Version 4.0.1 (Archive)

This page provides information on the version 4.0.1 release of the MAEC Language. All information about the new version is included in this centralized location. Join the MAEC Community to participate in the next version of MAEC.


The MAEC Language Specification provides an overview and detailed description of the data model used in the MAEC Language, along with information on relevant use cases, MAEC's versioning policy, and other related information. Please submit any comments or questions about the current versions of the MAEC Language Specification document(s) to Along with any comments please specify the exact version of the document that is being commented on. Track Changes has been enabled in the Word document and annotated documents are appreciated. If you would like to submit an annotated document please simply attach it to your email to the maec-discussion-list. You may also submit comments directly to

MAEC Language Specification:


Includes downloads for the Version 4.0.1 Schemas, Version 4.0.1 Example Files, Version 4.0.1 Schematron Rules, and related documentation.


  • Complete Schema — has all documentation embedded.
  • Documentation html — element dictionaries, which users can elect to view in a browser or save.
  • All files zip — all the files in a section zipped together to allow for one simple download.
  • xsd/xml/sch — a user can either right click to download the file or left click to open the file in their default viewer.

MAEC Schema Downloads

File Name Schema Version Complete Schema Documentation Schematron
All Files n/a zip n/a n/a
All Files (offline, with examples and documentation) n/a zip n/a n/a
MAEC Bundle 4.0.1 xsd html sch | xsl
MAEC Package 2.0.1 xsd html n/a
MAEC Container 2.0.1 xsd html n/a
MAEC Default Vocabularies 1.0.1 xsd html n/a
Back to top

Release Notes

The major highlights of Version 4.0.1 are listed below:

  • Updated schemaLocation attributes to reflect the import and usage of the Cyber Observables eXpression (CybOX) v2.0.1.
  • Updated Schematron schema (sch) file to use the correct MAEC namespace.
  • Modified the "Package Dynamic Triage" and "Package Manual Analysis" examples to use Action Collections organized by class (e.g., File Actions, Process Actions, etc.). Previously, all Actions in these examples were defined under the top-level Actions element.

For more information please see the detailed Release Notes or schema annotations contained in the links above.


Example content for MAEC Version 4.0.1 is included below. Additional examples for this release that illustrate the use of MAEC Bundles, Packages, and Containers, as well as the capture of specific malware-related attributes (e.g., clustering information, AV classifications, etc.), are available on the Examples – Version 4.0.1 (Archive) page.

MAEC Example Content

File Name XML
All Files zip
Bundle Artifact xml
Bundle AV Classifications xml
Bundle Candidate Indicator xml
Bundle Dynamic Triage Tool Output xml
Bundle Network Behavior xml
Bundle Malicious Webpage xml
Bundle Object Re-use xml
Container Multiple Package xml
Package Action Equivalency xml
Package Clustering xml
Package Dynamic Triage xml
Package Manual Analysis xml
Package Multi-Partite Malware xml
Package Multiple Analysis xml
Package Static Triage xml


27 September 2013

Status Reports

Status updates are included below. You may also review the MAEC Community Discussion Archive for discussions about Version 4.0.1.

The MAEC Language Specification is now available for community review and comment. Please submit feedback to the MAEC Community Discussion email list, and/or directly to
Version 4.0.1 of the MAEC Language is now available. The release includes updates to reflect the import and usage of the Cyber Observables eXpression (CybOX) v2.0.1.
Back to top

Page Last Updated: February 11, 2014