

Field	prod_vend
Type	string
Title	Product Vendor

Field	prod_vend_old
Type	string
Title	Previous Product Vendor

Field	prod_ver
Type	string
Title	Product Version

Field	prod_ver_old
Type	string
Title	Previous Product Version

Field	rec_id
Type	string
Title	Event Record ID
Description	A unique identifier that corresponds to an individual record instance. If the identifier indicates the type of event, use id

Field	rec_time
Type	timestamp
Title	Event Record Record Time
Description	The timestamp when the event was recorded/produced

Field	recv_time
Type	timestamp
Title	Event Record Receive Time
Description	A timestamp reflecting when the event record was received by an upstream device

Field	rule_id
Type	string
Title	Rule ID

Field	rule_id_old
Type	string
Title	Previous Rule ID

Field	rule_type
Type	string
Title	Rule Type

Field	rule_val
Type	string
Title	Rule Value

Field	rule_val_old
Type	string
Title	Previous Rule Value

Field	s_eff_grp_id
Type	string
Title	Subject Effective Group ID
Description	Subject The identifier of the primary group associated with the effective/authorized user session

Field	s_eff_grp_name
Type	string
Title	Subject Effective Group Name
Description	Subject The name of the primary group associated with the effective/authorized user session

Field	s_eff_id
Type	string
Title	Subject Effective ID
Description	Subject The effective or authorized user ID (UID) for the current user session

Field	s_eff_name
Type	string
Title	Subject Effective Name
Description	Subject The effective or authorized user name associated with the current user session

Field	s_proc_id
Type	string
Title	Subject Process ID

Field	s_proc_name
Type	string
Title	Subject Process Name

Field	s_proc_par_id
Type	string
Title	Subject Process Parent ID

Field	s_sess_id
Type	string
Title	Subject User Session ID

Field	s_sess_login_time
Type	timestamp
Title	Subject User Session Login Time

Field	s_sess_logout_time
Type	timestamp
Title	Subject User Session Logout Time

Field	sess_id
Type	string
Title	User Session ID

Field	sess_login_time
Type	timestamp
Title	User Session Login Time

Field	sess_logout_time
Type	timestamp
Title	User Session Logout Time

Field	sev
Type	integer
Title	Event Severity
Description	An indication of how severe the impact of the event may be

Field	src_ipv4
Type	ipv4Address
Title	Source IPv4 Address

Field	src_ipv6
Type	ipv6Address
Title	Source IPv6 Address

Field	src_mac
Type	macAddress
Title	Source Mac Address
Description	The source MAC (IEEE-802) address

Field	src_port
Type	unsigned16
Title	Source Transport Port
Description	The source port number

Field	src_prefix_ipv4
Type	ipv4Address
Title	Source IPv4 Prefix
Description	The prefix for the source IPv4 address. The relevant number of prefix bits should be specified in the src_prefix_len field

Field	src_prefix_ipv6
Type	ipv6Address
Title	Source IPv6 Prefix
Description	The prefix for the source IPv6 address. The relevant number of prefix bits should be specified in the src_prefix_len field

Field	src_prefix_len
Type	unsigned8
Title	Source IP Address Prefix Length
Description	The size (in number of bits) used to specify the source IP address prefix from a src_prefix_ipv4 or src_prefix_ipv6 field

Field	status
Type	statusTagType
Title	Event Status

Field	sys_domain
Type	string
Title	System Domain

Field	sys_domain_old
Type	string
Title	Previous System Domain

Field	sys_fqdn
Type	fqdn
Title	System Fully-Qualified Domain Name (FQDN)

Field	sys_fqdn_old
Type	fqdn
Title	Previous System Fully-Qualified Domain Name (FQDN)

Field	sys_host
Type	hostname
Title	System Name

Field	sys_host_old
Type	hostname
Title	Previous System Name

Field	sys_id
Type	string
Title	System Identifier

Field	sys_id_old
Type	string
Title	Previous System Identifier

Field	sys_intf_id
Type	string
Title	System Network Interface Identifier

Field	sys_intf_id_old
Type	string
Title	Previous System Network Interface Identifier

Field	sys_ipv4
Type	ipv4Address
Title	System IPv4 Address

Field	sys_ipv4_old
Type	ipv4Address
Title	Previous System IPv4 Address

Field	sys_ipv6
Type	ipv6Address
Title	System IPv6 Address

Field	sys_ipv6_old
Type	ipv6Address
Title	Previous System IPv6 Address

Field	sys_lat
Type	latDecDegrees
Title	System Latitude
Description	The latitude of the system, in decimal degrees

