Schema documentation for maec_bundle

Showing:

Annotations

Attributes

Diagrams

Facets

Identity Constraints

Source

Used by

Imported schema maec_bundle_schema.xsd

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The following is a description of the elements, types, and attributes that compose Malware Attribute Enumeration and Characterization (MAEC) Bundle schema.

The MAEC Bundle Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.

This schema imports the CyBOX schema and object schemas. More info on CybOX can be found at http://cybox.mitre.org.

Element maecBundle:ObjectReferenceListType / maecBundle:Object_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Object_Reference field specifies a reference to a single CybOX Object.

Diagram

Type

maecBundle:ObjectReferenceType

Attributes

QName

Type

Use

Annotation

object_idref

xs:QName

required

The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.

Source

<xs:element maxOccurs="unbounded" name="Object_Reference" type="maecBundle:ObjectReferenceType">
  <xs:annotation>
    <xs:documentation>The Object_Reference field specifies a reference to a single CybOX Object.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Malware_Instance_Object_Attributes

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.

Diagram

Type

cybox:ObjectType

Children

cybox:Defined_Effect, cybox:Description, cybox:Discovery_Method, cybox:Domain_Specific_Object_Properties, cybox:Location, cybox:Properties, cybox:Related_Objects, cybox:State

Attributes

QName

Type

Use

Annotation

has_changed

xs:boolean

optional

The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.

xs:QName

optional

The id field specifies a unique id for this Object.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Object defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.

Source

<xs:element minOccurs="0" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType">
  <xs:annotation>
    <xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:AV_Classifications

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.

Diagram

Type

maecBundle:AVClassificationsType

Children

maecBundle:AV_Classification

Source

<xs:element minOccurs="0" name="AV_Classifications" type="maecBundle:AVClassificationsType">
  <xs:annotation>
    <xs:documentation>The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:AVClassificationsType / maecBundle:AV_Classification

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The AV_Classification field captures a single AV classication of the malware instance object.

Diagram

Type

maecBundle:AVClassificationType

Type hierarchy

cyboxCommon:ToolInformationType
- maecBundle:AVClassificationType

Children

cyboxCommon:Compensation_Model, cyboxCommon:Description, cyboxCommon:Errors, cyboxCommon:Execution_Environment, cyboxCommon:Metadata, cyboxCommon:Name, cyboxCommon:References, cyboxCommon:Service_Pack, cyboxCommon:Tool_Configuration, cyboxCommon:Tool_Hashes, cyboxCommon:Tool_Specific_Data, cyboxCommon:Type, cyboxCommon:Vendor, cyboxCommon:Version, maecBundle:Classification_Name, maecBundle:Definition_Version, maecBundle:Engine_Version

Attributes

QName

Type

Use

Annotation

xs:QName

optional

The id field specifies a unique ID for this Tool.

idref

xs:QName

optional

The idref field specifies reference to a unique ID for this Tool.

When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.

Source

<xs:element maxOccurs="unbounded" name="AV_Classification" type="maecBundle:AVClassificationType">
  <xs:annotation>
    <xs:documentation>The AV_Classification field captures a single AV classication of the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:AVClassificationType / maecBundle:Engine_Version

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Engine_Version" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:AVClassificationType / maecBundle:Definition_Version

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Definition_Version" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:AVClassificationType / maecBundle:Classification_Name

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Classification_Name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Process_Tree

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.

Diagram

Type

maecBundle:ProcessTreeType

Children

maecBundle:Root_Process

Source

<xs:element minOccurs="0" name="Process_Tree" type="maecBundle:ProcessTreeType">
  <xs:annotation>
    <xs:documentation>The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ProcessTreeType / maecBundle:Root_Process

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Root_Process field captures the root process in the process tree.

Diagram

Type

maecBundle:ProcessTreeNodeType

Type hierarchy

cyboxCommon:ObjectPropertiesType
- ProcessObj:ProcessObjectType
  - maecBundle:ProcessTreeNodeType

Children

ProcessObj:Argument_List, ProcessObj:Child_PID_List, ProcessObj:Creation_Time, ProcessObj:Environment_Variable_List, ProcessObj:Extracted_Features, ProcessObj:Image_Info, ProcessObj:Kernel_Time, ProcessObj:Name, ProcessObj:Network_Connection_List, ProcessObj:PID, ProcessObj:Parent_PID, ProcessObj:Port_List, ProcessObj:Start_Time, ProcessObj:Status, ProcessObj:User_Time, ProcessObj:Username, cyboxCommon:Custom_Properties, maecBundle:Initiated_Actions, maecBundle:Injected_Process, maecBundle:Spawned_Process

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for the Process Node.

is_hidden

xs:boolean

optional

The is_hidden field specifies whether the process is hidden or not.

object_reference

xs:QName

optional

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.

parent_action_idref

xs:QName

optional

The parent_action_idref field specifies the id of the action that created or injected this process.

Source

<xs:element name="Root_Process" type="maecBundle:ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The Root_Process field captures the root process in the process tree.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ProcessTreeNodeType / maecBundle:Initiated_Actions

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.

Diagram

Type

maecBundle:ActionReferenceListType

Children

maecBundle:Action_Reference

Source

<xs:element minOccurs="0" name="Initiated_Actions" type="maecBundle:ActionReferenceListType">
  <xs:annotation>
    <xs:documentation>The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionReferenceListType / maecBundle:Action_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Reference field specifies a reference to a single Action.

Diagram

Type

cybox:ActionReferenceType

Attributes

QName

Type

Use

Annotation

action_id

xs:QName

required

The action_id field refers to the id of the action being referenced.

Source

<xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Reference field specifies a reference to a single Action.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ProcessTreeNodeType / maecBundle:Spawned_Process

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Spawned_Process field captures a single child process spawned by this process.

Diagram

Type

maecBundle:ProcessTreeNodeType

Type hierarchy

cyboxCommon:ObjectPropertiesType
- ProcessObj:ProcessObjectType
  - maecBundle:ProcessTreeNodeType

Children

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for the Process Node.

is_hidden

xs:boolean

optional

The is_hidden field specifies whether the process is hidden or not.

object_reference

xs:QName

optional

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.

parent_action_idref

xs:QName

optional

The parent_action_idref field specifies the id of the action that created or injected this process.

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="Spawned_Process" type="maecBundle:ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The Spawned_Process field captures a single child process spawned by this process.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ProcessTreeNodeType / maecBundle:Injected_Process

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Injected_Process field captures a single process that was injected by this process.

Diagram

Type

maecBundle:ProcessTreeNodeType

Type hierarchy

cyboxCommon:ObjectPropertiesType
- ProcessObj:ProcessObjectType
  - maecBundle:ProcessTreeNodeType

Children

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for the Process Node.

is_hidden

xs:boolean

optional

The is_hidden field specifies whether the process is hidden or not.

object_reference

xs:QName

optional

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.

parent_action_idref

xs:QName

optional

The parent_action_idref field specifies the id of the action that created or injected this process.

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="Injected_Process" type="maecBundle:ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The Injected_Process field captures a single process that was injected by this process.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Capabilities

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.

Diagram

Type

maecBundle:CapabilityListType

Children

maecBundle:Capability, maecBundle:Capability_Reference

Source

<xs:element minOccurs="0" name="Capabilities" type="maecBundle:CapabilityListType">
  <xs:annotation>
    <xs:documentation>The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityListType / maecBundle:Capability

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.

Diagram

Type

maecBundle:CapabilityType

Children

maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Property, maecBundle:Relationship, maecBundle:Strategic_Objective, maecBundle:Tactical_Objective

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for this MAEC Capability.

name

maecVocabs:MalwareCapabilityEnum-1.0

optional

The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.

Source

<xs:element maxOccurs="1" minOccurs="1" name="Capability" type="maecBundle:CapabilityType">
  <xs:annotation>
    <xs:documentation>The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field captures a basic textual description of the Capability.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field captures a basic textual description of the Capability.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityType / maecBundle:Property

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.

Diagram

Type

maecBundle:CapabilityPropertyType

Children

maecBundle:Name, maecBundle:Value

Source

<xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityPropertyType / maecBundle:Name

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.

Diagram

Type

cyboxCommon:ControlledVocabularyStringType

Type hierarchy

xs:anySimpleType
- cyboxCommon:PatternableFieldType
  - cyboxCommon:ControlledVocabularyStringType

Attributes

QName

Type

Default

Use

Annotation

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

vocab_name

xs:string

optional

The vocab_name field specifies the name of the controlled vocabulary.

vocab_reference

xs:anyURI

optional

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Source

<xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityPropertyType / maecBundle:Value

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Value field specifies the value of the property being captured.

Diagram

Type

cyboxCommon:StringObjectPropertyType

Type hierarchy

xs:anySimpleType
- cyboxCommon:BaseObjectPropertyType
  - cyboxCommon:StringObjectPropertyType

Attributes

QName

Type

Default

Use

Annotation

appears_random

xs:boolean

optional

This field is optional and conveys whether the associated object property value appears to somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

datatype

cyboxCommon:DatatypeEnum

string

optional

This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.

defanging_algorithm_ref

xs:anyURI

optional

This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

xs:QName

optional

The id field specifies a unique ID for this Object Property.

idref

xs:QName

optional

The idref field specifies a unique ID reference for this Object Property.

When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

is_defanged

xs:boolean

optional

This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).

is_obfuscated

xs:boolean

optional

This field is optional and conveys whether the associated Object property has been obfuscated.

obfuscation_algorithm_ref

xs:anyURI

optional

This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.

observed_encoding

xs:string

optional

This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.

It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).

This field is intended to be applicable only to fields which contain string values.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

refanging_transform

xs:string

optional

This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.

refanging_transform_type

xs:string

optional

This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

Source

<xs:element minOccurs="0" name="Value" type="cyboxCommon:StringObjectPropertyType">
  <xs:annotation>
    <xs:documentation>The Value field specifies the value of the property being captured.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityType / maecBundle:Strategic_Objective

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.

Diagram

Type

maecBundle:CapabilityObjectiveType

Children

maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Name, maecBundle:Property, maecBundle:Relationship

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for this Capability Objective.

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="Strategic_Objective" type="maecBundle:CapabilityObjectiveType">
  <xs:annotation>
    <xs:documentation>The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveType / maecBundle:Name

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.

Diagram

Type

cyboxCommon:ControlledVocabularyStringType

Type hierarchy

xs:anySimpleType
- cyboxCommon:PatternableFieldType
  - cyboxCommon:ControlledVocabularyStringType

Attributes

QName

Type

Default

Use

Annotation

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

vocab_name

xs:string

optional

The vocab_name field specifies the name of the controlled vocabulary.

vocab_reference

xs:anyURI

optional

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Source

<xs:element name="Name" minOccurs="0" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field captures a basic textual description of the Capability Objective.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field captures a basic textual description of the Capability Objective.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveType / maecBundle:Property

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.

Diagram

Type

maecBundle:CapabilityPropertyType

Children

maecBundle:Name, maecBundle:Value

Source

<xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveType / maecBundle:Behavior_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.

Diagram

Type

maecBundle:BehaviorReferenceType

Attributes

QName

Type

Use

Annotation

behavior_idref

xs:QName

required

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Source

<xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveType / maecBundle:Relationship

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.

Diagram

Type

maecBundle:CapabilityObjectiveRelationshipType

Children

maecBundle:Objective_Reference, maecBundle:Relationship_Type

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="Relationship" type="maecBundle:CapabilityObjectiveRelationshipType">
  <xs:annotation>
    <xs:documentation>The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveRelationshipType / maecBundle:Relationship_Type

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).

Diagram

Type

cyboxCommon:ControlledVocabularyStringType

Type hierarchy

xs:anySimpleType
- cyboxCommon:PatternableFieldType
  - cyboxCommon:ControlledVocabularyStringType

Attributes

QName

Type

Default

Use

Annotation

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

vocab_name

xs:string

optional

The vocab_name field specifies the name of the controlled vocabulary.

vocab_reference

xs:anyURI

optional

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Source

<xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityObjectiveRelationshipType / maecBundle:Objective_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Objective_Reference field references a single Capability Objective (either Strategic or Objective) in the relationship.

Diagram

Type

maecBundle:CapabilityObjectiveReferenceType

Attributes

QName

Type

Use

Annotation

objective_idref

xs:QName

required

The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.

Source

<xs:element maxOccurs="unbounded" minOccurs="1" name="Objective_Reference" type="maecBundle:CapabilityObjectiveReferenceType">
  <xs:annotation>
    <xs:documentation>The Objective_Reference field references a single Capability Objective (either Strategic or Objective) in the relationship.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityType / maecBundle:Tactical_Objective

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.

Diagram

Type

maecBundle:CapabilityObjectiveType

Children

maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Name, maecBundle:Property, maecBundle:Relationship

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for this Capability Objective.

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="Tactical_Objective" type="maecBundle:CapabilityObjectiveType">
  <xs:annotation>
    <xs:documentation>The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityType / maecBundle:Behavior_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.

Diagram

Type

maecBundle:BehaviorReferenceType

Attributes

QName

Type

Use

Annotation

behavior_idref

xs:QName

required

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Source

<xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityType / maecBundle:Relationship

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Relationship field captures a relationship from the Capability to one or more other Capabilities.

Diagram

Type

maecBundle:CapabilityRelationshipType

Children

maecBundle:Capability_Reference, maecBundle:Relationship_Type

Source

<xs:element minOccurs="0" name="Relationship" maxOccurs="unbounded" type="maecBundle:CapabilityRelationshipType">
  <xs:annotation>
    <xs:documentation>The Relationship field captures a relationship from the Capability to one or more other Capabilities.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityRelationshipType / maecBundle:Relationship_Type

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Relationship_Type field captures the type of relationship being expressed between Capabilities.

Diagram

Type

cyboxCommon:ControlledVocabularyStringType

Type hierarchy

xs:anySimpleType
- cyboxCommon:PatternableFieldType
  - cyboxCommon:ControlledVocabularyStringType

Attributes

QName

Type

Default

Use

Annotation

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

vocab_name

xs:string

optional

The vocab_name field specifies the name of the controlled vocabulary.

vocab_reference

xs:anyURI

optional

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Source

<xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Capabilities.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityRelationshipType / maecBundle:Capability_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Capability_Reference field references a single Capability in the relationship, via its ID.

Diagram

Type

maecBundle:CapabilityReferenceType

Attributes

QName

Type

Use

Annotation

capability_idref

xs:QName

required

The capability_idref field references the ID of a Capability contained inside the current MAEC document.

Source

<xs:element maxOccurs="unbounded" minOccurs="1" name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
  <xs:annotation>
    <xs:documentation>The Capability_Reference field references a single Capability in the relationship, via its ID.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CapabilityListType / maecBundle:Capability_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.

