BundleType (MAEC Bundle Schema)

The BundleType serves as the high-level construct which encapsulates all Bundle elements, and represents some characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).


Field Name Type Description
@id required QName

The required id field specifies a unique ID for this MAEC Bundle.

@schema_version required string

The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.

@defined_subject required boolean

The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).

@content_type optional BundleContentTypeEnum

The content_type field specifies the general type of content contained in this Bundle, e.g., static analysis tool output, dynamic analysis tool output, etc.

@timestamp optional dateTime

The timestamp field specifies the date/time that the bundle was generated.

Malware_Instance_Object_Attributes 0..1 ObjectType

The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.

AV_Classifications 0..1 AVClassificationsType

The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.

Process_Tree 0..1 ProcessTreeType

The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable.

Capabilities 0..1 CapabilityListType

The Capabilities field contains 1-n CapabilityType objects, which serve to describe the high-level capabilities and objectives of the malware instance.

Behaviors 0..1 BehaviorListType

The Behaviors field contains 1-n BehaviorType objects, which function as the MAEC representation for any behaviors that were observed for the malware instance.

Actions 0..1 ActionListType

The Actions field contains 1-n ActionType objects, which function as the MAEC representation for any lower-level actions that were observed for the malware instance.

Objects 0..1 ObjectListType

The Objects field contains 1-n ObjectType objects, which function as the MAEC representation for any objects associated with the malware instance.

Candidate_Indicators 0..1 CandidateIndicatorListType

The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which function as the MAEC representation of any candidate indicators associated with the malware instance.

Collections 0..1 CollectionsType

The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators.
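
The following is an added example, not part of the MAEC schema or its tooling: a pre-ingest check that applies the table above to one Bundle, covering the three required attributes, the 0..1 cardinality of each child field, and agreement between defined_subject and the presence of Malware_Instance_Object_Attributes. The root element name, namespace, ids and version string in the samples are constructed placeholders, and treating "defined_subject false but attributes present" as a problem is this example's reading of the field description.

```python
import xml.etree.ElementTree as ET

REQUIRED_ATTRS = ("id", "schema_version", "defined_subject")
# Child fields the table lists with cardinality 0..1.
SINGLETONS = ("Malware_Instance_Object_Attributes", "AV_Classifications",
              "Process_Tree", "Capabilities", "Behaviors", "Actions",
              "Objects", "Candidate_Indicators", "Collections")
XS_BOOLEAN = {"true": True, "1": True, "false": False, "0": False}

def local(tag):
    """Strip a '{namespace}' prefix so the check is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]

def check_bundle(xml_text):
    """Return a list of problems found in one BundleType element."""
    bundle = ET.fromstring(xml_text)
    problems = [f"missing required attribute @{a}"
                for a in REQUIRED_ATTRS if a not in bundle.attrib]
    counts = {}
    for child in bundle:
        counts[local(child.tag)] = counts.get(local(child.tag), 0) + 1
    problems += [f"{name} occurs {counts[name]} times (0..1 allowed)"
                 for name in SINGLETONS if counts.get(name, 0) > 1]
    raw = bundle.get("defined_subject")
    if raw is not None:
        # Lower-cased so the 'True' spelling used in the text is accepted too.
        defined = XS_BOOLEAN.get(raw.strip().lower())
        has_subject = counts.get("Malware_Instance_Object_Attributes", 0) > 0
        if defined is None:
            problems.append(f"@defined_subject is not a boolean: {raw!r}")
        elif defined and not has_subject:
            problems.append("defined_subject is true but "
                            "Malware_Instance_Object_Attributes is absent")
        elif not defined and has_subject:
            problems.append("defined_subject is false but "
                            "Malware_Instance_Object_Attributes is present")
    return problems

# Constructed samples; namespace, root element name and ids are placeholders.
NS = 'xmlns="urn:example:maec-bundle"'
GOOD = (f'<MAEC_Bundle {NS} id="example:bundle-1" schema_version="0.0" '
        'defined_subject="true"><Malware_Instance_Object_Attributes/>'
        '<Actions/></MAEC_Bundle>')
BAD = (f'<MAEC_Bundle {NS} id="example:bundle-2" defined_subject="true">'
       '<Actions/><Actions/></MAEC_Bundle>')

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_bundle(doc) or "ok")
```

This check complements validation against the schema version named in schema_version; it does not replace it.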