Specifications   Search
CEE™ Common Event Expression: A Unified Event Language for Interoperability
CEE Website is in "Archive" status — read the announcement
 

About CEE

Documents

FAQs

CEE Language

Current Release

Previous Releases

CEE Community

CEE Board

Discussion Archive

News & Events

Calendar

Search the Site

News & Events

Calendar

Additional Information

News & Events Archive

Privacy Policy

IMPORTANT:

Due to changing priorities, the U.S. Government organization that sponsored MITRE’s work on CEE has decided to stop funding development of CEE to focus on other priorities. Regaining funding is not anticipated. As a result, MITRE has stopped all work on CEE. The CEE Discussion Lists will no longer be active but past discussions will remain archived on Nabble, and this CEE website will be maintained as an archive for the CEE Community but will no longer be updated.

MITRE is open to transition opportunities for CEE — including transferring all CEE specifications, documents, source materials, etc.; transferring all CEE-related intellectual property rights; and pointing this website to a new hosting location — to an organization, group, or individual willing to continue logging standards development in a philosophy similar that of the CEE community. In the meantime and for informational purposes only, DMTF Cloud Audit and Project Lumberjack are active logging standardization efforts.

We thank all members of the CEE Community for your work in developing and refining CEE throughout the years. Please send any inquiries about transition opportunities for CEE, or other comments or concerns, to cee@mitre.org.

News and Events — 2012 Archive

September 12, 2012

CEE/Making Security Measurable Booth at IT Security Automation Conference 2012

MITRE hosted a CEE/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA.

Visit the CEE Calendar for information on this and other events.

CEE/Making Security Measurable Booth at 2012 Information Assurance Expo

MITRE hosted a CEE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA.

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

August 16, 2012

Four CEE Language Specifications Updated to Version 1.0-beta1

Version 1.0-beta1 of the CEE Language specification documents are now available on the CEE Web site. A detailed report is available that lists specific changes between Version 1.0-alpha and Version 1.0-beta1.

The following four community-developed specifications have been updated to Version 1.0-beta1:

  • CEE Overview Specification, Version 1.0-beta1 — Provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components including the CEE Profile, CEE Log Syntax, and the CEE Log Transport. The CEE Overview is the first in a collection of documents and specifications, whose combination provides the necessary pieces to create the complete CEE event log standard.
  • CEE Profile Specification, Version 1.0-beta1 — The CEE Profile allows for the improved interpretation and analysis of event data by allowing users to define how events are structured and what data they provide. The Profile consists of three components that provide a standardize field dictionary and base requirements for CEE-compatible events.
  • CEE Common Log Syntax (CLS) Specification, Version 1.0-beta1 — Describes the requirements for encoding and decoding for a Common Event Expression (CEE) Event, and provides encoding declarations for XML and JSON event records.
  • CEE Common Log Transport (CLT) Specification, Version 1.0-beta1 — Provides the technical support necessary for a secure and reliable log infrastructure. The CLT document defines a listing of requirements conformant log transports must meet. In addition, the CLT defines transport mappings, which define a standard methodology for transmitting encoded CEE Event Records over certain protocols.

We encourage community members to offer feedback on these documents on the CEE Email Discussion list. You may also contact us directly at cee@mitre.org.

CEE/Making Security Measurable Booth at 2012 Information Assurance Expo, August 27-30

MITRE will host a CEE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Please visit us at Booth 217 and say hello!

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

August 1, 2012

MITRE Hosts CEE/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE hosted a CEE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CEE Calendar for information on this and other events.

CEE Briefing Slides from Security Automation Developer Days 2012 Now Available

Briefing presentation slides from the CEE-focused session at the Security Automation Developer Days 2012 conference on July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA are now available for download on the Events and Participation page on the Making Security Measurable Web site. Briefing slides from the 21 other presentations at the event are also included.

BACK TO TOP

July 2, 2012

MITRE to Host CEE/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE will host a CEE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 216 and say hello!

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

June 19, 2012

Registration Now Closed for MITRE’s Security Automation Developer Days 2012 on July 9-13

Registration is now closed for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page.

BACK TO TOP

June 4, 2012

Agenda Now Available for MITRE’s Security Automation Developer Days 2012 on July 9-13

The agenda for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf.

For registration, lodging, and other conference details visit the conference registration page. Please note that registration will close on June 15.

BACK TO TOP

May 11, 2012

Registration Now Open for Security Automation Developer Days 2012 on July 9-13

MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Open Vulnerability and Assessment Language (OVAL®), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop.

MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.

An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

BACK TO TOP

April 24, 2012

CEE Main Topic of Article on NetworkWorld

CEE was the main topic of an April 12, 2012 article entitled "We Need Security Standards like MITRE’s Common Event Expression (CEE)" on NetworkWorld.com. In the article the author describes CEE as a "Complete standard for security event description and consumption [that] could help with security analytics and cloud computing adoption", and which is "extensible and could work in concert with other standards." The author also notes that CEE is a community effort, with MITRE as moderator and "Cisco, HP/ArcSight, McAfee, NIST, and Microsoft" also participating in the effort.

