MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual 411
8.0 APPENDIX C – Common Event Expression (CEE)
Events will be categorized using a taxonomy based on the Common Event Expression (CEE) event
profile (1). These events will be encoded using JavaScript Object Notation (JSON), and placed into the
standard message body of a syslog message.
From the CEE website:
Common Event Expression (CEE™) improves the audit process and the ability of users to effectively
interpret and analyze event log and audit data. This is accomplished by defining an extensible unified
event structure, which users and developers can leverage to describe, encode, and exchange their CEE
Event Records (2).
CEE defines the structure of event messages via an XML schema referred to as the CEE Core Profile. The
Core Profile consists of 3 reusable components: (2)
Event Taxonomy — provides a listing of Event Tags that can be used to classify and identify events.
The taxonomy supports common event categorization methods and identification of records that
pertain to similar types of events.
Field Dictionary — a listing of event record fields and field value types used to represent common
event data. Selected fields and value types become associated with properties of a specific event
instance.
CEE Event Schema — defines the structure of an event record, including the minimum set of
required fields. Event Extensions provide a mechanism for capturing additional data about an event.
One of the key features of the CEE Core Profile is that it can be extended by an organization so that they
can add additional taxonomy categories and fields that describe vendor specific events.
8.1 Event Taxonomy
The CEE Core Profile defines the following taxonomy categories:
Action — The primary type of action that was undertaken as part of the event. The status or result of
the action should be detailed in the status field.
Domain — The environment or domain of the event. Typical event domains include network (net),
operating system (os), and application (app).
Object — The type of object that is targeted or otherwise affected by the event
Service — The service the event involves. The service field value provides context to the event action
or more precision to the event domain.
Status — The end result or status of the event action identified by the action field.
Subject — The type of object that initiated or started the event action identified by the action field.
With the exception of ‘subject’, the Core Profile defines valid values for each of these categories, some
examples of the values include “access, copy, clone, encrypt” for action values, and “error, failure,
ongoing, success” for status values.
All taxonomy fields are optional, however if given they must contain exactly one non-null value.
8.2 Event Field Dictionary
The Core Profile defines a selection of common fields that may be used in event logs. Like the taxonomy
categories, this dictionary can be extended by vendors by using a custom profile. All of the defined fields
are optional with the exception of the following 3 mandatory fields that must be in every logged event:
- host – Hostname of the event source.
- pname – Process name that generated the event.
To Next Page
Loading...
Need help?
General
