Version 2.1 (Archive)

This page provides information on the current release of the MAEC Language. All information about the current release is included in this centralized location.

All items in this release remain open for discussion and any comments or feedback is greatly appreciated on MITRE’s Handshake collaboration Web site and/or the MAEC Discussion List. Please see the schema or schema documentation below for more information.

Version 2.1 of the MAEC core schema represents a minor update to Version 2.0 and is focused primarily on integrating the Version 1.0 (Draft) Cyber Observables Expression (CybOX™) Schema in order to permit increased expressiveness and consistency in MAEC, particularly with regards to the representation of MAEC Actions and Objects. It also includes a number of fixes and revisions to existing elements and types. Please see the summary changes below for more information.


Includes downloads for the Version 2.1 Schemas, Version 2.1 Example Files, Version 2.1 Schematron Rules, and related documentation.


  • Complete Schema — has all documentation embedded.
  • Documentation html — element dictionaries, which users can elect to view in a browser or save.
  • All files zip — all the files in a section zipped together to allow for one simple download.
  • xsd/xml/sch — a user can either right click to download the file or left click to open the file in their default viewer.

MAEC Schema Downloads

File Name Complete Schema Documentation Schematron
MAEC Core xsd html sch

MAEC Example Content Downloads

File Name XML
All Files zip
Static Malware Triage xml
Dynamic Malware Triage xml
Manual Malware Analysis xml
Back to top

Previous Version Differences Report

The biggest change is that Cyber Observables Expression (CybOX™) v0.7 has now been replaced with CybOX v1.0 and its related component schemas. This provides additional expressivity and eliminates the element/attribute duplication issues encountered in MAEC 2.0. As a result of the CybOX v1.0 integration, the following schema changes were made:

  • In the ObjectType:
    • This type is deprecated and removed as of this release. Its usage has been replaced completely with the CybOX ObjectType, which now fully supports all of the constructs necessary for Malware object expression.
    • The AV_Detections element has been refactored as the AVClassificationsType complex type, which extends the abstract CybOX DomainSpecificObjectAttributesType, and as a result can be plugged into the Domain_Specific_Object_Attributes element in the CybOX ObjectType.
    • The Code_Snippets element, used for defining code associated or extracted from the object, has been replaced with the CybOX Code Object. This object can be used along with an another object (the parent) and an object relationship type of ‘Contained_Within’ to express an identical relationship.
    • The Detected_By element, used for specifying the tool or signature that discovered the object, has been replaced with the Discovery_Method element in the CybOX ObjectType.
  • In the ActionType:
    • The id and idref attributes have been removed. The CybOX attributes for this type should be now be used, but with the corresponding MAEC ID syntax of ‘maec-namespace-act-integer’, validated with the following regular expression: ^maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*$. This is to differentiate MAEC actions, associated specifically with malware, from generic CybOX objects.
    • The AssociatedObjects element has now been removed since the MAEC ObjectType has been deprecated.
  • In the BehaviorType:
    • Inside the Associated_Code element, the base type of the Code_Snippet element has been changed to the CodeObjectType from the CybOX Code Object.
  • All ObjectType based or related types have been removed, since they are defunct with the removal of the MAEC ObjectType. This includes the following:
    • RelatedObjectType
    • StateChangeEffectType
    • StatefulMeasureType
    • ObservableType
  • The following types were removed as a result of the switch to the CybOX Code Object:
    • ProgrammingLanguageEnum
    • MalcodeTypeEnum
    • ProcessorTypeEnum

The following changes were made to further MAEC’s expressivity or to fix issues with regards to ambiguity or consistency:

  • All anonymously defined complex types (i.e. those defined inside another element, without a global type) have been turned into global complex types for the sake of consistency and to better facilitate further revisions.
  • Some missing annotations were added, and many annotations were redacted for clarity.
  • In the BundleType:
    • The schema_version attribute was changed to a fixed value of 2.1 to account for the current version number.
  • In the BehaviorType:
    • The idref attribute was removed and replaced with a Behavior_Reference element specifically for referencing existing behaviors. This was done to remove any ambiguity regarding whether a complete behavior or reference was expected in certain MAEC elements; now a behavior may only be referenced with this element.
    • The id attribute has been made required for proper validation in terms of ensuring that unique ID’s are used for these types in MAEC Bundles.
    • Inside the Actions element, an Action_Reference element of type CybOX ActionReferenceType was added, in order to unambiguously specify references to actions that compose the behavior. As such, the idref element on the CybOX Action should not be used in MAEC Bundles.
    • The Vulnerability_Exploit element inside the Purpose element was refactored to include a list of platforms that may be targeted by the vulnerability exploit, through a new Targeted_Platforms element. This is achieved via reference to a Common Platform Enumeration (CPE) identifier, and permits the specification of the platforms that are targeted by a vulnerability exploitation behavior, which is particularly useful when a unique identifier for the vulnerability (i.e. CVE) has not yet been issued.
    • Inside the Relationships/Relationship element, the Behavior element was replaced with the Behavior_Reference element, to unambiguously state that the relationship between behaviors must be specified via a reference.
  • In the ActionType:
    • Inside the Implementation element, the Platform element has been replaced with a Compatible_Platforms element, for more accurately specifying the possible platforms that an action may be compatible with (e.g. capable of being successfully executed on), rather than a single platform.
    • The id attribute is required for use inside MAEC bundles. While this cannot be enforced at the schema level, it is achieved using the embedded Schematron rules or the provided Schematron schema (sch) file.
  • In the AnalysisType:
    • The idref attribute was removed since Analyses are not capable of being referenced in MAEC Bundles.
    • The id attribute has been made required for proper validation in terms of ensuring that unique ID’s are used for these types in MAEC Bundles.
    • Inside the Findings/Behaviors and Actions elements, the Behavior and Action elements have been replaced with Behavior_Reference and Action_Reference, to unambiguously specify that behaviors and actions corresponding to an analysis finding must be specified via reference.
  • In the AnalysisSubjectType:
    • An Object_Reference element has been added to the choice selector, for unambiguously specifying a reference to an object in the MAEC Bundle that is the subject of the analysis. As such, the idref attribute on the Object element may no longer be used for this purpose.
  • In the IndicatorType:
    • The id attribute has been made required for proper validation in terms of ensuring that unique ID’s are used for these types in MAEC Bundles.
    • The type of the Observables element has been changed to the CybOX ObservableCompositionType, for more directly specifying the observables that compose the indicator.
  • In the TargetType:
    • The type attribute has been made optional since this enumeration was not exhaustive and there may be cases where the nature of the indicator target is complex and/or not readily apparent.
    • The Targeted_Behaviors, Targeted_Actions, and Targeted_Objects elements have been replaced with new types that represent lists of corresponding entity references (e.g. ActionReferenceListType). This was done to remove any ambiguity that these entities must be supplied via reference.
  • The ObjectReferenceType was added as a means of unambiguously specifying a reference to a CybOX object in a MAEC Bundle.
  • For all collection types (ActionCollectionType, BehaviorCollectionType, ObjectCollectionType, and IndicatorCollectionType):
    • The id attribute has been made required, for proper validation in terms of ensuring that unique ID’s are used for these types in MAEC Bundles.
    • The references to embedded entities and entity collections have been replaced with a list complex type (e.g. ActionListType for actions), for reuse in other schema locations.
Back to top

Page Last Updated: April 25, 2013