The CandidateIndicatorType provides a way of defining a MAEC entity-based Candidate Indicator, which specifies the particular components that may signify the presence of the malware instance on a host system or network.

| Field Name | Type | Description |
|---|---|---|
| @id (required) | QName | The id field specifies a unique ID for this Candidate Indicator. |
| @creation_datetime (optional) | dateTime | The creation_datetime field specifies the date/time that the Candidate Indicator was created. |
| @lastupdate_datetime (optional) | dateTime | The lastupdate_datetime field specifies the last date/time that the Candidate Indicator was updated. |
| @version (optional) | string | The version field specifies the version of the Candidate Indicator. |
| Importance (0..1) | ControlledVocabularyStringType | The Importance field specifies the relative importance of the Candidate Indicator. This field is implemented through the xsi:type controlled vocabulary extension Capability. The default vocabulary type is ImportanceTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd. |
| Numeric_Importance (0..1) | positiveInteger | The Numeric_Importance field specifies the specific numeric importance of the Candidate Indicator. |
| Author (0..1) | string | The Author field specifies the author of the Candidate Indicator. |
| Description (0..1) | string | The Description field provides a brief description of the Candidate Indicator. |
| Malware_Entity (0..1) | MalwareEntityType | The Malware_Entity field specifies the particular malware entity that the Candidate Indicator is written against, whether it be a malware instance, family, etc. |
| Composition (0..1) | CandidateIndicatorCompositionType | The Composition field specifies the actual observables that the Candidate Indicator is composed of, via a reference to one or more MAEC entities contained in the Bundle. |
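
A lightweight pre-check of the constraints in the table above (required `id`, 0..1 child elements, dateTime and positiveInteger values), as an added example that is not part of the MAEC schema or its tooling. The element names `Candidate_Indicators` and `Candidate_Indicator`, the namespace and the sample values are assumptions made for illustration; it does not replace validation against the XSD.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Child elements listed in the table above; each may occur at most once (0..1).
CHILDREN = {"Importance", "Numeric_Importance", "Author", "Description",
            "Malware_Entity", "Composition"}
POSITIVE_INTEGER = re.compile(r"\+?0*[1-9][0-9]*")  # xs:positiveInteger lexical form

def local(tag):
    """Drop the '{namespace}' prefix so the check is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]

def check_candidate_indicator(elem):
    """Return a list of problems for one Candidate Indicator element."""
    problems = []
    if not elem.get("id"):
        problems.append("missing required @id")
    for attr in ("creation_datetime", "lastupdate_datetime"):
        value = elem.get(attr)
        if value is None:
            continue
        try:  # approximation of xs:dateTime: ISO 8601 with a time part
            if "T" not in value:
                raise ValueError(value)
            datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"@{attr} is not a dateTime: {value!r}")
    seen = set()
    for child in elem:
        name = local(child.tag)
        if name not in CHILDREN:
            problems.append(f"unexpected element {name}")
        elif name in seen:
            problems.append(f"{name} occurs more than once (0..1)")
        seen.add(name)
        if name == "Numeric_Importance" and not POSITIVE_INTEGER.fullmatch((child.text or "").strip()):
            problems.append(f"Numeric_Importance is not a positiveInteger: {child.text!r}")
    return problems

# Constructed sample: element names, namespace and values are illustrative only.
SAMPLE = """<Candidate_Indicators xmlns="urn:example:constructed" xmlns:example="urn:example:constructed">
  <Candidate_Indicator id="example:cin-1" creation_datetime="2014-03-01T12:00:00" version="1.0">
    <Numeric_Importance>3</Numeric_Importance><Author>analyst</Author>
  </Candidate_Indicator>
  <Candidate_Indicator creation_datetime="yesterday">
    <Numeric_Importance>0</Numeric_Importance>
    <Description>a</Description><Description>b</Description>
  </Candidate_Indicator>
</Candidate_Indicators>"""

def check_sample():
    return [check_candidate_indicator(e) for e in ET.fromstring(SAMPLE)]
```

`check_sample()` returns one list of problems per indicator in the constructed sample; an empty list means the element passed these checks.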