The author explains both the problems CEE aims to solve regarding the lack of standardization in the audit and event lifecycle that exist today, and how "CEE is designed to address this problem from cradle to grave by defining common event definitions, enumeration, classification, languages, transport protocols, etc. In other words, everything to event/log production to event/log consumption is covered."

The author concludes the article by stating: "Security standards like CEE can go a long way toward expediting common security data standards, wider data exchange, and deeper analysis. For that reason alone, the security technology industry should be much more engaged."

BACK TO TOP

April 5, 2012

MITRE Hosts CEE/Making Security Measurable Booth at InfoSec World 2012

MITRE hosted a CEE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as CEE, CybOX, MAEC, CAPEC, CVE, CCE, CPE, CWE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

March 22, 2012

MITRE to Host CEE/Making Security Measurable Booth at InfoSec World 2012, April 2-4

MITRE will host a CEE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees will learn how information security data standards such as CEE, CybOX, MAEC, CAPEC, CVE, CCE, CPE, CWE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CEE Team will be in attendance. Please stop by Booth 513 and say hello!

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

March 9, 2012

Photos from CEE/Making Security Measurable Booth at RSA 2012

MITRE hosted a CEE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 - March 2, 2012. Attendees learned how information security data standards such as CEE, CybOX, CAPEC, MAEC, CVE, CCE, CPE, CWE, CWSS, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Making Security Measurable booth photos:

Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

February 29, 2012

New Open-Source "LumberJack" Project to Improve Creation and Standardize Content of Event Logs by Implementing CEE

Led by Red Hat, Inc. and hosted by Red Hat’s Fedora, "LumberJack" is a new project to create an open-source implementation based upon the concepts and specifications proposed by Common Event Expression (CEE™). By implementing CEE, LumberJack aims to improve the creation and standardize the content of event logs for developers and users, while also providing a foundation to help build better utilities.

Visit the LumberJack wiki at https://fedorahosted.org/lumberjack/.

For those interested in actively participating in this community effort, please sign-up for the email discussion list at https://fedorahosted.org/mailman/admin/lumberjack-developers.

LumberJack is currently supported by: Red Hat, Inc.; Adiscon GmbH, maintainers of rsyslog; and BalaBit IT Security, maintainers of Syslog-NG.

BACK TO TOP

February 21, 2012

Four CEE Language Specifications Updated to Version 1.0-alpha

Version 1.0-alpha of the CEE Language specification documents are now available on the CEE Web site. The following four community-developed specifications have been updated to Version 1.0α:

  • CEE Architecture Overview Specification, Version 1.0α — provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components including the CEE Profile, CEE Log Syntax, and the CEE Log Transport. The CEE Overview is the first in a collection of documents and specifications, whose combination provides the necessary pieces to create the complete CEE event log standard.
  • CEE Profile Specification, Version 1.0α — allows for the improved interpretation and analysis of event data by allowing users to define how events are structured and what data they provide. The Profile consists of three components that provide a standardize field dictionary, event taxonomy, and base requirements for CEE-compatible events.

    Once available, community-developed CEE Profiles will be free to download and use from the CEE Web site.

  • CEE Log Syntax (CLS) Specification, Version 1.0α — describes the requirements for encoding and decoding for a Common Event Expression (CEE) Event, and provides encoding declarations for XML and JSON event records.
  • CEE Log Transport (CLT) Specification, Version 1.0α — provides the technical support necessary for a secure and reliable log infrastructure. The CLT Specification defines a listing of requirements conformant log transports must meet. In addition, the CLT defines transport mappings, which define a standard methodology for transmitting encoded CEE Event Records over certain protocols.

We encourage community members to offer feedback on these documents on the CEE Email Discussion list. You may also contact us directly at cee@mitre.org.

CEE/Making Security Measurable Booth at RSA 2012, February 27 - March 2

MITRE is hosting a CEE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 - March 2, 2012. Attendees will learn how information security data standards such as CEE, CybOX, CAPEC, MAEC, CVE, CCE, CPE, CWE, CWSS, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CEE Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the CEE Calendar for information on this and other events.

BACK TO TOP

January 4, 2012

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2012

MITRE has announced its initial Making Security Measurable calendar of events for 2012. Details regarding MITRE’s scheduled participation at these events are noted on the CEE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CEE Calendar for information or contact cee@mitre.org to have MITRE present a briefing or participate in a panel discussion about CEE, CybOX, CVE, CCE, CPE, CAPEC, CWE, MAEC, OVAL, Software Assurance, and/or Making Security Measurable at your event.

BACK TO TOP

Page Last Updated: May 14, 2013