CandidateIndicatorTypeMAEC Bundle Schema

The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.

Field Name Type Description
@idrequired QName

The id field specifies a unique ID for this Candidate Indicator.

@creation_datetimeoptional dateTime

The creation_datetime field specifies the date/time that the Candidate Indicator was created.

@lastupdate_datetimeoptional dateTime

The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated.

@versionoptional string

The version field specifies the version of the Candidate Indicator.

Importance0..1 ControlledVocabularyStringType

The Importance field specifies the relative importance of the Candidate Indicator.

This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL

Numeric_Importance0..1 positiveInteger

The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator.

Author0..1 string

The Author field specifies the author of the Candidate Indicator.

Description0..1 string

The Description field provides a brief description of the Candidate Indicator.

Malware_Entity0..1 MalwareEntityType

The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc.

Composition0..1 CandidateIndicatorCompositionType

The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to a one or more MAEC entities contained in the Bundle.