Diagram

Type

maecBundle:CapabilityReferenceType

Attributes

QName

Type

Use

Annotation

capability_idref

xs:QName

required

The capability_idref field references the ID of a Capability contained inside the current MAEC document.

Source

<xs:element name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
  <xs:annotation>
    <xs:documentation>The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Behaviors

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.

Diagram

Type

maecBundle:BehaviorListType

Children

maecBundle:Behavior

Source

<xs:element minOccurs="0" name="Behaviors" type="maecBundle:BehaviorListType">
  <xs:annotation>
    <xs:documentation>The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorListType / maecBundle:Behavior

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior field specifies a single Behavior in the list.

Diagram

Type

maecBundle:BehaviorType

Children

maecBundle:Action_Composition, maecBundle:Associated_Code, maecBundle:Description, maecBundle:Discovery_Method, maecBundle:Purpose, maecBundle:Relationships

Attributes

QName

Type

Use

Annotation

duration

xs:duration

optional

The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.

xs:QName

required

The required id field specifies a unique ID for this Behavior.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.

status

cybox:ActionStatusTypeEnum

optional

The status field specifies the execution status of the Behavior being characterized.

Source

<xs:element name="Behavior" type="maecBundle:BehaviorType" maxOccurs="unbounded" form="qualified" minOccurs="1">
  <xs:annotation>
    <xs:documentation>The Behavior field specifies a single Behavior in the list.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorType / maecBundle:Purpose

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as way to state the nature of the Behavior apart from its constituent actions.

Diagram

Type

maecBundle:BehaviorPurposeType

Children

maecBundle:Description, maecBundle:Vulnerability_Exploit

Source

<xs:element minOccurs="0" name="Purpose" type="maecBundle:BehaviorPurposeType">
  <xs:annotation>
    <xs:documentation>The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as way to state the nature of the Behavior apart from its constituent actions.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorPurposeType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorPurposeType / maecBundle:Vulnerability_Exploit

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).

Diagram

Type

maecBundle:ExploitType

Children

maecBundle:CVE, maecBundle:CWE_ID, maecBundle:Targeted_Platforms

Attributes

QName

Type

Use

Annotation

known_vulnerability

xs:boolean

optional

The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.

Source

<xs:element minOccurs="0" name="Vulnerability_Exploit" type="maecBundle:ExploitType">
  <xs:annotation>
    <xs:documentation>The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ExploitType / maecBundle:CVE

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.

Diagram

Type

maecBundle:CVEVulnerabilityType

Children

maecBundle:Description

Attributes

QName

Type

Use

Annotation

cve_id

xs:string

required

The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.

Source

<xs:element minOccurs="0" name="CVE" type="maecBundle:CVEVulnerabilityType">
  <xs:annotation>
    <xs:documentation>The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CVEVulnerabilityType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field specifies the textual description of the vulnerability referenced by the cve_id.

Diagram

Type

xs:string

Source

<xs:element name="Description" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field specifies the textual description of the vulnerability referenced by the cve_id.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ExploitType / maecBundle:CWE_ID

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.

Diagram

Type

xs:string

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="CWE_ID" type="xs:string">
  <xs:annotation>
    <xs:documentation>The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ExploitType / maecBundle:Targeted_Platforms

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Targeted_Platforms field specifies the platforms(s) targeted by the vulnerability exploit.

Diagram

Type

maecBundle:PlatformListType

Children

maecBundle:Platform

Source

<xs:element minOccurs="0" name="Targeted_Platforms" type="maecBundle:PlatformListType">
  <xs:annotation>
    <xs:documentation>The Targeted_Platforms field specifies the platforms(s) targeted by the vulnerability exploit.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:PlatformListType / maecBundle:Platform

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.

Diagram

Type

cyboxCommon:PlatformSpecificationType

Children

cyboxCommon:Description, cyboxCommon:Identifier

Source

<xs:element maxOccurs="unbounded" name="Platform" type="cyboxCommon:PlatformSpecificationType">
  <xs:annotation>
    <xs:documentation>The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field specifies a prose textual description of the Behavior.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field specifies a prose textual description of the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorType / maecBundle:Discovery_Method

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Discovery_Method field specifies the method used to discover the Behavior.

Diagram

Type

cyboxCommon:MeasureSourceType

Children

cyboxCommon:Contributors, cyboxCommon:Description, cyboxCommon:Information_Source_Type, cyboxCommon:Instance, cyboxCommon:Observable_Location, cyboxCommon:Observation_Location, cyboxCommon:Platform, cyboxCommon:System, cyboxCommon:Time, cyboxCommon:Tool_Type, cyboxCommon:Tools

Attributes

QName

Type

Use

Annotation

class

cyboxCommon:SourceClassTypeEnum

optional

The class field is optional and enables identification of the high-level class of this cyber observation source.

name

xs:string

optional

The name field is optional and enables the assignment of a relevant name to this Discovery Method.

sighting_count

xs:positiveInteger

optional

The sighting_count field specifies how many different identical instances of a given Observable may have been seen/sighted by the observation source.

source_type

cyboxCommon:SourceTypeEnum

optional

The source_type field is optional and enables identification of the broad type of this cyber observation source.

Source

<xs:element minOccurs="0" name="Discovery_Method" type="cyboxCommon:MeasureSourceType">
  <xs:annotation>
    <xs:documentation>The Discovery_Method field specifies the method used to discover the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorType / maecBundle:Action_Composition

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Composition field captures the Actions that compose the Behavior.

Diagram

Type

maecBundle:BehavioralActionsType

Children

maecBundle:Action, maecBundle:Action_Collection, maecBundle:Action_Equivalence_Reference, maecBundle:Action_Reference

Source

<xs:element minOccurs="0" name="Action_Composition" type="maecBundle:BehavioralActionsType">
  <xs:annotation>
    <xs:documentation>The Action_Composition field captures the Actions that compose the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehavioralActionsType / maecBundle:Action_Collection

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Collection field specifies an Action Collection that is part of the behavioral composition.

Diagram

Type

maecBundle:ActionCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:ActionCollectionType

Children

maecBundle:Action_List, maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Action Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:element minOccurs="1" name="Action_Collection" type="maecBundle:ActionCollectionType">
  <xs:annotation>
    <xs:documentation>The Action_Collection field specifies an Action Collection that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BaseCollectionType / maecBundle:Affinity_Type

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.

Diagram

Type

xs:string

Source

<xs:element name="Affinity_Type" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BaseCollectionType / maecBundle:Affinity_Degree

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.

Diagram

Type

xs:string

Source

<xs:element name="Affinity_Degree" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BaseCollectionType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field contains a textual description of the collection.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field contains a textual description of the collection.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionCollectionType / maecBundle:Action_List

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_List field specifies a list of Actions that make up the collection.

Diagram

Type

maecBundle:ActionListType

Children

maecBundle:Action

Source

<xs:element name="Action_List" type="maecBundle:ActionListType">
  <xs:annotation>
    <xs:documentation>The Action_List field specifies a list of Actions that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionListType / maecBundle:Action

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action field specifies a single Action in the list.

The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.

Diagram

Type

maecBundle:MalwareActionType

Type hierarchy

cybox:ActionType
- maecBundle:MalwareActionType

Children

cybox:Action_Aliases, cybox:Action_Arguments, cybox:Associated_Objects, cybox:Description, cybox:Discovery_Method, cybox:Frequency, cybox:Location, cybox:Name, cybox:Relationships, cybox:Type, maecBundle:Implementation

Attributes

QName

Type

Default

Use

Annotation

action_status

cybox:ActionStatusTypeEnum

optional

The action_status field enables description of the status of the action being described.

context

cybox:ActionContextTypeEnum

optional

The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.

xs:QName

optional

The id field specifies a unique id for this Action.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Action defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field is intended to reference the ordinal position of the action with within a series of actions.

timestamp

xs:dateTime

optional

The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggest that all timestamps in this field include a specification of the timezone if it is known.

timestamp_precision

cyboxCommon:DateTimePrecisionEnum

second

optional

Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.

Source

<xs:element name="Action" type="maecBundle:MalwareActionType" maxOccurs="unbounded" minOccurs="1">
  <xs:annotation>
    <xs:documentation>The Action field specifies a single Action in the list.</xs:documentation>
    <xs:documentation>The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:MalwareActionType / maecBundle:Implementation

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.

Diagram

Type

maecBundle:ActionImplementationType

Children

maecBundle:API_Call, maecBundle:Code, maecBundle:Compatible_Platforms

Attributes

QName

Type

Use

Annotation

xs:QName

optional

The id field specifies a unique ID for this Action Implementation.

type

maecBundle:ActionImplementationTypeEnum

required

The required type field refers to the type of Action Implementation being characterized in this element.

Source

<xs:element minOccurs="0" name="Implementation" type="maecBundle:ActionImplementationType">
  <xs:annotation>
    <xs:documentation>The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionImplementationType / maecBundle:Compatible_Platforms

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.

Diagram

Type

maecBundle:PlatformListType

Children

maecBundle:Platform

Source

<xs:element name="Compatible_Platforms" type="maecBundle:PlatformListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionImplementationType / maecBundle:API_Call

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to 			hardware and perform system-specific functions.

Diagram

Type

maecBundle:APICallType

Children

maecBundle:Address, maecBundle:Parameters, maecBundle:Return_Value

Attributes

QName

Type

Use

Annotation

function_name

xs:string

optional

The function_name field contains the exact name of the API function called, e.g. CreateFileEx.

normalized_function_name

xs:string

optional

The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.

Source

<xs:element name="API_Call" maxOccurs="1" minOccurs="0" type="maecBundle:APICallType">
  <xs:annotation>
    <xs:documentation>The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:APICallType / maecBundle:Address

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Address field contains the address of the API call in the binary.

Diagram

Type

xs:hexBinary

Source

<xs:element name="Address" type="xs:hexBinary" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Address field contains the address of the API call in the binary.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:APICallType / maecBundle:Return_Value

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Return_Value field contains the return value of the API call.

Diagram

Type

xs:string

Source

<xs:element name="Return_Value" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Return_Value field contains the return value of the API call.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:APICallType / maecBundle:Parameters

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Parameter field captures any name/value pairs of the parameters passed into the API call.

Diagram

Type

maecBundle:ParameterListType

Children

maecBundle:Parameter

Source

<xs:element minOccurs="0" name="Parameters" type="maecBundle:ParameterListType">
  <xs:annotation>
    <xs:documentation>The Parameter field captures any name/value pairs of the parameters passed into the API call.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ParameterListType / maecBundle:Parameter

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Parameter field specifies a single function parameter.

Diagram

Type

maecBundle:ParameterType

Attributes

QName

Type

Use

Annotation

name

xs:string

optional

The name field specifies the name of the parameter.

ordinal_position

xs:positiveInteger

optional

This field refers to the ordinal position of the parameter with respect to the function where it is used.

value

xs:string

optional

The value field specifies the actual value of the parameter.

Source

<xs:element maxOccurs="unbounded" name="Parameter" type="maecBundle:ParameterType">
  <xs:annotation>
    <xs:documentation>The Parameter field specifies a single function parameter.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionImplementationType / maecBundle:Code

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Code field contains any form of code that was used to implement the action.

Diagram

Type

CodeObj:CodeObjectType

Type hierarchy

cyboxCommon:ObjectPropertiesType
- CodeObj:CodeObjectType

Children

CodeObj:Code_Language, CodeObj:Code_Segment, CodeObj:Code_Segment_XOR, CodeObj:Description, CodeObj:Digital_Signatures, CodeObj:Discovery_Method, CodeObj:Extracted_Features, CodeObj:Processor_Family, CodeObj:Purpose, CodeObj:Start_Address, CodeObj:Targeted_Platforms, CodeObj:Type, cyboxCommon:Custom_Properties

Attributes

QName

Type

Use

Annotation

object_reference

xs:QName

optional

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

Source

<xs:element name="Code" maxOccurs="unbounded" type="CodeObj:CodeObjectType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Code field contains any form of code that was used to implement the action.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehavioralActionsType / maecBundle:Action

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action field specifies a single Action that is part of the behavioral composition.

Diagram

Type

maecBundle:BehavioralActionType

Type hierarchy

cybox:ActionType
- maecBundle:MalwareActionType
  - maecBundle:BehavioralActionType

Children

Attributes

QName

Type

Default

Use

Annotation

action_status

cybox:ActionStatusTypeEnum

optional

The action_status field enables description of the status of the action being described.

behavioral_ordering

xs:positiveInteger

optional

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.

context

cybox:ActionContextTypeEnum

optional

The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.

xs:QName

optional

The id field specifies a unique id for this Action.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Action defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field is intended to reference the ordinal position of the action with within a series of actions.

timestamp

xs:dateTime

optional

The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggest that all timestamps in this field include a specification of the timezone if it is known.

timestamp_precision

cyboxCommon:DateTimePrecisionEnum

second

optional

Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.

Source

<xs:element minOccurs="1" name="Action" type="maecBundle:BehavioralActionType">
  <xs:annotation>
    <xs:documentation>The Action field specifies a single Action that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehavioralActionsType / maecBundle:Action_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.

Diagram

Type

maecBundle:BehavioralActionReferenceType

Type hierarchy

cybox:ActionReferenceType
- maecBundle:BehavioralActionReferenceType

Attributes

QName

Type

Use

Annotation

action_id

xs:QName

required

The action_id field refers to the id of the action being referenced.

behavioral_ordering

xs:positiveInteger

optional

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.

Source

<xs:element name="Action_Reference" type="maecBundle:BehavioralActionReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehavioralActionsType / maecBundle:Action_Equivalence_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.

Diagram

Type

maecBundle:BehavioralActionEquivalenceReferenceType

Attributes

QName

Type

Use

Annotation

action_equivalence_idref

xs:QName

required

The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.

behavioral_ordering

xs:positiveInteger

optional

The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.

Source

<xs:element name="Action_Equivalence_Reference" type="maecBundle:BehavioralActionEquivalenceReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorType / maecBundle:Associated_Code

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Associated_Code field specifies any code snippets that may be associated with the Behavior.

Diagram

Type

maecBundle:AssociatedCodeType

Children

maecBundle:Code_Snippet

Source

<xs:element minOccurs="0" name="Associated_Code" type="maecBundle:AssociatedCodeType">
  <xs:annotation>
    <xs:documentation>The Associated_Code field specifies any code snippets that may be associated with the Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:AssociatedCodeType / maecBundle:Code_Snippet

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.

