This walkthrough takes a simple MAEC document and steps through it piece by piece to introduce the basic MAEC concepts. Specifically, we'll look at a watchlist of IP addresses to see how MAEC can be used to describe indicators of malicious activity.
Before working through this walkthrough, you should understand what MAEC is, what problems it is designed to solve, and how it solves them. The best place to start is the Getting Started page: read the whitepaper and the other materials linked from there.
You should also have good XML tools for working with MAEC. Most of the MAEC team uses either Oxygen or XMLSpy, both of which are commercial products. Eclipse is an open-source option that is somewhat less fully featured but should get the job done.
Finally, this tutorial assumes intermediate knowledge of XML. You should know what elements and attributes are, what schema validation means, and other basic concepts. If you don't, either use higher-level tooling when working with MAEC or read up on XML before going further.