The BundleType is the high-level construct that encapsulates all Bundle elements. It represents characterized analysis data (from any arbitrary set of analyses) for a single malware instance in terms of its MAEC Components (e.g., Behaviors, Actions, Objects, etc.).
Field Name | Occurrence | Type | Description |
---|---|---|---|
@id | required | QName | The required id field specifies a unique ID for this MAEC Bundle. |
@schema_version | required | string | The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation. |
@defined_subject | required | boolean | The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package). |
@content_type | optional | BundleContentTypeEnum | The content_type field specifies the general type of content contained in this Bundle, e.g., static analysis tool output, dynamic analysis tool output, etc. |
@timestamp | optional | dateTime | The timestamp field specifies the date/time that the Bundle was generated. |
Malware_Instance_Object_Attributes | 0..1 | ObjectType | The Malware_Instance_Object_Attributes field characterizes the attributes of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Malware_Instance_Object_Attributes inside a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'. |
AV_Classifications | 0..1 | AVClassificationsType | The AV_Classifications field contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object. |
Process_Tree | 0..1 | ProcessTreeType | The Process_Tree field specifies the observed process tree of execution for the malware instance, along with references to any corresponding actions that were initiated, if applicable. |
Capabilities | 0..1 | CapabilityListType | The Capabilities field contains 1-n CapabilityType objects, which describe the high-level capabilities and objectives of the malware instance. |
Behaviors | 0..1 | BehaviorListType | The Behaviors field contains 1-n BehaviorType objects, which are the MAEC representation of any behaviors that were observed for the malware instance. |
Actions | 0..1 | ActionListType | The Actions field contains 1-n ActionType objects, which are the MAEC representation of any lower-level actions that were observed for the malware instance. |
Objects | 0..1 | ObjectListType | The Objects field contains 1-n ObjectType objects, which are the MAEC representation of any objects associated with the malware instance. |
Candidate_Indicators | 0..1 | CandidateIndicatorListType | The Candidate_Indicators field contains 1-n CandidateIndicatorType objects, which are the MAEC representation of any candidate indicators associated with the malware instance. |
Collections | 0..1 | CollectionsType | The Collections field contains the collection element types for Behaviors, Actions, Objects, and Candidate Indicators. |