Diagram

Type

CodeObj:CodeObjectType

Type hierarchy

cyboxCommon:ObjectPropertiesType
- CodeObj:CodeObjectType

Children

Attributes

QName

Type

Use

Annotation

object_reference

xs:QName

optional

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

Source

<xs:element maxOccurs="unbounded" name="Code_Snippet" type="CodeObj:CodeObjectType">
  <xs:annotation>
    <xs:documentation>The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorType / maecBundle:Relationships

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Relationships field specifies any relationships between this Behavior and any other Behaviors.

Diagram

Type

maecBundle:BehaviorRelationshipListType

Children

maecBundle:Relationship

Source

<xs:element minOccurs="0" name="Relationships" type="maecBundle:BehaviorRelationshipListType">
  <xs:annotation>
    <xs:documentation>The Relationships field specifies any relationships between this Behavior and any other Behaviors.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorRelationshipListType / maecBundle:Relationship

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.

Diagram

Type

maecBundle:BehaviorRelationshipType

Children

maecBundle:Behavior_Reference

Attributes

QName

Type

Use

Annotation

type

restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0

optional

The type field specifies the nature of the relationship between Behaviors that is being captured.

Source

<xs:element maxOccurs="unbounded" name="Relationship" type="maecBundle:BehaviorRelationshipType">
  <xs:annotation>
    <xs:documentation>The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorRelationshipType / maecBundle:Behavior_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Reference field specifies a reference to a single Behavior in the relationship.

Diagram

Type

maecBundle:BehaviorReferenceType

Attributes

QName

Type

Use

Annotation

behavior_idref

xs:QName

required

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Source

<xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the relationship.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Actions

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.

Diagram

Type

maecBundle:ActionListType

Children

maecBundle:Action

Source

<xs:element minOccurs="0" name="Actions" type="maecBundle:ActionListType">
  <xs:annotation>
    <xs:documentation>The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Objects

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.

Diagram

Type

maecBundle:ObjectListType

Children

maecBundle:Object

Source

<xs:element minOccurs="0" name="Objects" type="maecBundle:ObjectListType">
  <xs:annotation>
    <xs:documentation>The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ObjectListType / maecBundle:Object

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.

Diagram

Type

cybox:ObjectType

Children

Attributes

QName

Type

Use

Annotation

has_changed

xs:boolean

optional

The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.

xs:QName

optional

The id field specifies a unique id for this Object.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Object defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.

Source

<xs:element maxOccurs="unbounded" name="Object" type="cybox:ObjectType">
  <xs:annotation>
    <xs:documentation>The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Candidate_Indicators

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.

Diagram

Type

maecBundle:CandidateIndicatorListType

Children

maecBundle:Candidate_Indicator

Source

<xs:element minOccurs="0" name="Candidate_Indicators" type="maecBundle:CandidateIndicatorListType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorListType / maecBundle:Candidate_Indicator

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Candidate_Indicator field specifies a single Candidate Indicator in the list.

Diagram

Type

maecBundle:CandidateIndicatorType

Children

maecBundle:Author, maecBundle:Composition, maecBundle:Description, maecBundle:Importance, maecBundle:Malware_Entity, maecBundle:Numeric_Importance

Attributes

QName

Type

Use

Annotation

creation_datetime

xs:dateTime

optional

The creation_datetime field specifies the date/time that the Candidate Indicator was created.

xs:QName

required

The id field specifies a unique ID for this Candidate Indicator.

lastupdate_datetime

xs:dateTime

optional

The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.

version

xs:string

optional

The version field specifies the version of the Candidate Indicator.

Source

<xs:element maxOccurs="unbounded" name="Candidate_Indicator" type="maecBundle:CandidateIndicatorType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator field specifies a single Candidate Indicator in the list.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorType / maecBundle:Importance

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Importance field specifies the relative importance of the Candidate Indicator.

This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.

Diagram

Type

cyboxCommon:ControlledVocabularyStringType

Type hierarchy

xs:anySimpleType
- cyboxCommon:PatternableFieldType
  - cyboxCommon:ControlledVocabularyStringType

Attributes

QName

Type

Default

Use

Annotation

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

vocab_name

xs:string

optional

The vocab_name field specifies the name of the controlled vocabulary.

vocab_reference

xs:anyURI

optional

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Source

<xs:element minOccurs="0" name="Importance" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Importance field specifies the relative importance of the Candidate Indicator.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorType / maecBundle:Numeric_Importance

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.

Diagram

Type

xs:positiveInteger

Source

<xs:element minOccurs="0" name="Numeric_Importance" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorType / maecBundle:Author

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Author field specifies the author of the Candidate Indicator.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Author" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Author field specifies the author of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field provides a brief description of the Candidate Indicator.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field provides a brief description of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorType / maecBundle:Malware_Entity

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.

Diagram

Type

maecBundle:MalwareEntityType

Children

maecBundle:Description, maecBundle:Name, maecBundle:Type

Source

<xs:element minOccurs="0" name="Malware_Entity" type="maecBundle:MalwareEntityType">
  <xs:annotation>
    <xs:documentation>The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:MalwareEntityType / maecBundle:Type

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Type field refers to the specific type of malware entity that the indicator or signature is written against.

This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.

Diagram

Type

cyboxCommon:ControlledVocabularyStringType

Type hierarchy

xs:anySimpleType
- cyboxCommon:PatternableFieldType
  - cyboxCommon:ControlledVocabularyStringType

Attributes

QName

Type

Default

Use

Annotation

apply_condition

cyboxCommon:ConditionApplicationEnum

ANY

optional

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

bit_mask

xs:hexBinary

optional

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

condition

cyboxCommon:ConditionTypeEnum

optional

This field is optional and defines the relevant condition to apply to the value.

delimiter

xs:string

##comma##

optional

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

has_changed

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

is_case_sensitive

xs:boolean

true

optional

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

pattern_type

cyboxCommon:PatternTypeEnum

optional

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

regex_syntax

xs:string

optional

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

trend

xs:boolean

optional

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

vocab_name

xs:string

optional

The vocab_name field specifies the name of the controlled vocabulary.

vocab_reference

xs:anyURI

optional

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Source

<xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The Type field refers to the specific type of malware entity that the indicator or signature is written against.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:MalwareEntityType / maecBundle:Name

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:MalwareEntityType / maecBundle:Description

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.

Diagram

Type

xs:string

Source

<xs:element minOccurs="0" name="Description" type="xs:string">
  <xs:annotation>
    <xs:documentation>The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorType / maecBundle:Composition

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to a one or more MAEC entities contained in the Bundle.

Diagram

Type

maecBundle:CandidateIndicatorCompositionType

Children

maecBundle:Action_Reference, maecBundle:Behavior_Reference, maecBundle:Object_Reference, maecBundle:Sub_Composition

Attributes

QName

Type

Use

Annotation

operator

cybox:OperatorTypeEnum

optional

The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.

Source

<xs:element minOccurs="0" name="Composition" type="maecBundle:CandidateIndicatorCompositionType">
  <xs:annotation>
    <xs:documentation>The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to a one or more MAEC entities contained in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Behavior_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.

Diagram

Type

maecBundle:BehaviorReferenceType

Attributes

QName

Type

Use

Annotation

behavior_idref

xs:QName

required

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Source

<xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Action_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.

Diagram

Type

cybox:ActionReferenceType

Attributes

QName

Type

Use

Annotation

action_id

xs:QName

required

The action_id field refers to the id of the action being referenced.

Source

<xs:element minOccurs="0" name="Action_Reference" type="cybox:ActionReferenceType">
  <xs:annotation>
    <xs:documentation>The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Object_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.

Diagram

Type

maecBundle:ObjectReferenceType

Attributes

QName

Type

Use

Annotation

object_idref

xs:QName

required

The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.

Source

<xs:element minOccurs="0" name="Object_Reference" type="maecBundle:ObjectReferenceType">
  <xs:annotation>
    <xs:documentation>The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorCompositionType / maecBundle:Sub_Composition

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.

Diagram

Type

maecBundle:CandidateIndicatorCompositionType

Children

maecBundle:Action_Reference, maecBundle:Behavior_Reference, maecBundle:Object_Reference, maecBundle:Sub_Composition

Attributes

QName

Type

Use

Annotation

operator

cybox:OperatorTypeEnum

optional

The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.

Source

<xs:element maxOccurs="unbounded" minOccurs="0" name="Sub_Composition" type="maecBundle:CandidateIndicatorCompositionType">
  <xs:annotation>
    <xs:documentation>The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BundleType / maecBundle:Collections

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.

Diagram

Type

maecBundle:CollectionsType

Children

maecBundle:Action_Collections, maecBundle:Behavior_Collections, maecBundle:Candidate_Indicator_Collections, maecBundle:Object_Collections

Source

<xs:element minOccurs="0" name="Collections" type="maecBundle:CollectionsType">
  <xs:annotation>
    <xs:documentation>The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CollectionsType / maecBundle:Behavior_Collections

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Collections field captures any collections of Behaviors in the Bundle.

Diagram

Type

maecBundle:BehaviorCollectionListType

Children

maecBundle:Behavior_Collection

Source

<xs:element minOccurs="0" name="Behavior_Collections" type="maecBundle:BehaviorCollectionListType">
  <xs:annotation>
    <xs:documentation>The Behavior_Collections field captures any collections of Behaviors in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorCollectionListType / maecBundle:Behavior_Collection

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.

Diagram

Type

maecBundle:BehaviorCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:BehaviorCollectionType

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Behavior_List, maecBundle:Description, maecBundle:Purpose

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Behavior Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:element maxOccurs="unbounded" name="Behavior_Collection" type="maecBundle:BehaviorCollectionType">
  <xs:annotation>
    <xs:documentation>The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorCollectionType / maecBundle:Purpose

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as way of absracting the nature of the collection of Behaviors away  from its constituent Actions.

Diagram

Type

xs:string

Source

<xs:element name="Purpose" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as way of absracting the nature of the collection of Behaviors away from its constituent Actions.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:BehaviorCollectionType / maecBundle:Behavior_List

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_List field specifies a list of Behaviors that make up the collection.

Diagram

Type

maecBundle:BehaviorListType

Children

maecBundle:Behavior

Source

<xs:element name="Behavior_List" type="maecBundle:BehaviorListType">
  <xs:annotation>
    <xs:documentation>The Behavior_List field specifies a list of Behaviors that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CollectionsType / maecBundle:Action_Collections

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Collections field captures any collections of Actions in the Bundle.

Diagram

Type

maecBundle:ActionCollectionListType

Children

maecBundle:Action_Collection

Source

<xs:element minOccurs="0" name="Action_Collections" type="maecBundle:ActionCollectionListType">
  <xs:annotation>
    <xs:documentation>The Action_Collections field captures any collections of Actions in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ActionCollectionListType / maecBundle:Action_Collection

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action_Collection field specifies a single collection of Actions in the Bundle.

Diagram

Type

maecBundle:ActionCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:ActionCollectionType

Children

maecBundle:Action_List, maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Action Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:element maxOccurs="unbounded" name="Action_Collection" type="maecBundle:ActionCollectionType">
  <xs:annotation>
    <xs:documentation>The Action_Collection field specifies a single collection of Actions in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CollectionsType / maecBundle:Object_Collections

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Objects_Collections field captures any collections of CybOX Objects in the Bundle.

Diagram

Type

maecBundle:ObjectCollectionListType

Children

maecBundle:Object_Collection

Source

<xs:element minOccurs="0" name="Object_Collections" type="maecBundle:ObjectCollectionListType">
  <xs:annotation>
    <xs:documentation>The Objects_Collections field captures any collections of CybOX Objects in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ObjectCollectionListType / maecBundle:Object_Collection

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Object_Collection field specifies a single collection of CybOX Objects.

Diagram

Type

maecBundle:ObjectCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:ObjectCollectionType

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description, maecBundle:Object_List

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id attribute specifies a unique ID for this Object Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:element maxOccurs="unbounded" name="Object_Collection" type="maecBundle:ObjectCollectionType">
  <xs:annotation>
    <xs:documentation>The Object_Collection field specifies a single collection of CybOX Objects.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:ObjectCollectionType / maecBundle:Object_List

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Object_List field specifies a list of Objects that make up the collection.

Diagram

Type

maecBundle:ObjectListType

Children

maecBundle:Object

Source

<xs:element name="Object_List" type="maecBundle:ObjectListType">
  <xs:annotation>
    <xs:documentation>The Object_List field specifies a list of Objects that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CollectionsType / maecBundle:Candidate_Indicator_Collections

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.

Diagram

Type

maecBundle:CandidateIndicatorCollectionListType

Children

maecBundle:Candidate_Indicator_Collection

Source

<xs:element minOccurs="0" name="Candidate_Indicator_Collections" type="maecBundle:CandidateIndicatorCollectionListType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorCollectionListType / maecBundle:Candidate_Indicator_Collection

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.

Diagram

Type

maecBundle:CandidateIndicatorCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:CandidateIndicatorCollectionType

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Candidate_Indicator_List, maecBundle:Description

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Candidate Indicator Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:element maxOccurs="unbounded" name="Candidate_Indicator_Collection" type="maecBundle:CandidateIndicatorCollectionType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:CandidateIndicatorCollectionType / maecBundle:Candidate_Indicator_List

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.

Diagram

Type

maecBundle:CandidateIndicatorListType

Children

maecBundle:Candidate_Indicator

Source

<xs:element name="Candidate_Indicator_List" type="maecBundle:CandidateIndicatorListType">
  <xs:annotation>
    <xs:documentation>The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.</xs:documentation>
  </xs:annotation>
</xs:element>

Element maecBundle:MAEC_Bundle

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.

Diagram

Type

maecBundle:BundleType

Children

maecBundle:AV_Classifications, maecBundle:Actions, maecBundle:Behaviors, maecBundle:Candidate_Indicators, maecBundle:Capabilities, maecBundle:Collections, maecBundle:Malware_Instance_Object_Attributes, maecBundle:Objects, maecBundle:Process_Tree

Attributes

QName

Type

Fixed

Use

Annotation

content_type

maecBundle:BundleContentTypeEnum

optional

The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.

defined_subject

xs:boolean

required

The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).

xs:QName

required

The required id field specifies a unique ID for this MAEC Bundle.

schema_version

xs:string

4.1

required

The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.

timestamp

xs:dateTime

optional

The timestamp field specifies the date/time that the bundle was generated.

Source

<xs:element name="MAEC_Bundle" type="maecBundle:BundleType">
  <xs:annotation>
    <xs:documentation>The MAEC_Bundle element is the root element of this schema, and is of type BundleType. As such, it represents the characterization of a single malware instance, characterized in the top-level Subject_Details element, via its MAEC entities.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-bundle-id">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>

Element maecBundle:Action

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Action element enables description/specification of a single malware action.

