Imported schema maec_bundle_schema.xsd
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) Bundle schema.
The MAEC Bundle Schema is maintained by The MITRE Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
This schema imports the CybOX schema and object schemas. More info on CybOX can be found at http://cybox.mitre.org.
Element maecBundle:ObjectReferenceListType / maecBundle:Object_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Reference field specifies a reference to a single CybOX Object.
Type maecBundle:ObjectReferenceType
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Source
<xs:element maxOccurs="unbounded" name="Object_Reference" type="maecBundle:ObjectReferenceType">
  <xs:annotation>
    <xs:documentation>The Object_Reference field specifies a reference to a single CybOX Object.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:Malware_Instance_Object_Attributes
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.
Type cybox:ObjectType
Children cybox:Defined_Effect, cybox:Description, cybox:Discovery_Method, cybox:Domain_Specific_Object_Properties, cybox:Location, cybox:Properties, cybox:Related_Objects, cybox:State
Attributes
QName Type Use Annotation
has_changed xs:boolean optional
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
id xs:QName optional
The id field specifies a unique id for this Object.
idref xs:QName optional
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element minOccurs="0" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType">
  <xs:annotation>
    <xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:AV_Classifications
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.
Type maecBundle:AVClassificationsType
Children maecBundle:AV_Classification
Source
<xs:element minOccurs="0" name="AV_Classifications" type="maecBundle:AVClassificationsType">
  <xs:annotation>
    <xs:documentation>The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:AVClassificationsType / maecBundle:AV_Classification
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AV_Classification field captures a single AV classification of the malware instance object.
Type maecBundle:AVClassificationType
Children cyboxCommon:Compensation_Model, cyboxCommon:Description, cyboxCommon:Errors, cyboxCommon:Execution_Environment, cyboxCommon:Metadata, cyboxCommon:Name, cyboxCommon:References, cyboxCommon:Service_Pack, cyboxCommon:Tool_Configuration, cyboxCommon:Tool_Hashes, cyboxCommon:Tool_Specific_Data, cyboxCommon:Type, cyboxCommon:Vendor, cyboxCommon:Version, maecBundle:Classification_Name, maecBundle:Definition_Version, maecBundle:Engine_Version
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Tool.
idref xs:QName optional
The idref field specifies reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Source
<xs:element maxOccurs="unbounded" name="AV_Classification" type="maecBundle:AVClassificationType">
  <xs:annotation>
    <xs:documentation>The AV_Classification field captures a single AV classification of the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:AVClassificationType / maecBundle:Engine_Version
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.
Type xs:string
Source
<xs:element minOccurs="0" name="Engine_Version" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:AVClassificationType / maecBundle:Definition_Version
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.
Type xs:string
Source
<xs:element minOccurs="0" name="Definition_Version" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:AVClassificationType / maecBundle:Classification_Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.
Type xs:string
Source
<xs:element minOccurs="0" name="Classification_Name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:Process_Tree
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.
Type maecBundle:ProcessTreeType
Children maecBundle:Root_Process
Source
<xs:element minOccurs="0" name="Process_Tree" type="maecBundle:ProcessTreeType">
  <xs:annotation>
    <xs:documentation>The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ProcessTreeType / maecBundle:Root_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Root_Process field captures the root process in the process tree.
Type maecBundle:ProcessTreeNodeType
Children ProcessObj:Argument_List, ProcessObj:Child_PID_List, ProcessObj:Creation_Time, ProcessObj:Environment_Variable_List, ProcessObj:Extracted_Features, ProcessObj:Image_Info, ProcessObj:Kernel_Time, ProcessObj:Name, ProcessObj:Network_Connection_List, ProcessObj:PID, ProcessObj:Parent_PID, ProcessObj:Port_List, ProcessObj:Start_Time, ProcessObj:Status, ProcessObj:User_Time, ProcessObj:Username, cyboxCommon:Custom_Properties, maecBundle:Initiated_Actions, maecBundle:Injected_Process, maecBundle:Spawned_Process
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Source
<xs:element name="Root_Process" type="maecBundle:ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The Root_Process field captures the root process in the process tree.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ProcessTreeNodeType / maecBundle:Initiated_Actions
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.
Type maecBundle:ActionReferenceListType
Children maecBundle:Action_Reference
Source
<xs:element minOccurs="0" name="Initiated_Actions" type="maecBundle:ActionReferenceListType">
  <xs:annotation>
    <xs:documentation>The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionReferenceListType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action.
Type cybox:ActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
Source
<xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Reference field specifies a reference to a single Action.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ProcessTreeNodeType / maecBundle:Spawned_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Spawned_Process field captures a single child process spawned by this process.
Type maecBundle:ProcessTreeNodeType
Children ProcessObj:Argument_List, ProcessObj:Child_PID_List, ProcessObj:Creation_Time, ProcessObj:Environment_Variable_List, ProcessObj:Extracted_Features, ProcessObj:Image_Info, ProcessObj:Kernel_Time, ProcessObj:Name, ProcessObj:Network_Connection_List, ProcessObj:PID, ProcessObj:Parent_PID, ProcessObj:Port_List, ProcessObj:Start_Time, ProcessObj:Status, ProcessObj:User_Time, ProcessObj:Username, cyboxCommon:Custom_Properties, maecBundle:Initiated_Actions, maecBundle:Injected_Process, maecBundle:Spawned_Process
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Spawned_Process" type="maecBundle:ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The Spawned_Process field captures a single child process spawned by this process.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ProcessTreeNodeType / maecBundle:Injected_Process
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Injected_Process field captures a single process that was injected by this process.
Type maecBundle:ProcessTreeNodeType
Children ProcessObj:Argument_List, ProcessObj:Child_PID_List, ProcessObj:Creation_Time, ProcessObj:Environment_Variable_List, ProcessObj:Extracted_Features, ProcessObj:Image_Info, ProcessObj:Kernel_Time, ProcessObj:Name, ProcessObj:Network_Connection_List, ProcessObj:PID, ProcessObj:Parent_PID, ProcessObj:Port_List, ProcessObj:Start_Time, ProcessObj:Status, ProcessObj:User_Time, ProcessObj:Username, cyboxCommon:Custom_Properties, maecBundle:Initiated_Actions, maecBundle:Injected_Process, maecBundle:Spawned_Process
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Injected_Process" type="maecBundle:ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The Injected_Process field captures a single process that was injected by this process.</xs:documentation>
  </xs:annotation>
</xs:element>
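An added example (not part of the MAEC schema or of MITRE's tooling): a reference-integrity audit of the Process_Tree structure described above, which flattens Root_Process, Spawned_Process and Injected_Process nodes and reports any Action_Reference action_id or parent_action_idref that does not resolve to an Action defined in the Bundle. Assumptions not taken from this page: the MAEC_Bundle root element name, Action elements living in the maecBundle namespace, the ProcessObj namespace URI, and the constructed `ex:` ids; QName ids are compared as plain strings.

```python
import xml.etree.ElementTree as ET

MAEC = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
PROC = "http://cybox.mitre.org/objects#ProcessObject-2"  # assumed CybOX Process object namespace

# Constructed sample, trimmed for the example (not schema-valid as a full Bundle).
SAMPLE_BUNDLE = """\
<maecBundle:MAEC_Bundle xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2"
    xmlns:ex="http://example.com/" id="ex:bundle-1">
  <maecBundle:Actions>
    <maecBundle:Action id="ex:act-1"/>
    <maecBundle:Action id="ex:act-2"/>
  </maecBundle:Actions>
  <maecBundle:Process_Tree>
    <maecBundle:Root_Process id="ex:proc-1">
      <ProcessObj:Name>sample.exe</ProcessObj:Name>
      <maecBundle:Initiated_Actions>
        <maecBundle:Action_Reference action_id="ex:act-1"/>
        <maecBundle:Action_Reference action_id="ex:act-2"/>
      </maecBundle:Initiated_Actions>
      <maecBundle:Spawned_Process id="ex:proc-2" parent_action_idref="ex:act-1"
                                  ordinal_position="1">
        <ProcessObj:Name>child.exe</ProcessObj:Name>
      </maecBundle:Spawned_Process>
      <maecBundle:Injected_Process id="ex:proc-3" parent_action_idref="ex:act-9"
                                   ordinal_position="2">
        <ProcessObj:Name>host.exe</ProcessObj:Name>
        <maecBundle:Initiated_Actions>
          <maecBundle:Action_Reference action_id="ex:act-7"/>
        </maecBundle:Initiated_Actions>
      </maecBundle:Injected_Process>
    </maecBundle:Root_Process>
  </maecBundle:Process_Tree>
</maecBundle:MAEC_Bundle>
"""


def q(ns, name):
    """Build the '{namespace}local' tag form that ElementTree uses."""
    return "{%s}%s" % (ns, name)


CHILD_KINDS = {
    q(MAEC, "Spawned_Process"): "spawned",
    q(MAEC, "Injected_Process"): "injected",
}


def audit_process_tree(xml_text):
    """Return (nodes, findings) for the Bundle's Process_Tree.

    nodes    : [(depth, relation, process_id, process_name), ...] in document order
    findings : [(kind, process_id, offending_value), ...]
    """
    # The stdlib parser is fine for the embedded sample; bundles received from
    # untrusted sources should go through a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    # Every Action with an id, whether under Actions or inside a Collection.
    action_ids = {a.get("id") for a in root.iter(q(MAEC, "Action")) if a.get("id")}
    nodes, findings, seen = [], [], set()

    def visit(node, relation, depth):
        nid = node.get("id")
        if nid is None:
            findings.append(("missing-id", None, relation))  # id is required
        elif nid in seen:
            findings.append(("duplicate-id", nid, nid))      # id must be unique
        seen.add(nid)
        nodes.append((depth, relation, nid, node.findtext(q(PROC, "Name"))))

        pos = node.get("ordinal_position")
        if pos is not None:
            try:
                ok = int(pos) > 0                             # xs:positiveInteger
            except ValueError:
                ok = False
            if not ok:
                findings.append(("bad-ordinal-position", nid, pos))

        parent_action = node.get("parent_action_idref")
        if parent_action is not None and parent_action not in action_ids:
            findings.append(("unresolved-parent-action", nid, parent_action))

        ref_path = q(MAEC, "Initiated_Actions") + "/" + q(MAEC, "Action_Reference")
        for ref in node.findall(ref_path):
            action_id = ref.get("action_id")                  # required attribute
            if action_id not in action_ids:
                findings.append(("unresolved-action-reference", nid, action_id))

        for child in node:
            if child.tag in CHILD_KINDS:
                visit(child, CHILD_KINDS[child.tag], depth + 1)

    top = root.find(q(MAEC, "Process_Tree") + "/" + q(MAEC, "Root_Process"))
    if top is not None:
        visit(top, "root", 0)
    return nodes, findings


if __name__ == "__main__":
    tree_nodes, problems = audit_process_tree(SAMPLE_BUNDLE)
    for depth, relation, pid, name in tree_nodes:
        print("  " * depth + "%s %s (%s)" % (relation, pid, name))
    for kind, pid, value in problems:
        print("FINDING %s on %s: %r" % (kind, pid, value))
```
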
Element maecBundle:BundleType / maecBundle:Capabilities
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.
Type maecBundle:CapabilityListType
Children maecBundle:Capability, maecBundle:Capability_Reference
Source
<xs:element minOccurs="0" name="Capabilities" type="maecBundle:CapabilityListType">
  <xs:annotation>
    <xs:documentation>The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityListType / maecBundle:Capability
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.
Type maecBundle:CapabilityType
Children maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Property, maecBundle:Relationship, maecBundle:Strategic_Objective, maecBundle:Tactical_Objective
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this MAEC Capability.
name maecVocabs:MalwareCapabilityEnum-1.0 optional
The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.
Source
<xs:element maxOccurs="1" minOccurs="1" name="Capability" type="maecBundle:CapabilityType">
  <xs:annotation>
    <xs:documentation>The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field captures a basic textual description of the Capability.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field captures a basic textual description of the Capability.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityType / maecBundle:Property
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.
Type maecBundle:CapabilityPropertyType
Children maecBundle:Name, maecBundle:Value
Source
<xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityPropertyType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityPropertyType / maecBundle:Value
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Value field specifies the value of the property being captured.
Type cyboxCommon:StringObjectPropertyType
Attributes
QName Type Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum string optional
This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
observed_encoding xs:string optional
This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.
It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).
This field is intended to be applicable only to fields which contain string values.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element minOccurs="0" name="Value" type="cyboxCommon:StringObjectPropertyType">
  <xs:annotation>
    <xs:documentation>The Value field specifies the value of the property being captured.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityType / maecBundle:Strategic_Objective
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.
Type maecBundle:CapabilityObjectiveType
Children maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Name, maecBundle:Property, maecBundle:Relationship
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this Capability Objective.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Strategic_Objective" type="maecBundle:CapabilityObjectiveType">
  <xs:annotation>
    <xs:documentation>The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityObjectiveType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Name" minOccurs="0" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
  </xs:annotation>
</xs:element>
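The pattern attributes documented above (condition, apply_condition, delimiter, is_case_sensitive, regex_syntax) interact in ways that are easy to get wrong in a consumer. The following sketch is an added example, not code from the MAEC or CybOX projects; the function names are hypothetical, Python's re module stands in for a regular expression engine, and treating a FitsPattern body as a single unsplit pattern is an assumption.

```python
import re

DEFAULT_DELIMITER = "##comma##"  # schema default for the delimiter attribute


def xs_bool(text, default):
    """Parse an xs:boolean lexical value ('true', 'false', '1', '0')."""
    if text is None:
        return default
    value = text.strip()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {text!r}")


# The string conditions that the is_case_sensitive annotation lists.
STRING_CONDITIONS = {
    "Equals": lambda observed, value: observed == value,
    "DoesNotEqual": lambda observed, value: observed != value,
    "Contains": lambda observed, value: value in observed,
    "DoesNotContain": lambda observed, value: value not in observed,
    "StartsWith": lambda observed, value: observed.startswith(value),
    "EndsWith": lambda observed, value: observed.endswith(value),
}


def field_matches(attrs, body, observed):
    """Evaluate one pattern field against an observed string.

    attrs    -- the field's XML attributes as a dict of strings
    body     -- the field's text content (one value or a delimited list)
    observed -- the value seen on the system under analysis
    """
    condition = attrs.get("condition")
    if condition is None:
        raise ValueError("no condition attribute: the field is not a pattern")
    case_sensitive = xs_bool(attrs.get("is_case_sensitive"), True)

    if condition == "FitsPattern":
        # A non-empty regex_syntax announces a dialect outside the CybOX
        # Language Specification; refuse rather than guess at its meaning.
        if attrs.get("regex_syntax"):
            raise NotImplementedError(
                f"regex_syntax {attrs['regex_syntax']!r} needs a compatible engine")
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(body, observed, flags) is not None

    if condition not in STRING_CONDITIONS:
        raise ValueError(f"condition not handled in this example: {condition!r}")
    apply_condition = attrs.get("apply_condition", "ANY")
    if apply_condition not in ("ANY", "ALL"):
        raise ValueError(f"bad apply_condition: {apply_condition!r}")
    delimiter = attrs.get("delimiter", DEFAULT_DELIMITER)
    if delimiter == "":
        raise ValueError("empty delimiter")

    values = body.split(delimiter)
    if not case_sensitive:
        observed = observed.casefold()
        values = [value.casefold() for value in values]
    test = STRING_CONDITIONS[condition]
    results = [test(observed, value) for value in values]
    return any(results) if apply_condition == "ANY" else all(results)


# Constructed sample: an exclusion list written with DoesNotEqual.
EXCLUDED = "cmd.exe##comma##powershell.exe"

if __name__ == "__main__":
    # With the default ANY, every observed value differs from at least one
    # list entry, so the pattern matches everything, including cmd.exe.
    print(field_matches({"condition": "DoesNotEqual"}, EXCLUDED, "cmd.exe"))
    # ALL gives the intended "none of these" meaning.
    print(field_matches({"condition": "DoesNotEqual", "apply_condition": "ALL"},
                        EXCLUDED, "cmd.exe"))
```

A negated condition over a list almost always needs apply_condition="ALL"; with the default ANY it matches every input once the list holds two distinct values.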
Element maecBundle:CapabilityObjectiveType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field captures a basic textual description of the Capability Objective.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field captures a basic textual description of the Capability Objective.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityObjectiveType / maecBundle:Property
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.
Type maecBundle:CapabilityPropertyType
Children maecBundle:Name, maecBundle:Value
Source
<xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityObjectiveType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Source
<xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityObjectiveType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.
Type maecBundle:CapabilityObjectiveRelationshipType
Children maecBundle:Objective_Reference, maecBundle:Relationship_Type
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Relationship" type="maecBundle:CapabilityObjectiveRelationshipType">
  <xs:annotation>
    <xs:documentation>The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityObjectiveRelationshipType / maecBundle:Relationship_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityObjectiveRelationshipType / maecBundle:Objective_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Objective_Reference field references a single Capability Objective (either Strategic or Objective) in the relationship.
Type maecBundle:CapabilityObjectiveReferenceType
Attributes
QName Type Use Annotation
objective_idref xs:QName required
The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.
Source
<xs:element maxOccurs="unbounded" minOccurs="1" name="Objective_Reference" type="maecBundle:CapabilityObjectiveReferenceType">
  <xs:annotation>
    <xs:documentation>The Objective_Reference field references a single Capability Objective (either Strategic or Objective) in the relationship.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityType / maecBundle:Tactical_Objective
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.
Type maecBundle:CapabilityObjectiveType
Children maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Name, maecBundle:Property, maecBundle:Relationship
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this Capability Objective.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Tactical_Objective" type="maecBundle:CapabilityObjectiveType">
  <xs:annotation>
    <xs:documentation>The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Source
<xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field captures a relationship from the Capability to one or more other Capabilities.
Type maecBundle:CapabilityRelationshipType
Children maecBundle:Capability_Reference, maecBundle:Relationship_Type
Source
<xs:element minOccurs="0" name="Relationship" maxOccurs="unbounded" type="maecBundle:CapabilityRelationshipType">
  <xs:annotation>
    <xs:documentation>The Relationship field captures a relationship from the Capability to one or more other Capabilities.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityRelationshipType / maecBundle:Relationship_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship_Type field captures the type of relationship being expressed between Capabilities.
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Capabilities.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityRelationshipType / maecBundle:Capability_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capability_Reference field references a single Capability in the relationship, via its ID.
Type maecBundle:CapabilityReferenceType
Attributes
QName Type Use Annotation
capability_idref xs:QName required
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Source
<xs:element maxOccurs="unbounded" minOccurs="1" name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
  <xs:annotation>
    <xs:documentation>The Capability_Reference field references a single Capability in the relationship, via its ID.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CapabilityListType / maecBundle:Capability_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.
Type maecBundle:CapabilityReferenceType
Attributes
QName Type Use Annotation
capability_idref xs:QName required
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Source
<xs:element name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
  <xs:annotation>
    <xs:documentation>The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
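The behavior_idref, objective_idref and capability_idref attributes are typed xs:QName, so schema validation alone does not confirm that the referenced Behavior, Objective or Capability exists in the document. The following referential-integrity check is an added example, not part of the MAEC schema or tooling; the function name, the sample fragment and its ids are constructed, ids are compared in their lexical form without prefix resolution, and the Capabilities/Capability wrapper elements with an id attribute are assumed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"

# Elements whose id attribute defines a referenceable entity, by kind.
ID_BEARING = {
    "Behavior": "behavior",
    "Capability": "capability",          # assumed to carry an id attribute
    "Strategic_Objective": "objective",
    "Tactical_Objective": "objective",
}

# Reference elements: local name -> (attribute holding the idref, kind).
REFERENCES = {
    "Behavior_Reference": ("behavior_idref", "behavior"),
    "Capability_Reference": ("capability_idref", "capability"),
    "Objective_Reference": ("objective_idref", "objective"),
}


def check_references(xml_text):
    """Return a sorted list of (finding, element-or-kind, value) tuples."""
    # For bundles from untrusted sources, parse with a hardened parser
    # (for example the defusedxml package) instead of plain ElementTree.
    root = ET.fromstring(xml_text)
    prefix = "{%s}" % NS
    defined = {"behavior": Counter(), "capability": Counter(), "objective": Counter()}
    references = []

    for element in root.iter():
        if not element.tag.startswith(prefix):
            continue  # element from another namespace, e.g. CybOX
        local = element.tag[len(prefix):]
        if local in ID_BEARING and element.get("id") is not None:
            defined[ID_BEARING[local]][element.get("id")] += 1
        elif local in REFERENCES:
            attribute, kind = REFERENCES[local]
            references.append((local, attribute, kind, element.get(attribute)))

    findings = []
    for kind, counts in defined.items():
        for identifier, count in counts.items():
            if count > 1:  # the id annotations require a unique ID
                findings.append(("duplicate-id", kind, identifier))
    for local, attribute, kind, target in references:
        if target is None:
            findings.append(("missing-attribute", local, attribute))
        elif target not in defined[kind]:
            findings.append(("dangling-reference", local, target))
    return sorted(findings)


# Constructed fragment (not schema-complete): example:bhv-2 and
# example:tobj-9 are referenced but never defined.
SAMPLE = """
<maecBundle:MAEC_Bundle
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:example="http://example.com/" id="example:bnd-1">
  <maecBundle:Capabilities>
    <maecBundle:Capability id="example:cap-1">
      <maecBundle:Strategic_Objective id="example:sobj-1">
        <maecBundle:Behavior_Reference behavior_idref="example:bhv-1"/>
        <maecBundle:Relationship>
          <maecBundle:Objective_Reference objective_idref="example:tobj-9"/>
        </maecBundle:Relationship>
      </maecBundle:Strategic_Objective>
      <maecBundle:Tactical_Objective id="example:tobj-1"/>
      <maecBundle:Behavior_Reference behavior_idref="example:bhv-2"/>
      <maecBundle:Relationship>
        <maecBundle:Capability_Reference capability_idref="example:cap-1"/>
      </maecBundle:Relationship>
    </maecBundle:Capability>
  </maecBundle:Capabilities>
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="example:bhv-1"/>
  </maecBundle:Behaviors>
</maecBundle:MAEC_Bundle>
"""

if __name__ == "__main__":
    for finding in check_references(SAMPLE):
        print(finding)
```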
Element maecBundle:BundleType / maecBundle:Behaviors
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.
Type maecBundle:BehaviorListType
Children maecBundle:Behavior
Source
<xs:element minOccurs="0" name="Behaviors" type="maecBundle:BehaviorListType">
  <xs:annotation>
    <xs:documentation>The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorListType / maecBundle:Behavior
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior field specifies a single Behavior in the list.
Type maecBundle:BehaviorType
Children maecBundle:Action_Composition, maecBundle:Associated_Code, maecBundle:Description, maecBundle:Discovery_Method, maecBundle:Purpose, maecBundle:Relationships
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id xs:QName required
The required id field specifies a unique ID for this Behavior.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status cybox:ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Source
<xs:element name="Behavior" type="maecBundle:BehaviorType" maxOccurs="unbounded" form="qualified" minOccurs="1">
  <xs:annotation>
    <xs:documentation>The Behavior field specifies a single Behavior in the list.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorType / maecBundle:Purpose
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.
Type maecBundle:BehaviorPurposeType
Children maecBundle:Description, maecBundle:Vulnerability_Exploit
Source
<xs:element minOccurs="0" name="Purpose" type="maecBundle:BehaviorPurposeType">
  <xs:annotation>
    <xs:documentation>The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorPurposeType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorPurposeType / maecBundle:Vulnerability_Exploit
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).
Type maecBundle:ExploitType
Children maecBundle:CVE, maecBundle:CWE_ID, maecBundle:Targeted_Platforms
Attributes
QName Type Use Annotation
known_vulnerability xs:boolean optional
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Source
<xs:element minOccurs="0" name="Vulnerability_Exploit" type="maecBundle:ExploitType">
  <xs:annotation>
    <xs:documentation>The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ExploitType / maecBundle:CVE
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.
Type maecBundle:CVEVulnerabilityType
Children maecBundle:Description
Attributes
QName Type Use Annotation
cve_id xs:string required
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
Source
<xs:element minOccurs="0" name="CVE" type="maecBundle:CVEVulnerabilityType">
  <xs:annotation>
    <xs:documentation>The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CVEVulnerabilityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field specifies the textual description of the vulnerability referenced by the cve_id.
Type xs:string
Source
<xs:element name="Description" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field specifies the textual description of the vulnerability referenced by the cve_id.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ExploitType / maecBundle:CWE_ID
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.
Type xs:string
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="CWE_ID" type="xs:string">
  <xs:annotation>
    <xs:documentation>The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ExploitType / maecBundle:Targeted_Platforms
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit.
Type maecBundle:PlatformListType
Children maecBundle:Platform
Source
<xs:element minOccurs="0" name="Targeted_Platforms" type="maecBundle:PlatformListType">
  <xs:annotation>
    <xs:documentation>The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:PlatformListType / maecBundle:Platform
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.
Type cyboxCommon:PlatformSpecificationType
Children cyboxCommon:Description, cyboxCommon:Identifier
Source
<xs:element maxOccurs="unbounded" name="Platform" type="cyboxCommon:PlatformSpecificationType">
  <xs:annotation>
    <xs:documentation>The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field specifies a prose textual description of the Behavior.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field specifies a prose textual description of the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorType / maecBundle:Discovery_Method
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Discovery_Method field specifies the method used to discover the Behavior.
Type cyboxCommon:MeasureSourceType
Children cyboxCommon:Contributors, cyboxCommon:Description, cyboxCommon:Information_Source_Type, cyboxCommon:Instance, cyboxCommon:Observable_Location, cyboxCommon:Observation_Location, cyboxCommon:Platform, cyboxCommon:System, cyboxCommon:Time, cyboxCommon:Tool_Type, cyboxCommon:Tools
Attributes
QName Type Use Annotation
class cyboxCommon:SourceClassTypeEnum optional
The class field is optional and enables identification of the high-level class of this cyber observation source.
name xs:string optional
The name field is optional and enables the assignment of a relevant name to this Discovery Method.
sighting_count xs:positiveInteger optional
The sighting_count field specifies how many different identical instances of a given Observable may have been seen/sighted by the observation source.
source_type cyboxCommon:SourceTypeEnum optional
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Source
<xs:element minOccurs="0" name="Discovery_Method" type="cyboxCommon:MeasureSourceType">
  <xs:annotation>
    <xs:documentation>The Discovery_Method field specifies the method used to discover the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorType / maecBundle:Action_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Composition field captures the Actions that compose the Behavior.
Type maecBundle:BehavioralActionsType
Children maecBundle:Action, maecBundle:Action_Collection, maecBundle:Action_Equivalence_Reference, maecBundle:Action_Reference
Source
<xs:element minOccurs="0" name="Action_Composition" type="maecBundle:BehavioralActionsType">
  <xs:annotation>
    <xs:documentation>The Action_Composition field captures the Actions that compose the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehavioralActionsType / maecBundle:Action_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collection field specifies an Action Collection that is part of the behavioral composition.
Type maecBundle:ActionCollectionType
Children maecBundle:Action_List, maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Action Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:element minOccurs="1" name="Action_Collection" type="maecBundle:ActionCollectionType">
  <xs:annotation>
    <xs:documentation>The Action_Collection field specifies an Action Collection that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BaseCollectionType / maecBundle:Affinity_Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.
Type xs:string
Source
<xs:element name="Affinity_Type" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BaseCollectionType / maecBundle:Affinity_Degree
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.
Type xs:string
Source
<xs:element name="Affinity_Degree" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BaseCollectionType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field contains a textual description of the collection.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field contains a textual description of the collection.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionCollectionType / maecBundle:Action_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_List field specifies a list of Actions that make up the collection.
Type maecBundle:ActionListType
Children maecBundle:Action
Source
<xs:element name="Action_List" type="maecBundle:ActionListType">
  <xs:annotation>
    <xs:documentation>The Action_List field specifies a list of Actions that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionListType / maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action field specifies a single Action in the list.
The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.
Type maecBundle:MalwareActionType
Children cybox:Action_Aliases, cybox:Action_Arguments, cybox:Associated_Objects, cybox:Description, cybox:Discovery_Method, cybox:Frequency, cybox:Location, cybox:Name, cybox:Relationships, cybox:Type, maecBundle:Implementation
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Action" type="maecBundle:MalwareActionType" maxOccurs="unbounded" minOccurs="1">
  <xs:annotation>
    <xs:documentation>The Action field specifies a single Action in the list.</xs:documentation>
    <xs:documentation>The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:MalwareActionType / maecBundle:Implementation
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.
Type maecBundle:ActionImplementationType
Children maecBundle:API_Call, maecBundle:Code, maecBundle:Compatible_Platforms
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Action Implementation.
type maecBundle:ActionImplementationTypeEnum required
The required type field refers to the type of Action Implementation being characterized in this element.
Source
<xs:element minOccurs="0" name="Implementation" type="maecBundle:ActionImplementationType">
  <xs:annotation>
    <xs:documentation>The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionImplementationType / maecBundle:Compatible_Platforms
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.
Type maecBundle:PlatformListType
Children maecBundle:Platform
Source
<xs:element name="Compatible_Platforms" type="maecBundle:PlatformListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionImplementationType / maecBundle:API_Call
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.
Type maecBundle:APICallType
Children maecBundle:Address, maecBundle:Parameters, maecBundle:Return_Value
Attributes
QName Type Use Annotation
function_name xs:string optional
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
normalized_function_name xs:string optional
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Source
<xs:element name="API_Call" maxOccurs="1" minOccurs="0" type="maecBundle:APICallType">
  <xs:annotation>
    <xs:documentation>The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:APICallType / maecBundle:Address
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Address field contains the address of the API call in the binary.
Type xs:hexBinary
Source
<xs:element name="Address" type="xs:hexBinary" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Address field contains the address of the API call in the binary.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:APICallType / maecBundle:Return_Value
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Return_Value field contains the return value of the API call.
Type xs:string
Source
<xs:element name="Return_Value" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Return_Value field contains the return value of the API call.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:APICallType / maecBundle:Parameters
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Parameters field captures any name/value pairs of the parameters passed into the API call.
Type maecBundle:ParameterListType
Children maecBundle:Parameter
Source
<xs:element minOccurs="0" name="Parameters" type="maecBundle:ParameterListType">
  <xs:annotation>
    <xs:documentation>The Parameters field captures any name/value pairs of the parameters passed into the API call.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ParameterListType / maecBundle:Parameter
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Parameter field specifies a single function parameter.
Type maecBundle:ParameterType
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the parameter.
ordinal_position xs:positiveInteger optional
This field refers to the ordinal position of the parameter with respect to the function where it is used.
value xs:string optional
The value field specifies the actual value of the parameter.
Source
<xs:element maxOccurs="unbounded" name="Parameter" type="maecBundle:ParameterType">
  <xs:annotation>
    <xs:documentation>The Parameter field specifies a single function parameter.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionImplementationType / maecBundle:Code
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Code field contains any form of code that was used to implement the action.
Type CodeObj:CodeObjectType
Children CodeObj:Code_Language, CodeObj:Code_Segment, CodeObj:Code_Segment_XOR, CodeObj:Description, CodeObj:Digital_Signatures, CodeObj:Discovery_Method, CodeObj:Extracted_Features, CodeObj:Processor_Family, CodeObj:Purpose, CodeObj:Start_Address, CodeObj:Targeted_Platforms, CodeObj:Type, cyboxCommon:Custom_Properties
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element name="Code" maxOccurs="unbounded" type="CodeObj:CodeObjectType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Code field contains any form of code that was used to implement the action.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehavioralActionsType / maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action field specifies a single Action that is part of the behavioral composition.
Type maecBundle:BehavioralActionType
Children cybox:Action_Aliases, cybox:Action_Arguments, cybox:Associated_Objects, cybox:Description, cybox:Discovery_Method, cybox:Frequency, cybox:Location, cybox:Name, cybox:Relationships, cybox:Type, maecBundle:Implementation
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element minOccurs="1" name="Action" type="maecBundle:BehavioralActionType">
  <xs:annotation>
    <xs:documentation>The Action field specifies a single Action that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehavioralActionsType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.
Type maecBundle:BehavioralActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Source
<xs:element name="Action_Reference" type="maecBundle:BehavioralActionReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehavioralActionsType / maecBundle:Action_Equivalence_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.
Type maecBundle:BehavioralActionEquivalenceReferenceType
Attributes
QName Type Use Annotation
action_equivalence_idref xs:QName required
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
Source
<xs:element name="Action_Equivalence_Reference" type="maecBundle:BehavioralActionEquivalenceReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorType / maecBundle:Associated_Code
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Associated_Code field specifies any code snippets that may be associated with the Behavior.
Type maecBundle:AssociatedCodeType
Children maecBundle:Code_Snippet
Source
<xs:element minOccurs="0" name="Associated_Code" type="maecBundle:AssociatedCodeType">
  <xs:annotation>
    <xs:documentation>The Associated_Code field specifies any code snippets that may be associated with the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:AssociatedCodeType / maecBundle:Code_Snippet
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.
Type CodeObj:CodeObjectType
Children CodeObj:Code_Language, CodeObj:Code_Segment, CodeObj:Code_Segment_XOR, CodeObj:Description, CodeObj:Digital_Signatures, CodeObj:Discovery_Method, CodeObj:Extracted_Features, CodeObj:Processor_Family, CodeObj:Purpose, CodeObj:Start_Address, CodeObj:Targeted_Platforms, CodeObj:Type, cyboxCommon:Custom_Properties
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element maxOccurs="unbounded" name="Code_Snippet" type="CodeObj:CodeObjectType">
  <xs:annotation>
    <xs:documentation>The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorType / maecBundle:Relationships
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationships field specifies any relationships between this Behavior and any other Behaviors.
Type maecBundle:BehaviorRelationshipListType
Children maecBundle:Relationship
Source
<xs:element minOccurs="0" name="Relationships" type="maecBundle:BehaviorRelationshipListType">
  <xs:annotation>
    <xs:documentation>The Relationships field specifies any relationships between this Behavior and any other Behaviors.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorRelationshipListType / maecBundle:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.
Type maecBundle:BehaviorRelationshipType
Children maecBundle:Behavior_Reference
Attributes
QName Type Use Annotation
type restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0 optional
The type field specifies the nature of the relationship between Behaviors that is being captured.
Source
<xs:element maxOccurs="unbounded" name="Relationship" type="maecBundle:BehaviorRelationshipType">
  <xs:annotation>
    <xs:documentation>The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorRelationshipType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior in the relationship.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Source
<xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the relationship.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:Actions
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.
Type maecBundle:ActionListType
Children maecBundle:Action
Source
<xs:element minOccurs="0" name="Actions" type="maecBundle:ActionListType">
  <xs:annotation>
    <xs:documentation>The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:Objects
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.
Type maecBundle:ObjectListType
Children maecBundle:Object
Source
<xs:element minOccurs="0" name="Objects" type="maecBundle:ObjectListType">
  <xs:annotation>
    <xs:documentation>The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ObjectListType / maecBundle:Object
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.
Type cybox:ObjectType
Children cybox:Defined_Effect, cybox:Description, cybox:Discovery_Method, cybox:Domain_Specific_Object_Properties, cybox:Location, cybox:Properties, cybox:Related_Objects, cybox:State
Attributes
QName Type Use Annotation
has_changed xs:boolean optional
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
id xs:QName optional
The id field specifies a unique id for this Object.
idref xs:QName optional
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element maxOccurs="unbounded" name="Object" type="cybox:ObjectType">
  <xs:annotation>
    <xs:documentation>The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:Candidate_Indicators
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.
Type maecBundle:CandidateIndicatorListType
Children maecBundle:Candidate_Indicator
Source
<xs:element minOccurs="0" name="Candidate_Indicators" type="maecBundle:CandidateIndicatorListType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorListType / maecBundle:Candidate_Indicator
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator field specifies a single Candidate Indicator in the list.
Type maecBundle:CandidateIndicatorType
Children maecBundle:Author, maecBundle:Composition, maecBundle:Description, maecBundle:Importance, maecBundle:Malware_Entity, maecBundle:Numeric_Importance
Attributes
QName Type Use Annotation
creation_datetime xs:dateTime optional
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
version xs:string optional
The version field specifies the version of the Candidate Indicator.
Source
<xs:element maxOccurs="unbounded" name="Candidate_Indicator" type="maecBundle:CandidateIndicatorType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator field specifies a single Candidate Indicator in the list.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorType / maecBundle:Importance
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Importance field specifies the relative importance of the Candidate Indicator.
This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Importance" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Importance field specifies the relative importance of the Candidate Indicator.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorType / maecBundle:Numeric_Importance
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.
Type xs:positiveInteger
Source
<xs:element minOccurs="0" name="Numeric_Importance" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorType / maecBundle:Author
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Author field specifies the author of the Candidate Indicator.
Type xs:string
Source
<xs:element minOccurs="0" name="Author" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Author field specifies the author of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field provides a brief description of the Candidate Indicator.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field provides a brief description of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorType / maecBundle:Malware_Entity
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.
Type maecBundle:MalwareEntityType
Children maecBundle:Description, maecBundle:Name, maecBundle:Type
Source
<xs:element minOccurs="0" name="Malware_Entity" type="maecBundle:MalwareEntityType">
  <xs:annotation>
    <xs:documentation>The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:MalwareEntityType / maecBundle:Type
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Type field refers to the specific type of malware entity that the indicator or signature is written against.
This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type cyboxCommon:ControlledVocabularyStringType
Attributes
QName Type Default Use Annotation
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
delimiter xs:string ##comma## optional
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
is_case_sensitive xs:boolean true optional
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Type field refers to the specific type of malware entity that the indicator or signature is written against.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:MalwareEntityType / maecBundle:Name
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.
Type xs:string
Source
<xs:element minOccurs="0" name="Name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:MalwareEntityType / maecBundle:Description
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.
Type xs:string
Source
<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorType / maecBundle:Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to one or more MAEC entities contained in the Bundle.
Type maecBundle:CandidateIndicatorCompositionType
Children maecBundle:Action_Reference, maecBundle:Behavior_Reference, maecBundle:Object_Reference, maecBundle:Sub_Composition
Attributes
QName Type Use Annotation
operator cybox:OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Source
<xs:element minOccurs="0" name="Composition" type="maecBundle:CandidateIndicatorCompositionType">
  <xs:annotation>
    <xs:documentation>The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to a one or more MAEC entities contained in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Source
<xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.
Type cybox:ActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
Source
<xs:element minOccurs="0" name="Action_Reference" type="cybox:ActionReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Object_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.
Type maecBundle:ObjectReferenceType
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Source
<xs:element minOccurs="0" name="Object_Reference" type="maecBundle:ObjectReferenceType">
  <xs:annotation>
    <xs:documentation>The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Sub_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.
Type maecBundle:CandidateIndicatorCompositionType
Children maecBundle:Action_Reference, maecBundle:Behavior_Reference, maecBundle:Object_Reference, maecBundle:Sub_Composition
Attributes
QName Type Use Annotation
operator cybox:OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Sub_Composition" type="maecBundle:CandidateIndicatorCompositionType">
  <xs:annotation>
    <xs:documentation>The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BundleType / maecBundle:Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.
Type maecBundle:CollectionsType
Children maecBundle:Action_Collections, maecBundle:Behavior_Collections, maecBundle:Candidate_Indicator_Collections, maecBundle:Object_Collections
Source
<xs:element minOccurs="0" name="Collections" type="maecBundle:CollectionsType">
  <xs:annotation>
    <xs:documentation>The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CollectionsType / maecBundle:Behavior_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Collections field captures any collections of Behaviors in the Bundle.
Type maecBundle:BehaviorCollectionListType
Children maecBundle:Behavior_Collection
Source
<xs:element minOccurs="0" name="Behavior_Collections" type="maecBundle:BehaviorCollectionListType">
  <xs:annotation>
    <xs:documentation>The Behavior_Collections field captures any collections of Behaviors in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorCollectionListType / maecBundle:Behavior_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.
Type maecBundle:BehaviorCollectionType
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Behavior_List, maecBundle:Description, maecBundle:Purpose
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Behavior Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:element maxOccurs="unbounded" name="Behavior_Collection" type="maecBundle:BehaviorCollectionType">
  <xs:annotation>
    <xs:documentation>The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorCollectionType / maecBundle:Purpose
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as a way of abstracting the nature of the collection of Behaviors away from its constituent Actions.
Type xs:string
Source
<xs:element name="Purpose" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as a way of abstracting the nature of the collection of Behaviors away from its constituent Actions.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:BehaviorCollectionType / maecBundle:Behavior_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_List field specifies a list of Behaviors that make up the collection.
Type maecBundle:BehaviorListType
Children maecBundle:Behavior
Source
<xs:element name="Behavior_List" type="maecBundle:BehaviorListType">
  <xs:annotation>
    <xs:documentation>The Behavior_List field specifies a list of Behaviors that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CollectionsType / maecBundle:Action_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collections field captures any collections of Actions in the Bundle.
Type maecBundle:ActionCollectionListType
Children maecBundle:Action_Collection
Source
<xs:element minOccurs="0" name="Action_Collections" type="maecBundle:ActionCollectionListType">
  <xs:annotation>
    <xs:documentation>The Action_Collections field captures any collections of Actions in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ActionCollectionListType / maecBundle:Action_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action_Collection field specifies a single collection of Actions in the Bundle.
Type maecBundle:ActionCollectionType
Children maecBundle:Action_List, maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Action Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:element maxOccurs="unbounded" name="Action_Collection" type="maecBundle:ActionCollectionType">
  <xs:annotation>
    <xs:documentation>The Action_Collection field specifies a single collection of Actions in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CollectionsType / maecBundle:Object_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Collections field captures any collections of CybOX Objects in the Bundle.
Type maecBundle:ObjectCollectionListType
Children maecBundle:Object_Collection
Source
<xs:element minOccurs="0" name="Object_Collections" type="maecBundle:ObjectCollectionListType">
  <xs:annotation>
    <xs:documentation>The Object_Collections field captures any collections of CybOX Objects in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ObjectCollectionListType / maecBundle:Object_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_Collection field specifies a single collection of CybOX Objects.
Type maecBundle:ObjectCollectionType
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description, maecBundle:Object_List
Attributes
QName Type Use Annotation
id xs:QName required
The id attribute specifies a unique ID for this Object Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:element maxOccurs="unbounded" name="Object_Collection" type="maecBundle:ObjectCollectionType">
  <xs:annotation>
    <xs:documentation>The Object_Collection field specifies a single collection of CybOX Objects.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:ObjectCollectionType / maecBundle:Object_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Object_List field specifies a list of Objects that make up the collection.
Type maecBundle:ObjectListType
Children maecBundle:Object
Source
<xs:element name="Object_List" type="maecBundle:ObjectListType">
  <xs:annotation>
    <xs:documentation>The Object_List field specifies a list of Objects that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CollectionsType / maecBundle:Candidate_Indicator_Collections
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.
Type maecBundle:CandidateIndicatorCollectionListType
Children maecBundle:Candidate_Indicator_Collection
Source
<xs:element minOccurs="0" name="Candidate_Indicator_Collections" type="maecBundle:CandidateIndicatorCollectionListType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorCollectionListType / maecBundle:Candidate_Indicator_Collection
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.
Type maecBundle:CandidateIndicatorCollectionType
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Candidate_Indicator_List, maecBundle:Description
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:element maxOccurs="unbounded" name="Candidate_Indicator_Collection" type="maecBundle:CandidateIndicatorCollectionType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:CandidateIndicatorCollectionType / maecBundle:Candidate_Indicator_List
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.
Type maecBundle:CandidateIndicatorListType
Children maecBundle:Candidate_Indicator
Source
<xs:element name="Candidate_Indicator_List" type="maecBundle:CandidateIndicatorListType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>
Element maecBundle:MAEC_Bundle
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.
Type maecBundle:BundleType
Children maecBundle:AV_Classifications, maecBundle:Actions, maecBundle:Behaviors, maecBundle:Candidate_Indicators, maecBundle:Capabilities, maecBundle:Collections, maecBundle:Malware_Instance_Object_Attributes, maecBundle:Objects, maecBundle:Process_Tree
Attributes
QName Type Fixed Use Annotation
content_type maecBundle:BundleContentTypeEnum optional
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject xs:boolean required
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
id xs:QName required
The required id field specifies a unique ID for this MAEC Bundle.
schema_version xs:string 4.1 required
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the bundle was generated.
Source
<xs:element name="MAEC_Bundle" type="maecBundle:BundleType">
  <xs:annotation>
    <xs:documentation>The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-bundle-id">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>
Element maecBundle:Action
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Action element enables description/specification of a single malware action.
Type maecBundle:MalwareActionType
Children cybox:Action_Aliases, cybox:Action_Arguments, cybox:Associated_Objects, cybox:Description, cybox:Discovery_Method, cybox:Frequency, cybox:Location, cybox:Name, cybox:Relationships, cybox:Type, maecBundle:Implementation
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Action" type="maecBundle:MalwareActionType">
  <xs:annotation>
    <xs:documentation>The Action element enables description/specification of a single malware action.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-action-id">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>
Element maecBundle:Behavior
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior element enables description/specification of a single malware behavior.
Type maecBundle:BehaviorType
Children maecBundle:Action_Composition, maecBundle:Associated_Code, maecBundle:Description, maecBundle:Discovery_Method, maecBundle:Purpose, maecBundle:Relationships
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id xs:QName required
The required id field specifies a unique ID for this Behavior.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status cybox:ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Source
<xs:element name="Behavior" type="maecBundle:BehaviorType">
  <xs:annotation>
    <xs:documentation>The Behavior element enables description/specification of a single malware behavior.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-behavior-id">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>
Element maecBundle:BehaviorReferenceListType / maecBundle:Behavior_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The Behavior_Reference field specifies a reference to a single Behavior.
Type maecBundle:BehaviorReferenceType
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Source
<xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>
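The xs:unique constraints above cover id uniqueness, while the requirement that a referenced Behavior be present in the current Bundle is stated in the annotation, so a consumer of Bundles may want to check both directly. The following is an added example, not part of the MAEC schema or its tooling: the function names and the trimmed sample Bundle are constructed for illustration, and ids are compared as lexical strings rather than as namespace-expanded QNames.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Reference element -> (attribute carrying the referenced id, element it must resolve to).
# Element and attribute names are the ones documented on this page.
REFERENCES = {
    "Behavior_Reference": ("behavior_idref", "Behavior"),
    "Object_Reference": ("object_idref", "Object"),
    "Action_Reference": ("action_id", "Action"),
}

# Constructed, trimmed sample (not real analysis output, not schema-complete).
# It contains one duplicated Action id and one Object_Reference with no target.
SAMPLE_BUNDLE = """<maecBundle:MAEC_Bundle
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:example="http://example.com/"
    id="example:bundle-1" schema_version="4.1" defined_subject="false">
  <maecBundle:Behaviors>
    <maecBundle:Behavior id="example:behavior-1"/>
  </maecBundle:Behaviors>
  <maecBundle:Actions>
    <maecBundle:Action id="example:action-1"/>
    <maecBundle:Action id="example:action-1"/>
  </maecBundle:Actions>
  <maecBundle:Objects>
    <maecBundle:Object id="example:object-1"/>
  </maecBundle:Objects>
  <maecBundle:Candidate_Indicators>
    <maecBundle:Candidate_Indicator id="example:indicator-1">
      <maecBundle:Composition operator="AND">
        <maecBundle:Behavior_Reference behavior_idref="example:behavior-1"/>
        <maecBundle:Sub_Composition operator="OR">
          <maecBundle:Action_Reference action_id="example:action-1"/>
          <maecBundle:Object_Reference object_idref="example:object-9"/>
        </maecBundle:Sub_Composition>
      </maecBundle:Composition>
    </maecBundle:Candidate_Indicator>
  </maecBundle:Candidate_Indicators>
</maecBundle:MAEC_Bundle>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def check_bundle(xml_text):
    """Report duplicated ids and references that resolve to nothing in the Bundle."""
    # For Bundles from untrusted sources, parse with a hardened parser
    # (for example defusedxml) instead of the standard-library one.
    root = ET.fromstring(xml_text)
    # Mirrors the unique-bundle-id selector ".//*": descendants of the root only.
    ids = [(local(el.tag), el.get("id")) for el in root.iter()
           if el is not root and el.get("id") is not None]
    counts = Counter(value for _, value in ids)
    duplicates = sorted(value for value, n in counts.items() if n > 1)

    defined = {}
    for name, value in ids:
        defined.setdefault(name, set()).add(value)

    dangling = []
    for el in root.iter():
        spec = REFERENCES.get(local(el.tag))
        if spec is None:
            continue
        attr, target = spec
        ref = el.get(attr)
        if ref not in defined.get(target, set()):
            dangling.append((local(el.tag), ref))
    return {"duplicate_ids": duplicates, "dangling": dangling}


def composition_expr(comp):
    """Render a Composition / Sub_Composition tree as a Boolean expression string."""
    terms = []
    for child in comp:
        name = local(child.tag)
        if name in REFERENCES:
            terms.append(child.get(REFERENCES[name][0]) or "<missing idref>")
        elif name == "Sub_Composition":
            terms.append(composition_expr(child))
    # The operator attribute is optional; show that explicitly rather than guess a default.
    op = comp.get("operator", "<no operator>")
    return "(" + f" {op} ".join(terms) + ")"


def indicator_expressions(xml_text):
    """Map each Candidate_Indicator id to its rendered composition."""
    root = ET.fromstring(xml_text)
    out = {}
    for el in root.iter():
        if local(el.tag) != "Candidate_Indicator":
            continue
        for child in el:
            if local(child.tag) == "Composition":
                out[el.get("id")] = composition_expr(child)
    return out


if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
    print(indicator_expressions(SAMPLE_BUNDLE))
```

A Candidate Indicator whose composition contains a dangling reference should be treated as incomplete before it is promoted to a detection rule, since the term it depends on cannot be resolved.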
Complex Type maecBundle:BundleReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleReferenceType serves as a method for linking to Bundles embedded in other locations.
Attributes
QName Type Use Annotation
bundle_idref xs:QName required
The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.
Source
<xs:complexType name="BundleReferenceType">
  <xs:annotation>
    <xs:documentation>The BundleReferenceType serves as a method for linking to Bundles embedded in other locations.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="bundle_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:ObjectReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectReferenceListType captures a list of references to CybOX Objects.
Children maecBundle:Object_Reference
Source
<xs:complexType name="ObjectReferenceListType">
  <xs:annotation>
    <xs:documentation>The ObjectReferenceListType captures a list of references to CybOX Objects.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Object_Reference" type="maecBundle:ObjectReferenceType">
      <xs:annotation>
        <xs:documentation>The Object_Reference field specifies a reference to a single CybOX Object.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:ObjectReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.
Attributes
QName Type Use Annotation
object_idref xs:QName required
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Source
<xs:complexType name="ObjectReferenceType">
  <xs:annotation>
    <xs:documentation>The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="object_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:BundleType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).
Children maecBundle:AV_Classifications, maecBundle:Actions, maecBundle:Behaviors, maecBundle:Candidate_Indicators, maecBundle:Capabilities, maecBundle:Collections, maecBundle:Malware_Instance_Object_Attributes, maecBundle:Objects, maecBundle:Process_Tree
Attributes
QName Type Fixed Use Annotation
content_type maecBundle:BundleContentTypeEnum optional
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
defined_subject xs:boolean required
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
id xs:QName required
The required id field specifies a unique ID for this MAEC Bundle.
schema_version xs:string 4.1 required
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the bundle was generated.
Source
<xs:complexType name="BundleType">
  <xs:annotation>
    <xs:documentation>The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType">
      <xs:annotation>
        <xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="AV_Classifications" type="maecBundle:AVClassificationsType">
      <xs:annotation>
        <xs:documentation>The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Process_Tree" type="maecBundle:ProcessTreeType">
      <xs:annotation>
        <xs:documentation>The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Capabilities" type="maecBundle:CapabilityListType">
      <xs:annotation>
        <xs:documentation>The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Behaviors" type="maecBundle:BehaviorListType">
      <xs:annotation>
        <xs:documentation>The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Actions" type="maecBundle:ActionListType">
      <xs:annotation>
        <xs:documentation>The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Objects" type="maecBundle:ObjectListType">
      <xs:annotation>
        <xs:documentation>The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Candidate_Indicators" type="maecBundle:CandidateIndicatorListType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Collections" type="maecBundle:CollectionsType">
      <xs:annotation>
        <xs:documentation>The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this MAEC Bundle.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="schema_version" type="xs:string" use="required" fixed="4.1">
    <xs:annotation>
      <xs:documentation>The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="defined_subject" type="xs:boolean" use="required">
    <xs:annotation>
      <xs:documentation>The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="content_type" type="maecBundle:BundleContentTypeEnum">
    <xs:annotation>
      <xs:documentation>The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The timestamp field specifies the date/time that the bundle was generated.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:AVClassificationsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.
Children maecBundle:AV_Classification
Source
<xs:complexType name="AVClassificationsType">
  <xs:annotation>
    <xs:documentation>The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="AV_Classification" type="maecBundle:AVClassificationType">
      <xs:annotation>
        <xs:documentation>The AV_Classification field captures a single AV classification of the malware instance object.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:AVClassificationType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.
Type extension of cyboxCommon:ToolInformationType
Children cyboxCommon:Compensation_Model, cyboxCommon:Description, cyboxCommon:Errors, cyboxCommon:Execution_Environment, cyboxCommon:Metadata, cyboxCommon:Name, cyboxCommon:References, cyboxCommon:Service_Pack, cyboxCommon:Tool_Configuration, cyboxCommon:Tool_Hashes, cyboxCommon:Tool_Specific_Data, cyboxCommon:Type, cyboxCommon:Vendor, cyboxCommon:Version, maecBundle:Classification_Name, maecBundle:Definition_Version, maecBundle:Engine_Version
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Tool.
idref xs:QName optional
The idref field specifies a reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Source
<xs:complexType name="AVClassificationType">
  <xs:annotation>
    <xs:documentation>The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ToolInformationType">
      <xs:sequence>
        <xs:element minOccurs="0" name="Engine_Version" type="xs:string">
          <xs:annotation>
            <xs:documentation>The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element minOccurs="0" name="Definition_Version" type="xs:string">
          <xs:annotation>
            <xs:documentation>The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element minOccurs="0" name="Classification_Name" type="xs:string">
          <xs:annotation>
            <xs:documentation>The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:ProcessTreeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.
Children maecBundle:Root_Process
Source
<xs:complexType name="ProcessTreeType">
  <xs:annotation>
    <xs:documentation>The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Root_Process" type="maecBundle:ProcessTreeNodeType">
      <xs:annotation>
        <xs:documentation>The Root_Process field captures the root process in the process tree.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:ProcessTreeNodeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.
Type extension of ProcessObj:ProcessObjectType
Children ProcessObj:Argument_List, ProcessObj:Child_PID_List, ProcessObj:Creation_Time, ProcessObj:Environment_Variable_List, ProcessObj:Extracted_Features, ProcessObj:Image_Info, ProcessObj:Kernel_Time, ProcessObj:Name, ProcessObj:Network_Connection_List, ProcessObj:PID, ProcessObj:Parent_PID, ProcessObj:Port_List, ProcessObj:Start_Time, ProcessObj:Status, ProcessObj:User_Time, ProcessObj:Username, cyboxCommon:Custom_Properties, maecBundle:Initiated_Actions, maecBundle:Injected_Process, maecBundle:Spawned_Process
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for the Process Node.
is_hidden xs:boolean optional
The is_hidden field specifies whether the process is hidden or not.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
parent_action_idref xs:QName optional
The parent_action_idref field specifies the id of the action that created or injected this process.
Source
<xs:complexType name="ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="ProcessObj:ProcessObjectType">
      <xs:sequence>
        <xs:element minOccurs="0" name="Initiated_Actions" type="maecBundle:ActionReferenceListType">
          <xs:annotation>
            <xs:documentation>The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element maxOccurs="unbounded" minOccurs="0" name="Spawned_Process" type="maecBundle:ProcessTreeNodeType">
          <xs:annotation>
            <xs:documentation>The Spawned_Process field captures a single child process spawned by this process.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element maxOccurs="unbounded" minOccurs="0" name="Injected_Process" type="maecBundle:ProcessTreeNodeType">
          <xs:annotation>
            <xs:documentation>The Injected_Process field captures a single process that was injected by this process.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" type="xs:QName" use="required">
        <xs:annotation>
          <xs:documentation>The required id field specifies a unique ID for the Process Node.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="parent_action_idref" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The parent_action_idref field specifies the id of the action that created or injected this process.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="ordinal_position" type="xs:positiveInteger">
        <xs:annotation>
          <xs:documentation>The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:ActionReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionReferenceListType captures a list of Action References.
Children maecBundle:Action_Reference
Source
<xs:complexType name="ActionReferenceListType">
  <xs:annotation>
    <xs:documentation>The ActionReferenceListType captures a list of Action References.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType">
      <xs:annotation>
        <xs:documentation>The Action_Reference field specifies a reference to a single Action.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CapabilityListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityListType captures a list of Capabilities.
Children maecBundle:Capability, maecBundle:Capability_Reference
Source
<xs:complexType name="CapabilityListType">
  <xs:annotation>
    <xs:documentation>The CapabilityListType captures a list of Capabilities.</xs:documentation>
  </xs:annotation>
  <xs:choice maxOccurs="unbounded">
    <xs:element maxOccurs="1" minOccurs="1" name="Capability" type="maecBundle:CapabilityType">
      <xs:annotation>
        <xs:documentation>The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
      <xs:annotation>
        <xs:documentation>The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:choice>
</xs:complexType>
Complex Type maecBundle:CapabilityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityType captures details of a Capability that may be implemented in the malware instance, along with its child Strategic and Tactical Objectives.
Children maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Property, maecBundle:Relationship, maecBundle:Strategic_Objective, maecBundle:Tactical_Objective
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this MAEC Capability.
name maecVocabs:MalwareCapabilityEnum-1.0 optional
The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.
Source
<xs:complexType name="CapabilityType">
  <xs:annotation>
    <xs:documentation>The CapabilityType captures details of a Capability that may be implemented in the malware instance, along with its child Strategic and Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field captures a basic textual description of the Capability.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Strategic_Objective" type="maecBundle:CapabilityObjectiveType">
      <xs:annotation>
        <xs:documentation>The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Tactical_Objective" type="maecBundle:CapabilityObjectiveType">
      <xs:annotation>
        <xs:documentation>The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Relationship" maxOccurs="unbounded" type="maecBundle:CapabilityRelationshipType">
      <xs:annotation>
        <xs:documentation>The Relationship field captures a relationship from the Capability to one or more other Capabilities.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this MAEC Capability.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="maecVocabs:MalwareCapabilityEnum-1.0">
    <xs:annotation>
      <xs:documentation>The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:CapabilityPropertyType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityPropertyType captures a single property of a Capability or Capability Objective.
Children maecBundle:Name, maecBundle:Value
Source
<xs:complexType name="CapabilityPropertyType">
  <xs:annotation>
    <xs:documentation>The CapabilityPropertyType captures a single property of a Capability or Capability Objective.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Value" type="cyboxCommon:StringObjectPropertyType">
      <xs:annotation>
        <xs:documentation>The Value field specifies the value of the property being captured.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CapabilityObjectiveType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityObjectiveType captures details of a Capability Strategic or Tactical Objective.
Children maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Name, maecBundle:Property, maecBundle:Relationship
Attributes
QName Type Use Annotation
id xs:QName required
The required id field specifies a unique ID for this Capability Objective.
Source
<xs:complexType name="CapabilityObjectiveType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveType captures details of a Capability Strategic or Tactical Objective.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Name" minOccurs="0" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field captures a basic textual description of the Capability Objective.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Relationship" type="maecBundle:CapabilityObjectiveRelationshipType">
      <xs:annotation>
        <xs:documentation>The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this Capability Objective.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:BehaviorReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.
Attributes
QName Type Use Annotation
behavior_idref xs:QName required
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Source
<xs:complexType name="BehaviorReferenceType">
  <xs:annotation>
    <xs:documentation>The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="behavior_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:CapabilityObjectiveRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityObjectiveRelationshipType captures a relationship between a Strategic or Tactical Objective and one or more other Strategic or Tactical Objectives.
Children maecBundle:Objective_Reference, maecBundle:Relationship_Type
Source
<xs:complexType name="CapabilityObjectiveRelationshipType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveRelationshipType captures a relationship between a Strategic or Tactical Objective and one or more other Strategic or Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="1" name="Objective_Reference" type="maecBundle:CapabilityObjectiveReferenceType">
      <xs:annotation>
        <xs:documentation>The Objective_Reference field references a single Capability Objective (either Strategic or Tactical) in the relationship.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CapabilityObjectiveReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityObjectiveReferenceType serves as a method for referencing existing Capability Objectives (either Strategic or Tactical) contained in the Bundle.
Attributes
QName Type Use Annotation
objective_idref xs:QName required
The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.
Source
<xs:complexType name="CapabilityObjectiveReferenceType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveReferenceType serves as a method for referencing existing Capability Objectives (either Strategic or Tactical) contained in the Bundle.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="objective_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:CapabilityRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityRelationshipType captures a relationship between a Capability and one or more other Capabilities.
Children maecBundle:Capability_Reference, maecBundle:Relationship_Type
Source
<xs:complexType name="CapabilityRelationshipType">
  <xs:annotation>
    <xs:documentation>The CapabilityRelationshipType captures a relationship between a Capability and one or more other Capabilities.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Capabilities.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="1" name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
      <xs:annotation>
        <xs:documentation>The Capability_Reference field references a single Capability in the relationship, via its ID.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CapabilityReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CapabilityReferenceType serves as a method for referencing existing Capabilities contained in the MAEC document.
Attributes
QName Type Use Annotation
capability_idref xs:QName required
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Source
<xs:complexType name="CapabilityReferenceType">
  <xs:annotation>
    <xs:documentation>The CapabilityReferenceType serves as a method for referencing existing Capabilities contained in the MAEC document.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="capability_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The capability_idref field references the ID of a Capability contained inside the current MAEC document.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:BehaviorListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorListType captures a list of Behaviors.
Children maecBundle:Behavior
Source
<xs:complexType name="BehaviorListType">
  <xs:annotation>
    <xs:documentation>The BehaviorListType captures a list of Behaviors.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1">
    <xs:element name="Behavior" type="maecBundle:BehaviorType" maxOccurs="unbounded" form="qualified" minOccurs="1">
      <xs:annotation>
        <xs:documentation>The Behavior field specifies a single Behavior in the list.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:BehaviorType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.
Children maecBundle:Action_Composition, maecBundle:Associated_Code, maecBundle:Description, maecBundle:Discovery_Method, maecBundle:Purpose, maecBundle:Relationships
Attributes
QName Type Use Annotation
duration xs:duration optional
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
id xs:QName required
The required id field specifies a unique ID for this Behavior.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
status cybox:ActionStatusTypeEnum optional
The status field specifies the execution status of the Behavior being characterized.
Source
<xs:complexType name="BehaviorType">
  <xs:annotation>
    <xs:documentation>The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Purpose" type="maecBundle:BehaviorPurposeType">
      <xs:annotation>
        <xs:documentation>The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field specifies a prose textual description of the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Discovery_Method" type="cyboxCommon:MeasureSourceType">
      <xs:annotation>
        <xs:documentation>The Discovery_Method field specifies the method used to discover the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Action_Composition" type="maecBundle:BehavioralActionsType">
      <xs:annotation>
        <xs:documentation>The Action_Composition field captures the Actions that compose the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Associated_Code" type="maecBundle:AssociatedCodeType">
      <xs:annotation>
        <xs:documentation>The Associated_Code field specifies any code snippets that may be associated with the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Relationships" type="maecBundle:BehaviorRelationshipListType">
      <xs:annotation>
        <xs:documentation>The Relationships field specifies any relationships between this Behavior and any other Behaviors.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this Behavior.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="ordinal_position" type="xs:positiveInteger">
    <xs:annotation>
      <xs:documentation>The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="status" type="cybox:ActionStatusTypeEnum">
    <xs:annotation>
      <xs:documentation>The status field specifies the execution status of the Behavior being characterized.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="duration" type="xs:duration">
    <xs:annotation>
      <xs:documentation>The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:BehaviorPurposeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorPurposeType captures the purpose behind a malware Behavior.
Children maecBundle:Description, maecBundle:Vulnerability_Exploit
Source
<xs:complexType name="BehaviorPurposeType">
  <xs:annotation>
    <xs:documentation>The BehaviorPurposeType captures the purpose behind a malware Behavior.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Vulnerability_Exploit" type="maecBundle:ExploitType">
      <xs:annotation>
        <xs:documentation>The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:ExploitType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ExploitType characterizes any exploitable weakness that may be targeted for exploitation by a malware instance through a Behavior. Most commonly, this refers to a known and identifiable vulnerability, but it may also refer to one or more weaknesses.
Children maecBundle:CVE, maecBundle:CWE_ID, maecBundle:Targeted_Platforms
Attributes
QName Type Use Annotation
known_vulnerability xs:boolean optional
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Source
<xs:complexType name="ExploitType">
  <xs:annotation>
    <xs:documentation>The ExploitType characterizes any exploitable weakness that may be targeted for exploitation by a malware instance through a Behavior. Most commonly, this refers to a known and identifiable vulnerability, but it may also refer to one or more weaknesses.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="CVE" type="maecBundle:CVEVulnerabilityType">
      <xs:annotation>
        <xs:documentation>The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="CWE_ID" type="xs:string">
      <xs:annotation>
        <xs:documentation>The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Targeted_Platforms" type="maecBundle:PlatformListType">
      <xs:annotation>
        <xs:documentation>The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="known_vulnerability" type="xs:boolean">
    <xs:annotation>
      <xs:documentation>The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:CVEVulnerabilityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.
Children maecBundle:Description
Attributes
QName Type Use Annotation
cve_id xs:string required
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
Source
<xs:complexType name="CVEVulnerabilityType">
  <xs:annotation>
    <xs:documentation>The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Description" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field specifies the textual description of the vulnerability referenced by the cve_id.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="cve_id" type="xs:string" use="required">
    <xs:annotation>
      <xs:documentation>The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:PlatformListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The PlatformListType captures a list of software or hardware platforms.
Children maecBundle:Platform
Source
<xs:complexType name="PlatformListType">
  <xs:annotation>
    <xs:documentation>The PlatformListType captures a list of software or hardware platforms.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Platform" type="cyboxCommon:PlatformSpecificationType">
      <xs:annotation>
        <xs:documentation>The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:BehavioralActionsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.
Children maecBundle:Action, maecBundle:Action_Collection, maecBundle:Action_Equivalence_Reference, maecBundle:Action_Reference
Source
<xs:complexType name="BehavioralActionsType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.</xs:documentation>
  </xs:annotation>
  <xs:choice maxOccurs="unbounded">
    <xs:element minOccurs="1" name="Action_Collection" type="maecBundle:ActionCollectionType">
      <xs:annotation>
        <xs:documentation>The Action_Collection field specifies an Action Collection that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="1" name="Action" type="maecBundle:BehavioralActionType">
      <xs:annotation>
        <xs:documentation>The Action field specifies a single Action that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Action_Reference" type="maecBundle:BehavioralActionReferenceType">
      <xs:annotation>
        <xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Action_Equivalence_Reference" type="maecBundle:BehavioralActionEquivalenceReferenceType">
      <xs:annotation>
        <xs:documentation>The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:choice>
</xs:complexType>
Complex Type maecBundle:ActionCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.
Type extension of maecBundle:BaseCollectionType
Children maecBundle:Action_List, maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Action Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:complexType name="ActionCollectionType">
  <xs:annotation>
    <xs:documentation>The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Action_List" type="maecBundle:ActionListType">
          <xs:annotation>
            <xs:documentation>The Action_List field specifies a list of Actions that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The id field specifies a unique ID for this Action Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:BaseCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BaseCollectionType is the base type for other MAEC collection types.
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:complexType name="BaseCollectionType">
  <xs:annotation>
    <xs:documentation>The BaseCollectionType is the base type for other MAEC collection types.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Affinity_Type" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Affinity_Degree" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field contains a textual description of the collection.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The name field specifies the name of the collection.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:ActionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionListType captures a list of Actions.
Children maecBundle:Action
Source
<xs:complexType name="ActionListType">
  <xs:annotation>
    <xs:documentation>The ActionListType captures a list of Actions.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1">
    <xs:element name="Action" type="maecBundle:MalwareActionType" maxOccurs="unbounded" minOccurs="1">
      <xs:annotation>
        <xs:documentation>The Action field specifies a single Action in the list.</xs:documentation>
        <xs:documentation>The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:MalwareActionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.
Type extension of cybox:ActionType
Children cybox:Action_Aliases, cybox:Action_Arguments, cybox:Associated_Objects, cybox:Description, cybox:Discovery_Method, cybox:Frequency, cybox:Location, cybox:Name, cybox:Relationships, cybox:Type, maecBundle:Implementation
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="MalwareActionType">
  <xs:annotation>
    <xs:documentation>The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cybox:ActionType">
      <xs:sequence>
        <xs:element minOccurs="0" name="Implementation" type="maecBundle:ActionImplementationType">
          <xs:annotation>
            <xs:documentation>The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:ActionImplementationType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.
Children maecBundle:API_Call, maecBundle:Code, maecBundle:Compatible_Platforms
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Action Implementation.
type maecBundle:ActionImplementationTypeEnum required
The required type field refers to the type of Action Implementation being characterized in this element.
Source
<xs:complexType name="ActionImplementationType">
  <xs:annotation>
    <xs:documentation>The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Compatible_Platforms" type="maecBundle:PlatformListType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:choice>
      <xs:element name="API_Call" maxOccurs="1" minOccurs="0" type="maecBundle:APICallType">
        <xs:annotation>
          <xs:documentation>The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="Code" maxOccurs="unbounded" type="CodeObj:CodeObjectType" minOccurs="0">
        <xs:annotation>
          <xs:documentation>The Code field contains any form of code that was used to implement the action.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="id" use="optional" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The id field specifies a unique ID for this Action Implementation.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="type" use="required" type="maecBundle:ActionImplementationTypeEnum">
    <xs:annotation>
      <xs:documentation>The required type field refers to the type of Action Implementation being characterized in this element.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:APICallType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The APICallType provides a method for the characterization of API calls, including functions and their parameters.
Children maecBundle:Address, maecBundle:Parameters, maecBundle:Return_Value
Attributes
QName Type Use Annotation
function_name xs:string optional
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
normalized_function_name xs:string optional
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Source
<xs:complexType name="APICallType">
  <xs:annotation>
    <xs:documentation>The APICallType provides a method for the characterization of API calls, including functions and their parameters.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Address" type="xs:hexBinary" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Address field contains the address of the API call in the binary.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Return_Value" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Return_Value field contains the return value of the API call.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Parameters" type="maecBundle:ParameterListType">
      <xs:annotation>
        <xs:documentation>The Parameters field captures any name/value pairs of the parameters passed into the API call.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="function_name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The function_name field contains the exact name of the API function called, e.g. CreateFileEx.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="normalized_function_name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:ParameterListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ParametersType captures a list of function parameters.
Children maecBundle:Parameter
Source
<xs:complexType name="ParameterListType">
  <xs:annotation>
    <xs:documentation>The ParametersType captures a list of function parameters.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Parameter" type="maecBundle:ParameterType">
      <xs:annotation>
        <xs:documentation>The Parameter field specifies a single function parameter.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:ParameterType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ParameterType characterizes function parameters.
Attributes
QName Type Use Annotation
name xs:string optional
The name field specifies the name of the parameter.
ordinal_position xs:positiveInteger optional
This field refers to the ordinal position of the parameter with respect to the function where it is used.
value xs:string optional
The value field specifies the actual value of the parameter.
Source
<xs:complexType name="ParameterType">
  <xs:annotation>
    <xs:documentation>The ParameterType characterizes function parameters.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="ordinal_position" type="xs:positiveInteger">
    <xs:annotation>
      <xs:documentation>This field refers to the ordinal position of the parameter with respect to the function where it is used.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The name field specifies the name of the parameter.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="value" type="xs:string">
    <xs:annotation>
      <xs:documentation>The value field specifies the actual value of the parameter.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Simple Type maecBundle:ActionImplementationTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionImplementationTypeEnum represents an enumeration of action implementation types.
Type restriction of xs:string
Facets
enumeration api call
The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.
enumeration code
The code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element.
Source
<xs:simpleType name="ActionImplementationTypeEnum">
  <xs:annotation>
    <xs:documentation>The ActionImplementationTypeEnum represents an enumeration of action implementation types.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="api call">
      <xs:annotation>
        <xs:documentation>The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="code">
      <xs:annotation>
        <xs:documentation>The code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecBundle:BehavioralActionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionType type defines an Action field that can be used as part of a Behavior. It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.
Type extension of maecBundle:MalwareActionType
Children cybox:Action_Aliases, cybox:Action_Arguments, cybox:Associated_Objects, cybox:Description, cybox:Discovery_Method, cybox:Frequency, cybox:Location, cybox:Name, cybox:Relationships, cybox:Type, maecBundle:Implementation
Attributes
QName Type Default Use Annotation
action_status cybox:ActionStatusTypeEnum optional
The action_status field enables description of the status of the action being described.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
context cybox:ActionContextTypeEnum optional
The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
id xs:QName optional
The id field specifies a unique id for this Action.
idref xs:QName optional
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
ordinal_position xs:positiveInteger optional
The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
timestamp xs:dateTime optional
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
timestamp_precision cyboxCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="BehavioralActionType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionType type defines an Action field that can be used as part of a Behavior. It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:MalwareActionType">
      <xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
        <xs:annotation>
          <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:BehavioralActionReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.
Type extension of cybox:ActionReferenceType
Attributes
QName Type Use Annotation
action_id xs:QName required
The action_id field refers to the id of the action being referenced.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Source
<xs:complexType name="BehavioralActionReferenceType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cybox:ActionReferenceType">
      <xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
        <xs:annotation>
          <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:BehavioralActionEquivalenceReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.
Attributes
QName Type Use Annotation
action_equivalence_idref xs:QName required
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
behavioral_ordering xs:positiveInteger optional
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
Source
<xs:complexType name="BehavioralActionEquivalenceReferenceType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="action_equivalence_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
    <xs:annotation>
      <xs:documentation>The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:AssociatedCodeType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The AssociatedCodeType serves as a generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.
Children maecBundle:Code_Snippet
Source
<xs:complexType name="AssociatedCodeType">
  <xs:annotation>
    <xs:documentation>The AssociatedCodeType serves as a generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Code_Snippet" type="CodeObj:CodeObjectType">
      <xs:annotation>
        <xs:documentation>The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:BehaviorRelationshipListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.
Children maecBundle:Relationship
Source
<xs:complexType name="BehaviorRelationshipListType">
  <xs:annotation>
    <xs:documentation>The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Relationship" type="maecBundle:BehaviorRelationshipType">
      <xs:annotation>
        <xs:documentation>The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:BehaviorRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.
Children maecBundle:Behavior_Reference
Attributes
QName Type Use Annotation
type restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0 optional
The type field specifies the nature of the relationship between Behaviors that is being captured.
Source
<xs:complexType name="BehaviorRelationshipType">
  <xs:annotation>
    <xs:documentation>The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" minOccurs="1">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the relationship.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="type" use="optional">
    <xs:annotation>
      <xs:documentation>The type field specifies the nature of the relationship between Behaviors that is being captured.</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="cyboxVocabs:ActionRelationshipTypeEnum-1.0">
        <xs:enumeration value="Preceded_By"/>
        <xs:enumeration value="Followed_By"/>
        <xs:enumeration value="Related_To"/>
        <xs:enumeration value="Dependent_On"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:ObjectListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectListType captures a list of CybOX Objects.
Children maecBundle:Object
Source
<xs:complexType name="ObjectListType">
  <xs:annotation>
    <xs:documentation>The ObjectListType captures a list of CybOX Objects.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1">
    <xs:element maxOccurs="unbounded" name="Object" type="cybox:ObjectType">
      <xs:annotation>
        <xs:documentation>The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CandidateIndicatorListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorListType captures a list of Candidate Indicators.
Children maecBundle:Candidate_Indicator
Source
<xs:complexType name="CandidateIndicatorListType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorListType captures a list of Candidate Indicators.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1" minOccurs="1">
    <xs:element maxOccurs="unbounded" name="Candidate_Indicator" type="maecBundle:CandidateIndicatorType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicator field specifies a single Candidate Indicator in the list.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CandidateIndicatorType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.
Children maecBundle:Author, maecBundle:Composition, maecBundle:Description, maecBundle:Importance, maecBundle:Malware_Entity, maecBundle:Numeric_Importance
Attributes
QName Type Use Annotation
creation_datetime xs:dateTime optional
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
version xs:string optional
The version field specifies the version of the Candidate Indicator.
Source
<xs:complexType name="CandidateIndicatorType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Importance" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Importance field specifies the relative importance of the Candidate Indicator.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Numeric_Importance" type="xs:positiveInteger">
      <xs:annotation>
        <xs:documentation>The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Author" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Author field specifies the author of the Candidate Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field provides a brief description of the Candidate Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Malware_Entity" type="maecBundle:MalwareEntityType">
      <xs:annotation>
        <xs:documentation>The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Composition" type="maecBundle:CandidateIndicatorCompositionType">
      <xs:annotation>
        <xs:documentation>The Composition field specifies the actual observables that the Candidate Indicator is composed of, via references to one or more MAEC entities contained in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The id field specifies a unique ID for this Candidate Indicator.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="creation_datetime" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The creation_datetime field specifies the date/time that the Candidate Indicator was created.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="lastupdate_datetime" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="version" type="xs:string">
    <xs:annotation>
      <xs:documentation>The version field specifies the version of the Candidate Indicator.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type maecBundle:MalwareEntityType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The MalwareEntityType provides a capability for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.
Children maecBundle:Description, maecBundle:Name, maecBundle:Type
Source
<xs:complexType name="MalwareEntityType">
  <xs:annotation>
    <xs:documentation>The MalwareEntityType provides a capability for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Type field refers to the specific type of malware entity that the indicator or signature is written against.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Name" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CandidateIndicatorCompositionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.
Children maecBundle:Action_Reference, maecBundle:Behavior_Reference, maecBundle:Object_Reference, maecBundle:Sub_Composition
Attributes
QName Type Use Annotation
operator cybox:OperatorTypeEnum optional
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Source
<xs:complexType name="CandidateIndicatorCompositionType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:choice maxOccurs="unbounded">
      <xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
        <xs:annotation>
          <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element minOccurs="0" name="Action_Reference" type="cybox:ActionReferenceType">
        <xs:annotation>
          <xs:documentation>The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element minOccurs="0" name="Object_Reference" type="maecBundle:ObjectReferenceType">
        <xs:annotation>
          <xs:documentation>The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Sub_Composition" type="maecBundle:CandidateIndicatorCompositionType">
      <xs:annotation>
        <xs:documentation>The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="operator" type="cybox:OperatorTypeEnum">
    <xs:annotation>
      <xs:documentation>The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
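The composition tree defined by CandidateIndicatorCompositionType can be evaluated against a set of observed entity ids, as in the following added example (not part of the MAEC schema or its tooling). It assumes the CybOX OperatorTypeEnum values AND and OR, which this page does not list, handles only Action_Reference and Object_Reference (whose id attributes, action_id and object_idref, appear on this page), and uses constructed ids and a constructed fragment.

```python
import xml.etree.ElementTree as ET

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
Q = "{%s}" % MAEC_NS

# Reference element -> attribute holding the referenced id.
# Behavior_Reference is omitted: its id attribute is not shown in this section.
REF_ATTRS = {Q + "Action_Reference": "action_id",
             Q + "Object_Reference": "object_idref"}

# Constructed sample fragment (not taken from a real bundle).
SAMPLE = """\
<maecBundle:Candidate_Indicators
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:example="http://example.com/">
  <maecBundle:Candidate_Indicator id="example:indicator-1">
    <maecBundle:Composition operator="AND">
      <maecBundle:Object_Reference object_idref="example:object-1"/>
      <maecBundle:Sub_Composition operator="OR">
        <maecBundle:Action_Reference action_id="example:action-1"/>
        <maecBundle:Action_Reference action_id="example:action-2"/>
      </maecBundle:Sub_Composition>
    </maecBundle:Composition>
  </maecBundle:Candidate_Indicator>
  <maecBundle:Candidate_Indicator id="example:indicator-2">
    <maecBundle:Composition operator="AND"/>
  </maecBundle:Candidate_Indicator>
</maecBundle:Candidate_Indicators>
"""


def ref_id(elem):
    """Return the id a reference element points at; the attribute is required."""
    value = elem.get(REF_ATTRS[elem.tag])
    if value is None:
        raise ValueError("reference without id attribute: " + elem.tag)
    return value


def referenced_ids(comp):
    """Collect every id referenced anywhere in a composition tree."""
    ids = set()
    for child in comp:
        if child.tag in REF_ATTRS:
            ids.add(ref_id(child))
        elif child.tag == Q + "Sub_Composition":
            ids |= referenced_ids(child)
    return ids


def evaluate(comp, observed):
    """Evaluate one composition level against the set of observed ids."""
    terms = []
    for child in comp:
        if child.tag in REF_ATTRS:
            terms.append(ref_id(child) in observed)
        elif child.tag == Q + "Sub_Composition":
            terms.append(evaluate(child, observed))
        else:
            raise ValueError("unsupported composition member: " + child.tag)
    if not terms:
        # Every member of the xs:choice has minOccurs=0, so an empty
        # Composition validates; all([]) would be True, so reject explicitly.
        return False
    op = comp.get("operator")  # optional in the schema
    if op is None:
        if len(terms) > 1:
            raise ValueError("operator missing on a multi-term composition")
        return terms[0]
    if op == "AND":
        return all(terms)
    if op == "OR":
        return any(terms)
    raise ValueError("unknown operator: " + op)


def match_indicators(xml_text, observed, defined_ids):
    """Map indicator id -> match result and references not defined in the bundle."""
    # For bundles from untrusted sources, parse with a hardened parser
    # such as defusedxml instead of the standard library.
    root = ET.fromstring(xml_text)
    results = {}
    for ind in root.iter(Q + "Candidate_Indicator"):
        comp = ind.find(Q + "Composition")
        if comp is None:  # Composition itself is minOccurs=0
            results[ind.get("id")] = {"matched": False, "dangling": []}
            continue
        results[ind.get("id")] = {
            "matched": evaluate(comp, observed),
            "dangling": sorted(referenced_ids(comp) - set(defined_ids)),
        }
    return results
```

The dangling list flags references whose target id is not defined in the bundle, which XSD validation alone does not catch because the reference attributes are typed xs:QName rather than xs:IDREF.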
Complex Type maecBundle:CollectionsType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CollectionsType captures the various types of MAEC entity collections.
Children maecBundle:Action_Collections, maecBundle:Behavior_Collections, maecBundle:Candidate_Indicator_Collections, maecBundle:Object_Collections
Source
<xs:complexType name="CollectionsType">
  <xs:annotation>
    <xs:documentation>The CollectionsType captures the various types of MAEC entity collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Behavior_Collections" type="maecBundle:BehaviorCollectionListType">
      <xs:annotation>
        <xs:documentation>The Behavior_Collections field captures any collections of Behaviors in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Action_Collections" type="maecBundle:ActionCollectionListType">
      <xs:annotation>
        <xs:documentation>The Action_Collections field captures any collections of Actions in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Object_Collections" type="maecBundle:ObjectCollectionListType">
      <xs:annotation>
        <xs:documentation>The Object_Collections field captures any collections of CybOX Objects in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Candidate_Indicator_Collections" type="maecBundle:CandidateIndicatorCollectionListType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:BehaviorCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollectionListType captures a list of Behavior Collections.
Children maecBundle:Behavior_Collection
Source
<xs:complexType name="BehaviorCollectionListType">
  <xs:annotation>
    <xs:documentation>The BehaviorCollectionListType captures a list of Behavior Collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Behavior_Collection" type="maecBundle:BehaviorCollectionType">
      <xs:annotation>
        <xs:documentation>The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:BehaviorCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorCollectionType provides a capability for characterizing collections of behaviors.
Type extension of maecBundle:BaseCollectionType
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Behavior_List, maecBundle:Description, maecBundle:Purpose
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Behavior Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:complexType name="BehaviorCollectionType">
  <xs:annotation>
    <xs:documentation>The BehaviorCollectionType provides a capability for characterizing collections of behaviors.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Purpose" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as a way of abstracting the nature of the collection of Behaviors away from its constituent Actions.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Behavior_List" type="maecBundle:BehaviorListType">
          <xs:annotation>
            <xs:documentation>The Behavior_List field specifies a list of Behaviors that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The id field specifies a unique ID for this Behavior Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:ActionCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ActionCollectionListType captures a list of Action Collections.
Used by
Children maecBundle:Action_Collection
Source
<xs:complexType name="ActionCollectionListType">
  <xs:annotation>
    <xs:documentation>The ActionCollectionListType captures a list of Action Collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Action_Collection" type="maecBundle:ActionCollectionType">
      <xs:annotation>
        <xs:documentation>The Action_Collection field specifies a single collection of Actions in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:ObjectCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollectionListType captures a list of Object Collections.
Used by
Children maecBundle:Object_Collection
Source
<xs:complexType name="ObjectCollectionListType">
  <xs:annotation>
    <xs:documentation>The ObjectCollectionListType captures a list of Object Collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Object_Collection" type="maecBundle:ObjectCollectionType">
      <xs:annotation>
        <xs:documentation>The Object_Collection field specifies a single collection of CybOX Objects.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:ObjectCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The ObjectCollectionType provides a Capability for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.
Type extension of maecBundle:BaseCollectionType
Type hierarchy
Used by
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description, maecBundle:Object_List
Attributes
QName Type Use Annotation
id xs:QName required
The id attribute specifies a unique ID for this Object Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:complexType name="ObjectCollectionType">
  <xs:annotation>
    <xs:documentation>The ObjectCollectionType provides a Capability for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Object_List" type="maecBundle:ObjectListType">
          <xs:annotation>
            <xs:documentation>The Object_List field specifies a list of Objects that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The id attribute specifies a unique ID for this Object Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type maecBundle:CandidateIndicatorCollectionListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollectionListType captures a list of Candidate Indicators.
Used by
Children maecBundle:Candidate_Indicator_Collection
Source
<xs:complexType name="CandidateIndicatorCollectionListType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorCollectionListType captures a list of Candidate Indicators.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Candidate_Indicator_Collection" type="maecBundle:CandidateIndicatorCollectionType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type maecBundle:CandidateIndicatorCollectionType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The CandidateIndicatorCollectionType provides a Capability for characterizing collections of Candidate Indicators.
Type extension of maecBundle:BaseCollectionType
Type hierarchy
Used by
Children maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Candidate_Indicator_List, maecBundle:Description
Attributes
QName Type Use Annotation
id xs:QName required
The id field specifies a unique ID for this Candidate Indicator Collection.
name xs:string optional
The name field specifies the name of the collection.
Source
<xs:complexType name="CandidateIndicatorCollectionType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorCollectionType provides a Capability for characterizing collections of Candidate Indicators.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Candidate_Indicator_List" type="maecBundle:CandidateIndicatorListType">
          <xs:annotation>
            <xs:documentation>The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" type="xs:QName" use="required">
        <xs:annotation>
          <xs:documentation>The id field specifies a unique ID for this Candidate Indicator Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Simple Type maecBundle:BundleContentTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.
Type restriction of xs:string
Facets
enumeration dynamic analysis tool output
The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.
enumeration static analysis tool output
The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.
enumeration manual analysis output
The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.
enumeration extracted from subject
The extracted from subject value specifies that the Bundle primarily captures some data that was extracted from the Malware Subject, such as some PE Header fields.
enumeration mixed
The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.
enumeration other
The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.
Used by
Source
<xs:simpleType name="BundleContentTypeEnum">
  <xs:annotation>
    <xs:documentation>The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="dynamic analysis tool output">
      <xs:annotation>
        <xs:documentation>The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="static analysis tool output">
      <xs:annotation>
        <xs:documentation>The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="manual analysis output">
      <xs:annotation>
        <xs:documentation>The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="extracted from subject">
      <xs:annotation>
        <xs:documentation>The extracted from subject value specifies that the Bundle primarily captures some data that was extracted from the Malware Subject, such as some PE Header fields.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mixed">
      <xs:annotation>
        <xs:documentation>The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="other">
      <xs:annotation>
        <xs:documentation>The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type maecBundle:BehaviorReferenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-bundle-4
Annotations
The BehaviorReferenceListType captures a list of Behavior References.
Children maecBundle:Behavior_Reference
Source
<xs:complexType name="BehaviorReferenceListType">
  <xs:annotation>
    <xs:documentation>The BehaviorReferenceListType captures a list of Behavior References.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Attribute maecBundle:BundleReferenceType / @bundle_idref
Namespace No namespace
Annotations
The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.
Type xs:QName
Used by
Source
<xs:attribute name="bundle_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ObjectReferenceType / @object_idref
Namespace No namespace
Annotations
The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.
Type xs:QName
Used by
Source
<xs:attribute name="object_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ProcessTreeNodeType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for the Process Node.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for the Process Node.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ProcessTreeNodeType / @parent_action_idref
Namespace No namespace
Annotations
The parent_action_idref field specifies the id of the action that created or injected this process.
Type xs:QName
Used by
Source
<xs:attribute name="parent_action_idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The parent_action_idref field specifies the id of the action that created or injected this process.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ProcessTreeNodeType / @ordinal_position
Namespace No namespace
Annotations
The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.
Type xs:positiveInteger
Used by
Source
<xs:attribute name="ordinal_position" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehaviorReferenceType / @behavior_idref
Namespace No namespace
Annotations
The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.
Type xs:QName
Used by
Source
<xs:attribute name="behavior_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CapabilityObjectiveReferenceType / @objective_idref
Namespace No namespace
Annotations
The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.
Type xs:QName
Used by
Source
<xs:attribute name="objective_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CapabilityObjectiveType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Capability Objective.
Type xs:QName
Used by
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this Capability Objective.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CapabilityReferenceType / @capability_idref
Namespace No namespace
Annotations
The capability_idref field references the ID of a Capability contained inside the current MAEC document.
Type xs:QName
Used by
Source
<xs:attribute name="capability_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The capability_idref field references the ID of a Capability contained inside the current MAEC document.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CapabilityType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this MAEC Capability.
Type xs:QName
Used by
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this MAEC Capability.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CapabilityType / @name
Namespace No namespace
Annotations
The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.
Type maecVocabs:MalwareCapabilityEnum-1.0
Facets
enumeration command and control
The 'command and control' (C2) Capability indicates that the malware instance is able to receive and execute remotely submitted commands.
enumeration remote machine manipulation
The 'remote machine manipulation' Capability indicates that the malware instance is able to manipulate or access other remote machines.
enumeration privilege escalation
The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.
enumeration data theft
The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.
enumeration spying
The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).
enumeration secondary operation
The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.
enumeration anti-detection
The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.
enumeration anti-code analysis
The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.
enumeration infection/propagation
The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system.  The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).  This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.
enumeration anti-behavioral analysis
The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.
enumeration integrity violation
The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.
enumeration data exfiltration
The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.
enumeration probing
The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.
enumeration anti-removal
The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.
enumeration security degradation
The 'security degradation' Capability indicates that the malware instance is able to bypass or disable security features and/or controls.
enumeration availability violation
The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.
enumeration destruction
The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.
enumeration fraud
The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.
enumeration persistence
The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.
enumeration machine access/control
The 'machine access/control' Capability indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.
Used by
Source
<xs:attribute name="name" type="maecVocabs:MalwareCapabilityEnum-1.0">
  <xs:annotation>
    <xs:documentation>The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CVEVulnerabilityType / @cve_id
Namespace No namespace
Annotations
The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.
Type xs:string
Used by
Source
<xs:attribute name="cve_id" type="xs:string" use="required">
  <xs:annotation>
    <xs:documentation>The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ExploitType / @known_vulnerability
Namespace No namespace
Annotations
The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.
Type xs:boolean
Used by
Complex Type maecBundle:ExploitType
Source
<xs:attribute name="known_vulnerability" type="xs:boolean">
  <xs:annotation>
    <xs:documentation>The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BaseCollectionType / @name
Namespace No namespace
Annotations
The name field specifies the name of the collection.
Type xs:string
Used by
Source
<xs:attribute name="name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The name field specifies the name of the collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ParameterType / @ordinal_position
Namespace No namespace
Annotations
This field refers to the ordinal position of the parameter with respect to the function where it is used.
Type xs:positiveInteger
Used by
Source
<xs:attribute name="ordinal_position" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>This field refers to the ordinal position of the parameter with respect to the function where it is used.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ParameterType / @name
Namespace No namespace
Annotations
The name field specifies the name of the parameter.
Type xs:string
Used by
Source
<xs:attribute name="name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The name field specifies the name of the parameter.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ParameterType / @value
Namespace No namespace
Annotations
The value field specifies the actual value of the parameter.
Type xs:string
Used by
Source
<xs:attribute name="value" type="xs:string">
  <xs:annotation>
    <xs:documentation>The value field specifies the actual value of the parameter.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:APICallType / @function_name
Namespace No namespace
Annotations
The function_name field contains the exact name of the API function called, e.g. CreateFileEx.
Type xs:string
Used by
Complex Type maecBundle:APICallType
Source
<xs:attribute name="function_name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The function_name field contains the exact name of the API function called, e.g. CreateFileEx.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:APICallType / @normalized_function_name
Namespace No namespace
Annotations
The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.
Type xs:string
Used by
Complex Type maecBundle:APICallType
Source
<xs:attribute name="normalized_function_name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ActionImplementationType / @id
Namespace No namespace
Annotations
The id field specifies a unique ID for this Action Implementation.
Type xs:QName
Used by
Source
<xs:attribute name="id" use="optional" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Action Implementation.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ActionImplementationType / @type
Namespace No namespace
Annotations
The required type field refers to the type of Action Implementation being characterized in this element.
Type maecBundle:ActionImplementationTypeEnum
Facets
enumeration api call
The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.
enumeration code
The Code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element.
Used by
Source
<xs:attribute name="type" use="required" type="maecBundle:ActionImplementationTypeEnum">
  <xs:annotation>
    <xs:documentation>The required type field refers to the type of Action Implementation being characterized in this element.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ActionCollectionType / @id
Namespace No namespace
Annotations
The id field specifies a unique ID for this Action Collection.
Type xs:QName
Used by
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Action Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehavioralActionType / @behavioral_ordering
Namespace No namespace
Annotations
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Type xs:positiveInteger
Used by
Source
<xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehavioralActionReferenceType / @behavioral_ordering
Namespace No namespace
Annotations
The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.
Type xs:positiveInteger
Used by
Source
<xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehavioralActionEquivalenceReferenceType / @action_equivalence_idref
Namespace No namespace
Annotations
The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.
Type xs:QName
Used by
Source
<xs:attribute name="action_equivalence_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehavioralActionEquivalenceReferenceType / @behavioral_ordering
Namespace No namespace
Annotations
The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.
Type xs:positiveInteger
Used by
Source
<xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehaviorRelationshipType / @type
Namespace No namespace
Annotations
The type field specifies the nature of the relationship between Behaviors that is being captured.
Type restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0
Type hierarchy
Facets
enumeration Preceded_By
enumeration Followed_By
enumeration Related_To
enumeration Dependent_On
Used by
Source
<xs:attribute name="type" use="optional">
  <xs:annotation>
    <xs:documentation>The type field specifies the nature of the relationship between Behaviors that is being captured.</xs:documentation>
  </xs:annotation>
  <xs:simpleType>
    <xs:restriction base="cyboxVocabs:ActionRelationshipTypeEnum-1.0">
      <xs:enumeration value="Preceded_By"/>
      <xs:enumeration value="Followed_By"/>
      <xs:enumeration value="Related_To"/>
      <xs:enumeration value="Dependent_On"/>
    </xs:restriction>
  </xs:simpleType>
</xs:attribute>
Attribute maecBundle:BehaviorType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Behavior.
Type xs:QName
Used by
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this Behavior.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehaviorType / @ordinal_position
Namespace No namespace
Annotations
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
Type xs:positiveInteger
Used by
Source
<xs:attribute name="ordinal_position" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehaviorType / @status
Namespace No namespace
Annotations
The status field specifies the execution status of the Behavior being characterized.
Type cybox:ActionStatusTypeEnum
Facets
enumeration Success
Specifies a cyber observable action that was successful.
enumeration Fail
Specifies a cyber observable action that failed.
enumeration Error
Specifies a cyber observable action that resulted in an error.
enumeration Complete/Finish
Specifies a cyber observable action that completed or finished. This action status does not specify the result of the action (e.g., Success/Error).
enumeration Pending
Specifies a cyber observable action is pending.
enumeration Ongoing
Specifies a cyber observable action that is ongoing.
enumeration Unknown
Specifies a cyber observable action with an unknown status.
Source
<xs:attribute name="status" type="cybox:ActionStatusTypeEnum">
  <xs:annotation>
    <xs:documentation>The status field specifies the execution status of the Behavior being characterized.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehaviorType / @duration
Namespace No namespace
Annotations
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
Type xs:duration
Source
<xs:attribute name="duration" type="xs:duration">
  <xs:annotation>
    <xs:documentation>The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CandidateIndicatorCompositionType / @operator
Namespace No namespace
Annotations
The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.
Type cybox:OperatorTypeEnum
Facets
enumeration AND
Specifies the AND logical composition operation.
enumeration OR
Specifies the OR logical composition operation.
Source
<xs:attribute name="operator" type="cybox:OperatorTypeEnum">
  <xs:annotation>
    <xs:documentation>The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CandidateIndicatorType / @id
Namespace No namespace
Annotations
The id field specifies a unique ID for this Candidate Indicator.
Type xs:QName
Source
<xs:attribute name="id" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CandidateIndicatorType / @creation_datetime
Namespace No namespace
Annotations
The creation_datetime field specifies the date/time that the Candidate Indicator was created.
Type xs:dateTime
Source
<xs:attribute name="creation_datetime" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>The creation_datetime field specifies the date/time that the Candidate Indicator was created.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CandidateIndicatorType / @lastupdate_datetime
Namespace No namespace
Annotations
The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.
Type xs:dateTime
Source
<xs:attribute name="lastupdate_datetime" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CandidateIndicatorType / @version
Namespace No namespace
Annotations
The version field specifies the version of the Candidate Indicator.
Type xs:string
Source
<xs:attribute name="version" type="xs:string">
  <xs:annotation>
    <xs:documentation>The version field specifies the version of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BehaviorCollectionType / @id
Namespace No namespace
Annotations
The id field specifies a unique ID for this Behavior Collection.
Type xs:QName
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Behavior Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:ObjectCollectionType / @id
Namespace No namespace
Annotations
The id attribute specifies a unique ID for this Object Collection.
Type xs:QName
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id attribute specifies a unique ID for this Object Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:CandidateIndicatorCollectionType / @id
Namespace No namespace
Annotations
The id field specifies a unique ID for this Candidate Indicator Collection.
Type xs:QName
Source
<xs:attribute name="id" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Candidate Indicator Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BundleType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this MAEC Bundle.
Type xs:QName
Used by
Complex Type maecBundle:BundleType
Source
<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this MAEC Bundle.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BundleType / @schema_version
Namespace No namespace
Annotations
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
Type xs:string
Used by
Complex Type maecBundle:BundleType
Source
<xs:attribute name="schema_version" type="xs:string" use="required" fixed="4.1">
  <xs:annotation>
    <xs:documentation>The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BundleType / @defined_subject
Namespace No namespace
Annotations
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
Type xs:boolean
Used by
Complex Type maecBundle:BundleType
Source
<xs:attribute name="defined_subject" type="xs:boolean" use="required">
  <xs:annotation>
    <xs:documentation>The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BundleType / @content_type
Namespace No namespace
Annotations
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
Type maecBundle:BundleContentTypeEnum
Facets
enumeration dynamic analysis tool output
The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.
enumeration static analysis tool output
The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.
enumeration manual analysis output
The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.
enumeration extracted from subject
The extracted from subject value specifies that the Bundle primarily captures some data that was extracted from the Malware Subject, such as some PE Header fields.
enumeration mixed
The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.
enumeration other
The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.
Used by
Complex Type maecBundle:BundleType
Source
<xs:attribute name="content_type" type="maecBundle:BundleContentTypeEnum">
  <xs:annotation>
    <xs:documentation>The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute maecBundle:BundleType / @timestamp
Namespace No namespace
Annotations
The timestamp field specifies the date/time that the bundle was generated.
Type xs:dateTime
Used by
Complex Type maecBundle:BundleType
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>The timestamp field specifies the date/time that the bundle was generated.</xs:documentation>
  </xs:annotation>
</xs:attribute>
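A consumer-side check of the BundleType attributes documented above, as an added example that is not part of the MAEC schema or of MITRE's tooling. It also enforces the rule stated only in the annotations: when defined_subject is true, the Bundle must carry Malware_Instance_Object_Attributes. The root element name MAEC_Bundle, the example: ID prefix and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
CONTENT_TYPES = {
    "dynamic analysis tool output", "static analysis tool output",
    "manual analysis output", "extracted from subject", "mixed", "other",
}
# Lexical space of xs:boolean; "True" and "False" are not valid.
XS_BOOLEAN = {"true": True, "1": True, "false": False, "0": False}

def check_bundle(xml_text):
    """Return the problems found in the root element's BundleType attributes."""
    # For untrusted input, parse with a hardened parser (entity expansion disabled).
    root = ET.fromstring(xml_text)
    problems = []
    if not root.get("id"):
        problems.append("id is required")
    if root.get("schema_version") != "4.1":
        problems.append("schema_version is required and fixed to 4.1")
    subject = XS_BOOLEAN.get((root.get("defined_subject") or "").strip())
    if subject is None:
        problems.append("defined_subject is required and must be an xs:boolean")
    content_type = root.get("content_type")
    if content_type is not None and content_type not in CONTENT_TYPES:
        problems.append("content_type is not a BundleContentTypeEnum value")
    # Co-occurrence rule stated in the annotations, not in the attribute declaration.
    has_attrs = root.find("{%s}Malware_Instance_Object_Attributes" % NS) is not None
    if subject is True and not has_attrs:
        problems.append("defined_subject is true but Malware_Instance_Object_Attributes is absent")
    return problems

# Constructed sample documents (not real analysis output).
HEAD = '<MAEC_Bundle xmlns="%s" xmlns:example="http://example.com/" ' % NS
GOOD = HEAD + ('id="example:bundle-1" schema_version="4.1" defined_subject="true" '
               'content_type="dynamic analysis tool output">'
               '<Malware_Instance_Object_Attributes/></MAEC_Bundle>')
NO_SUBJECT = HEAD + 'id="example:bundle-2" schema_version="4.1" defined_subject="1"/>'
BAD = HEAD + 'schema_version="4.0" defined_subject="True" content_type="sandbox"/>'

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_SUBJECT", NO_SUBJECT), ("BAD", BAD)):
        print(name, check_bundle(doc))
```

The check complements XSD validation rather than replacing it: it does not verify that id is a well-formed xs:QName or that timestamp is a valid xs:dateTime.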