MITRE is continuing work on the Common Event Expression (CEE) standard
in conjunction with the Editorial Board and various organizations.
The past months have been spent on the drafting and validation of a
proposal for the initial CEE Specification.
This specification was submitted to the Editorial Board last month.
MITRE is currently working at rolling in the comments received from
the Board, and expect to have a new draft for their review in the next
couple of weeks.
Once the Board has approved the specification, the specification will
be posted to the CEE Community for feedback. We expect this to occur
within the next month. Our goal is to have final proposal that the
community can agree to by the end of 2009.
MITRE in collaboration with industry and government offer the Common
Event Expression (CEET) Architectural Proposal for the Core
Components as the basis to standardize event logs from electronic
systems. This paper builds on the CEE proposal summarized in the
Common Event Expression Whitepaper by defining the core components'
architecture needed to enable collaborative efforts in the creation
of an open, practical, and industry-accepted event interoperability
standard for electronic systems.
This specification summarizes CEE and provides details on the
architecture of the core components including the data dictionary,
syntax specifications, and event taxonomies. This proposal is the
first in a collection of documents and specifications. The
combination of the documents and specifications provides the
necessary pieces to create a complete event log standard, which can
be mapped against the four components of CEE: Transport, Syntax,
Taxonomy, and Log Recommendations.
Some of you are probably familiar with the Security Content
Automation Protocol (SCAP) run by the National Institute of
Standards and Technology (NIST). In recent months, NIST has been
doing some investigation into leveraging CEE as part of a new suite
of standards surrounding event management. The working name for this
effort is EMAP -- Event Management Automation Protocol.
Currently, there is no public documentation concerning EMAP. If you
are interested in learning more, or would like to provide feedback on
EMAP, you should contact George Saylor ([hidden email]) or
myself ([hidden email]).
In addition to interest from NIST, we have already received several
offers to support initial CEE specifications from vendors interested
in CEE. We hope to start seeing initial products being able to
generate CEE compatible log records by the end of 2010.