Diagram

Type

maecBundle:MalwareActionType

Type hierarchy

cybox:ActionType
- maecBundle:MalwareActionType

Children

Attributes

QName

Type

Default

Use

Annotation

action_status

cybox:ActionStatusTypeEnum

optional

The action_status field enables description of the status of the action being described.

context

cybox:ActionContextTypeEnum

optional

The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.

xs:QName

optional

The id field specifies a unique id for this Action.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Action defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field is intended to reference the ordinal position of the action with within a series of actions.

timestamp

xs:dateTime

optional

The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggest that all timestamps in this field include a specification of the timezone if it is known.

timestamp_precision

cyboxCommon:DateTimePrecisionEnum

second

optional

Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.

Source

<xs:element name="Action" type="maecBundle:MalwareActionType">
  <xs:annotation>
    <xs:documentation>The Action element enables description/specification of a single malware action.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-action-id">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>

Element maecBundle:Behavior

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior element enables description/specification of a single malware behavior.

Diagram

Type

maecBundle:BehaviorType

Children

maecBundle:Action_Composition, maecBundle:Associated_Code, maecBundle:Description, maecBundle:Discovery_Method, maecBundle:Purpose, maecBundle:Relationships

Attributes

QName

Type

Use

Annotation

duration

xs:duration

optional

The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.

xs:QName

required

The required id field specifies a unique ID for this Behavior.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.

status

cybox:ActionStatusTypeEnum

optional

The status field specifies the execution status of the Behavior being characterized.

Source

<xs:element name="Behavior" type="maecBundle:BehaviorType">
  <xs:annotation>
    <xs:documentation>The Behavior element enables description/specification of a single malware behavior.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-behavior-id">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>

Element maecBundle:BehaviorReferenceListType / maecBundle:Behavior_Reference

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The Behavior_Reference field specifies a reference to a single Behavior.

Diagram

Type

maecBundle:BehaviorReferenceType

Attributes

QName

Type

Use

Annotation

behavior_idref

xs:QName

required

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Source

<xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
  <xs:annotation>
    <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior.</xs:documentation>
  </xs:annotation>
</xs:element>

Complex Type maecBundle:BundleReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BundleReferenceType serves as a method for linking to Bundles embedded in other locations.

Diagram

Used by

Element

maecPackage:AnalysisType/maecPackage:Findings_Bundle_Reference

Attributes

QName

Type

Use

Annotation

bundle_idref

xs:QName

required

The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.

Source

<xs:complexType name="BundleReferenceType">
  <xs:annotation>
    <xs:documentation>The BundleReferenceType serves as a method for linking to Bundles embedded in other locations.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="bundle_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:ObjectReferenceListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ObjectReferenceListType captures a list of references to CybOX Objects.

Diagram

Used by

Complex Type

maecPackage:ObjectEquivalenceType

Children

maecBundle:Object_Reference

Source

<xs:complexType name="ObjectReferenceListType">
  <xs:annotation>
    <xs:documentation>The ObjectReferenceListType captures a list of references to CybOX Objects.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Object_Reference" type="maecBundle:ObjectReferenceType">
      <xs:annotation>
        <xs:documentation>The Object_Reference field specifies a reference to a single CybOX Object.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:ObjectReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.

Diagram

Used by

Elements

maecBundle:CandidateIndicatorCompositionType/maecBundle:Object_Reference, maecBundle:ObjectReferenceListType/maecBundle:Object_Reference

Attributes

QName

Type

Use

Annotation

object_idref

xs:QName

required

The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.

Source

<xs:complexType name="ObjectReferenceType">
  <xs:annotation>
    <xs:documentation>The ObjectReferenceType serves as a method for linking to CybOX Objects embedded in the MAEC Bundle.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="object_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:BundleType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).

Diagram

Used by

Elements

maecBundle:MAEC_Bundle, maecPackage:FindingsBundleListType/maecPackage:Bundle

Children

Attributes

QName

Type

Fixed

Use

Annotation

content_type

maecBundle:BundleContentTypeEnum

optional

The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.

defined_subject

xs:boolean

required

The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).

xs:QName

required

The required id field specifies a unique ID for this MAEC Bundle.

schema_version

xs:string

4.1

required

The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.

timestamp

xs:dateTime

optional

The timestamp field specifies the date/time that the bundle was generated.

Source

<xs:complexType name="BundleType">
  <xs:annotation>
    <xs:documentation>The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType">
      <xs:annotation>
        <xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="AV_Classifications" type="maecBundle:AVClassificationsType">
      <xs:annotation>
        <xs:documentation>The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Process_Tree" type="maecBundle:ProcessTreeType">
      <xs:annotation>
        <xs:documentation>The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Capabilities" type="maecBundle:CapabilityListType">
      <xs:annotation>
        <xs:documentation>The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Behaviors" type="maecBundle:BehaviorListType">
      <xs:annotation>
        <xs:documentation>The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Actions" type="maecBundle:ActionListType">
      <xs:annotation>
        <xs:documentation>The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Objects" type="maecBundle:ObjectListType">
      <xs:annotation>
        <xs:documentation>The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Candidate_Indicators" type="maecBundle:CandidateIndicatorListType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Collections" type="maecBundle:CollectionsType">
      <xs:annotation>
        <xs:documentation>The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this MAEC Bundle.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="schema_version" type="xs:string" use="required" fixed="4.1">
    <xs:annotation>
      <xs:documentation>The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="defined_subject" type="xs:boolean" use="required">
    <xs:annotation>
      <xs:documentation>The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="content_type" type="maecBundle:BundleContentTypeEnum">
    <xs:annotation>
      <xs:documentation>The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The timestamp field specifies the date/time that the bundle was generated.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:AVClassificationsType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.

Diagram

Used by

Element

maecBundle:BundleType/maecBundle:AV_Classifications

Children

maecBundle:AV_Classification

Source

<xs:complexType name="AVClassificationsType">
  <xs:annotation>
    <xs:documentation>The AVClassificationsType captures any Anti-Virus (AV) tool classifications for an Object.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="AV_Classification" type="maecBundle:AVClassificationType">
      <xs:annotation>
        <xs:documentation>The AV_Classification field captures a single AV classication of the malware instance object.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:AVClassificationType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.

Diagram

Type

extension of cyboxCommon:ToolInformationType

Type hierarchy

cyboxCommon:ToolInformationType
- maecBundle:AVClassificationType

Used by

Element

maecBundle:AVClassificationsType/maecBundle:AV_Classification

Children

Attributes

QName

Type

Use

Annotation

xs:QName

optional

The id field specifies a unique ID for this Tool.

idref

xs:QName

optional

The idref field specifies reference to a unique ID for this Tool.

When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.

Source

<xs:complexType name="AVClassificationType">
  <xs:annotation>
    <xs:documentation>The AVClassificationType captures information on AV scanner classifications for the malware instance object captured in the Bundle or Package.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ToolInformationType">
      <xs:sequence>
        <xs:element minOccurs="0" name="Engine_Version" type="xs:string">
          <xs:annotation>
            <xs:documentation>The Engine_Version field captures the version of the AV engine used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element minOccurs="0" name="Definition_Version" type="xs:string">
          <xs:annotation>
            <xs:documentation>The Definition_Version field captures the version of the AV definitions used by the AV scanner tool that assigned the classification to the malware instance object.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element minOccurs="0" name="Classification_Name" type="xs:string">
          <xs:annotation>
            <xs:documentation>The Classification_Name field captures the classification assigned to the malware instance object by the AV scanner tool characterized in the Company_Name and Product_Name fields.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:ProcessTreeType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.

Diagram

Used by

Element

maecBundle:BundleType/maecBundle:Process_Tree

Children

maecBundle:Root_Process

Source

<xs:complexType name="ProcessTreeType">
  <xs:annotation>
    <xs:documentation>The ProcessTreeType captures the process tree for the malware instance, including the parent process and processes spawned by it, along with any Actions initiated by each.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Root_Process" type="maecBundle:ProcessTreeNodeType">
      <xs:annotation>
        <xs:documentation>The Root_Process field captures the root process in the process tree.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:ProcessTreeNodeType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.

Diagram

Type

extension of ProcessObj:ProcessObjectType

Type hierarchy

cyboxCommon:ObjectPropertiesType
- ProcessObj:ProcessObjectType
  - maecBundle:ProcessTreeNodeType

Used by

Elements

maecBundle:ProcessTreeNodeType/maecBundle:Injected_Process, maecBundle:ProcessTreeNodeType/maecBundle:Spawned_Process, maecBundle:ProcessTreeType/maecBundle:Root_Process

Children

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for the Process Node.

is_hidden

xs:boolean

optional

The is_hidden field specifies whether the process is hidden or not.

object_reference

xs:QName

optional

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.

parent_action_idref

xs:QName

optional

The parent_action_idref field specifies the id of the action that created or injected this process.

Source

<xs:complexType name="ProcessTreeNodeType">
  <xs:annotation>
    <xs:documentation>The ProcessTreeNodeType captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="ProcessObj:ProcessObjectType">
      <xs:sequence>
        <xs:element minOccurs="0" name="Initiated_Actions" type="maecBundle:ActionReferenceListType">
          <xs:annotation>
            <xs:documentation>The Initiated_Actions field captures, via references, the actions (found inside the top-level Actions element, or an Action Collection inside the top-level Collections element) initiated by the Process.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element maxOccurs="unbounded" minOccurs="0" name="Spawned_Process" type="maecBundle:ProcessTreeNodeType">
          <xs:annotation>
            <xs:documentation>The Spawned_Process field captures a single child process spawned by this process.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element maxOccurs="unbounded" minOccurs="0" name="Injected_Process" type="maecBundle:ProcessTreeNodeType">
          <xs:annotation>
            <xs:documentation>The Injected_Process field captures a single process that was injected by this process.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" type="xs:QName" use="required">
        <xs:annotation>
          <xs:documentation>The required id field specifies a unique ID for the Process Node.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="parent_action_idref" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The parent_action_idref field specifies the id of the action that created or injected this process.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="ordinal_position" type="xs:positiveInteger">
        <xs:annotation>
          <xs:documentation>The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:ActionReferenceListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ActionReferenceListType captures a list of Action References.

Diagram

Used by

Element

maecBundle:ProcessTreeNodeType/maecBundle:Initiated_Actions

Children

maecBundle:Action_Reference

Source

<xs:complexType name="ActionReferenceListType">
  <xs:annotation>
    <xs:documentation>The ActionReferenceListType captures a list of Action References.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType">
      <xs:annotation>
        <xs:documentation>The Action_Reference field specifies a reference to a single Action.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CapabilityListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityListType captures a list of Capabilities.

Diagram

Used by

Element

maecBundle:BundleType/maecBundle:Capabilities

Children

maecBundle:Capability, maecBundle:Capability_Reference

Source

<xs:complexType name="CapabilityListType">
  <xs:annotation>
    <xs:documentation>The CapabilityListType captures a list of Capabilities.</xs:documentation>
  </xs:annotation>
  <xs:choice maxOccurs="unbounded">
    <xs:element maxOccurs="1" minOccurs="1" name="Capability" type="maecBundle:CapabilityType">
      <xs:annotation>
        <xs:documentation>The Capability field captures a single Capability in the list, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
      <xs:annotation>
        <xs:documentation>The Capability_Reference field references a single Capability defined elsewhere in the MAEC document, and therefore represents a single Capability possessed by the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:choice>
</xs:complexType>

Complex Type maecBundle:CapabilityType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityType captures details of a Capability that may be implemented in the malware instance, along with its child Strategic and Tactical Objectives.

Diagram

Used by

Element

maecBundle:CapabilityListType/maecBundle:Capability

Children

maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Property, maecBundle:Relationship, maecBundle:Strategic_Objective, maecBundle:Tactical_Objective

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for this MAEC Capability.

name

maecVocabs:MalwareCapabilityEnum-1.0

optional

The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.

Source

<xs:complexType name="CapabilityType">
  <xs:annotation>
    <xs:documentation>The CapabilityType captures details of a Capability that may be implemented in the malware instance, along with its child Strategic and Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field captures a basic textual description of the Capability.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Property field permits the capture of a single property of the Capability, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Strategic_Objective" type="maecBundle:CapabilityObjectiveType">
      <xs:annotation>
        <xs:documentation>The Strategic_Objective field captures a single Strategic Objective that the Capability attempts to achieve. It can be considered as a more granular way of capturing the Capabilities present in the malware instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Tactical_Objective" type="maecBundle:CapabilityObjectiveType">
      <xs:annotation>
        <xs:documentation>The Tactical_Objective field captures a single Tactical Objective that the Capability attempts to achieve, typically in the context of a broader Strategic Objective. It can be considered as a way of expounding upon Strategic Objectives to capture the Capabilities of the malware instance in more detail.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that serves as an implementation of the Capability. For Behaviors that serve as implementations of specific Strategic or Tactical Objectives, the Behavior_Reference field under the Strategic_Objective or Tactical_Objective fields should be used, respectively.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Relationship" maxOccurs="unbounded" type="maecBundle:CapabilityRelationshipType">
      <xs:annotation>
        <xs:documentation>The Relationship field captures a relationship from the Capability to one or more other Capabilities.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this MAEC Capability.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="maecVocabs:MalwareCapabilityEnum-1.0">
    <xs:annotation>
      <xs:documentation>The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:CapabilityPropertyType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityPropertyType captures a single property of a Capability or Capability Objective.

Diagram

Used by

Elements

maecBundle:CapabilityObjectiveType/maecBundle:Property, maecBundle:CapabilityType/maecBundle:Property

Children

maecBundle:Name, maecBundle:Value

Source

<xs:complexType name="CapabilityPropertyType">
  <xs:annotation>
    <xs:documentation>The CapabilityPropertyType captures a single property of a Capability or Capability Objective.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Name field specifies the name of the property being captured. The name can be either free form text or a standardized value from a vocabulary included in the MAEC Default Vocabularies schema. This field uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Value" type="cyboxCommon:StringObjectPropertyType">
      <xs:annotation>
        <xs:documentation>The Value field specifies the value of the property being captured.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CapabilityObjectiveType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityObjectiveType captures details of a Capability Strategic or Tactical Objective.

Diagram

Used by

Elements

maecBundle:CapabilityType/maecBundle:Strategic_Objective, maecBundle:CapabilityType/maecBundle:Tactical_Objective

Children

maecBundle:Behavior_Reference, maecBundle:Description, maecBundle:Name, maecBundle:Property, maecBundle:Relationship

Attributes

QName

Type

Use

Annotation

xs:QName

required

The required id field specifies a unique ID for this Capability Objective.

