The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).
The required id field specifies a unique ID for this MAEC Bundle.
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
The content_type field specifies the general type of content contained in this Bundle, e.g., static analysis tool output, dynamic analysis tool output, etc.
The timestamp field specifies the date/time that the bundle was generated.
The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.
The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.
The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.
The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.
The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.
The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.
The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.
The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.
The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.