BehavioralActionType (MAEC Bundle Schema)

The BehavioralActionType type defines an Action field that can be used as part of a Behavior. It extends the MAEC MalwareActionType type, which in turn extends the CybOX ActionType type.


Field Name | Type | Description

@id | optional | QName

The id field specifies a unique id for this Action.

@idref | optional | QName

The idref field specifies a unique id reference to an Action defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.

@ordinal_position | optional | positiveInteger

The ordinal_position field references the ordinal position of the action within a series of actions.

@action_status | optional | ActionStatusTypeEnum

The action_status field captures the status (outcome) of the action being described, using the ActionStatusTypeEnum vocabulary.

@context | optional | ActionContextTypeEnum

The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.

@timestamp | optional | dateTime

The timestamp field represents the local or relative time at which the action occurred or was observed. To avoid ambiguity, it is strongly suggested that all timestamps in this field include the timezone when it is known.

@timestamp_precision | optional | DateTimePrecisionEnum

Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.

Type | 0..1 | ControlledVocabularyStringType

The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.

Name | 0..1 | ControlledVocabularyStringType

The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.

Description | 0..1 | StructuredTextType

The Description field contains a textual description of the action.

Action_Aliases | 0..1 | ActionAliasesType

The Action_Aliases field is optional and enables identification of other potentially used names for this Action.

Action_Arguments | 0..1 | ActionArgumentsType

The Action_Arguments field is optional and enables the specification of relevant arguments/parameters for this Action.

Location | 0..1 | LocationType

The Location field specifies a relevant physical location.

This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.

Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.

Discovery_Method | 0..1 | MeasureSourceType

The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).

Associated_Objects | 0..1 | AssociatedObjectsType

The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant to this Action (either initiating it or affected by it).

Relationships | 0..1 | ActionRelationshipsType

The Relationships construct is optional and enables description of other cyber observable actions that are related to this Action.

Frequency | 0..1 | FrequencyType

The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.

Implementation | 0..1 | ActionImplementationType

The Implementation field is optional and serves to capture attributes that are relevant to how the Action is implemented in the malware, such as the specific API call that was used.

@behavioral_ordering | optional | positiveInteger

The behavioral_ordering field defines the ordering of the Action with respect to the other Actions that make up the Behavior, independently of document order and of the inherited ordinal_position attribute. An Action with a behavioral_ordering of "1" comes before an Action with a behavioral_ordering of "2", and so on.
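The following Python is an added example, not code from the MAEC project or from this schema page. It builds a small, constructed MAEC Behavior instance and applies the rules stated above as checks: that an Action carries exactly one of id or idref and that an idref Action holds no content, that Actions are consumed in behavioral_ordering rather than document order, that digits beyond timestamp_precision are zeroed, and how an xsi:type QName on Type/Name is resolved to its vocabulary namespace. The namespace URIs, the versioned vocabulary type names (ActionNameVocab-1.0, ActionTypeVocab-1.0), the DateTimePrecisionEnum values and the action_status value "Success" are assumptions about MAEC 4.x / CybOX 2.x; confirm them against the schema version you validate against.

```python
"""Added example: sanity checks for MAEC BehavioralActionType instances (stdlib only)."""
import io
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace URIs assumed for MAEC 4.x bundles and CybOX 2.x; verify against your schema.
NS = {
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxVocabs": "http://cybox.mitre.org/default_vocabularies-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
DEFAULT_VOCAB_NS = NS["cyboxVocabs"]

# Constructed sample Behavior (not from any real report). The Actions deliberately
# appear out of behavioral order, and the last one is an idref-only reference.
SAMPLE = f"""<maecBundle:Behavior id="maec-ex-bhv-1"
    xmlns:maecBundle="{NS['maecBundle']}" xmlns:cybox="{NS['cybox']}"
    xmlns:cyboxVocabs="{NS['cyboxVocabs']}" xmlns:xsi="{NS['xsi']}">
  <maecBundle:Action_Composition>
    <maecBundle:Action id="maec-ex-act-2" behavioral_ordering="2"
        timestamp="2014-03-01T10:15:42Z" timestamp_precision="minute">
      <cybox:Name xsi:type="cyboxVocabs:ActionNameVocab-1.0">Write to File</cybox:Name>
    </maecBundle:Action>
    <maecBundle:Action id="maec-ex-act-1" behavioral_ordering="1" action_status="Success">
      <cybox:Type xsi:type="cyboxVocabs:ActionTypeVocab-1.0">Create</cybox:Type>
      <cybox:Name xsi:type="cyboxVocabs:ActionNameVocab-1.0">Create File</cybox:Name>
    </maecBundle:Action>
    <maecBundle:Action idref="maec-ex-act-0" behavioral_ordering="3"/>
  </maecBundle:Action_Composition>
</maecBundle:Behavior>"""


def parse_with_prefixes(xml_text):
    """Return (root, prefix->URI map); the map is needed to resolve xsi:type QNames."""
    prefixes = {}
    for _event, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        prefixes[prefix] = uri
    return ET.fromstring(xml_text), prefixes


def check_id_idref(action):
    """id/idref rule: exactly one of the two, and an idref Action carries no content."""
    problems = []
    has_id, has_idref = "id" in action.attrib, "idref" in action.attrib
    if has_id == has_idref:
        problems.append("Action must carry exactly one of id or idref")
    if has_idref and (len(action) or (action.text or "").strip()):
        problems.append("idref Action %s must not hold content" % action.get("idref"))
    return problems


def actions_in_behavioral_order(behavior):
    """Action ids (or idrefs) sorted by behavioral_ordering, not by document order."""
    actions = behavior.findall("maecBundle:Action_Composition/maecBundle:Action", NS)
    keyed = [(int(a.get("behavioral_ordering", "0")), a.get("id") or a.get("idref")) for a in actions]
    return [ident for _, ident in sorted(keyed)]


def normalize_timestamp(timestamp, precision="second"):
    """Zero the dateTime digits beyond timestamp_precision, as the schema text requires."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    fields = ["year", "month", "day", "hour", "minute", "second"]  # assumed enum values
    if precision not in fields:
        raise ValueError("unknown precision: %s" % precision)
    zeroed = {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0}
    for field in fields[fields.index(precision) + 1:]:
        dt = dt.replace(**{field: zeroed[field]})
    return dt.replace(microsecond=0).isoformat()


def resolve_vocab(element, prefixes):
    """Resolve xsi:type on Type/Name to (namespace URI, vocabulary type name).

    Returns None when the field is used as a plain string (no xsi:type)."""
    qname = element.get(XSI_TYPE)
    if qname is None:
        return None
    prefix, _, local = qname.rpartition(":")
    return prefixes.get(prefix), local


def summarize_behavior(xml_text):
    """Run all checks over one Behavior and report order, problems and resolved Names."""
    root, prefixes = parse_with_prefixes(xml_text)
    problems, names = [], {}
    for action in root.findall("maecBundle:Action_Composition/maecBundle:Action", NS):
        problems.extend(check_id_idref(action))
        name = action.find("cybox:Name", NS)
        if name is not None:
            names[action.get("id")] = (name.text, resolve_vocab(name, prefixes))
    return {"order": actions_in_behavioral_order(root), "problems": problems, "names": names}


if __name__ == "__main__":
    print(summarize_behavior(SAMPLE))
    print(normalize_timestamp("2014-03-01T10:15:42Z", "minute"))
```

A Name whose resolved namespace is not DEFAULT_VOCAB_NS is not an error: the page allows a user-defined vocabulary via vocab_name/vocab_reference, or a plain string with no xsi:type, so the checker only reports what it resolved and leaves that policy decision to the caller.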