Source

<xs:complexType name="CapabilityObjectiveType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveType captures details of a Capability Strategic or Tactical Objective.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Name" minOccurs="0" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Name field captures the name of the Capability Objective. There are several default vocabularies for this usage included in the MAEC Vocabularies schema. It uses the ControlledVocabularyStringType from the imported CybOX Common schema.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field captures a basic textual description of the Capability Objective.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Property" type="maecBundle:CapabilityPropertyType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Property field permits the capture of a single property of the Capability Objective, as a key/value pair. More than one property can be specified via multiple occurrences of this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field captures a reference to a Behavior that functions as an implementation of the Capability Objective.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Relationship" type="maecBundle:CapabilityObjectiveRelationshipType">
      <xs:annotation>
        <xs:documentation>The Relationship field captures a relationship from the Capability Objective to one or more other Capability Objectives.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this Capability Objective.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:BehaviorReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.

Diagram

Used by

Elements

maecBundle:BehaviorReferenceListType/maecBundle:Behavior_Reference, maecBundle:BehaviorRelationshipType/maecBundle:Behavior_Reference, maecBundle:CandidateIndicatorCompositionType/maecBundle:Behavior_Reference, maecBundle:CapabilityObjectiveType/maecBundle:Behavior_Reference, maecBundle:CapabilityType/maecBundle:Behavior_Reference

Attributes

QName

Type

Use

Annotation

behavior_idref

xs:QName

required

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Source

<xs:complexType name="BehaviorReferenceType">
  <xs:annotation>
    <xs:documentation>The BehaviorReferenceType serves as a method for referencing existing behaviors contained in the Bundle.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="behavior_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:CapabilityObjectiveRelationshipType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityObjectiveRelationshipType captures a relationship between a Strategic or Tactical Objective and one or more other Strategic or Tactical Objectives.

Diagram

Used by

Element

maecBundle:CapabilityObjectiveType/maecBundle:Relationship

Children

maecBundle:Objective_Reference, maecBundle:Relationship_Type

Source

<xs:complexType name="CapabilityObjectiveRelationshipType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveRelationshipType captures a relationship between a Strategic or Tactical Objective and one or more other Strategic or Tactical Objectives.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Objectives (either Strategic or Tactical).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="1" name="Objective_Reference" type="maecBundle:CapabilityObjectiveReferenceType">
      <xs:annotation>
        <xs:documentation>The Objective_Reference field references a single Capability Objective (either Strategic or Objective) in the relationship.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CapabilityObjectiveReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityObjectiveReferenceType serves as a method for referencing existing Capability Objectives (either Strategic or Tactical) contained in the Bundle.

Diagram

Used by

Element

maecBundle:CapabilityObjectiveRelationshipType/maecBundle:Objective_Reference

Attributes

QName

Type

Use

Annotation

objective_idref

xs:QName

required

The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.

Source

<xs:complexType name="CapabilityObjectiveReferenceType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveReferenceType serves as a method for referencing existing Capability Objectives (either Strategic or Tactical) contained in the Bundle.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="objective_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:CapabilityRelationshipType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityObjectiveRelationshipType captures a relationship between a Capability and one or more other Capabilitys.

Diagram

Used by

Element

maecBundle:CapabilityType/maecBundle:Relationship

Children

maecBundle:Capability_Reference, maecBundle:Relationship_Type

Source

<xs:complexType name="CapabilityRelationshipType">
  <xs:annotation>
    <xs:documentation>The CapabilityObjectiveRelationshipType captures a relationship between a Capability and one or more other Capabilitys.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Relationship_Type" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Relationship_Type field captures the type of relationship being expressed between Capabilities.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="1" name="Capability_Reference" type="maecBundle:CapabilityReferenceType">
      <xs:annotation>
        <xs:documentation>The Capability_Reference field references a single Capability in the relationship, via its ID.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CapabilityReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CapabilityReferenceType serves as a method for referencing existing Capabilities contained in the MAEC document.

Diagram

Used by

Elements

maecBundle:CapabilityListType/maecBundle:Capability_Reference, maecBundle:CapabilityRelationshipType/maecBundle:Capability_Reference

Attributes

QName

Type

Use

Annotation

capability_idref

xs:QName

required

The capability_idref field references the ID of a Capability contained inside the current MAEC document.

Source

<xs:complexType name="CapabilityReferenceType">
  <xs:annotation>
    <xs:documentation>The CapabilityReferenceType serves as a method for referencing existing Capabilities contained in the MAEC document.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="capability_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The capability_idref field references the ID of a Capability contained inside the current MAEC document.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:BehaviorListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorListType captures a list of Behaviors.

Diagram

Used by

Elements

maecBundle:BehaviorCollectionType/maecBundle:Behavior_List, maecBundle:BundleType/maecBundle:Behaviors

Children

maecBundle:Behavior

Source

<xs:complexType name="BehaviorListType">
  <xs:annotation>
    <xs:documentation>The BehaviorListType captures a list of Behaviors.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1">
    <xs:element name="Behavior" type="maecBundle:BehaviorType" maxOccurs="unbounded" form="qualified" minOccurs="1">
      <xs:annotation>
        <xs:documentation>The Behavior field specifies a single Behavior in the list.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:BehaviorType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.

Diagram

Used by

Elements

maecBundle:Behavior, maecBundle:BehaviorListType/maecBundle:Behavior

Children

maecBundle:Action_Composition, maecBundle:Associated_Code, maecBundle:Description, maecBundle:Discovery_Method, maecBundle:Purpose, maecBundle:Relationships

Attributes

QName

Type

Use

Annotation

duration

xs:duration

optional

The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.

xs:QName

required

The required id field specifies a unique ID for this Behavior.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.

status

cybox:ActionStatusTypeEnum

optional

The status field specifies the execution status of the Behavior being characterized.

Source

<xs:complexType name="BehaviorType">
  <xs:annotation>
    <xs:documentation>The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform some multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Purpose" type="maecBundle:BehaviorPurposeType">
      <xs:annotation>
        <xs:documentation>The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as way to state the nature of the Behavior apart from its constituent actions.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field specifies a prose textual description of the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Discovery_Method" type="cyboxCommon:MeasureSourceType">
      <xs:annotation>
        <xs:documentation>The Discovery_Method field specifies the method used to discover the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Action_Composition" type="maecBundle:BehavioralActionsType">
      <xs:annotation>
        <xs:documentation>The Action_Composition field captures the Actions that compose the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Associated_Code" type="maecBundle:AssociatedCodeType">
      <xs:annotation>
        <xs:documentation>The Associated_Code field specifies any code snippets that may be associated with the Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Relationships" type="maecBundle:BehaviorRelationshipListType">
      <xs:annotation>
        <xs:documentation>The Relationships field specifies any relationships between this Behavior and any other Behaviors.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" use="required" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The required id field specifies a unique ID for this Behavior.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="ordinal_position" type="xs:positiveInteger">
    <xs:annotation>
      <xs:documentation>The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="status" type="cybox:ActionStatusTypeEnum">
    <xs:annotation>
      <xs:documentation>The status field specifies the execution status of the Behavior being characterized.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="duration" type="xs:duration">
    <xs:annotation>
      <xs:documentation>The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:BehaviorPurposeType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorPurposeType captures the purpose behind a malware Behavior.

Diagram

Used by

Element

maecBundle:BehaviorType/maecBundle:Purpose

Children

maecBundle:Description, maecBundle:Vulnerability_Exploit

Source

<xs:complexType name="BehaviorPurposeType">
  <xs:annotation>
    <xs:documentation>The BehaviorPurposeType captures the purpose behind a malware Behavior.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field contains a prose text description of the purpose of the Behavior, whether it was successful or not.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Vulnerability_Exploit" type="maecBundle:ExploitType">
      <xs:annotation>
        <xs:documentation>The Vulnerability_Exploit field characterizes any vulnerability that a Behavior may have attempted to exploit, whether or not the exploitation was successful (where success is not necessarily known).</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:ExploitType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ExploitType characterizes any exploitable weakness that may be targeted for exploitation by a malware instance through a Behavior. Most commonly, this refers to a known and identifiable vulnerability, but it may also refer to one or more weaknesses.

Diagram

Used by

Element

maecBundle:BehaviorPurposeType/maecBundle:Vulnerability_Exploit

Children

maecBundle:CVE, maecBundle:CWE_ID, maecBundle:Targeted_Platforms

Attributes

QName

Type

Use

Annotation

known_vulnerability

xs:boolean

optional

The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.

Source

<xs:complexType name="ExploitType">
  <xs:annotation>
    <xs:documentation>The ExploitType characterizes any exploitable weakness that may be targeted for exploitation by a malware instance through a Behavior. Most commonly, this refers to a known and identifiable vulnerability, but it may also refer to one or more weaknesses.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="CVE" type="maecBundle:CVEVulnerabilityType">
      <xs:annotation>
        <xs:documentation>The CVE field specifies the CVE ID and description of the vulnerability targeted by the exploit, if available.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="CWE_ID" type="xs:string">
      <xs:annotation>
        <xs:documentation>The CWE_ID field captures the ID of the Common Weakness Enumeration (CWE) entry that represents the type of weakness targeted by the exploit. More than one such CWE ID can be specified by using multiple occurrences of this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Targeted_Platforms" type="maecBundle:PlatformListType">
      <xs:annotation>
        <xs:documentation>The Targeted_Platforms field specifies the platforms(s) targeted by the vulnerability exploit.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="known_vulnerability" type="xs:boolean">
    <xs:annotation>
      <xs:documentation>The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:CVEVulnerabilityType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.

Diagram

Used by

Element

maecBundle:ExploitType/maecBundle:CVE

Children

maecBundle:Description

Attributes

QName

Type

Use

Annotation

cve_id

xs:string

required

The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.

Source

<xs:complexType name="CVEVulnerabilityType">
  <xs:annotation>
    <xs:documentation>The CVEVulnerabilityType provides a way of referencing specific vulnerabilities that malware exploits or attempts to exploit via a Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE please see http://cve.mitre.org.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Description" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field specifies the textual description of the vulnerability referenced by the cve_id.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="cve_id" type="xs:string" use="required">
    <xs:annotation>
      <xs:documentation>The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:PlatformListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The PlatformListType captures a list of software or hardware platforms.

Diagram

Used by

Elements

maecBundle:ActionImplementationType/maecBundle:Compatible_Platforms, maecBundle:ExploitType/maecBundle:Targeted_Platforms

Children

maecBundle:Platform

Source

<xs:complexType name="PlatformListType">
  <xs:annotation>
    <xs:documentation>The PlatformListType captures a list of software or hardware platforms.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Platform" type="cyboxCommon:PlatformSpecificationType">
      <xs:annotation>
        <xs:documentation>The Platform field specifies a single Platform in the list via a common platform enumeration ID. It uses the PlatformSpecificationType type from the CybOX Common schema v2.0.1.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:BehavioralActionsType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.

Diagram

Used by

Element

maecBundle:BehaviorType/maecBundle:Action_Composition

Children

maecBundle:Action, maecBundle:Action_Collection, maecBundle:Action_Equivalence_Reference, maecBundle:Action_Reference

Source

<xs:complexType name="BehavioralActionsType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionsType is intended to capture the Actions or Action Collections that make up a Behavior.</xs:documentation>
  </xs:annotation>
  <xs:choice maxOccurs="unbounded">
    <xs:element minOccurs="1" name="Action_Collection" type="maecBundle:ActionCollectionType">
      <xs:annotation>
        <xs:documentation>The Action_Collection field specifies an Action Collection that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="1" name="Action" type="maecBundle:BehavioralActionType">
      <xs:annotation>
        <xs:documentation>The Action field specifies a single Action that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Action_Reference" type="maecBundle:BehavioralActionReferenceType">
      <xs:annotation>
        <xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Action_Equivalence_Reference" type="maecBundle:BehavioralActionEquivalenceReferenceType">
      <xs:annotation>
        <xs:documentation>The Action_Equivalence_Reference field specifies a reference to a single Action Equivalence that is part of the behavioral composition.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:choice>
</xs:complexType>

Complex Type maecBundle:ActionCollectionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.

Diagram

Type

extension of maecBundle:BaseCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:ActionCollectionType

Used by

Elements

maecBundle:ActionCollectionListType/maecBundle:Action_Collection, maecBundle:BehavioralActionsType/maecBundle:Action_Collection

Children

maecBundle:Action_List, maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Action Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:complexType name="ActionCollectionType">
  <xs:annotation>
    <xs:documentation>The ActionCollectionType provides a method for characterizing collections of actions. This can be useful for organizing actions that may be related and where the exact relationship is unknown, as well as actions whose associated behavior has not yet been established.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Action_List" type="maecBundle:ActionListType">
          <xs:annotation>
            <xs:documentation>The Action_List field specifies a list of Actions that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The id field specifies a unique ID for this Action Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:BaseCollectionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BaseCollectionType is the base type for other MAEC collection types.

Diagram

Used by

Complex Types

maecBundle:ActionCollectionType, maecBundle:BehaviorCollectionType, maecBundle:CandidateIndicatorCollectionType, maecBundle:ObjectCollectionType

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description

Attributes

QName

Type

Use

Annotation

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:complexType name="BaseCollectionType">
  <xs:annotation>
    <xs:documentation>The BaseCollectionType is the base type for other MAEC collection types.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Affinity_Type" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Affinity_Type field provides an abstract way of characterizing how the objects in a collection are related.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Affinity_Degree" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Affinity_Degree field is intended to provide an abstract way of characterizing the degree to which the objects in a collection are related.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field contains a textual description of the collection.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The name field specifies the name of the collection.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:ActionListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ActionListType captures a list of Actions.

Diagram

Used by

Elements

maecBundle:ActionCollectionType/maecBundle:Action_List, maecBundle:BundleType/maecBundle:Actions

Children

maecBundle:Action

Source

<xs:complexType name="ActionListType">
  <xs:annotation>
    <xs:documentation>The ActionListType captures a list of Actions.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1">
    <xs:element name="Action" type="maecBundle:MalwareActionType" maxOccurs="unbounded" minOccurs="1">
      <xs:annotation>
        <xs:documentation>The Action field specifies a single Action in the list.</xs:documentation>
        <xs:documentation>The recommended syntax for Action IDs is a dash-delimited format that starts with the word maec, followed by a unique string, followed by the three letter code 'act', and ending with an integer. The regular expression validating these IDs is: maec-[A-Za-z0-9_\-\.]+-act-[1-9][0-9]*.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:MalwareActionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some  data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.

Diagram

Type

extension of cybox:ActionType

Type hierarchy

cybox:ActionType
- maecBundle:MalwareActionType

Used by

Elements	maecBundle:Action, maecBundle:ActionListType/maecBundle:Action
Complex Type	maecBundle:BehavioralActionType

Children

Attributes

QName

Type

Default

Use

Annotation

action_status

cybox:ActionStatusTypeEnum

optional

The action_status field enables description of the status of the action being described.

context

cybox:ActionContextTypeEnum

optional

The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.

xs:QName

optional

The id field specifies a unique id for this Action.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Action defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field is intended to reference the ordinal position of the action with within a series of actions.

timestamp

xs:dateTime

optional

The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggest that all timestamps in this field include a specification of the timezone if it is known.

timestamp_precision

cyboxCommon:DateTimePrecisionEnum

second

optional

Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.

