The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.
Field Name | Type | Description |
---|---|---|
@id (required) | QName | The required id field specifies a unique ID for this Analysis. |
@type (optional) | AnalysisTypeEnum | The type field specifies the type of malware analysis being performed. |
@method (optional) | AnalysisMethodEnum | The method field specifies the analysis method used in the analysis. |
@ordinal_position (optional) | positiveInteger | The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject. |
@start_datetime (optional) | dateTime | The start_datetime field specifies the date/time the analysis was started. |
@complete_datetime (optional) | dateTime | The complete_datetime field specifies the date/time the analysis was completed. |
@lastupdate_datetime (optional) | dateTime | The lastupdate_datetime field specifies the date/time the analysis was last updated. |
Source (0..1) | SourceType | The Source field specifies information about the internal or external source of the analysis, if applicable. |
Analysts (0..1) | PersonnelType | The Analysts field specifies the analyst(s) who performed the analysis. |
Summary (0..1) | StructuredTextType | The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights. |
Comments (0..1) | CommentListType | The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. The contents of comments are typically not contained in the Report. |
Findings_Bundle_Reference (0..n) | BundleReferenceType | The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field. |
Tools (0..1) | ToolListType | The Tools field specifies information about the tool(s) used in the analysis, via the Cyber Observable eXpression (CybOX™) ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element. |
Dynamic_Analysis_Metadata (0..1) | DynamicAnalysisMetadataType | The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc. |
Analysis_Environment (0..1) | AnalysisEnvironmentType | The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed. |
Report (0..1) | StructuredTextType | The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis. |
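As an added example, not part of the MAEC specification or its reference code, the following Python checks an Analysis element against the constraints in the table above: the required id, the positiveInteger ordinal_position, the dateTime attributes, and the maximum occurrences and sequence order of the child elements. The namespace URI and the bundle_idref attribute name are placeholders assumed for the sample, since the page does not give them.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "urn:example:maec-core-placeholder"  # placeholder: the page gives no namespace URI
# Child elements in the table's order (the schema sequence) with the maximum
# occurrences from the 0..1 / 0..n column; None means unbounded (0..n).
CHILD_MAX = {"Source": 1, "Analysts": 1, "Summary": 1, "Comments": 1,
             "Findings_Bundle_Reference": None, "Tools": 1,
             "Dynamic_Analysis_Metadata": 1, "Analysis_Environment": 1, "Report": 1}
ORDER = list(CHILD_MAX)
DATETIME_ATTRS = ("start_datetime", "complete_datetime", "lastupdate_datetime")

def check_analysis(elem):
    """Return the list of table violations; an empty list means the element conforms."""
    problems = []
    if not elem.get("id"):
        problems.append("missing required @id")
    pos = elem.get("ordinal_position")
    if pos is not None and not (pos.isdigit() and int(pos) > 0):
        problems.append(f"@ordinal_position must be a positiveInteger, got {pos!r}")
    for attr in DATETIME_ATTRS:
        val = elem.get(attr)
        if val is not None:
            try:
                datetime.fromisoformat(val.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"@{attr} is not an xs:dateTime: {val!r}")
    # ElementTree writes qualified tags as {uri}local; keep only the local name.
    names = [child.tag.rsplit("}", 1)[-1] for child in elem]
    for name in sorted(set(names)):
        if name not in CHILD_MAX:
            problems.append(f"unexpected child element {name}")
        elif CHILD_MAX[name] is not None and names.count(name) > CHILD_MAX[name]:
            problems.append(f"{name} occurs {names.count(name)} times, max {CHILD_MAX[name]}")
    order = [ORDER.index(n) for n in names if n in ORDER]
    if order != sorted(order):
        problems.append("child elements are not in the table's sequence order")
    return problems

def check_analysis_xml(xml_text):
    return check_analysis(ET.fromstring(xml_text))

# Constructed samples, not taken from the page; bundle_idref is an assumed attribute name.
GOOD = f"""<Analysis xmlns="{NS}" id="example:analysis-1" ordinal_position="1"
  start_datetime="2014-01-05T10:00:00Z" complete_datetime="2014-01-05T10:20:00Z">
  <Summary>Sandbox run of the sample; details are in Report.</Summary>
  <Findings_Bundle_Reference bundle_idref="example:bundle-1"/>
  <Findings_Bundle_Reference bundle_idref="example:bundle-2"/>
  <Report>The sample wrote a second file to a temp directory and executed it.</Report>
</Analysis>"""
BAD = f"""<Analysis xmlns="{NS}" ordinal_position="0" start_datetime="yesterday"><Report>a</Report><Report>b</Report></Analysis>"""
```

Running check_analysis_xml(GOOD) returns an empty list, while check_analysis_xml(BAD) reports the missing id, the non-positive ordinal_position, the malformed start_datetime and the duplicated Report element.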