MAEC Vocabularies

The MAEC Vocabularies represent a set of default controlled vocabularies for use in MAEC content and were created to take advantage of the extension mechanisms provided by the Cyber Observables eXpression (CybOX™) controlled vocabulary implementation. These vocabularies serve to capture the various enumerations used throughout the language. Some examples of vocabularies include those for capturing file Action names, child objectives of the persistence Capability, and Malware Subject -> Malware Subject relationships.

These vocabularies are broken out from the MAEC Bundle, MAEC Package, and MAEC Container schemas to support customized extension and replacement. However, it is expected that most MAEC authors will use the provided default vocabularies, and thus most tools that parse MAEC data should support those vocabularies where appropriate.


Default Vocabularies

MAEC default vocabularies are referenced from MAEC elements by using the xsi:type extension mechanism to indicate which default vocabulary a particular element uses. For example, to specify the 'download file' Action name, one would use the 'NetworkActionNameVocab' default vocabulary, which includes this value:

<maecBundle:Action id="maec-example-act-1">
    <cybox:Name xsi:type="maecVocabs:NetworkActionNameVocab-1.0">download file</cybox:Name>
</maecBundle:Action>

Please see the MAEC Language Specification, schema annotations, and/or examples included in the current release of the MAEC Language for additional information.


Non-Default Vocabularies

To use a non-default vocabulary, one may similarly use the xsi:type extension mechanism to indicate which custom vocabulary a particular element uses. For example, to use a custom 'foo' vocabulary in the Action name example above, one would add the appropriate namespace declaration (xmlns:fooVocabs="http://foo/fooVocabulary-1" for the sake of this example) and schemaLocation declaration to the MAEC document, and then reference and use the vocabulary like any default vocabulary:

<maecBundle:Action id="maec-example-act-2">
    <cybox:Name xsi:type="fooVocabs:fooVocabulary">some custom action</cybox:Name>
</maecBundle:Action>

Any element that uses the controlled vocabulary implementation can also accept an arbitrary value without specifying any vocabulary, which may be useful in certain instances. This is achieved simply by omitting the xsi:type attribute from the element. To continue with the above examples, we could also specify a custom Action name that is not part of a vocabulary:

<maecBundle:Action id="maec-example-act-3">
    <cybox:Name>another custom action</cybox:Name>
</maecBundle:Action>

Please see the MAEC Language Specification, schema annotations, and/or examples included in the current release of the MAEC Language for additional information.
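
The following is an added example, not code from the MAEC release: a consumer that sorts each cybox:Name into default-vocabulary, custom-vocabulary, or no-vocabulary by resolving the xsi:type prefix against the namespace declarations in scope, so a document that rebinds the maecVocabs prefix is not mistaken for default-vocabulary content. The namespace URIs for MAEC and CybOX are assumed from the MAEC 4.1 / CybOX 2.1 schemas, the function names are hypothetical, and the sample document (including maec-example-act-4) is constructed.

```python
import io
import xml.etree.ElementTree as ET

# Assumed namespace URIs (MAEC 4.1 / CybOX 2.1); confirm against your schemas.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CYBOX_NAME = "{http://cybox.mitre.org/cybox-2}Name"
MAEC_VOCABS_NS = "http://maec.mitre.org/default_vocabularies-1"

# Constructed sample (not schema-valid); act-4 rebinds the maecVocabs prefix.
SAMPLE = b"""<maecBundle:Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:maecVocabs="http://maec.mitre.org/default_vocabularies-1"
    xmlns:fooVocabs="http://foo/fooVocabulary-1">
  <maecBundle:Action id="maec-example-act-1"><cybox:Name xsi:type="maecVocabs:NetworkActionNameVocab-1.0">download file</cybox:Name></maecBundle:Action>
  <maecBundle:Action id="maec-example-act-2"><cybox:Name xsi:type="fooVocabs:fooVocabulary">some custom action</cybox:Name></maecBundle:Action>
  <maecBundle:Action id="maec-example-act-3"><cybox:Name>another custom action</cybox:Name></maecBundle:Action>
  <maecBundle:Action id="maec-example-act-4" xmlns:maecVocabs="http://foo/fooVocabulary-1"><cybox:Name xsi:type="maecVocabs:NetworkActionNameVocab-1.0">download file</cybox:Name></maecBundle:Action>
</maecBundle:Bundle>"""

def classify(elem, nsmap):
    """Return (value, kind, vocab) for one cybox:Name element."""
    value = (elem.text or "").strip()
    qname = elem.get(XSI_TYPE)
    if qname is None:                      # no xsi:type: free-form value
        return (value, "none", None)
    prefix, _, local = qname.strip().rpartition(":")
    uri = nsmap.get(prefix)                # resolve prefix, never trust its spelling
    if uri is None:
        return (value, "unresolved", qname)
    kind = "default" if uri == MAEC_VOCABS_NS else "custom"
    return (value, kind, "{%s}%s" % (uri, local))

def classify_names(xml_bytes):
    """Classify every cybox:Name, tracking in-scope namespace declarations."""
    results, scopes, pending = [], [{}], {}
    parser = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start", "end"))
    for event, item in parser:
        if event == "start-ns":            # emitted before the declaring element's start
            pending[item[0]] = item[1]
        elif event == "start":
            scopes.append({**scopes[-1], **pending})
            pending = {}
        else:                              # "end": element text is complete here
            if item.tag == CYBOX_NAME:
                results.append(classify(item, scopes[-1]))
            scopes.pop()
    return results

if __name__ == "__main__":
    print(*classify_names(SAMPLE), sep="\n")
```

Values classified as "custom", "none" or "unresolved" are free text from the document's author and should be treated as untrusted input by whatever consumes them.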


Feedback Requested

We encourage you to help build this growing, open-source industry effort by joining the MAEC Community and participating in the next version of the MAEC Language.


Page Last Updated: April 25, 2014