Source

<xs:complexType name="MalwareActionType">
  <xs:annotation>
    <xs:documentation>The MalwareActionType is one of the foundational MAEC types, and serves as a method for the characterization of actions found or observed in malware. Actions can be thought of as system state changes and similar operations that represent the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket. It imports and extends the CybOX ActionType. For MAEC, the id attribute is required.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cybox:ActionType">
      <xs:sequence>
        <xs:element minOccurs="0" name="Implementation" type="maecBundle:ActionImplementationType">
          <xs:annotation>
            <xs:documentation>The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:ActionImplementationType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.

Diagram

Used by

Element

maecBundle:MalwareActionType/maecBundle:Implementation

Children

maecBundle:API_Call, maecBundle:Code, maecBundle:Compatible_Platforms

Attributes

QName

Type

Use

Annotation

xs:QName

optional

The id field specifies a unique ID for this Action Implementation.

type

maecBundle:ActionImplementationTypeEnum

required

The required type field refers to the type of Action Implementation being characterized in this element.

Source

<xs:complexType name="ActionImplementationType">
  <xs:annotation>
    <xs:documentation>The ActionImplementationType serves as a method for the characterization of Action Implementations. Currently supported are implementations achieved through API function calls and abstractly defined code.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Compatible_Platforms" type="maecBundle:PlatformListType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Compatible_Platforms field specifies the specific platform(s) that the Action is compatible with, or in other words, capable of being successfully executed on.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:choice>
      <xs:element name="API_Call" maxOccurs="1" minOccurs="0" type="maecBundle:APICallType">
        <xs:annotation>
          <xs:documentation>The API_Call field allows for the characterization of a system-level API call that was used to implement the action. Software must make use of such calls to talk to hardware and perform system-specific functions.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="Code" maxOccurs="unbounded" type="CodeObj:CodeObjectType" minOccurs="0">
        <xs:annotation>
          <xs:documentation>The Code field contains any form of code that was used to implement the action.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="id" use="optional" type="xs:QName">
    <xs:annotation>
      <xs:documentation>The id field specifies a unique ID for this Action Implementation.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="type" use="required" type="maecBundle:ActionImplementationTypeEnum">
    <xs:annotation>
      <xs:documentation>The required type field refers to the type of Action Implementation being characterized in this element.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:APICallType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The APICallType provides a method for the  characterization of API calls, including functions and their parameters.

Diagram

Used by

Element

maecBundle:ActionImplementationType/maecBundle:API_Call

Children

maecBundle:Address, maecBundle:Parameters, maecBundle:Return_Value

Attributes

QName

Type

Use

Annotation

function_name

xs:string

optional

The function_name field contains the exact name of the API function called, e.g. CreateFileEx.

normalized_function_name

xs:string

optional

The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.

Source

<xs:complexType name="APICallType">
  <xs:annotation>
    <xs:documentation>The APICallType provides a method for the characterization of API calls, including functions and their parameters.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Address" type="xs:hexBinary" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Address field contains the address of the API call in the binary.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Return_Value" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Return_Value field contains the return value of the API call.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Parameters" type="maecBundle:ParameterListType">
      <xs:annotation>
        <xs:documentation>The Parameter field captures any name/value pairs of the parameters passed into the API call.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="function_name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The function_name field contains the exact name of the API function called, e.g. CreateFileEx.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="normalized_function_name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:ParameterListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ParametersType captures a list of function parameters.

Diagram

Used by

Element

maecBundle:APICallType/maecBundle:Parameters

Children

maecBundle:Parameter

Source

<xs:complexType name="ParameterListType">
  <xs:annotation>
    <xs:documentation>The ParametersType captures a list of function parameters.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Parameter" type="maecBundle:ParameterType">
      <xs:annotation>
        <xs:documentation>The Parameter field specifies a single function parameter.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:ParameterType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ParameterType characterizes function parameters.

Diagram

Used by

Element

maecBundle:ParameterListType/maecBundle:Parameter

Attributes

QName

Type

Use

Annotation

name

xs:string

optional

The name field specifies the name of the parameter.

ordinal_position

xs:positiveInteger

optional

This field refers to the ordinal position of the parameter with respect to the function where it is used.

value

xs:string

optional

The value field specifies the actual value of the parameter.

Source

<xs:complexType name="ParameterType">
  <xs:annotation>
    <xs:documentation>The ParameterType characterizes function parameters.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="ordinal_position" type="xs:positiveInteger">
    <xs:annotation>
      <xs:documentation>This field refers to the ordinal position of the parameter with respect to the function where it is used.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="xs:string">
    <xs:annotation>
      <xs:documentation>The name field specifies the name of the parameter.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="value" type="xs:string">
    <xs:annotation>
      <xs:documentation>The value field specifies the actual value of the parameter.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Simple Type maecBundle:ActionImplementationTypeEnum

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ActionImplementationTypeEnum represents an enumeration of action implementation types.

Diagram

Type

restriction of xs:string

Facets

enumeration

api call

The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.

enumeration

code

The Code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element

Used by

Attribute

maecBundle:ActionImplementationType/@type

Source

<xs:simpleType name="ActionImplementationTypeEnum">
  <xs:annotation>
    <xs:documentation>The ActionImplementationTypeEnum represents an enumeration of action implementation types.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="api call">
      <xs:annotation>
        <xs:documentation>The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="code">
      <xs:annotation>
        <xs:documentation>The Code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>

Complex Type maecBundle:BehavioralActionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehavioralActionType type defines an Action field that can be used as part of a Behavior.  It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.

Diagram

Type

extension of maecBundle:MalwareActionType

Type hierarchy

cybox:ActionType
- maecBundle:MalwareActionType
  - maecBundle:BehavioralActionType

Used by

Element

maecBundle:BehavioralActionsType/maecBundle:Action

Children

Attributes

QName

Type

Default

Use

Annotation

action_status

cybox:ActionStatusTypeEnum

optional

The action_status field enables description of the status of the action being described.

behavioral_ordering

xs:positiveInteger

optional

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.

context

cybox:ActionContextTypeEnum

optional

The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.

xs:QName

optional

The id field specifies a unique id for this Action.

idref

xs:QName

optional

The idref field specifies a unique id reference to an Action defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.

ordinal_position

xs:positiveInteger

optional

The ordinal_position field is intended to reference the ordinal position of the action with within a series of actions.

timestamp

xs:dateTime

optional

The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggest that all timestamps in this field include a specification of the timezone if it is known.

timestamp_precision

cyboxCommon:DateTimePrecisionEnum

second

optional

Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.

Source

<xs:complexType name="BehavioralActionType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionType type defines an Action field that can be used as part of a Behavior. It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:MalwareActionType">
      <xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
        <xs:annotation>
          <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:BehavioralActionReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.

Diagram

Type

extension of cybox:ActionReferenceType

Type hierarchy

cybox:ActionReferenceType
- maecBundle:BehavioralActionReferenceType

Used by

Element

maecBundle:BehavioralActionsType/maecBundle:Action_Reference

Attributes

QName

Type

Use

Annotation

action_id

xs:QName

required

The action_id field refers to the id of the action being referenced.

behavioral_ordering

xs:positiveInteger

optional

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.

Source

<xs:complexType name="BehavioralActionReferenceType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionReferenceType defines an action reference that can be used as part of a Behavior.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cybox:ActionReferenceType">
      <xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
        <xs:annotation>
          <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:BehavioralActionEquivalenceReferenceType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.

Diagram

Used by

Element

maecBundle:BehavioralActionsType/maecBundle:Action_Equivalence_Reference

Attributes

QName

Type

Use

Annotation

action_equivalence_idref

xs:QName

required

The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.

behavioral_ordering

xs:positiveInteger

optional

The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.

Source

<xs:complexType name="BehavioralActionEquivalenceReferenceType">
  <xs:annotation>
    <xs:documentation>The BehavioralActionEquivalenceReferenceType defines an Action Equivalence reference that can be used as part of a Behavior. Since the Action Equivalency equates two or more actions to a single one, this can be thought of as specifying one of the aforementioned Actions as part of the composition of the Behavior.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="action_equivalence_idref" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
    <xs:annotation>
      <xs:documentation>The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:AssociatedCodeType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The AssociatedCodeType serves as generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.

Diagram

Used by

Element

maecBundle:BehaviorType/maecBundle:Associated_Code

Children

maecBundle:Code_Snippet

Source

<xs:complexType name="AssociatedCodeType">
  <xs:annotation>
    <xs:documentation>The AssociatedCodeType serves as generic way of specifying any code snippets associated with a MAEC entity, such as a Behavior.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Code_Snippet" type="CodeObj:CodeObjectType">
      <xs:annotation>
        <xs:documentation>The Code_Snippet field captures a single snippet of code, via the CybOX CodeObjectType.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:BehaviorRelationshipListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.

Diagram

Used by

Element

maecBundle:BehaviorType/maecBundle:Relationships

Children

maecBundle:Relationship

Source

<xs:complexType name="BehaviorRelationshipListType">
  <xs:annotation>
    <xs:documentation>The BehaviorRelationshipListType captures any relationships between a Behavior and other Behaviors.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Relationship" type="maecBundle:BehaviorRelationshipType">
      <xs:annotation>
        <xs:documentation>The Relationship field specifies a single relationship between a single Behavior and one or more other Behaviors.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:BehaviorRelationshipType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.

Diagram

Used by

Element

maecBundle:BehaviorRelationshipListType/maecBundle:Relationship

Children

maecBundle:Behavior_Reference

Attributes

QName

Type

Use

Annotation

type

restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0

optional

The type field specifies the nature of the relationship between Behaviors that is being captured.

Source

<xs:complexType name="BehaviorRelationshipType">
  <xs:annotation>
    <xs:documentation>The BehaviorRelationshipType provides a method for the characterization of relationships between Behaviors.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType" minOccurs="1">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the relationship.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="type" use="optional">
    <xs:annotation>
      <xs:documentation>The type field specifies the nature of the relationship between Behaviors that is being captured.</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="cyboxVocabs:ActionRelationshipTypeEnum-1.0">
        <xs:enumeration value="Preceded_By"/>
        <xs:enumeration value="Followed_By"/>
        <xs:enumeration value="Related_To"/>
        <xs:enumeration value="Dependent_On"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:ObjectListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ObjectListType captures a list of CybOX Objects.

Diagram

Used by

Elements

maecBundle:BundleType/maecBundle:Objects, maecBundle:ObjectCollectionType/maecBundle:Object_List

Children

maecBundle:Object

Source

<xs:complexType name="ObjectListType">
  <xs:annotation>
    <xs:documentation>The ObjectListType captures a list of CybOX Objects.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1">
    <xs:element maxOccurs="unbounded" name="Object" type="cybox:ObjectType">
      <xs:annotation>
        <xs:documentation>The Object field specifies a single CybOX Object in the list. For use in MAEC, the id attribute at the top level of the Object must be utilized.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CandidateIndicatorListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CandidateIndicatorListType captures a list of Candidate Indicators.

Diagram

Used by

Elements

maecBundle:BundleType/maecBundle:Candidate_Indicators, maecBundle:CandidateIndicatorCollectionType/maecBundle:Candidate_Indicator_List

Children

maecBundle:Candidate_Indicator

Source

<xs:complexType name="CandidateIndicatorListType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorListType captures a list of Candidate Indicators.</xs:documentation>
  </xs:annotation>
  <xs:sequence maxOccurs="1" minOccurs="1">
    <xs:element maxOccurs="unbounded" name="Candidate_Indicator" type="maecBundle:CandidateIndicatorType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicator field specifies a single Candidate Indicator in the list.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CandidateIndicatorType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.

Diagram

Used by

Element

maecBundle:CandidateIndicatorListType/maecBundle:Candidate_Indicator

Children

maecBundle:Author, maecBundle:Composition, maecBundle:Description, maecBundle:Importance, maecBundle:Malware_Entity, maecBundle:Numeric_Importance

Attributes

QName

Type

Use

Annotation

creation_datetime

xs:dateTime

optional

The creation_datetime field specifies the date/time that the Candidate Indicator was created.

xs:QName

required

The id field specifies a unique ID for this Candidate Indicator.

lastupdate_datetime

xs:dateTime

optional

The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.

version

xs:string

optional

The version field specifies the version of the Candidate Indicator.

Source

<xs:complexType name="CandidateIndicatorType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Importance" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Importance field specifies the relative importance of the Candidate Indicator.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Numeric_Importance" type="xs:positiveInteger">
      <xs:annotation>
        <xs:documentation>The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Author" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Author field specifies the author of the Candidate Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field provides a brief description of the Candidate Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Malware_Entity" type="maecBundle:MalwareEntityType">
      <xs:annotation>
        <xs:documentation>The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Composition" type="maecBundle:CandidateIndicatorCompositionType">
      <xs:annotation>
        <xs:documentation>The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to a one or more MAEC entities contained in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName" use="required">
    <xs:annotation>
      <xs:documentation>The id field specifies a unique ID for this Candidate Indicator.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="creation_datetime" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The creation_datetime field specifies the date/time that the Candidate Indicator was created.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="lastupdate_datetime" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="version" type="xs:string">
    <xs:annotation>
      <xs:documentation>The version field specifies the version of the Candidate Indicator.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:MalwareEntityType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The MalwareEntityType provides a Capability for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.

Diagram

Used by

Element

maecBundle:CandidateIndicatorType/maecBundle:Malware_Entity

Children

maecBundle:Description, maecBundle:Name, maecBundle:Type

Source

<xs:complexType name="MalwareEntityType">
  <xs:annotation>
    <xs:documentation>The MalwareEntityType provides a Capability for characterizing the particular entity that an indicator or signature is written against, whether it is a particular malware instance, family, etc.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType">
      <xs:annotation>
        <xs:documentation>The Type field refers to the specific type of malware entity that the indicator or signature is written against.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is MalwareEntityTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Name" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Name field refers to the name of the malware instance, malware family, or malware class that the indicator or signature is written against.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Description" type="xs:string">
      <xs:annotation>
        <xs:documentation>The Description field is intended to provide a brief description of the entity that the indicator or signature is written against.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CandidateIndicatorCompositionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.

Diagram

Used by

Elements

maecBundle:CandidateIndicatorCompositionType/maecBundle:Sub_Composition, maecBundle:CandidateIndicatorType/maecBundle:Composition

Children

maecBundle:Action_Reference, maecBundle:Behavior_Reference, maecBundle:Object_Reference, maecBundle:Sub_Composition

Attributes

QName

Type

Use

Annotation

operator

cybox:OperatorTypeEnum

optional

The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.

