Developer's guide

Wunder, John A.

Hi everyone,

One of the most important things we can do to encourage CEE adoption (hopefully something we all want to see) is to make it as easy as possible for new developers to start producing CEE events. To that end a couple board members (Raffy and Anton mostly, I did some editing) put together a “developer’s guide” that should give someone who wants to produce CEE events from their application a good place to start.

Note: the guide is not done! I’m sending it to the list so you can review it and make or suggest changes to improve it. It also doesn’t match the latest version of the posted specifications 100% since it incorporates the changes we’ve discussed over the past couple months.

So please look through it, see whether you think it’s useful, and either directly edit the document to make any changes you think would improve it or send comments to the list so we can make them. Also if you have any other ideas on developer resources let’s talk about them.

Thanks,

John


Attachment: CEE Developers Guide.docx (92K)


Re: Developer's guide

Dana Epp
Tel: 1-604-824-9001
Toll free: 1-888-407-4285
Web: www.scorpionsoft.com

If I can chime in.

I have been a lurker for some time now, trying to learn the direction and use of CEE. In the New Year we plan to update our internal logging of our products to a centralized library which can fire to any SIEM source.

This document is timely, but does little to answer the questions I as an architect have to determine if the dev team should adopt it. Namely, which formats to use and why. As an example, you suggest using CEE JSON as it’s simpler. The real question is which format do CONSUMERS of the log item prefer? And what CONSUMERS are out there to begin with that are willing to accept CEE now (and in the future)? The assumption is that any CONSUMER will support both formats, but if it’s anything like CEF, we know CONSUMERS rarely agree on things (oh the fun of ArcSight). And your docs for CONSUMERS say to pick a format. Shouldn’t it be recommended to support both formats for more compatibility?

What would be useful is if the doc (or even a landing page on cee.mitre.org) pointed to resources to allow developers to know what products act as CONSUMERS and which format(s) they prefer. Might even be nice if there is a web stub somewhere in the Cloud people can push log items through to ensure it complies with the expected formatting.

From the outside coming in, there is no compelling call to action that tells me HOW I should go about this, and just who is getting behind this to support it.

With that said, I am grateful that you are putting this together. This has been lacking for CEE. I am pleased to see the effort and hope my comments are taken in the light intended… a confused outsider looking in.

Regards,

Dana Epp [Microsoft Security MVP]

[hidden email]

888-407-4285 x704

From: Wunder, John A. [mailto:[hidden email]]
Sent: Wednesday, October 31, 2012 6:45 AM
To: [hidden email]
Subject: [CEE-DISCUSSION-LIST] Developer's guide



Re: Developer's guide

Fletcher, Boyd C IV Mr CIV OSD
In reply to this post by Wunder, John A.
Are y'all planning on updating it for CEE XML?

I'm not sure it's appropriate to be discussing specific vendors' products in a developer's guide.

I think the signature_id should be changed to profile_id to avoid confusion when digital signature support is added.

The following statement is not technically correct and it's an opinion: "JSON is simpler, more concise, and has a better balance of structure and readability than XML"

JSON is not more compact than XML in its binary form (EXI), it's certainly not more readable, and is far less secure since it can't be validated against a schema for constraint validation.


On Oct 31, 2012, at 9:44 AM, "Wunder, John A." <[hidden email]> wrote:

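A constructed example of the producer-side check raised in this thread (Dana's idea of a stub that log items can be pushed through to confirm they comply with the expected format, and the constraint-validation point made above). This is added here and is not code from the CEE project or from the guide under review. The `@cee:` cookie is the prefix CEE JSON uses on a syslog message body; every field name other than `signature_id` and `profile_id`, the type table, and the timestamp rule are assumptions made for illustration, not the CEE field dictionary.

```python
import json
import re

# Constructed constraint table. Only signature_id / profile_id are names that
# appear in the discussion; the rest are assumed for illustration, not the
# CEE dictionary. Values: "string" or "integer".
REQUIRED = {"time": "string", "host": "string", "msg": "string"}
OPTIONAL = {"pid": "integer", "signature_id": "string", "profile_id": "string"}
TYPES = {"string": str, "integer": int}

# Assumed timestamp rule: RFC 3339 with a zone designator.
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

COOKIE = "@cee: "


def encode_event(fields):
    """Serialise an event dict as one cookie-prefixed JSON log line."""
    return COOKIE + json.dumps(fields, separators=(",", ":"), sort_keys=True)


def validate_line(line):
    """Return the list of constraint violations for one log line ([] = OK).

    Checks, in order: cookie present, well-formed JSON object, required
    fields present, no unknown fields, field types, timestamp syntax.
    """
    errors = []
    if not line.startswith(COOKIE):
        return ["missing @cee: cookie"]
    try:
        event = json.loads(line[len(COOKIE):])
    except ValueError as exc:
        return ["malformed JSON: %s" % exc]
    if not isinstance(event, dict):
        return ["event must be a JSON object"]

    for name in REQUIRED:
        if name not in event:
            errors.append("missing required field %r" % name)

    for name, value in event.items():
        typ = REQUIRED.get(name) or OPTIONAL.get(name)
        if typ is None:
            errors.append("unknown field %r" % name)
        # bool is a subclass of int in Python, so reject it explicitly
        elif isinstance(value, bool) or not isinstance(value, TYPES[typ]):
            errors.append("field %r must be %s" % (name, typ))

    ts = event.get("time")
    if isinstance(ts, str) and not RFC3339.match(ts):
        errors.append("field 'time' is not an RFC 3339 timestamp")
    return errors


# Constructed sample events: one that passes and one that breaks several rules.
GOOD_EVENT = {
    "time": "2012-10-31T09:44:00Z",
    "host": "app01.example.com",
    "msg": "user login succeeded",
    "pid": 4242,
    "profile_id": "example-profile",
}
BAD_LINE = '@cee: {"time":"yesterday","host":"app01","pid":"4242","junk":1}'


def check_samples():
    """Run both constructed samples through the validator."""
    return {
        "good": validate_line(encode_event(GOOD_EVENT)),
        "bad": validate_line(BAD_LINE),
        "no_cookie": validate_line('{"msg":"no cookie"}'),
    }


if __name__ == "__main__":
    for label, errs in check_samples().items():
        print(label, "->", errs or "OK")
```

The validator is deliberately strict about unknown fields: a producer that emits a misspelled name (say `profile-id` for `profile_id`) learns about it at test time rather than when a consumer silently drops the field.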