EMAP
Enabled
?
Maybe
Component
Type
Description
Product Capability
Proprietary Event
Data
No
Data Exchange
Format
Event Parser
Yes
Product Capability
Event Parsing
Rules
Yes
Data Exchange
Format
Standardized
Event Record
Yes
Data Exchange
Format
Event Store
Yes
Product Capability
* Components are broken apart for illustrative purposes. Vendors will likely group multiple
components into one tool.
EMAP
Component
EMAP
Enabled
?
Component
Type
Description
Event Correlation
Tool
Yes
Product Capability
Event Correlation
Rules
Yes
Data Exchange
Format
Event Results
Yes
Data Exchange
Format
Event Filtering
Tool
Yes
Product Capability
Event Filtering
Rules
Yes
Data Exchange
Format
Event
Aggregation Tool
Yes
Product Capability
Event
Aggregation
Rules
Yes
Data Exchange
Format
EMAP
Enabled
?
Maybe
Component
Type
Data Exchange
Format
Data Exchange
Format
Potentially out
of scope*
Event Type
Enumeration
Maybe
Potentially out
of scope*
Description
* These components may be fulfilled by other areas within the Security Automation
Program.
Step
Actor
Description
EMAP Component(s)
Malicious User
- Event Producer
- Standardized Event Record
Audit
Management
Analyst
Audit
Management
Analyst
Audit
Management
Analysis
10
Step
Actor
Description
EMAP Component(s)
Policy Writer
N/A
Technical Policy
Writer
Event
Management
Team
11
12
Step
Actor
Description
EMAP Component(s)
Federal Agency
- Event Producer
- Standardized Event Record
US-CERT
US-CERT
Federal
Agencies
13
14
Step
Actor
Description
EMAP Component(s)
Policy Writer
N/A
Technical Policy
Writer
Event
Management
Team
- Event Store
- Event Filtering Rules
- Event Filtering Tool
- Event Results
15
Actor
Event Producer
Intermediary
System
16
Forensic
Examiner
Description
EMAP Component(s)
- Event Producer
- Standardized Event Record
- Event Store
- Event Filtering Rules
- Event Filtering Tool
- Event Correlation Rules
- Event Correlation Tool
- Event Results
17
18
Step
Actor
Description
EMAP Component(s)
Event Management
Analyst
- Event Producer
- Event Parsing Rules
Event Management
Analyst
- Event Producer
- Event Parsing Rules
- Event Parser
Event Parser
Organization
19
20
21
* These requirements may be fulfilled by other areas within the Security Automation
Program.
Maybe
Description
Derived
Requirement
I, II
Proprietary Event
Data
No
N/A
Event Parser
Yes
I, II, III
Event Parsing
Rules
Yes
I, II, III
Standardized
Event Record
Yes
I, II
Event Store
Yes
I, II
22
EMAP
Enabled?
Description
Derived
Requirement
Yes
IV
Yes
IV
Event Results
Yes
VII
Yes
Yes
Yes
VI
Yes
VI
23
EMAP
Enabled
?
Maybe
Potentially out
of scope
Event Type
Enumeration
Maybe
Potentially out
of scope
24
Description
Derived
Requirement
VIII
IX
25
Specification
Acronym
Specification Name
Derived
Requirement
EMAP
Component
CEE
I, II
Standardized Event
Record
OEEL
III
CERE
IV, V, VI
ARF
VII
Event Results
???
VIII
Event Management
Policy
???
IX
* Specifications are only required for defining the data exchange components of generic
EMAP workflow.
26