Field	sys_lat_old
Type	latDecDegrees
Title	Previous System Latitude
Description	Previous The latitude of the system, in decimal degrees

Field	sys_loc
Type	string
Title	System Location
Description	A description of the physical location of the system

Field	sys_loc_old
Type	string
Title	Previous System Location
Description	Previous A description of the physical location of the system

Field	sys_long
Type	longDecDegrees
Title	System Longitude
Description	The longitude of the system, in decimal degrees

Field	sys_long_old
Type	longDecDegrees
Title	Previous System Longitude
Description	Previous The longitude of the system, in decimal degrees

Field	sys_mac
Type	macAddress
Title	System Interface MAC Address
Description	The 48 or 64-bit MAC (Media Access Control), EUI (Extended Unique Identifier), or hardware address of the system

Field	sys_mac_old
Type	macAddress
Title	Previous System Interface MAC Address
Description	Previous The 48 or 64-bit MAC (Media Access Control), EUI (Extended Unique Identifier), or hardware address of the system

Field	sys_netBIOS
Type	string
Title	System NetBIOS Name

Field	sys_netBIOS_old
Type	string
Title	Previous System NetBIOS Name

Field	sys_ntDomain
Type	string
Title	System NT Domain

Field	sys_ntDomain_old
Type	string
Title	Previous System NT Domain

Field	sys_recv_bytes
Type	integer
Title	Bytes Received

Field	sys_recv_bytes_old
Type	integer
Title	Previous Bytes Received

Field	sys_recv_pkts
Type	integer
Title	Number Of Packets Received

Field	sys_recv_pkts_old
Type	integer
Title	Previous Number Of Packets Received

Field	sys_sent_bytes
Type	integer
Title	Bytes Sent

Field	sys_sent_bytes_old
Type	integer
Title	Previous Bytes Sent

Field	sys_sent_pkts
Type	integer
Title	Number Of Packets Sent

Field	sys_sent_pkts_old
Type	integer
Title	Previous Number Of Packets Sent

Field	sys_uptime_dur
Type	duration
Title	System Uptime

Field	tags
Type	tag
Title	Event Tags
Description	Tags describing the event type, such as the action, status, and objects involved in the event. The tags should be chosen from the CEE Taxonomy

Field	tcp_flags
Type	unsigned8
Title	TCP Control Flags
Description	The control flags/bits in a TCP packet

Field	text
Type	string
Title	Event Text
Description	An unstructured text string describing the details of the event

Field	time
Type	timestamp
Title	Event Start Time
Description	An ISO8601 compliant timestamp designating the date, time, and timezone offset when the event began

Field	vlan_id
Type	unsigned16
Title	VLAN ID
Description	The VLAN identifier (VID) (IEEE-802.1Q) as specified in the "Tag Control Information" field of the VLAN'ed packet

Field	vlan_name
Type	string
Title	VLAN Name
Description	The name associated with the VLAN (IEEE-802.1Q) network

Field	vuln_cve
Type	cve
Title	Vulnerability CVE identifier

Field	vuln_id
Type	string
Title	Vulnerability ID

CEE Profile: cee_base_profile

Base Profile

Includes

Tag Types

Tags

Field Types

Fields

Event Profiles

Tag	move
Type	actionTag
Title	Move Event
Description	An object was moved. Usually 'move' describes the moving of a file between directories. A 'move' may be implemented as a sequence of copy and remove actions.

Tag	search
Type	actionTag
Title	Search Event
Description	An actor (user or application) searched or queried for something. For 'search' actions, the object should contain the query of what was sought.

Tag	violate
Type	actionTag
Title	Violate Event
Description	The infringement or breaking of a policy, rule, or other guideline.

Tag	cancel
Type	statusTag
Title	Event Canceled
Description	The event action was canceled

Tag	error
Type	statusTag
Title	Event Errored
Description	The event action terminated with an error

Tag	failure
Type	statusTag
Title	Event Failed
Description	The event failed due to some unmet condition, such as an incorrect password

Tag	ongoing
Type	statusTag
Title	Event Ongoing
Description	The event has started and has yet to complete. Another event should be sent to notify when the event completed and the final status

Tag	success
Type	statusTag
Title	Event Success
Description	The event completed successfully. For example, a successful user authentication event would be an instance where the authentication activity was successfully completed and the user was fully authenticated.

Tag	unknown
Type	statusTag
Title	Event Status Unknown
Description	The result state of an event occurrence was unknown. It was not known to the observer of the event whether or not the event successfully completed.