Malware

malware

The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.

Contents

Attributes

Caption Name Type Is Array Default Description
Classification IDs classification_ids Integer The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types
0
Unknown
1
Adware
2
Backdoor
3
Bot
4
Bootkit
5
DDOS
6
Downloader
7
Dropper
8
Exploit-Kit
9
Keylogger
10
Ransomware
11
Remote-Access-Trojan
13
Resource-Exploitation
14
Rogue-Security-Software
15
Rootkit
16
Screen-Capture
17
Spyware
18
Trojan
19
Virus
20
Webshell
21
Wiper
22
Worm
99
Other
Classifications classifications String The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.
CVE UIDs cve_uids String The common vulnerabilities and exposures (CVE) unique identifiers.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

CVE List cves CVE List of Common Vulnerabilities and Exposures (CVE).
Name name String The malware name, as reported by the detection engine.
Path path Path Name The filesystem path of the malware that was observed.
Provider provider String The provider of the malware information.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Unique ID uid String The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Context

Malware

JSON

            
{
  "caption": "Malware",
  "description": "The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.",
  "extends": "_entity",
  "name": "malware",
  "attributes": {
    "classification_ids": {
      "requirement": "required",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Adware"
        },
        "2": {
          "caption": "Backdoor"
        },
        "3": {
          "caption": "Bot"
        },
        "4": {
          "caption": "Bootkit"
        },
        "5": {
          "caption": "DDOS"
        },
        "6": {
          "caption": "Downloader"
        },
        "7": {
          "caption": "Dropper"
        },
        "8": {
          "caption": "Exploit-Kit"
        },
        "9": {
          "caption": "Keylogger"
        },
        "10": {
          "caption": "Ransomware"
        },
        "11": {
          "caption": "Remote-Access-Trojan"
        },
        "13": {
          "caption": "Resource-Exploitation"
        },
        "14": {
          "caption": "Rogue-Security-Software"
        },
        "15": {
          "caption": "Rootkit"
        },
        "16": {
          "caption": "Screen-Capture"
        },
        "17": {
          "caption": "Spyware"
        },
        "18": {
          "caption": "Trojan"
        },
        "19": {
          "caption": "Virus"
        },
        "20": {
          "caption": "Webshell"
        },
        "21": {
          "caption": "Wiper"
        },
        "22": {
          "caption": "Worm"
        },
        "99": {
          "caption": "Other"
        }
      },
      "caption": "Classification IDs",
      "description": "The list of normalized identifiers of the malware classifications. Reference: <a target='_blank' href='https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oxlc4df65spl'>STIX Malware Types</a> ",
      "is_array": true,
      "sibling": "classifications",
      "type": "integer_t"
    },
    "classifications": {
      "requirement": "optional",
      "caption": "Classifications",
      "description": "The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.",
      "is_array": true,
      "type": "string_t"
    },
    "cves": {
      "requirement": "optional",
      "caption": "CVE List",
      "description": "List of Common Vulnerabilities and Exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>).",
      "is_array": true,
      "type": "cve"
    },
    "name": {
      "description": "The malware name, as reported by the detection engine.",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "path": {
      "description": "The filesystem path of the malware that was observed.",
      "requirement": "recommended",
      "caption": "Path",
      "type": "path_t"
    },
    "provider": {
      "description": "The provider of the malware information.",
      "requirement": "recommended",
      "caption": "Provider",
      "type": "string_t"
    },
    "uid": {
      "description": "The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "cve_uids": {
      "requirement": "optional",
      "caption": "CVE UIDs",
      "description": "The common vulnerabilities and exposures (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>) unique identifiers.",
      "is_array": true,
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}