Malware

malware

The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.


Attributes

Caption Name Type Is Array Default Description
Classification IDs classification_ids Integer The list of normalized identifiers of the malware classifications, drawn from the STIX 2.1 malware-type vocabulary (Reference: STIX Malware Types). This attribute is required and is an array. Note that id 12 is not assigned in this enumeration; a classification that has no listed id should be reported as 0 (Unknown) or 99 (Other) with the source-specific value carried in classifications, rather than as an unlisted integer.
0
Unknown
1
Adware
2
Backdoor
3
Bot
4
Bootkit
5
DDOS
6
Downloader
7
Dropper
8
Exploit-Kit
9
Keylogger
10
Ransomware
11
Remote-Access-Trojan
13
Resource-Exploitation
14
Rogue-Security-Software
15
Rootkit
16
Screen-Capture
17
Spyware
18
Trojan
19
Virus
20
Webshell
21
Wiper
22
Worm
99
Other
Classifications classifications String The list of malware classifications, normalized to the captions of the classification_ids values. In the case of 'Other' (99), the values are defined by the event source and are not normalized, so they may differ between providers and should not be used on their own for cross-source correlation.
CVE UIDs cve_uids String The common vulnerabilities and exposures (CVE) unique identifiers.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0. New producers should populate the cves attribute (a list of CVE objects) instead; cve_uids is retained only for backward compatibility with existing consumers.

CVE List cves CVE List of Common Vulnerabilities and Exposures (CVE).
Name name String The malware name, as reported by the detection engine. Names are vendor-specific rather than normalized, so the same sample may carry different names across providers. At least one of name or uid must be present (see the at_least_one constraint in the JSON definition below).
Path path Path Name The filesystem path of the malware that was observed, as reported by the event source. Because the filename and directory are under the attacker's control, treat this value as untrusted input when it is displayed, logged, or used in further processing.
Provider provider String The provider of the malware information.
Raw Data raw_data JSON The event data as received from the event source, passed through without normalization. Its structure is source-specific and it should be handled as untrusted input.
Record ID record_id String Unique identifier for the object. This attribute is required.
Unique ID uid String The malware unique identifier, as reported by the detection engine, for example a virus id or an IPS signature id. Such identifiers are typically meaningful only within the reporting provider's namespace, so combine uid with provider when correlating across sources.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.


JSON

            
{
  "caption": "Malware",
  "description": "The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.",
  "extends": "_entity",
  "name": "malware",
  "attributes": {
    "classification_ids": {
      "description": "The list of normalized identifiers of the malware classifications. Reference: <a target='_blank' href='https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oxlc4df65spl'>STIX Malware Types</a> ",
      "requirement": "required",
      "enum": {
        "1": {
          "caption": "Adware"
        },
        "2": {
          "caption": "Backdoor"
        },
        "3": {
          "caption": "Bot"
        },
        "4": {
          "caption": "Bootkit"
        },
        "5": {
          "caption": "DDOS"
        },
        "6": {
          "caption": "Downloader"
        },
        "7": {
          "caption": "Dropper"
        },
        "8": {
          "caption": "Exploit-Kit"
        },
        "9": {
          "caption": "Keylogger"
        },
        "10": {
          "caption": "Ransomware"
        },
        "11": {
          "caption": "Remote-Access-Trojan"
        },
        "13": {
          "caption": "Resource-Exploitation"
        },
        "14": {
          "caption": "Rogue-Security-Software"
        },
        "15": {
          "caption": "Rootkit"
        },
        "16": {
          "caption": "Screen-Capture"
        },
        "17": {
          "caption": "Spyware"
        },
        "18": {
          "caption": "Trojan"
        },
        "19": {
          "caption": "Virus"
        },
        "20": {
          "caption": "Webshell"
        },
        "21": {
          "caption": "Wiper"
        },
        "22": {
          "caption": "Worm"
        },
        "0": {
          "caption": "Unknown",
          "description": "The classification is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The classification is not mapped. See the <code>classifications</code> attribute, which contains a data source specific value."
        }
      },
      "caption": "Classification IDs",
      "sibling": "classifications",
      "type": "integer_t",
      "is_array": true
    },
    "classifications": {
      "description": "The list of malware classifications, normalized to the captions of the <code>classification_ids</code> values. In the case of 'Other', they are defined by the event source.",
      "requirement": "optional",
      "caption": "Classifications",
      "type": "string_t",
      "is_array": true
    },
    "cves": {
      "requirement": "optional",
      "caption": "CVE List",
      "description": "List of Common Vulnerabilities and Exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>).",
      "type": "cve",
      "is_array": true
    },
    "name": {
      "description": "The malware name, as reported by the detection engine.",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "path": {
      "description": "The filesystem path of the malware that was observed.",
      "requirement": "recommended",
      "caption": "Path",
      "type": "path_t"
    },
    "provider": {
      "description": "The provider of the malware information.",
      "requirement": "recommended",
      "caption": "Provider",
      "type": "string_t"
    },
    "uid": {
      "description": "The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object.",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "cve_uids": {
      "requirement": "optional",
      "caption": "CVE UIDs",
      "description": "The common vulnerabilities and exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>) unique identifiers.",
      "is_array": true,
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}