Source

<xs:complexType name="CandidateIndicatorCompositionType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorCompositionType captures the composition of a Candidate Indicator, via references to any corresponding MAEC entities contained in the Bundle.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:choice maxOccurs="unbounded">
      <xs:element minOccurs="0" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
        <xs:annotation>
          <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element minOccurs="0" name="Action_Reference" type="cybox:ActionReferenceType">
        <xs:annotation>
          <xs:documentation>The Action_Reference field specifies a reference to a single Action in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element minOccurs="0" name="Object_Reference" type="maecBundle:ObjectReferenceType">
        <xs:annotation>
          <xs:documentation>The Object_Reference field specifies a reference to a single Object in the Bundle that is part of the candidate indicator's composition.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
    <xs:element maxOccurs="unbounded" minOccurs="0" name="Sub_Composition" type="maecBundle:CandidateIndicatorCompositionType">
      <xs:annotation>
        <xs:documentation>The Sub_Composition field captures any sub-compositions in this Candidate Indicator, for expressing more complex Candidate Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="operator" type="cybox:OperatorTypeEnum">
    <xs:annotation>
      <xs:documentation>The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>

Complex Type maecBundle:CollectionsType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CollectionsType captures the various types of MAEC entity collections.

Diagram

Used by

Element

maecBundle:BundleType/maecBundle:Collections

Children

maecBundle:Action_Collections, maecBundle:Behavior_Collections, maecBundle:Candidate_Indicator_Collections, maecBundle:Object_Collections

Source

<xs:complexType name="CollectionsType">
  <xs:annotation>
    <xs:documentation>The CollectionsType captures the various types of MAEC entity collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="0" name="Behavior_Collections" type="maecBundle:BehaviorCollectionListType">
      <xs:annotation>
        <xs:documentation>The Behavior_Collections field captures any collections of Behaviors in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Action_Collections" type="maecBundle:ActionCollectionListType">
      <xs:annotation>
        <xs:documentation>The Action_Collections field captures any collections of Actions in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Object_Collections" type="maecBundle:ObjectCollectionListType">
      <xs:annotation>
        <xs:documentation>The Objects_Collections field captures any collections of CybOX Objects in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="0" name="Candidate_Indicator_Collections" type="maecBundle:CandidateIndicatorCollectionListType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicator_Collections field captures any collections of Candidate Indicators in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:BehaviorCollectionListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorCollectionListType captures a list of Behaviors Collections.

Diagram

Used by

Element

maecBundle:CollectionsType/maecBundle:Behavior_Collections

Children

maecBundle:Behavior_Collection

Source

<xs:complexType name="BehaviorCollectionListType">
  <xs:annotation>
    <xs:documentation>The BehaviorCollectionListType captures a list of Behaviors Collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Behavior_Collection" type="maecBundle:BehaviorCollectionType">
      <xs:annotation>
        <xs:documentation>The Behavior_Collection field specifies a single collection of Behaviors in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:BehaviorCollectionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorCollectionType provides a Capability for characterizing collections of behaviors.

Diagram

Type

extension of maecBundle:BaseCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:BehaviorCollectionType

Used by

Element

maecBundle:BehaviorCollectionListType/maecBundle:Behavior_Collection

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Behavior_List, maecBundle:Description, maecBundle:Purpose

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Behavior Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:complexType name="BehaviorCollectionType">
  <xs:annotation>
    <xs:documentation>The BehaviorCollectionType provides a Capability for characterizing collections of behaviors.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Purpose" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Purpose field states the intended purpose of the collection of Behaviors. Since Behaviors are not always successful, and may not be fully observed, this is meant as way of absracting the nature of the collection of Behaviors away from its constituent Actions.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Behavior_List" type="maecBundle:BehaviorListType">
          <xs:annotation>
            <xs:documentation>The Behavior_List field specifies a list of Behaviors that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The id field specifies a unique ID for this Behavior Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:ActionCollectionListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ActionCollectionListType captures a list of Actions Collections.

Diagram

Used by

Element

maecBundle:CollectionsType/maecBundle:Action_Collections

Children

maecBundle:Action_Collection

Source

<xs:complexType name="ActionCollectionListType">
  <xs:annotation>
    <xs:documentation>The ActionCollectionListType captures a list of Actions Collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Action_Collection" type="maecBundle:ActionCollectionType">
      <xs:annotation>
        <xs:documentation>The Action_Collection field specifies a single collection of Actions in the Bundle.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:ObjectCollectionListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ObjectCollectionListType captures a list of Object Collections.

Diagram

Used by

Element

maecBundle:CollectionsType/maecBundle:Object_Collections

Children

maecBundle:Object_Collection

Source

<xs:complexType name="ObjectCollectionListType">
  <xs:annotation>
    <xs:documentation>The ObjectCollectionListType captures a list of Object Collections.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Object_Collection" type="maecBundle:ObjectCollectionType">
      <xs:annotation>
        <xs:documentation>The Object_Collection field specifies a single collection of CybOX Objects.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:ObjectCollectionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The ObjectCollectionType provides a Capability for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.

Diagram

Type

extension of maecBundle:BaseCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:ObjectCollectionType

Used by

Element

maecBundle:ObjectCollectionListType/maecBundle:Object_Collection

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Description, maecBundle:Object_List

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id attribute specifies a unique ID for this Object Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:complexType name="ObjectCollectionType">
  <xs:annotation>
    <xs:documentation>The ObjectCollectionType provides a Capability for characterizing collections of Objects. For instance, it can be used to group all of the Objects that are associated with a specific behavior.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Object_List" type="maecBundle:ObjectListType">
          <xs:annotation>
            <xs:documentation>The Object_List field specifies a list of Objects that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:QName">
        <xs:annotation>
          <xs:documentation>The id attribute specifies a unique ID for this Object Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Complex Type maecBundle:CandidateIndicatorCollectionListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CandidateIndicatorCollectionListType captures a list of Candidate Indicators.

Diagram

Used by

Element

maecBundle:CollectionsType/maecBundle:Candidate_Indicator_Collections

Children

maecBundle:Candidate_Indicator_Collection

Source

<xs:complexType name="CandidateIndicatorCollectionListType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorCollectionListType captures a list of Candidate Indicators.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Candidate_Indicator_Collection" type="maecBundle:CandidateIndicatorCollectionType">
      <xs:annotation>
        <xs:documentation>The Candidate_Indicator_Collection field specifies a single collection of Candidate Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Complex Type maecBundle:CandidateIndicatorCollectionType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The CandidateIndicatorCollectionType provides a Capability for characterizing collections of Candidate Indicators.

Diagram

Type

extension of maecBundle:BaseCollectionType

Type hierarchy

maecBundle:BaseCollectionType
- maecBundle:CandidateIndicatorCollectionType

Used by

Element

maecBundle:CandidateIndicatorCollectionListType/maecBundle:Candidate_Indicator_Collection

Children

maecBundle:Affinity_Degree, maecBundle:Affinity_Type, maecBundle:Candidate_Indicator_List, maecBundle:Description

Attributes

QName

Type

Use

Annotation

xs:QName

required

The id field specifies a unique ID for this Candidate Indicator Collection.

name

xs:string

optional

The name field specifies the name of the collection.

Source

<xs:complexType name="CandidateIndicatorCollectionType">
  <xs:annotation>
    <xs:documentation>The CandidateIndicatorCollectionType provides a Capability for characterizing collections of Candidate Indicators.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="maecBundle:BaseCollectionType">
      <xs:sequence>
        <xs:element name="Candidate_Indicator_List" type="maecBundle:CandidateIndicatorListType">
          <xs:annotation>
            <xs:documentation>The Candidate_Indicator_List field specifies a list of Candidate Indicators that make up the collection.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="id" type="xs:QName" use="required">
        <xs:annotation>
          <xs:documentation>The id field specifies a unique ID for this Candidate Indicator Collection.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

Simple Type maecBundle:BundleContentTypeEnum

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.

Diagram

Type

restriction of xs:string

Facets

enumeration

dynamic analysis tool output

The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.

enumeration

static analysis tool output

The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.

enumeration

manual analysis output

The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.

enumeration

extracted from subject

The extracted from subject value specifies that the Bundle primarily captures some data that extracted from the Malware Subject, such as some PE Header fields.

enumeration

mixed

The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.

enumeration

other

The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.

Used by

Attribute

maecBundle:BundleType/@content_type

Source

<xs:simpleType name="BundleContentTypeEnum">
  <xs:annotation>
    <xs:documentation>The BundleContentTypeEnum is a non-exhaustive enumeration of the general types of content that a Bundle can contain.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="dynamic analysis tool output">
      <xs:annotation>
        <xs:documentation>The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="static analysis tool output">
      <xs:annotation>
        <xs:documentation>The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="manual analysis output">
      <xs:annotation>
        <xs:documentation>The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="extracted from subject">
      <xs:annotation>
        <xs:documentation>The extracted from subject value specifies that the Bundle primarily captures some data that extracted from the Malware Subject, such as some PE Header fields.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="mixed">
      <xs:annotation>
        <xs:documentation>The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="other">
      <xs:annotation>
        <xs:documentation>The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>

Complex Type maecBundle:BehaviorReferenceListType

Namespace

http://maec.mitre.org/XMLSchema/maec-bundle-4

Annotations

The BehaviorReferenceListType captures a list of Behavior References.

Diagram

Children

maecBundle:Behavior_Reference

Source

<xs:complexType name="BehaviorReferenceListType">
  <xs:annotation>
    <xs:documentation>The BehaviorReferenceListType captures a list of Behavior References.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element maxOccurs="unbounded" name="Behavior_Reference" type="maecBundle:BehaviorReferenceType">
      <xs:annotation>
        <xs:documentation>The Behavior_Reference field specifies a reference to a single Behavior.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

Attribute maecBundle:BundleReferenceType / @bundle_idref

Namespace

No namespace

Annotations

The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.

Type

xs:QName

Used by

Complex Type

maecBundle:BundleReferenceType

Source

<xs:attribute name="bundle_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ObjectReferenceType / @object_idref

Namespace

No namespace

Annotations

The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.

Type

xs:QName

Used by

Complex Type

maecBundle:ObjectReferenceType

Source

<xs:attribute name="object_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The object_idref field specifies the id of a CybOX Object being referenced in the current MAEC Bundle.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ProcessTreeNodeType / @id

Namespace

No namespace

Annotations

The required id field specifies a unique ID for the Process Node.

Type

xs:QName

Used by

Complex Type

maecBundle:ProcessTreeNodeType

Source

<xs:attribute name="id" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for the Process Node.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ProcessTreeNodeType / @parent_action_idref

Namespace

No namespace

Annotations

The parent_action_idref field specifies the id of the action that created or injected this process.

Type

xs:QName

Used by

Complex Type

maecBundle:ProcessTreeNodeType

Source

<xs:attribute name="parent_action_idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The parent_action_idref field specifies the id of the action that created or injected this process.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ProcessTreeNodeType / @ordinal_position

Namespace

No namespace

Annotations

The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.

Type

xs:positiveInteger

Used by

Complex Type

maecBundle:ProcessTreeNodeType

Source

<xs:attribute name="ordinal_position" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The ordinal_position field specifies the ordinal position of the process with respect to the other processes spawned or injected by the malware.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehaviorReferenceType / @behavior_idref

Namespace

No namespace

Annotations

The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.

Type

xs:QName

Used by

Complex Type

maecBundle:BehaviorReferenceType

Source

<xs:attribute name="behavior_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The behavior_idref field specifies the id of the Behavior being referenced; this Behavior must be present in the current Bundle.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CapabilityObjectiveReferenceType / @objective_idref

Namespace

No namespace

Annotations

The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.

Type

xs:QName

Used by

Complex Type

maecBundle:CapabilityObjectiveReferenceType

Source

<xs:attribute name="objective_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The objective_idref field references the ID of a Capability Objective (either Strategic or Tactical) contained inside the current MAEC document.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CapabilityObjectiveType / @id

Namespace

No namespace

Annotations

The required id field specifies a unique ID for this Capability Objective.

Type

xs:QName

Used by

Complex Type

maecBundle:CapabilityObjectiveType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this Capability Objective.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CapabilityReferenceType / @capability_idref

Namespace

No namespace

Annotations

The capability_idref field references the ID of a Capability contained inside the current MAEC document.

Type

xs:QName

Used by

Complex Type

maecBundle:CapabilityReferenceType

Source

<xs:attribute name="capability_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The capability_idref field references the ID of a Capability contained inside the current MAEC document.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CapabilityType / @id

Namespace

No namespace

Annotations

The required id field specifies a unique ID for this MAEC Capability.

Type

xs:QName

Used by

Complex Type

maecBundle:CapabilityType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this MAEC Capability.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CapabilityType / @name

Namespace

No namespace

Annotations

The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.

Type

maecVocabs:MalwareCapabilityEnum-1.0

Facets

enumeration

command and control

The 'command and control' (C2) Capability indicates that the malware instance is able to receive and execute remotely submitted commands.

enumeration

remote machine manipulation

The 'remote machine manipulation' Capability indicates that the malware instance is able to manipulate or access other remote machines.

enumeration

privilege escalation

The 'privilege escalation' Capability indicates that the malware instance is able to elevate the privileges under which it executes.

enumeration

data theft

The 'data theft' Capability indicates that the malware instance is able to steal data from the system on which it executes. This includes data stored in some form, e.g. in a file, as well as data that may be entered into some application such as a web-browser.

enumeration

spying

The 'spying' Capability indicates that the malware instance is able to capture information from a system related to user or system activity (e.g., from a system's peripheral devices).

enumeration

secondary operation

The 'secondary operation' Capability indicates that the malware instance is able to achieve secondary objectives in conjunction with or after achieving its primary objectives.

enumeration

anti-detection

The 'anti-detection' Capability indicates that the malware instance is able to prevent itself and its components from being detected on a system.

enumeration

anti-code analysis

The 'anti-code analysis' Capability indicates that the malware instance is able to prevent code analysis or make it more difficult.

enumeration

infection/propagation

The 'infection/propagation' Capability indicates that the malware instance is able to propagate through the infection of a machine or is able to infect a file after executing on a system.  The malware instance may infect actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).  This Capability does not encompass any aspects of the initial infection that is done independently of the malware instance itself.

enumeration

anti-behavioral analysis

The 'anti-behavioral analysis' Capability indicates that the malware instance is able to prevent behavioral analysis or make it more difficult.

enumeration

integrity violation

The 'integrity violation' Capability indicates that the malware instance is able to compromise the integrity of a system.

enumeration

data exfiltration

The 'data exfiltration' Capability indicates that the malware instance is able to exfiltrate stolen data or perform tasks related to the exfiltration of stolen data.

enumeration

probing

The 'probing' Capability indicates that the malware instance is able to probe its host system or network environment; most often this is done to support other Capabilities and their Objectives.

enumeration

anti-removal

The 'anti-removal' Capability indicates that the malware instance is able to prevent itself and its components from being removed from a system.

enumeration

security degradation

The �security degradation� Capability indicates that the malware instance is able to bypass or disable security features and/or controls.

enumeration

availability violation

The 'availability violation' Capability indicates that the malware instance is able to compromise the availability of a system or some aspect of the system.

enumeration

destruction

The 'destruction' Capability indicates that the malware instance is able to destroy some aspect of a system.

enumeration

fraud

The 'fraud' Capability indicates that the malware instance is able to defraud a user or a system.

enumeration

persistence

The 'persistence' Capability indicates that the malware instance is able to persist and remain on a system regardless of system events.

enumeration

machine access/control

The 'machine access/control' Capability indicates that the malware instance is able to provide the means to access or control the machine on which it is resident.

