AnalysisType (MAEC Package Schema)

The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.


Field Name (Occurrence) Type
Description

@id (required) QName
The required id field specifies a unique ID for this Analysis.

@type (optional) AnalysisTypeEnum
The type field specifies the type of malware analysis being performed.

@method (optional) AnalysisMethodEnum
The method field specifies the analysis method used in the analysis.

@ordinal_position (optional) positiveInteger
The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.

@start_datetime (optional) dateTime
The start_datetime field specifies the date/time the analysis was started.

@complete_datetime (optional) dateTime
The complete_datetime field specifies the date/time the analysis was completed.

@lastupdate_datetime (optional) dateTime
The lastupdate_datetime field specifies the date/time the analysis was last updated.

Source (0..1) SourceType
The Source field specifies information about the internal or external source of the analysis, if applicable.

Analysts (0..1) PersonnelType
The Analysts field specifies the analyst(s) who performed the analysis.

Summary (0..1) StructuredTextType
The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.

Comments (0..1) CommentListType
The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. The contents of comments are typically not contained in the Report.

Findings_Bundle_Reference (0..n) BundleReferenceType
The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.

Tools (0..1) ToolListType
The Tools field specifies information about the tool(s) used in the analysis, via the Cyber Observable eXpression (CybOX™) ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.

Dynamic_Analysis_Metadata (0..1) DynamicAnalysisMetadataType
The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.

Analysis_Environment (0..1) AnalysisEnvironmentType
The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed.

Report (0..1) StructuredTextType
The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.
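The following is an added example (not part of the MAEC schema documentation or the MAEC project's own code) that checks an Analysis element against the field rules listed above: the required @id, @ordinal_position as a positiveInteger, the 0..1 versus 0..n child occurrence limits, and chronological consistency of start_datetime and complete_datetime. The namespace URI, the enum values "triage" and "dynamic", the bundle_idref attribute and the Analyses wrapper element are assumptions, as is the constructed sample document.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "http://maec.mitre.org/XMLSchema/maec-package-2"  # assumed namespace URI
# Child element -> maximum occurrences per the table (None = 0..n, unbounded).
CHILD_MAX = {"Source": 1, "Analysts": 1, "Summary": 1, "Comments": 1,
             "Findings_Bundle_Reference": None, "Tools": 1,
             "Dynamic_Analysis_Metadata": 1, "Analysis_Environment": 1, "Report": 1}

def validate_analysis(elem):
    """Return the rule violations for one Analysis element (empty list = conforms)."""
    problems = []
    if "id" not in elem.attrib:                      # @id is the only required field
        problems.append("missing required @id")
    pos = elem.get("ordinal_position")               # xs:positiveInteger, so >= 1
    if pos is not None and not (pos.isdigit() and int(pos) > 0):
        problems.append(f"@ordinal_position must be a positiveInteger, got {pos!r}")
    counts = {}
    for child in elem:
        name = child.tag.rsplit("}", 1)[-1]          # strip the namespace prefix
        if name not in CHILD_MAX:
            problems.append(f"unexpected child element {name}")
        counts[name] = counts.get(name, 0) + 1
    for name, n in counts.items():
        limit = CHILD_MAX.get(name)
        if limit is not None and n > limit:
            problems.append(f"{name} occurs {n} times, allowed 0..{limit}")
    start, done = elem.get("start_datetime"), elem.get("complete_datetime")
    if start and done and datetime.fromisoformat(done) < datetime.fromisoformat(start):
        problems.append("complete_datetime precedes start_datetime")
    return problems

def validate_document(xml_text):
    """Validate every Analysis element in the document; one problem list per Analysis."""
    root = ET.fromstring(xml_text)
    return [validate_analysis(a) for a in root.iter(f"{{{NS}}}Analysis")]

# Constructed sample: the first Analysis conforms, the second breaks several rules.
# Enum values (triage/dynamic) and bundle_idref are assumed, not taken from this page.
SAMPLE = f"""<Analyses xmlns="{NS}">
  <Analysis id="example:ana-1" type="triage" method="dynamic" ordinal_position="1"
            start_datetime="2014-02-20T09:00:00" complete_datetime="2014-02-20T09:30:00">
    <Summary>Sandbox run of the sample.</Summary>
    <Findings_Bundle_Reference bundle_idref="example:bnd-1"/>
    <Findings_Bundle_Reference bundle_idref="example:bnd-2"/>
  </Analysis>
  <Analysis ordinal_position="0" start_datetime="2014-02-21T10:00:00"
            complete_datetime="2014-02-21T08:00:00">
    <Summary>first</Summary><Summary>second</Summary><Verdict>bad</Verdict>
  </Analysis>
</Analyses>"""
```

Calling validate_document(SAMPLE) returns an empty list for the first Analysis and five violations for the second.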