Main schema maec_bundle_schema.xsd
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) Bundle schema.
The MAEC Bundle Schema is maintained by The MITRE Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
This schema imports the CybOX schema and the CybOX object schemas. More information on CybOX can be found at http://cybox.mitre.org.
Element maecBundle:MAEC_Bundle
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.
Diagram: BundleType (attributes id, schema_version, defined_subject, content_type, timestamp; children Malware_Instance_Object_Attributes, AV_Classifications, Process_Tree, Behaviors, Actions, Objects, Candidate_Indicators, Collections)
Type maecBundle:BundleType
Instance
<maecBundle:MAEC_Bundle content_type="" defined_subject="" id="" schema_version="4.0.1" timestamp="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Malware_Instance_Object_Attributes>{0,1}</maecBundle:Malware_Instance_Object_Attributes>
  <maecBundle:AV_Classifications>{0,1}</maecBundle:AV_Classifications>
  <maecBundle:Process_Tree>{0,1}</maecBundle:Process_Tree>
  <maecBundle:Behaviors>{0,1}</maecBundle:Behaviors>
  <maecBundle:Actions>{0,1}</maecBundle:Actions>
  <maecBundle:Objects>{0,1}</maecBundle:Objects>
  <maecBundle:Candidate_Indicators>{0,1}</maecBundle:Candidate_Indicators>
  <maecBundle:Collections>{0,1}</maecBundle:Collections>
</maecBundle:MAEC_Bundle>
Attributes
QName Type Fixed Use Annotation
content_type maecBundle:BundleContentTypeEnum optional
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject xs:boolean required
The required defined_subject field specifies whether the subject attributes of the malware instance characterized here are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes element) or elsewhere (such as a MAEC Subject in a MAEC Package).
id maecBundle:BundleIDPattern required
The required id field specifies a unique ID for this MAEC Bundle. The ID must follow the pattern defined in the BundleIDPattern simple type.
schema_version xs:string 4.0.1 required
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the bundle was generated.
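The attribute table above states three rules a consumer can check before trusting a Bundle: id, schema_version and defined_subject are required, schema_version is fixed at 4.0.1, and defined_subject="true" promises that the subject's attributes are inside this Bundle (the Malware_Instance_Object_Attributes element). The following Python is an added example, not code from the MAEC project or this documentation; it uses only the standard library, and the two sample bundles and their ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

MAEC_BUNDLE_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
FIXED_SCHEMA_VERSION = "4.0.1"  # the schema_version attribute is fixed to this value


def q(local_name):
    """Clark-notation tag for an element in the MAEC Bundle namespace."""
    return "{%s}%s" % (MAEC_BUNDLE_NS, local_name)


def _as_bool(text):
    """Parse an xs:boolean lexical value; None for anything that is not one."""
    return {"true": True, "1": True, "false": False, "0": False}.get(text.strip().lower())


def check_bundle_root(xml_text):
    """Check the root MAEC_Bundle element against the attribute rules.

    Returns a list of human-readable findings; an empty list means the root
    element is consistent with the rules the schema documentation states.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != q("MAEC_Bundle"):
        return ["root element is %s, expected maecBundle:MAEC_Bundle" % root.tag]

    # id, schema_version and defined_subject are required attributes
    for name in ("id", "schema_version", "defined_subject"):
        if root.get(name) is None:
            findings.append("missing required attribute " + name)

    version = root.get("schema_version")
    if version is not None and version != FIXED_SCHEMA_VERSION:
        findings.append("schema_version %s is not the fixed value %s" % (version, FIXED_SCHEMA_VERSION))

    # defined_subject=true means the subject attributes live in this Bundle,
    # so Malware_Instance_Object_Attributes must be present
    raw_defined = root.get("defined_subject")
    if raw_defined is not None:
        defined = _as_bool(raw_defined)
        has_subject = root.find(q("Malware_Instance_Object_Attributes")) is not None
        if defined is None:
            findings.append("defined_subject %r is not an xs:boolean" % raw_defined)
        elif defined and not has_subject:
            findings.append("defined_subject is true but Malware_Instance_Object_Attributes is absent")

    # timestamp is optional, but when present it must be an xs:dateTime
    stamp = root.get("timestamp")
    if stamp is not None:
        try:
            datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            findings.append("timestamp %r is not an xs:dateTime" % stamp)
    return findings


# Constructed sample bundles (not from the MAEC project); ids are made-up placeholders.
GOOD_BUNDLE = """<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    id="maec-example-bnd-1" schema_version="4.0.1" defined_subject="true"
    timestamp="2013-04-01T12:00:00Z">
  <maecBundle:Malware_Instance_Object_Attributes/>
</maecBundle:MAEC_Bundle>"""

BAD_BUNDLE = """<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    id="maec-example-bnd-2" schema_version="4.0" defined_subject="true"
    timestamp="yesterday">
  <maecBundle:Process_Tree/>
</maecBundle:MAEC_Bundle>"""


if __name__ == "__main__":
    for label, text in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_bundle_root(text) or "ok")
```

The check deliberately does not treat a Malware_Instance_Object_Attributes element under defined_subject="false" as an error: the documentation only says the element is required in the stand-alone case, not that it is forbidden otherwise.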
Element maecBundle:BundleType / maecBundle:Malware_Instance_Object_Attributes
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e. without an accompanying MAEC Package and with the defined_subject attribute set to 'True'.
Type ObjectType
Element maecBundle:BundleType / maecBundle:AV_Classifications
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.
Diagram: AVClassificationsType (child AV_Classification)
Type maecBundle:AVClassificationsType
Instance
<maecBundle:AV_Classifications xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:AV_Classification>{1,unbounded}</maecBundle:AV_Classification>
</maecBundle:AV_Classifications>
Element maecBundle:AVClassificationsType / maecBundle:AV_Classification
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AV_Classification field captures a single AV classification of the malware instance object.
Diagram: AVClassificationType (children Engine_Version, Definition_Version, Classification_Name)
Type maecBundle:AVClassificationType
Instance
<maecBundle:AV_Classification xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Engine_Version>{0,1}</maecBundle:Engine_Version>
  <maecBundle:Definition_Version>{0,1}</maecBundle:Definition_Version>
  <maecBundle:Classification_Name>{0,1}</maecBundle:Classification_Name>
</maecBundle:AV_Classification>
Element maecBundle:AVClassificationType / maecBundle:Engine_Version
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.
Type xs:string
Element maecBundle:AVClassificationType / maecBundle:Definition_Version
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.
Type xs:string
Element maecBundle:AVClassificationType / maecBundle:Classification_Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.
Type xs:string
Element maecBundle:BundleType / maecBundle:Process_Tree
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.
Diagram: ProcessTreeType (child Root_Process)
Type maecBundle:ProcessTreeType
Instance
<maecBundle:Process_Tree xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Root_Process>{1,1}</maecBundle:Root_Process>
</maecBundle:Process_Tree>
Element maecBundle:ProcessTreeType / maecBundle:Root_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Root_Process field captures the root process in the process tree.
Diagram: ProcessTreeNodeType (attributes id, parent_action_idref; children Initiated_Actions, Spawned_Process, Injected_Process)
Type maecBundle:ProcessTreeNodeType
Instance
<maecBundle:Root_Process xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Initiated_Actions>{0,1}</maecBundle:Initiated_Actions>
  <maecBundle:Spawned_Process>{0,unbounded}</maecBundle:Spawned_Process>
  <maecBundle:Injected_Process>{0,unbounded}</maecBundle:Injected_Process>
</maecBundle:Root_Process>
Element maecBundle:ProcessTreeNodeType / maecBundle:Initiated_Actions
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.
Diagram: ActionReferenceListType (child Action_Reference)
Type maecBundle:ActionReferenceListType
Instance
<maecBundle:Initiated_Actions xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action_Reference>{1,unbounded}</maecBundle:Action_Reference>
</maecBundle:Initiated_Actions>
Element maecBundle:ActionReferenceListType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action.
Type ActionReferenceType
Element maecBundle:ProcessTreeNodeType / maecBundle:Spawned_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Spawned_Process field captures a single child process spawned by this process.
Diagram: ProcessTreeNodeType (attributes id, parent_action_idref; children Initiated_Actions, Spawned_Process, Injected_Process)
Type maecBundle:ProcessTreeNodeType
Instance
<maecBundle:Spawned_Process xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Initiated_Actions>{0,1}</maecBundle:Initiated_Actions>
  <maecBundle:Spawned_Process>{0,unbounded}</maecBundle:Spawned_Process>
  <maecBundle:Injected_Process>{0,unbounded}</maecBundle:Injected_Process>
</maecBundle:Spawned_Process>
Element maecBundle:ProcessTreeNodeType / maecBundle:Injected_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Injected_Process field captures a single process that was injected by this process.
Diagram: ProcessTreeNodeType (attributes id, parent_action_idref; children Initiated_Actions, Spawned_Process, Injected_Process)
Type maecBundle:ProcessTreeNodeType
Instance
<maecBundle:Injected_Process xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Initiated_Actions>{0,1}</maecBundle:Initiated_Actions>
  <maecBundle:Spawned_Process>{0,unbounded}</maecBundle:Spawned_Process>
  <maecBundle:Injected_Process>{0,unbounded}</maecBundle:Injected_Process>
</maecBundle:Injected_Process>
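The Process_Tree sections above describe a recursive structure: a Root_Process whose Spawned_Process and Injected_Process children are themselves ProcessTreeNodeType nodes, each optionally listing Initiated_Actions that point at Actions defined elsewhere in the Bundle. The following Python is an added example (not code from the MAEC project or this documentation) that walks that tree in pre-order and reports action references that nothing in the Bundle defines. It assumes, as the ProcessTreeNodeType diagram indicates, that a node carries id and parent_action_idref attributes; it further assumes that Action_Reference carries an action_idref attribute and that the top-level Actions element holds Action children with id attributes. The sample bundle and its ids are constructed.

```python
import xml.etree.ElementTree as ET

MAEC_BUNDLE_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"


def q(local_name):
    """Clark-notation tag for an element in the MAEC Bundle namespace."""
    return "{%s}%s" % (MAEC_BUNDLE_NS, local_name)


# Constructed sample (not from the MAEC project). Assumed attribute names:
# action_idref on Action_Reference, id on Action. Ids are made-up placeholders.
# Note that maec-example-act-3 is referenced but never defined under Actions.
SAMPLE_BUNDLE = """<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    id="maec-example-bnd-1" schema_version="4.0.1" defined_subject="false">
  <maecBundle:Process_Tree>
    <maecBundle:Root_Process id="maec-example-proc-1">
      <maecBundle:Initiated_Actions>
        <maecBundle:Action_Reference action_idref="maec-example-act-1"/>
        <maecBundle:Action_Reference action_idref="maec-example-act-2"/>
      </maecBundle:Initiated_Actions>
      <maecBundle:Spawned_Process id="maec-example-proc-2" parent_action_idref="maec-example-act-1">
        <maecBundle:Initiated_Actions>
          <maecBundle:Action_Reference action_idref="maec-example-act-3"/>
        </maecBundle:Initiated_Actions>
      </maecBundle:Spawned_Process>
      <maecBundle:Injected_Process id="maec-example-proc-3" parent_action_idref="maec-example-act-2"/>
    </maecBundle:Root_Process>
  </maecBundle:Process_Tree>
  <maecBundle:Actions>
    <maecBundle:Action id="maec-example-act-1"/>
    <maecBundle:Action id="maec-example-act-2"/>
  </maecBundle:Actions>
</maecBundle:MAEC_Bundle>"""


def walk_process_tree(xml_text):
    """Pre-order walk of the Process_Tree.

    Returns (rows, dangling). rows holds one tuple per process node:
    (depth, kind, process_id, parent_action_idref, initiated_action_idrefs).
    dangling lists action idrefs that no Action element in the Bundle defines.
    """
    root = ET.fromstring(xml_text)
    known = {a.get("id") for a in root.iter(q("Action")) if a.get("id")}
    rows, dangling = [], []

    def visit(node, kind, depth):
        refs = tuple(
            r.get("action_idref")
            for r in node.findall(q("Initiated_Actions") + "/" + q("Action_Reference"))
        )
        parent_ref = node.get("parent_action_idref")
        for ref in refs + ((parent_ref,) if parent_ref else ()):
            if ref not in known and ref not in dangling:
                dangling.append(ref)
        rows.append((depth, kind, node.get("id"), parent_ref, refs))
        # schema order: Spawned_Process children precede Injected_Process children
        for child in node:
            if child.tag == q("Spawned_Process"):
                visit(child, "spawned", depth + 1)
            elif child.tag == q("Injected_Process"):
                visit(child, "injected", depth + 1)

    tree = root.find(q("Process_Tree"))
    root_proc = tree.find(q("Root_Process")) if tree is not None else None
    if root_proc is not None:
        visit(root_proc, "root", 0)
    return rows, dangling


def render(rows):
    """Indented text view of the walk, one line per process node."""
    return "\n".join(
        "%s%s %s (parent action: %s) initiated: %s"
        % ("  " * depth, kind, pid, parent or "-", ", ".join(refs) or "-")
        for depth, kind, pid, parent, refs in rows
    )


if __name__ == "__main__":
    rows, dangling = walk_process_tree(SAMPLE_BUNDLE)
    print(render(rows))
    print("dangling action references:", dangling)
```

Resolving every Action_Reference against the Actions the Bundle actually defines is the check worth keeping: a tree whose nodes point at missing actions is usually a sign of a truncated or hand-edited report rather than of sandbox output.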
Element maecBundle:BundleType / maecBundle:Behaviors
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.
Diagram: BehaviorListType (child Behavior)
Type maecBundle:BehaviorListType
Instance
<maecBundle:Behaviors xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior duration="" id="" ordinal_position="" status="">{1,unbounded}</maecBundle:Behavior>
</maecBundle:Behaviors>
Element maecBundle:BehaviorListType / maecBundle:Behavior
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior field specifies a single Behavior in the list.
Diagram: BehaviorType (attributes id, ordinal_position, status, duration; children Purpose, Description, Discovery_Method, Action_Composition, Associated_Code, Relationships)
Type maecBundle:BehaviorType
Instance
<maecBundle:Behavior duration="" id="" ordinal_position="" status="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Purpose>{0,1}</maecBundle:Purpose>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Discovery_Method>{0,1}</maecBundle:Discovery_Method>
  <maecBundle:Action_Composition>{0,1}</maecBundle:Action_Composition>
  <maecBundle:Associated_Code>{0,1}</maecBundle:Associated_Code>
  <maecBundle:Relationships>{0,1}</maecBundle:Relationships>
</maecBundle:Behavior>
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id maecBundle:BehaviorIDPattern required
The required id field specifies a unique ID for this Behavior. The ID must follow the pattern defined in the BehaviorIDPattern simple type.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Element maecBundle:BehaviorType / maecBundle:Purpose
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.
Diagram: BehaviorPurposeType (children Description, Vulnerability_Exploit)
Type maecBundle:BehaviorPurposeType
Instance
<maecBundle:Purpose xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Vulnerability_Exploit known_vulnerability="">{0,1}</maecBundle:Vulnerability_Exploit>
</maecBundle:Purpose>
Element maecBundle:BehaviorPurposeType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.
Type xs:string
Element maecBundle:BehaviorPurposeType / maecBundle:Vulnerability_Exploit
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Vulnerability_Exploit field contains a CVE identifier for a vulnerability that a Behavior may have attempted to exploit, where the exploitation was either unsuccessful or its success is unknown.
Diagram: VulnerabilityExploitType (attribute known_vulnerability; children CVE, Targeted_Platforms)
Type maecBundle:VulnerabilityExploitType
Instance
<maecBundle:Vulnerability_Exploit known_vulnerability="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:CVE cve_id="">{0,1}</maecBundle:CVE>
  <maecBundle:Targeted_Platforms>{0,1}</maecBundle:Targeted_Platforms>
</maecBundle:Vulnerability_Exploit>
Attributes
QName Type Use Annotation
known_vulnerability xs:boolean optional
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Element maecBundle:VulnerabilityExploitType / maecBundle:CVE
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.
Diagram: CVEVulnerabilityType (attribute cve_id; child Description)
Type maecBundle:CVEVulnerabilityType
Instance
<maecBundle:CVE cve_id="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Description>{0,1}</maecBundle:Description>
</maecBundle:CVE>
Attributes
QName Type Use Annotation
cve_id xs:string required
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
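The known_vulnerability annotation above describes a consistency rule (true means the vulnerability is referenced by a CVE element; false means the exploit targets something not yet identified, optionally described via Targeted_Platforms), and the cve_id annotation gives the identifier form, e.g. CVE-1999-0002. The following Python is an added example, not code from the MAEC project or this documentation, that applies both rules to a single Vulnerability_Exploit element. The identifier pattern CVE-<four-digit year>-<four or more digits> is the published CVE ID syntax; the sample elements are constructed, and the empty Platform element stands in for a PlatformSpecificationType whose content this page does not show.

```python
import re
import xml.etree.ElementTree as ET

MAEC_BUNDLE_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
# CVE identifier syntax: CVE-<four-digit year>-<four or more digits>
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def q(local_name):
    """Clark-notation tag for an element in the MAEC Bundle namespace."""
    return "{%s}%s" % (MAEC_BUNDLE_NS, local_name)


def _as_bool(text):
    """Parse an xs:boolean lexical value; None for anything that is not one."""
    return {"true": True, "1": True, "false": False, "0": False}.get(text.strip().lower())


def check_vulnerability_exploit(xml_text):
    """Findings for one Vulnerability_Exploit element; an empty list means consistent."""
    ve = ET.fromstring(xml_text)
    findings = []
    cve = ve.find(q("CVE"))
    raw_known = ve.get("known_vulnerability")
    known = _as_bool(raw_known) if raw_known is not None else None

    if raw_known is not None and known is None:
        findings.append("known_vulnerability %r is not an xs:boolean" % raw_known)
    # known_vulnerability=true: the CVE element is the expected reference
    if known is True and cve is None:
        findings.append("known_vulnerability is true but no CVE element references the vulnerability")
    # known_vulnerability=false: a CVE reference contradicts the attribute
    if known is False and cve is not None:
        findings.append("known_vulnerability is false but a CVE element is present")

    if cve is not None:
        cve_id = cve.get("cve_id")
        if cve_id is None:
            findings.append("CVE element is missing its required cve_id attribute")
        elif not CVE_ID_RE.match(cve_id):
            findings.append("cve_id %r is not a well-formed CVE identifier" % cve_id)
    return findings


# Constructed samples (not from the MAEC project); description text is a placeholder.
_NS_DECL = 'xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"'

KNOWN_CVE = """<maecBundle:Vulnerability_Exploit known_vulnerability="true" %s>
  <maecBundle:CVE cve_id="CVE-1999-0002">
    <maecBundle:Description>constructed description text</maecBundle:Description>
  </maecBundle:CVE>
</maecBundle:Vulnerability_Exploit>""" % _NS_DECL

UNKNOWN_WITH_PLATFORMS = """<maecBundle:Vulnerability_Exploit known_vulnerability="false" %s>
  <maecBundle:Targeted_Platforms>
    <maecBundle:Platform/>
  </maecBundle:Targeted_Platforms>
</maecBundle:Vulnerability_Exploit>""" % _NS_DECL

BAD_CVE_ID = """<maecBundle:Vulnerability_Exploit known_vulnerability="true" %s>
  <maecBundle:CVE cve_id="1999-0002"/>
</maecBundle:Vulnerability_Exploit>""" % _NS_DECL

KNOWN_WITHOUT_CVE = """<maecBundle:Vulnerability_Exploit known_vulnerability="true" %s>
  <maecBundle:Targeted_Platforms><maecBundle:Platform/></maecBundle:Targeted_Platforms>
</maecBundle:Vulnerability_Exploit>""" % _NS_DECL


if __name__ == "__main__":
    for label, text in (("known", KNOWN_CVE), ("unknown", UNKNOWN_WITH_PLATFORMS),
                        ("bad id", BAD_CVE_ID), ("no cve", KNOWN_WITHOUT_CVE)):
        print(label, check_vulnerability_exploit(text) or "ok")
```

A missing Targeted_Platforms under known_vulnerability="false" is not reported, because the annotation says the platforms "may be specified", not that they must be.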
Element maecBundle:CVEVulnerabilityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field specifies the textual description of the vulnerability referenced by the cve_id.
Type xs:string
Element maecBundle:VulnerabilityExploitType / maecBundle:Targeted_Platforms
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit.
Diagram: PlatformListType (child Platform)
Type maecBundle:PlatformListType
Instance
<maecBundle:Targeted_Platforms xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Platform>{1,unbounded}</maecBundle:Platform>
</maecBundle:Targeted_Platforms>
Element maecBundle:PlatformListType / maecBundle:Platform
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Platform field specifies a single platform in the list via a Common Platform Enumeration ID. It imports and uses the CPESpecificationType from the CybOX Common Types v1.0 draft.
Type PlatformSpecificationType
Element maecBundle:BehaviorType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field specifies a prose textual description of the Behavior.
Type xs:string
Element maecBundle:BehaviorType / maecBundle:Discovery_Method
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Discovery_Method field specifies the method used to discover the Behavior.
Type MeasureSourceType
Element maecBundle:BehaviorType / maecBundle:Action_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Composition field captures the Actions that compose the Behavior.
Diagram: BehavioralActionsType (children Action_Collection, Action, Action_Reference, Action_Equivalence_Reference)
Type maecBundle:BehavioralActionsType
Instance
<maecBundle:Action_Composition xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action_Collection id="" name="">{1,1}</maecBundle:Action_Collection>
  <maecBundle:Action behavioral_ordering="">{1,1}</maecBundle:Action>
  <maecBundle:Action_Reference>{1,1}</maecBundle:Action_Reference>
  <maecBundle:Action_Equivalence_Reference action_equivalence_idref="" behavioral_ordering="">{1,1}</maecBundle:Action_Equivalence_Reference>
</maecBundle:Action_Composition>
Element maecBundle:BehavioralActionsType / maecBundle:Action_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collection field specifies an Action Collection that is part of the behavioral composition.
Diagram: ActionCollectionType, extending BaseCollectionType (attributes name, id; children Affinity_Type, Affinity_Degree, Description, Action_List)
Type maecBundle:ActionCollectionType
Instance
<maecBundle:Action_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Action_List>{1,1}</maecBundle:Action_List>
</maecBundle:Action_Collection>
Attributes
QName Type Use Annotation
id maecBundle:ActionCollIDPattern required
The id field specifies a unique ID for this Action Collection. The ID must follow the pattern defined in the ActionCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:BaseCollectionType / maecBundle:Affinity_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.
Type xs:string
Element maecBundle:BaseCollectionType / maecBundle:Affinity_Degree
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.
Type xs:string
Element maecBundle:BaseCollectionType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field contains a textual description of the collection.
Type xs:string
Element maecBundle:ActionCollectionType / maecBundle:Action_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_List field specifies a list of Actions that make up the collection.
Diagram: ActionListType (child Action)
Type maecBundle:ActionListType
Instance
<maecBundle:Action_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action>{1,unbounded}</maecBundle:Action>
</maecBundle:Action_List>
Element maecBundle:ActionListType / maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action field specifies a single Action in the list.
Diagram: MalwareActionType (child Implementation)
Type maecBundle:MalwareActionType
Instance
<maecBundle:Action xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Implementation id="" type="">{0,1}</maecBundle:Implementation>
</maecBundle:Action>
Element maecBundle:MalwareActionType / maecBundle:Implementation
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.
Diagram: ActionImplementationType (attributes id, type; children Compatible_Platforms, API_Call, Code)
Type maecBundle:ActionImplementationType
Instance
<maecBundle:Implementation id="" type="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Compatible_Platforms>{0,1}</maecBundle:Compatible_Platforms>
  <maecBundle:API_Call function_name="" normalized_function_name="">{0,1}</maecBundle:API_Call>
  <maecBundle:Code>{0,unbounded}</maecBundle:Code>
</maecBundle:Implementation>
Attributes
QName Type Use Annotation
id maecBundle:ActionImplementationIDPattern optional
The id field specifies a unique ID for this Action Implementation. The ID must follow the pattern defined in the ActionImplementationIDPattern simple type.
type maecBundle:ActionImplementationTypeEnum required
The required type field refers to the type of Action Implementation being characterized in this element.
Element maecBundle:ActionImplementationType / maecBundle:Compatible_Platforms
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Compatible_Platforms field specifies the platform(s) that the Action is compatible with, i.e. that it is capable of being successfully executed on.
Diagram: PlatformListType (child Platform)
Type maecBundle:PlatformListType
Instance
<maecBundle:Compatible_Platforms xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Platform>{1,unbounded}</maecBundle:Platform>
</maecBundle:Compatible_Platforms>
Element maecBundle:ActionImplementationType / maecBundle:API_Call
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.
Diagram: APICallType (attributes function_name, normalized_function_name; children Address, Return_Value, Parameters)
Type maecBundle:APICallType
Instance
<maecBundle:API_Call function_name="" normalized_function_name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Address>{0,1}</maecBundle:Address>
  <maecBundle:Return_Value>{0,1}</maecBundle:Return_Value>
  <maecBundle:Parameters>{0,1}</maecBundle:Parameters>
</maecBundle:API_Call>
Attributes
QName Type Use Annotation
function_name xs:string optional
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
normalized_function_name xs:string optional
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Element maecBundle:APICallType / maecBundle:Address
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Address field contains the address of the API call in the binary.
Type xs:hexBinary
Element maecBundle:APICallType / maecBundle:Return_Value
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Return_Value field contains the return value of the API call.
Type xs:string
Element maecBundle:APICallType / maecBundle:Parameters
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Parameters field captures any name/value pairs of the parameters passed into the API call.
Diagram: ParameterListType (child Parameter)
Type maecBundle:ParameterListType
Instance
<maecBundle:Parameters xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Parameter name="" ordinal_position="" value="">{1,unbounded}</maecBundle:Parameter>
</maecBundle:Parameters>
Element maecBundle:ParameterListType / maecBundle:Parameter
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Parameter field specifies a single function parameter.
Diagram: ParameterType (attributes ordinal_position, name, value)
Type maecBundle:ParameterType
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the parameter.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the parameter with respect to the function where it is used.
value xs:string optional
The value field specifies the actual value of the parameter.
Element maecBundle:ActionImplementationType / maecBundle:Code
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Code field contains any form of code that was used to implement the action.
Type CodeObjectType
Element maecBundle:BehavioralActionsType / maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action field specifies a single Action that is part of the behavioral composition.
Diagram: BehavioralActionType, extending MalwareActionType (attribute behavioral_ordering; child Implementation)
Type maecBundle:BehavioralActionType
Instance
<maecBundle:Action behavioral_ordering="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Implementation id="" type="">{0,1}</maecBundle:Implementation>
</maecBundle:Action>
Attributes
QName Type Use Annotation
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Element maecBundle:BehavioralActionsType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.
Diagram: BehavioralActionReferenceType (attribute behavioral_ordering)
Type maecBundle:BehavioralActionReferenceType
Element maecBundle:BehavioralActionsType / maecBundle:Action_Equivalence_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.
Diagram: BehavioralActionEquivalenceReferenceType (attributes action_equivalence_idref, behavioral_ordering)
Type maecBundle:BehavioralActionEquivalenceReferenceType
Attributes
QName Type Use Annotation
action_equivalence_idref maecBundle:ActionEquivalenceIDREFPattern required
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action Equivalence with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
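The Action_Composition sections above let a Behavior mix inline Actions, Action_References and Action_Equivalence_References, each carrying an optional behavioral_ordering (an xs:positiveInteger) that fixes its place in the behavior. The following Python is an added example, not code from the MAEC project or this documentation, that reconstructs that order: entries with a valid ordinal come first, sorted by it; entries without one keep document order after them; an ordinal that is not a positive integer, or one used twice, is reported. It assumes that an inline Action carries an id attribute and that Action_Reference carries action_idref; the sample Behaviors and their ids are constructed.

```python
import xml.etree.ElementTree as ET

MAEC_BUNDLE_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"


def q(local_name):
    """Clark-notation tag for an element in the MAEC Bundle namespace."""
    return "{%s}%s" % (MAEC_BUNDLE_NS, local_name)


# Which attribute identifies each kind of composition entry (assumed names for
# Action and Action_Reference; the other two come from the attribute tables).
ID_ATTRIBUTE = {
    "Action": "id",
    "Action_Reference": "action_idref",
    "Action_Equivalence_Reference": "action_equivalence_idref",
    "Action_Collection": "id",
}

# Constructed sample Behaviors (not from the MAEC project); ids are placeholders.
_NS_DECL = 'xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"'

SAMPLE_BEHAVIOR = """<maecBundle:Behavior id="maec-example-bhv-1" %s>
  <maecBundle:Action_Composition>
    <maecBundle:Action_Reference action_idref="maec-example-act-7" behavioral_ordering="3"/>
    <maecBundle:Action_Equivalence_Reference action_equivalence_idref="maec-example-equiv-1" behavioral_ordering="1"/>
    <maecBundle:Action id="maec-example-act-9" behavioral_ordering="2"/>
    <maecBundle:Action_Reference action_idref="maec-example-act-8"/>
    <maecBundle:Action_Reference action_idref="maec-example-act-5" behavioral_ordering="0"/>
  </maecBundle:Action_Composition>
</maecBundle:Behavior>""" % _NS_DECL

DUPLICATE_BEHAVIOR = """<maecBundle:Behavior id="maec-example-bhv-2" %s>
  <maecBundle:Action_Composition>
    <maecBundle:Action_Reference action_idref="maec-example-act-1" behavioral_ordering="1"/>
    <maecBundle:Action_Reference action_idref="maec-example-act-2" behavioral_ordering="1"/>
  </maecBundle:Action_Composition>
</maecBundle:Behavior>""" % _NS_DECL


def ordered_composition(behavior_xml):
    """Return (entries, problems) for one Behavior element.

    entries: (element_name, referenced_id, behavioral_ordering or None), with
    ordered entries first by ordinal and unordered ones after, in document order.
    problems: findings about ordinals that are invalid or used more than once.
    """
    behavior = ET.fromstring(behavior_xml)
    comp = behavior.find(q("Action_Composition"))
    if comp is None:
        return [], []
    keyed, problems, seen = [], [], {}
    for position, child in enumerate(comp):
        local = child.tag.split("}")[-1]
        if local not in ID_ATTRIBUTE:
            continue
        ident = child.get(ID_ATTRIBUTE[local])
        raw = child.get("behavioral_ordering")
        ordinal = None
        if raw is not None:
            # xs:positiveInteger: decimal digits only and strictly greater than zero
            if raw.isdigit() and int(raw) > 0:
                ordinal = int(raw)
                if ordinal in seen:
                    problems.append("behavioral_ordering %d used by both %s and %s"
                                    % (ordinal, seen[ordinal], ident))
                else:
                    seen[ordinal] = ident
            else:
                problems.append("behavioral_ordering %r on %s is not a positive integer" % (raw, ident))
        # sort key: unordered entries last, then by ordinal, then document position
        keyed.append((ordinal is None, ordinal or 0, position, local, ident))
    keyed.sort(key=lambda k: k[:3])
    entries = [(local, ident, None if unordered else ordinal)
               for unordered, ordinal, position, local, ident in keyed]
    return entries, problems


if __name__ == "__main__":
    for name, ident, ordinal in ordered_composition(SAMPLE_BEHAVIOR)[0]:
        print(ordinal if ordinal is not None else "-", name, ident)
```

Keeping unordered entries in document order, rather than dropping them, matters when a producer only numbered the actions it considered essential: the rest of the composition is still data, it just carries no ordering claim.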
Element maecBundle:BehaviorType / maecBundle:Associated_Code
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Associated_Code field specifies any code snippets that may be associated with the Behavior.
Diagram: AssociatedCodeType (child Code_Snippet)
Type maecBundle:AssociatedCodeType
Instance
<maecBundle:Associated_Code xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Code_Snippet>{1,unbounded}</maecBundle:Code_Snippet>
</maecBundle:Associated_Code>
Element maecBundle:AssociatedCodeType / maecBundle:Code_Snippet
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.
Type CodeObjectType
Element maecBundle:BehaviorType / maecBundle:Relationships
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationships field specifies any relationships between this Behavior and any other Behaviors.
Type maecBundle:BehaviorRelationshipListType
Instance
<maecBundle:Relationships xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Relationship type="">{1,unbounded}</maecBundle:Relationship>
</maecBundle:Relationships>
Element maecBundle:BehaviorRelationshipListType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.
Type maecBundle:BehaviorRelationshipType
Instance
<maecBundle:Relationship type="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Reference behavior_idref="">{1,unbounded}</maecBundle:Behavior_Reference>
</maecBundle:Relationship>
Attributes
QName Type Use Annotation
type restriction of ActionRelationshipTypeEnum-1.0 optional
The type field specifies the nature of the relationship between Behaviors that is being captured.
Element maecBundle:BehaviorRelationshipType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior in the relationship.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref maecBundle:BehaviorIDREFPattern required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:BundleType / maecBundle:Actions
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.
Type maecBundle:ActionListType
Instance
<maecBundle:Actions xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action>{1,unbounded}</maecBundle:Action>
</maecBundle:Actions>
Element maecBundle:BundleType / maecBundle:Objects
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.
Type maecBundle:ObjectListType
Instance
<maecBundle:Objects xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Object>{1,unbounded}</maecBundle:Object>
</maecBundle:Objects>
Element maecBundle:ObjectListType / maecBundle:Object
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.
Type ObjectType
Element maecBundle:BundleType / maecBundle:Candidate_Indicators
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.
Type maecBundle:CandidateIndicatorListType
Instance
<maecBundle:Candidate_Indicators xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator creation_datetime="" id="" lastupdate_datetime="" version="">{1,unbounded}</maecBundle:Candidate_Indicator>
</maecBundle:Candidate_Indicators>
Element maecBundle:CandidateIndicatorListType / maecBundle:Candidate_Indicator
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator field specifies a single Candidate Indicator in the list.
Type maecBundle:CandidateIndicatorType
Instance
<maecBundle:Candidate_Indicator creation_datetime="" id="" lastupdate_datetime="" version="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Importance>{0,1}</maecBundle:Importance>
  <maecBundle:Numeric_Importance>{0,1}</maecBundle:Numeric_Importance>
  <maecBundle:Author>{0,1}</maecBundle:Author>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Malware_Entity>{0,1}</maecBundle:Malware_Entity>
  <maecBundle:Composition operator="">{0,1}</maecBundle:Composition>
</maecBundle:Candidate_Indicator>
Attributes
QName Type Use Annotation
creation_datetime xs:dateTime optional
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
id maecBundle:CandidateIndicatorIDPattern required
The id field specifies a unique ID for this Candidate Indicator. The ID must follow the pattern defined in the CandidateIndicatorIDPattern simple type.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
version xs:string optional
The version field specifies the version of the Candidate Indicator.
Element maecBundle:CandidateIndicatorType / maecBundle:Importance
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Importance field specifies the relative importance of the Candidate Indicator.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type ControlledVocabularyStringType
Element maecBundle:CandidateIndicatorType / maecBundle:Numeric_Importance
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.
Type xs:positiveInteger
Element maecBundle:CandidateIndicatorType / maecBundle:Author
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Author field specifies the author of the Candidate Indicator.
Type xs:string
Element maecBundle:CandidateIndicatorType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field provides a brief description of the Candidate Indicator.
Type xs:string
Element maecBundle:CandidateIndicatorType / maecBundle:Malware_Entity
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.
Type maecBundle:MalwareEntityType
Instance
<maecBundle:Malware_Entity xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Type>{0,1}</maecBundle:Type>
  <maecBundle:Name>{0,1}</maecBundle:Name>
  <maecBundle:Description>{0,1}</maecBundle:Description>
</maecBundle:Malware_Entity>
Element maecBundle:MalwareEntityType / maecBundle:Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Type field refers to the specific type of malware entity that the indicator or signature is written against.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type ControlledVocabularyStringType
Element maecBundle:MalwareEntityType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.
Type xs:string
Element maecBundle:MalwareEntityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.
Type xs:string
Element maecBundle:CandidateIndicatorType / maecBundle:Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Composition field specifies the actual observables that the Candidate Indicator is composed of, via references to one or more MAEC entities contained in the Bundle.
Type maecBundle:CandidateIndicatorCompositionType
Instance
<maecBundle:Composition operator="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Reference behavior_idref="">{0,1}</maecBundle:Behavior_Reference>
  <maecBundle:Action_Reference>{0,1}</maecBundle:Action_Reference>
  <maecBundle:Object_Reference object_idref="">{0,1}</maecBundle:Object_Reference>
  <maecBundle:Sub_Composition operator="">{0,unbounded}</maecBundle:Sub_Composition>
</maecBundle:Composition>
Attributes
QName Type Use Annotation
operator OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref maecBundle:BehaviorIDREFPattern required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.
Type ActionReferenceType
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Object_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.
Type maecBundle:ObjectReferenceType
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Sub_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.
Type maecBundle:CandidateIndicatorCompositionType
Instance
<maecBundle:Sub_Composition operator="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Reference behavior_idref="">{0,1}</maecBundle:Behavior_Reference>
  <maecBundle:Action_Reference>{0,1}</maecBundle:Action_Reference>
  <maecBundle:Object_Reference object_idref="">{0,1}</maecBundle:Object_Reference>
  <maecBundle:Sub_Composition operator="">{0,unbounded}</maecBundle:Sub_Composition>
</maecBundle:Sub_Composition>
Attributes
QName Type Use Annotation
operator OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
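As an added example (not part of the MAEC schema documentation or of MITRE's tooling), the following Python checks that every Behavior_Reference and Object_Reference inside a Candidate Indicator's Composition and Sub_Composition levels resolves to an entity declared in the same Bundle, then evaluates the nested Boolean composition against a set of observed entity IDs. It assumes OperatorTypeEnum values "AND" and "OR" and treats a missing operator as AND; the Bundle text and all IDs are constructed placeholders, and Action_Reference is skipped because its idref attribute belongs to the CybOX ActionReferenceType, which this page does not define.

```python
import xml.etree.ElementTree as ET

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
MB = "{" + MAEC_NS + "}"  # Clark-notation prefix for maecBundle elements

# Constructed sample Bundle; every ID and description is an illustrative placeholder.
SAMPLE_BUNDLE = """<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    id="example-bnd-1" schema_version="4.0.1" defined_subject="false">
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="example-bhv-1">
      <maecBundle:Description>Adds a registry run key</maecBundle:Description>
    </maecBundle:Behavior>
    <maecBundle:Behavior id="example-bhv-2">
      <maecBundle:Description>Contacts a remote host</maecBundle:Description>
    </maecBundle:Behavior>
  </maecBundle:Behaviors>
  <maecBundle:Objects>
    <maecBundle:Object id="example-obj-1"/>
  </maecBundle:Objects>
  <maecBundle:Candidate_Indicators>
    <maecBundle:Candidate_Indicator id="example-ci-1">
      <maecBundle:Composition operator="AND">
        <maecBundle:Behavior_Reference behavior_idref="example-bhv-1"/>
        <maecBundle:Sub_Composition operator="OR">
          <maecBundle:Behavior_Reference behavior_idref="example-bhv-2"/>
          <maecBundle:Object_Reference object_idref="example-obj-1"/>
        </maecBundle:Sub_Composition>
      </maecBundle:Composition>
    </maecBundle:Candidate_Indicator>
    <maecBundle:Candidate_Indicator id="example-ci-2">
      <maecBundle:Composition operator="OR">
        <maecBundle:Behavior_Reference behavior_idref="example-bhv-99"/>
      </maecBundle:Composition>
    </maecBundle:Candidate_Indicator>
  </maecBundle:Candidate_Indicators>
</maecBundle:MAEC_Bundle>"""


def load_bundle(xml_text):
    """Parse a MAEC Bundle document and return its root element."""
    return ET.fromstring(xml_text)


def bundle_ids(root):
    """Collect the IDs of all Behaviors and CybOX Objects declared in the Bundle
    (top-level lists and Collections alike, since both live in this Bundle)."""
    behaviors = {b.get("id") for b in root.iter(MB + "Behavior")}
    objects = {o.get("id") for o in root.iter(MB + "Object")}
    return behaviors, objects


def dangling_references(root):
    """Return (candidate_indicator_id, kind, idref) for each Behavior_Reference or
    Object_Reference in a Candidate Indicator that does not resolve in this Bundle."""
    behaviors, objects = bundle_ids(root)
    problems = []
    for ci in root.iter(MB + "Candidate_Indicator"):
        for ref in ci.iter(MB + "Behavior_Reference"):
            if ref.get("behavior_idref") not in behaviors:
                problems.append((ci.get("id"), "behavior", ref.get("behavior_idref")))
        for ref in ci.iter(MB + "Object_Reference"):
            if ref.get("object_idref") not in objects:
                problems.append((ci.get("id"), "object", ref.get("object_idref")))
    return problems


def evaluate_composition(level, observed):
    """Evaluate one Composition or Sub_Composition level against a set of observed
    Behavior/Object IDs, combining its children with the level's Boolean operator."""
    op = level.get("operator", "AND").upper()  # assumption: absent operator means AND
    if op not in ("AND", "OR"):
        raise ValueError("unsupported operator: %r" % op)
    results = []
    for child in level:
        local = child.tag[len(MB):]
        if local == "Behavior_Reference":
            results.append(child.get("behavior_idref") in observed)
        elif local == "Object_Reference":
            results.append(child.get("object_idref") in observed)
        elif local == "Sub_Composition":
            results.append(evaluate_composition(child, observed))
        # Action_Reference (CybOX ActionReferenceType) is deliberately not evaluated.
    if not results:
        return False  # an empty level can never be satisfied
    return all(results) if op == "AND" else any(results)


def matching_indicators(root, observed):
    """Return the IDs of Candidate Indicators whose composition holds for `observed`."""
    matches = []
    for ci in root.iter(MB + "Candidate_Indicator"):
        comp = ci.find(MB + "Composition")
        if comp is not None and evaluate_composition(comp, observed):
            matches.append(ci.get("id"))
    return matches


if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_BUNDLE)
    print("dangling:", dangling_references(bundle))
    print("matches:", matching_indicators(bundle, {"example-bhv-1", "example-obj-1"}))
```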
Element maecBundle:BundleType / maecBundle:Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.
Type maecBundle:CollectionsType
Instance
<maecBundle:Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Collections>{0,1}</maecBundle:Behavior_Collections>
  <maecBundle:Action_Collections>{0,1}</maecBundle:Action_Collections>
  <maecBundle:Object_Collections>{0,1}</maecBundle:Object_Collections>
  <maecBundle:Candidate_Indicator_Collections>{0,1}</maecBundle:Candidate_Indicator_Collections>
</maecBundle:Collections>
Element maecBundle:CollectionsType / maecBundle:Behavior_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Collections field captures any collections of Behaviors in the Bundle.
Type maecBundle:BehaviorCollectionListType
Instance
<maecBundle:Behavior_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior_Collection id="" name="">{1,unbounded}</maecBundle:Behavior_Collection>
</maecBundle:Behavior_Collections>
Element maecBundle:BehaviorCollectionListType / maecBundle:Behavior_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.
Type maecBundle:BehaviorCollectionType
Instance
<maecBundle:Behavior_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Purpose>{0,1}</maecBundle:Purpose>
  <maecBundle:Behavior_List>{1,1}</maecBundle:Behavior_List>
</maecBundle:Behavior_Collection>
Attributes
QName Type Use Annotation
id maecBundle:BehaviorCollIDPattern required
The id field specifies a unique ID for this Behavior Collection. The ID must follow the pattern defined in the BehaviorCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:BehaviorCollectionType / maecBundle:Purpose
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as a way of abstracting the nature of the collection of Behaviors away from its constituent Actions.
Type xs:string
Element maecBundle:BehaviorCollectionType / maecBundle:Behavior_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_List field specifies a list of Behaviors that make up the collection.
Type maecBundle:BehaviorListType
Instance
<maecBundle:Behavior_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Behavior duration="" id="" ordinal_position="" status="">{1,unbounded}</maecBundle:Behavior>
</maecBundle:Behavior_List>
Element maecBundle:CollectionsType / maecBundle:Action_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collections field captures any collections of Actions in the Bundle.
Type maecBundle:ActionCollectionListType
Instance
<maecBundle:Action_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Action_Collection id="" name="">{1,unbounded}</maecBundle:Action_Collection>
</maecBundle:Action_Collections>
Element maecBundle:ActionCollectionListType / maecBundle:Action_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collection field specifies a single collection of Actions in the Bundle.
Type maecBundle:ActionCollectionType
Instance
<maecBundle:Action_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Action_List>{1,1}</maecBundle:Action_List>
</maecBundle:Action_Collection>
Attributes
QName Type Use Annotation
id maecBundle:ActionCollIDPattern required
The id field specifies a unique ID for this Action Collection. The ID must follow the pattern defined in the ActionCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:CollectionsType / maecBundle:Object_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Collections field captures any collections of CybOX Objects in the Bundle.
Type maecBundle:ObjectCollectionListType
Instance
<maecBundle:Object_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Object_Collection id="" name="">{1,unbounded}</maecBundle:Object_Collection>
</maecBundle:Object_Collections>
Element maecBundle:ObjectCollectionListType / maecBundle:Object_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Collection field specifies a single collection of CybOX Objects.
Type maecBundle:ObjectCollectionType
Instance
<maecBundle:Object_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Object_List>{1,1}</maecBundle:Object_List>
</maecBundle:Object_Collection>
Attributes
QName Type Use Annotation
id maecBundle:ObjectCollIDPattern required
The id attribute specifies a unique ID for this Object Collection. The ID must follow the pattern defined in the ObjectCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:ObjectCollectionType / maecBundle:Object_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_List field specifies a list of Objects that make up the collection.
Type maecBundle:ObjectListType
Instance
<maecBundle:Object_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Object>{1,unbounded}</maecBundle:Object>
</maecBundle:Object_List>
Element maecBundle:CollectionsType / maecBundle:Candidate_Indicator_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.
Type maecBundle:CandidateIndicatorCollectionListType
Instance
<maecBundle:Candidate_Indicator_Collections xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator_Collection id="" name="">{1,unbounded}</maecBundle:Candidate_Indicator_Collection>
</maecBundle:Candidate_Indicator_Collections>
Element maecBundle:CandidateIndicatorCollectionListType / maecBundle:Candidate_Indicator_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.
Type maecBundle:CandidateIndicatorCollectionType
Instance
<maecBundle:Candidate_Indicator_Collection id="" name="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Affinity_Type>{0,1}</maecBundle:Affinity_Type>
  <maecBundle:Affinity_Degree>{0,1}</maecBundle:Affinity_Degree>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Candidate_Indicator_List>{1,1}</maecBundle:Candidate_Indicator_List>
</maecBundle:Candidate_Indicator_Collection>
Attributes
QName Type Use Annotation
id maecBundle:CandidateIndicatorCollIDPattern required
The id field specifies a unique ID for this Candidate Indicator Collection. The ID must follow the pattern defined in the CandidateIndicatorCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Element maecBundle:CandidateIndicatorCollectionType / maecBundle:Candidate_Indicator_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.
Type maecBundle:CandidateIndicatorListType
Instance
<maecBundle:Candidate_Indicator_List xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Candidate_Indicator creation_datetime="" id="" lastupdate_datetime="" version="">{1,unbounded}</maecBundle:Candidate_Indicator>
</maecBundle:Candidate_Indicator_List>
Element maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action element enables description/specification of a single malware action.
Type maecBundle:MalwareActionType
Instance
<maecBundle:Action xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Implementation id="" type="">{0,1}</maecBundle:Implementation>
</maecBundle:Action>
Element maecBundle:Behavior
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior element enables description/specification of a single malware behavior.
Type maecBundle:BehaviorType
Instance
<maecBundle:Behavior duration="" id="" ordinal_position="" status="" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecBundle:Purpose>{0,1}</maecBundle:Purpose>
  <maecBundle:Description>{0,1}</maecBundle:Description>
  <maecBundle:Discovery_Method>{0,1}</maecBundle:Discovery_Method>
  <maecBundle:Action_Composition>{0,1}</maecBundle:Action_Composition>
  <maecBundle:Associated_Code>{0,1}</maecBundle:Associated_Code>
  <maecBundle:Relationships>{0,1}</maecBundle:Relationships>
</maecBundle:Behavior>
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id maecBundle:BehaviorIDPattern required
The required id field specifies a unique ID for this Behavior. The ID must follow the pattern defined in the BehaviorIDPattern simple type.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Element maecBundle:BehaviorReferenceListType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref maecBundle:BehaviorIDREFPattern required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Element maecBundle:ObjectReferenceListType / maecBundle:Object_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Reference field specifies a reference to a single CybOX Object.
Type maecBundle:ObjectReferenceType
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Complex Type maecBundle:BundleType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).
Attributes
QName Type Fixed Use Annotation
content_type maecBundle:BundleContentTypeEnum optional
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject xs:boolean required
The required defined_subject field specifies whether the subject attributes of the malware instance characterized here are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes element) or elsewhere (such as a MAEC Subject in a MAEC Package).
id maecBundle:BundleIDPattern required
The required id field specifies a unique ID for this MAEC Bundle. The ID must follow the pattern defined in the BundleIDPattern simple type.
schema_version xs:string 4.0.1 required
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the bundle was generated.
Complex Type maecBundle:AVClassificationsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.
Diagram nodes: AV_Classification
Complex Type maecBundle:AVClassificationType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.
Diagram nodes: Engine_Version, Definition_Version, Classification_Name
Type extension of ToolInformationType
Complex Type maecBundle:ProcessTreeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.
Diagram nodes: Root_Process
Complex Type maecBundle:ProcessTreeNodeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.
Diagram nodes: id, parent_action_idref, Initiated_Actions, Spawned_Process, Injected_Process
Type extension of ProcessObjectType
Complex Type maecBundle:ActionReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionReferenceListType captures a list of Action References.
Diagram nodes: Action_Reference
Simple Type maecBundle:ProcessTreeNodeIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeNodeIDPattern defines the format for acceptable Process Tree Node ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'pro', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-pro-[1-9][0-9]*)
Simple Type maecBundle:ActionIDREFPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionIDREFPattern defines the format for acceptable Action idrefs. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'act', and ending with an integer.
Type restriction of xs:string
Facets
pattern maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*
Complex Type maecBundle:BehaviorListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorListType captures a list of Behaviors.
Diagram nodes: Behavior
Complex Type maecBundle:BehaviorType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.
Diagram nodes: id, ordinal_position, status, duration, Purpose, Description, Discovery_Method, Action_Composition, Associated_Code, Relationships
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id maecBundle:BehaviorIDPattern required
The required id field specifies a unique ID for this Behavior. The ID must follow the pattern defined in the BehaviorIDPattern simple type.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Complex Type maecBundle:BehaviorPurposeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorPurposeType captures the purpose behind a malware Behavior.
Diagram nodes: Description, Vulnerability_Exploit
Complex Type maecBundle:VulnerabilityExploitType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The VulnerabilityExploitType characterizes any vulnerability that may be exploited by malware through a Behavior.
Diagram nodes: known_vulnerability, CVE, Targeted_Platforms
Attributes
QName Type Use Annotation
known_vulnerability xs:boolean optional
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Complex Type maecBundle:CVEVulnerabilityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.
Diagram nodes: cve_id, Description
Attributes
QName Type Use Annotation
cve_id xs:string required
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
Complex Type maecBundle:PlatformListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The PlatformListType captures a list of software or hardware platforms.
Diagram nodes: Platform
Complex Type maecBundle:BehavioralActionsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.
Diagram nodes: Action_Collection, Action, Action_Reference, Action_Equivalence_Reference
Complex Type maecBundle:ActionCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.
Diagram nodes: name, Affinity_Type, Affinity_Degree, Description (from BaseCollectionType); id, Action_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id maecBundle:ActionCollIDPattern required
The id field specifies a unique ID for this Action Collection. The ID must follow the pattern defined in the ActionCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Complex Type maecBundle:BaseCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BaseCollectionType is the base type for other MAEC collection types.
Diagram nodes: name, Affinity_Type, Affinity_Degree, Description
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the collection.
Complex Type maecBundle:ActionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionListType captures a list of Actions.
Diagram nodes: Action
Complex Type maecBundle:MalwareActionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required and must follow the proper syntax: a dash-delimited format is used with the id or idref starting with the word maec followed by a unique string, followed by the three letter code 'act', and ending with an integer.
Diagram nodes: Implementation
Type extension of ActionType
Complex Type maecBundle:ActionImplementationType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.
Diagram nodes: id, type, Compatible_Platforms, API_Call, Code
Attributes
QName Type Use Annotation
id maecBundle:ActionImplementationIDPattern optional
The id field specifies a unique ID for this Action Implementation. The ID must follow the pattern defined in the ActionImplementationIDPattern simple type.
type maecBundle:ActionImplementationTypeEnum required
The required type field refers to the type of Action Implementation being characterized in this element.
Complex Type maecBundle:APICallType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The APICallType provides a method for the characterization of API calls, including functions and their parameters.
Diagram nodes: function_name, normalized_function_name, Address, Return_Value, Parameters
Attributes
QName Type Use Annotation
function_name xs:string optional
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
normalized_function_name xs:string optional
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Complex Type maecBundle:ParameterListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ParameterListType captures a list of function parameters.
Diagram nodes: Parameter
Complex Type maecBundle:ParameterType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ParameterType characterizes function parameters.
Diagram nodes: ordinal_position, name, value
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the parameter.
ordinal_position xs:positiveInteger optional
This field refers to the ordinal position of the parameter with respect to the function where it is used.
value xs:string optional
The value field specifies the actual value of the parameter.
Simple Type maecBundle:ActionImplementationIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationIDPattern defines the format for acceptable Action Implementation ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'imp', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-imp-[1-9][0-9]*)
Simple Type maecBundle:ActionImplementationTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationTypeEnum represents an enumeration of action implementation types.
Type restriction of xs:string
Facets
enumeration api call
The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.
enumeration code
The code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element.
Simple Type maecBundle:ActionCollIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollIDPattern defines the format for acceptable Action Collection ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the four letter code 'actc', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-actc-[1-9][0-9]*)
Complex Type maecBundle:BehavioralActionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionType defines an Action that can be used as part of a Behavior.
Diagram nodes: Implementation (from MalwareActionType); behavioral_ordering
Type extension of maecBundle:MalwareActionType
Attributes
QName Type Use Annotation
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Complex Type maecBundle:BehavioralActionReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.
Diagram nodes: behavioral_ordering
Type extension of ActionReferenceType
Complex Type maecBundle:BehavioralActionEquivalenceReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.
Diagram nodes: action_equivalence_idref, behavioral_ordering
Attributes
QName Type Use Annotation
action_equivalence_idref maecBundle:ActionEquivalenceIDREFPattern required
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
Simple Type maecBundle:ActionEquivalenceIDREFPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionEquivalenceIDREFPattern defines the format for acceptable MAEC Action Equivalency idrefs. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the five letter code 'acteq', and ending with an integer.
Type restriction of xs:IDREF
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-acteq-[1-9][0-9]*)
Complex Type maecBundle:AssociatedCodeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AssociatedCodeType serves as a generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.
Diagram nodes: Code_Snippet
Complex Type maecBundle:BehaviorRelationshipListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.
Diagram nodes: Relationship
Complex Type maecBundle:BehaviorRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.
Diagram nodes: type, Behavior_Reference
Attributes
QName Type Use Annotation
type restriction of ActionRelationshipTypeEnum-1.0 optional
The type field specifies the nature of the relationship between Behaviors that is being captured.
Complex Type maecBundle:BehaviorReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.
Diagram nodes: behavior_idref
Attributes
QName Type Use Annotation
behavior_idref maecBundle:BehaviorIDREFPattern required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Simple Type maecBundle:BehaviorIDREFPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorIDREFPattern defines the format for acceptable Behavior idrefs. A dash-delimited format is used with the idref starting with the word maec followed by a unique string, followed by the three letter code 'bhv', and ending with an integer.
Type restriction of xs:IDREF
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-bhv-[1-9][0-9]*)
Simple Type maecBundle:BehaviorIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorIDPattern defines the format for acceptable Behavior ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'bhv', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-bhv-[1-9][0-9]*)
Complex Type maecBundle:ObjectListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectListType captures a list of CybOX Objects.
Diagram nodes: Object
Complex Type maecBundle:CandidateIndicatorListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorListType captures a list of Candidate Indicators.
Diagram nodes: Candidate_Indicator
Complex Type maecBundle:CandidateIndicatorType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.
Diagram nodes: id, creation_datetime, lastupdate_datetime, version, Importance, Numeric_Importance, Author, Description, Malware_Entity, Composition
Attributes
QName Type Use Annotation
creation_datetime xs:dateTime optional
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
id maecBundle:CandidateIndicatorIDPattern required
The id field specifies a unique ID for this Candidate Indicator. The ID must follow the pattern defined in the CandidateIndicatorIDPattern simple type.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
version xs:string optional
The version field specifies the version of the Candidate Indicator.
Complex Type maecBundle:MalwareEntityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MalwareEntityType provides a mechanism for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.
Diagram nodes: Type, Name, Description
Complex Type maecBundle:CandidateIndicatorCompositionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.
Diagram nodes: operator, Behavior_Reference, Action_Reference, Object_Reference, Sub_Composition
Attributes
QName Type Use Annotation
operator OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
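The Composition element above is a Boolean tree: each level carries an operator and holds Behavior, Action and Object references plus nested Sub_Composition levels. The following added example (not part of the MAEC schema or its reference implementation) parses a constructed Candidate_Indicator fragment with the standard library and evaluates its composition against the set of MAEC entity ids that a host scan actually matched. Assumptions made here: the operator values are "AND" and "OR" as in the CybOX OperatorTypeEnum that the page refers to but does not list; a Sub_Composition has the same structure as Composition; the Action_Reference attribute is named action_id (the CybOX ActionReferenceType is not documented on this page); and a level with no operator attribute is treated as AND.

```python
import xml.etree.ElementTree as ET
from typing import Set

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
NS = {"maecBundle": MAEC_NS}
MB = "{" + MAEC_NS + "}"

# Reference attributes recognised on the children of a Composition level.
# behavior_idref and object_idref are documented on this page; action_id is
# an assumption about the imported CybOX ActionReferenceType.
REF_ATTRIBUTES = ("behavior_idref", "object_idref", "action_id")

# Constructed sample: "bhv-1 AND (act-3 OR obj-7)". Ids are illustrative.
SAMPLE_INDICATOR = f"""<maecBundle:Candidate_Indicator xmlns:maecBundle="{MAEC_NS}"
    id="maec-example-ind-1">
  <maecBundle:Composition operator="AND">
    <maecBundle:Behavior_Reference behavior_idref="maec-example-bhv-1"/>
    <maecBundle:Sub_Composition operator="OR">
      <maecBundle:Action_Reference action_id="maec-example-act-3"/>
      <maecBundle:Object_Reference object_idref="maec-example-obj-7"/>
    </maecBundle:Sub_Composition>
  </maecBundle:Composition>
</maecBundle:Candidate_Indicator>"""


def _reference_value(el: ET.Element) -> str:
    """Return the id that a *_Reference child points at."""
    for name in REF_ATTRIBUTES:
        if name in el.attrib:
            return el.attrib[name]
    raise ValueError(f"unrecognised reference element {el.tag}")


def evaluate_composition(level: ET.Element, present: Set[str]) -> bool:
    """Recursively evaluate one Composition / Sub_Composition level.

    `present` is the set of MAEC entity ids (behaviors, actions, objects)
    that were observed on the host. Each reference becomes a leaf truth
    value; Sub_Composition levels recurse. A missing operator defaults
    to AND (assumption, the attribute is optional in the schema) and an
    empty level matches nothing so that it can never fire by accident.
    """
    operator = level.get("operator", "AND").upper()
    if operator not in ("AND", "OR"):
        raise ValueError(f"unsupported operator {operator!r}")
    results = []
    for child in level:
        if child.tag == MB + "Sub_Composition":
            results.append(evaluate_composition(child, present))
        else:
            results.append(_reference_value(child) in present)
    if not results:
        return False
    return all(results) if operator == "AND" else any(results)


def indicator_matches(xml_text: str, present: Set[str]) -> bool:
    """True if the Candidate Indicator's Composition is satisfied by `present`."""
    root = ET.fromstring(xml_text)
    composition = root.find("maecBundle:Composition", NS)
    if composition is None:
        raise ValueError("Candidate_Indicator has no Composition element")
    return evaluate_composition(composition, present)


def referenced_ids(xml_text: str) -> Set[str]:
    """Every entity id the indicator references; each must resolve to an
    id inside the same Bundle, which a caller can cross-check."""
    root = ET.fromstring(xml_text)
    found = set()
    for el in root.iter():
        for name in REF_ATTRIBUTES:
            if name in el.attrib:
                found.add(el.attrib[name])
    return found


if __name__ == "__main__":
    host_findings = {"maec-example-bhv-1", "maec-example-obj-7"}
    print("references:", sorted(referenced_ids(SAMPLE_INDICATOR)))
    print("indicator fires:", indicator_matches(SAMPLE_INDICATOR, host_findings))
```

The evaluator is deliberately strict about unknown operators and empty levels: a detection rule that silently evaluates to true on malformed input is worse than one that fails loudly during validation.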
Complex Type maecBundle:ObjectReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.
Diagram nodes: object_idref
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Simple Type maecBundle:CandidateIndicatorIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorIDPattern simple type defines the format for acceptable Candidate Indicator IDs. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'ind', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-ind-[1-9][0-9]*)
Complex Type maecBundle:CollectionsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CollectionsType captures the various types of MAEC entity collections.
Diagram nodes: Behavior_Collections, Action_Collections, Object_Collections, Candidate_Indicator_Collections
Complex Type maecBundle:BehaviorCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollectionListType captures a list of Behavior Collections.
Diagram nodes: Behavior_Collection
Complex Type maecBundle:BehaviorCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollectionType provides a mechanism for characterizing collections of behaviors.
Diagram nodes: name, Affinity_Type, Affinity_Degree, Description (from BaseCollectionType); id, Purpose, Behavior_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id maecBundle:BehaviorCollIDPattern required
The id field specifies a unique ID for this Behavior Collection. The ID must follow the pattern defined in the BehaviorCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Simple Type maecBundle:BehaviorCollIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollIDPattern defines the format for acceptable Behavior Collection ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the four letter code 'bhvc', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-bhvc-[1-9][0-9]*)
Complex Type maecBundle:ActionCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollectionListType captures a list of Action Collections.
Diagram nodes: Action_Collection
Complex Type maecBundle:ObjectCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollectionListType captures a list of Object Collections.
Diagram nodes: Object_Collection
Complex Type maecBundle:ObjectCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollectionType provides a mechanism for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.
Diagram nodes: name, Affinity_Type, Affinity_Degree, Description (from BaseCollectionType); id, Object_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id maecBundle:ObjectCollIDPattern required
The id attribute specifies a unique ID for this Object Collection. The ID must follow the pattern defined in the ObjectCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Simple Type maecBundle:ObjectCollIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollIDPattern simple type defines the format for acceptable Object Collection ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the four letter code 'objc', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-objc-[1-9][0-9]*)
Complex Type maecBundle:CandidateIndicatorCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollectionListType captures a list of Candidate Indicator Collections.
Diagram nodes: Candidate_Indicator_Collection
Complex Type maecBundle:CandidateIndicatorCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollectionType provides a mechanism for characterizing collections of Candidate Indicators.
Diagram nodes: name, Affinity_Type, Affinity_Degree, Description (from BaseCollectionType); id, Candidate_Indicator_List
Type extension of maecBundle:BaseCollectionType
Attributes
QName Type Use Annotation
id maecBundle:CandidateIndicatorCollIDPattern required
The id field specifies a unique ID for this Candidate Indicator Collection. The ID must follow the pattern defined in the CandidateIndicatorCollIDPattern simple type.
name xs:string optional
The name field specifies the name of the collection.
Simple Type maecBundle:CandidateIndicatorCollIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollIDPattern simple type defines the format for acceptable Candidate Indicator Collection IDs. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the four letter code 'indc', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-indc-[1-9][0-9]*)
Simple Type maecBundle:BundleIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleIDPattern defines the format for acceptable Bundle ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'bnd', and ending with an integer.
Diagram
Diagram
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-bnd-[1-9][0-9]*)
[ top ]
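Both ID patterns above (CandidateIndicatorCollIDPattern and BundleIDPattern) are xs:ID restrictions with three pattern facets joined by '&', meaning a value must satisfy every one of them, and xs:ID additionally requires each ID to be unique within the document. The following checker is an added example, not part of the schema or its tooling; it approximates the XSD \i and \c name classes with ASCII classes, and the sample document and the nesting of Candidate_Indicator_Collection elements in it are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"

# The two xs:ID facets shared by both patterns, approximated with ASCII
# classes (assumption: the XSD \i and \c classes also admit non-ASCII letters).
XS_ID_FACETS = [
    r"[A-Za-z_:][A-Za-z0-9_.\-:]*",  # (\i\c*): an XML Name
    r"[A-Za-z_][A-Za-z0-9_.\-]*",    # ([\i-[:]][\c-[:]]*): no colon, i.e. an NCName
]

def failed_facets(value, code):
    """Patterns that `value` fails; an empty list means the ID is acceptable.
    `code` is the type-specific letter code from the schema: 'bnd' for Bundles,
    'indc' for Candidate Indicator Collections. Every facet must match ('&')."""
    facets = XS_ID_FACETS + [rf"maec-[A-Za-z0-9_\-\.]+-{code}-[1-9][0-9]*"]
    return [p for p in facets if re.fullmatch(p, value) is None]

def validate_bundle_ids(xml_text):
    """Check the root MAEC_Bundle id and every Candidate_Indicator_Collection id,
    plus the xs:ID rule that an id occurs only once per document.
    Returns a list of (id, problem) tuples; empty means all ids are acceptable."""
    root = ET.fromstring(xml_text)
    wanted = {f"{{{NS}}}MAEC_Bundle": "bnd",
              f"{{{NS}}}Candidate_Indicator_Collection": "indc"}
    problems, seen = [], set()
    for el in root.iter():  # iter() finds the elements at any depth
        code = wanted.get(el.tag)
        if code is None:
            continue
        ident = el.get("id", "")
        for pattern in failed_facets(ident, code):
            problems.append((ident, f"does not match {pattern}"))
        if ident in seen:
            problems.append((ident, "duplicate xs:ID in document"))
        seen.add(ident)
    return problems

# Constructed sample (not from the page): one good id, a leading-zero integer,
# a colon (breaks the NCName facet), and a duplicate.
SAMPLE = f"""<maecBundle:MAEC_Bundle xmlns:maecBundle="{NS}"
    id="maec-example-bnd-1" schema_version="4.0.1">
  <maecBundle:Candidate_Indicator_Collection id="maec-example-indc-1"/>
  <maecBundle:Candidate_Indicator_Collection id="maec-example-indc-01"/>
  <maecBundle:Candidate_Indicator_Collection id="maec-ex:ample-indc-2"/>
  <maecBundle:Candidate_Indicator_Collection id="maec-example-indc-1"/>
</maecBundle:MAEC_Bundle>"""

if __name__ == "__main__":
    for ident, why in validate_bundle_ids(SAMPLE):
        print(f"{ident}: {why}")
```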
Simple Type maecBundle:BundleContentTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.
Diagram
Type restriction of xs:string
Facets
enumeration dynamic analysis tool output
The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.
enumeration static analysis tool output
The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.
enumeration manual analysis output
The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.
enumeration extracted from subject
The extracted from subject value specifies that the Bundle primarily captures data that was extracted from the Malware Subject, such as some PE Header fields.
enumeration mixed
The mixed value specifies that the Bundle captures a mix of forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.
enumeration other
The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.
[ top ]
Complex Type maecBundle:BehaviorReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorReferenceListType captures a list of Behavior References.
Diagram
[ top ]
Complex Type maecBundle:ObjectReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectReferenceListType captures a list of references to CybOX Objects.
Diagram