Used by

Complex Type

maecBundle:CapabilityType

Source

<xs:attribute name="name" type="maecVocabs:MalwareCapabilityEnum-1.0">
  <xs:annotation>
    <xs:documentation>The name field captures the name of the Capability. It uses the MalwareCapabilityEnum-1.0 enumeration from the MAEC Vocabularies schema.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CVEVulnerabilityType / @cve_id

Namespace

No namespace

Annotations

The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.

Type

xs:string

Used by

Complex Type

maecBundle:CVEVulnerabilityType

Source

<xs:attribute name="cve_id" type="xs:string" use="required">
  <xs:annotation>
    <xs:documentation>The cve_id attribute contains the ID of the CVE that is being referenced, e.g., CVE-1999-0002.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ExploitType / @known_vulnerability

Namespace

No namespace

Annotations

The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.

Type

xs:boolean

Used by

Complex Type

maecBundle:ExploitType

Source

<xs:attribute name="known_vulnerability" type="xs:boolean">
  <xs:annotation>
    <xs:documentation>The known_vulnerability field specifies whether the vulnerability that the malware is exploiting has been previously identified. If so, it should be referenced via a CVE ID in the CVE element. If not, the platform(s) targeted by the vulnerability exploitation behavior may be specified in the Targeted_Platforms element.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BaseCollectionType / @name

Namespace

No namespace

Annotations

The name field specifies the name of the collection.

Type

xs:string

Used by

Complex Type

maecBundle:BaseCollectionType

Source

<xs:attribute name="name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The name field specifies the name of the collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ParameterType / @ordinal_position

Namespace

No namespace

Annotations

This field refers to the ordinal position of the parameter with respect to the function where it is used.

Type

xs:positiveInteger

Used by

Complex Type

maecBundle:ParameterType

Source

<xs:attribute name="ordinal_position" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>This field refers to the ordinal position of the parameter with respect to the function where it is used.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ParameterType / @name

Namespace

No namespace

Annotations

The name field specifies the name of the parameter.

Type

xs:string

Used by

Complex Type

maecBundle:ParameterType

Source

<xs:attribute name="name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The name field specifies the name of the parameter.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ParameterType / @value

Namespace

No namespace

Annotations

The value field specifies the actual value of the parameter.

Type

xs:string

Used by

Complex Type

maecBundle:ParameterType

Source

<xs:attribute name="value" type="xs:string">
  <xs:annotation>
    <xs:documentation>The value field specifies the actual value of the parameter.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:APICallType / @function_name

Namespace

No namespace

Annotations

The function_name field contains the exact name of the API function called, e.g. CreateFileEx.

Type

xs:string

Used by

Complex Type

maecBundle:APICallType

Source

<xs:attribute name="function_name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The function_name field contains the exact name of the API function called, e.g. CreateFileEx.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:APICallType / @normalized_function_name

Namespace

No namespace

Annotations

The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.

Type

xs:string

Used by

Complex Type

maecBundle:APICallType

Source

<xs:attribute name="normalized_function_name" type="xs:string">
  <xs:annotation>
    <xs:documentation>The normalized_function_name field contains the normalized name of the API function called, e.g. CreateFile.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ActionImplementationType / @id

Namespace

No namespace

Annotations

The id field specifies a unique ID for this Action Implementation.

Type

xs:QName

Used by

Complex Type

maecBundle:ActionImplementationType

Source

<xs:attribute name="id" use="optional" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Action Implementation.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ActionImplementationType / @type

Namespace

No namespace

Annotations

The required type field refers to the type of Action Implementation being characterized in this element.

Type

maecBundle:ActionImplementationTypeEnum

Facets

enumeration

api call

The api call value specifies that the action was implemented using some particular API call, details of which may be captured in the API_Call element.

enumeration

code

The Code value specifies that the action was implemented using some particular code snippet, details of which may be captured in the Code element

Used by

Complex Type

maecBundle:ActionImplementationType

Source

<xs:attribute name="type" use="required" type="maecBundle:ActionImplementationTypeEnum">
  <xs:annotation>
    <xs:documentation>The required type field refers to the type of Action Implementation being characterized in this element.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ActionCollectionType / @id

Namespace

No namespace

Annotations

The id field specifies a unique ID for this Action Collection.

Type

xs:QName

Used by

Complex Type

maecBundle:ActionCollectionType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Action Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehavioralActionType / @behavioral_ordering

Namespace

No namespace

Annotations

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.

Type

xs:positiveInteger

Used by

Complex Type

maecBundle:BehavioralActionType

Source

<xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehavioralActionReferenceType / @behavioral_ordering

Namespace

No namespace

Annotations

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.

Type

xs:positiveInteger

Used by

Complex Type

maecBundle:BehavioralActionReferenceType

Source

<xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior. For example, an Action with a behavioral_ordering of "1" would come before an Action with a behavioral_ordering of "2", etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehavioralActionEquivalenceReferenceType / @action_equivalence_idref

Namespace

No namespace

Annotations

The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.

Type

xs:QName

Used by

Complex Type

maecBundle:BehavioralActionEquivalenceReferenceType

Source

<xs:attribute name="action_equivalence_idref" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The action_equivalence_idref field specifies the ID of an Action Equivalence contained in the same MAEC document as the Behavior that utilizes it.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehavioralActionEquivalenceReferenceType / @behavioral_ordering

Namespace

No namespace

Annotations

The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.

Type

xs:positiveInteger

Used by

Complex Type

maecBundle:BehavioralActionEquivalenceReferenceType

Source

<xs:attribute name="behavioral_ordering" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The behavioral_ordering field defines the ordering of the Action Equivalency with respect to the other actions that make up the behavior. So an action with a behavioral_ordering of "1" would come before an action with a behavioral_ordering of "2", etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehaviorRelationshipType / @type

Namespace

No namespace

Annotations

The type field specifies the nature of the relationship between Behaviors that is being captured.

Type

restriction of cyboxVocabs:ActionRelationshipTypeEnum-1.0

Type hierarchy

xs:string
- cyboxVocabs:ActionRelationshipTypeEnum-1.0

Facets

enumeration	Preceded_By
enumeration	Followed_By
enumeration	Related_To
enumeration	Dependent_On

Used by

Complex Type

maecBundle:BehaviorRelationshipType

Source

<xs:attribute name="type" use="optional">
  <xs:annotation>
    <xs:documentation>The type field specifies the nature of the relationship between Behaviors that is being captured.</xs:documentation>
  </xs:annotation>
  <xs:simpleType>
    <xs:restriction base="cyboxVocabs:ActionRelationshipTypeEnum-1.0">
      <xs:enumeration value="Preceded_By"/>
      <xs:enumeration value="Followed_By"/>
      <xs:enumeration value="Related_To"/>
      <xs:enumeration value="Dependent_On"/>
    </xs:restriction>
  </xs:simpleType>
</xs:attribute>

Attribute maecBundle:BehaviorType / @id

Namespace

No namespace

Annotations

The required id field specifies a unique ID for this Behavior.

Type

xs:QName

Used by

Complex Type

maecBundle:BehaviorType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this Behavior.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehaviorType / @ordinal_position

Namespace

No namespace

Annotations

The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.

Type

xs:positiveInteger

Used by

Complex Type

maecBundle:BehaviorType

Source

<xs:attribute name="ordinal_position" type="xs:positiveInteger">
  <xs:annotation>
    <xs:documentation>The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehaviorType / @status

Namespace

No namespace

Annotations

The status field specifies the execution status of the Behavior being characterized.

Type

cybox:ActionStatusTypeEnum

Facets

enumeration

Success

Specifies a cyber observable action that was successful.

enumeration

Fail

Specifies a cyber observable action that failed.

enumeration

Error

Specifies a cyber observable action that resulted in an error.

enumeration

Complete/Finish

Specifies a cyber observable action that completed or finished. This action status does not specify the result of the action (e.g., Success/Error).

enumeration

Pending

Specifies a cyber observable action is pending.

enumeration

Ongoing

Specifies a cyber observable action that is ongoing.

enumeration

Unknown

Specifies a cyber observable action with an unknown status.

Used by

Complex Type

maecBundle:BehaviorType

Source

<xs:attribute name="status" type="cybox:ActionStatusTypeEnum">
  <xs:annotation>
    <xs:documentation>The status field specifies the execution status of the Behavior being characterized.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehaviorType / @duration

Namespace

No namespace

Annotations

The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.

Type

xs:duration

Used by

Complex Type

maecBundle:BehaviorType

Source

<xs:attribute name="duration" type="xs:duration">
  <xs:annotation>
    <xs:documentation>The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CandidateIndicatorCompositionType / @operator

Namespace

No namespace

Annotations

The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.

Type

cybox:OperatorTypeEnum

Facets

enumeration

AND

Specifies the AND logical composition operation.

enumeration

Specifies the OR logical composition operation.

Used by

Complex Type

maecBundle:CandidateIndicatorCompositionType

Source

<xs:attribute name="operator" type="cybox:OperatorTypeEnum">
  <xs:annotation>
    <xs:documentation>The operator field specifies the Boolean operator for this level of the Candidate Indicator's composition.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CandidateIndicatorType / @id

Namespace

No namespace

Annotations

The id field specifies a unique ID for this Candidate Indicator.

Type

xs:QName

Used by

Complex Type

maecBundle:CandidateIndicatorType

Source

<xs:attribute name="id" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CandidateIndicatorType / @creation_datetime

Namespace

No namespace

Annotations

The creation_datetime field specifies the date/time that the Candidate Indicator was created.

Type

xs:dateTime

Used by

Complex Type

maecBundle:CandidateIndicatorType

Source

<xs:attribute name="creation_datetime" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>The creation_datetime field specifies the date/time that the Candidate Indicator was created.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CandidateIndicatorType / @lastupdate_datetime

Namespace

No namespace

Annotations

The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.

Type

xs:dateTime

Used by

Complex Type

maecBundle:CandidateIndicatorType

Source

<xs:attribute name="lastupdate_datetime" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CandidateIndicatorType / @version

Namespace

No namespace

Annotations

The version field specifies the version of the Candidate Indicator.

Type

xs:string

Used by

Complex Type

maecBundle:CandidateIndicatorType

Source

<xs:attribute name="version" type="xs:string">
  <xs:annotation>
    <xs:documentation>The version field specifies the version of the Candidate Indicator.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BehaviorCollectionType / @id

Namespace

No namespace

Annotations

The id field specifies a unique ID for this Behavior Collection.

Type

xs:QName

Used by

Complex Type

maecBundle:BehaviorCollectionType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Behavior Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:ObjectCollectionType / @id

Namespace

No namespace

Annotations

The id attribute specifies a unique ID for this Object Collection.

Type

xs:QName

Used by

Complex Type

maecBundle:ObjectCollectionType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The id attribute specifies a unique ID for this Object Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:CandidateIndicatorCollectionType / @id

Namespace

No namespace

Annotations

The id field specifies a unique ID for this Candidate Indicator Collection.

Type

xs:QName

Used by

Complex Type

maecBundle:CandidateIndicatorCollectionType

Source

<xs:attribute name="id" type="xs:QName" use="required">
  <xs:annotation>
    <xs:documentation>The id field specifies a unique ID for this Candidate Indicator Collection.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BundleType / @id

Namespace

No namespace

Annotations

The required id field specifies a unique ID for this MAEC Bundle.

Type

xs:QName

Used by

Complex Type

maecBundle:BundleType

Source

<xs:attribute name="id" use="required" type="xs:QName">
  <xs:annotation>
    <xs:documentation>The required id field specifies a unique ID for this MAEC Bundle.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BundleType / @schema_version

Namespace

No namespace

Annotations

The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.

Type

xs:string

Used by

Complex Type

maecBundle:BundleType

Source

<xs:attribute name="schema_version" type="xs:string" use="required" fixed="4.1">
  <xs:annotation>
    <xs:documentation>The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BundleType / @defined_subject

Namespace

No namespace

Annotations

The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).

Type

xs:boolean

Used by

Complex Type

maecBundle:BundleType

Source

<xs:attribute name="defined_subject" type="xs:boolean" use="required">
  <xs:annotation>
    <xs:documentation>The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BundleType / @content_type

Namespace

No namespace

Annotations

The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.

Type

maecBundle:BundleContentTypeEnum

Facets

enumeration

dynamic analysis tool output

The dynamic analysis tool output value specifies that the Bundle primarily captures some form of dynamic analysis tool output, such as from a sandbox.

enumeration

static analysis tool output

The static analysis tool output value specifies that the Bundle primarily captures some form of static analysis tool output, such as from a packer detection tool.

enumeration

manual analysis output

The manual analysis output value specifies that the Bundle primarily captures some form of manual analysis output, which may or may not involve the use of tools.

enumeration

extracted from subject

The extracted from subject value specifies that the Bundle primarily captures some data that extracted from the Malware Subject, such as some PE Header fields.

enumeration

mixed

The mixed value specifies that the Bundle captures some mixed forms of analysis or tool output for the Malware Subject, such as both dynamic and static analysis tool output.

enumeration

other

The other value specifies that the Bundle captures some other form of analysis or tool output that is not represented by the other enumeration values.

Used by

Complex Type

maecBundle:BundleType

Source

<xs:attribute name="content_type" type="maecBundle:BundleContentTypeEnum">
  <xs:annotation>
    <xs:documentation>The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.</xs:documentation>
  </xs:annotation>
</xs:attribute>

Attribute maecBundle:BundleType / @timestamp

Namespace

No namespace

Annotations

The timestamp field specifies the date/time that the bundle was generated.

Type

xs:dateTime

Used by

Complex Type

maecBundle:BundleType

Source

<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>The timestamp field specifies the date/time that the bundle was generated.</xs:documentation>
  </xs:annotation>
</xs:attribute>