Version: 4.1.0.13

maec.bundle.bundle Module

Classes

class maec.bundle.bundle.Bundle(id=None, defined_subject=False, schema_version='4.1', content_type=None, malware_instance_object=None)

Bases: maec.Entity

add_action(action, action_collection_name=None)

Add an Action to an existing named Action Collection in the Collections entity. If the named Action Collection does not exist, add the Action to the top-level Actions entity.

add_av_classification(av_classification)

Add an AV Classification to the top-level AV_Classifications entity in the Bundle.

add_behavior(behavior, behavior_collection_name=None)

Add a Behavior to an existing named Behavior Collection in the Collections entity. If the named Behavior Collection does not exist, add the Behavior to the top-level Behaviors entity.

add_candidate_indicator(candidate_indicator, candidate_indicator_collection_name=None)

Add a Candidate Indicator to an existing named Candidate Indicator Collection in the Collections entity. If the named Candidate Indicator Collection does not exist, add the Candidate Indicator to the top-level Candidate Indicators entity.

add_capability(capability)

Add a Capability to the top-level Capabilities entity in the Bundle.

add_named_action_collection(collection_name, collection_id=None)

Add a new named Action Collection to the top-level Collections entity in the Bundle.

add_named_behavior_collection(collection_name, collection_id=None)

Add a new named Behavior Collection to the Collections entity in the Bundle.

add_named_candidate_indicator_collection(collection_name, collection_id=None)

Add a new named Candidate Indicator Collection to the Collections entity in the Bundle.

add_named_object_collection(collection_name, collection_id=None)

Add a new named Object Collection to the Collections entity in the Bundle.

add_object(object, object_collection_name=None)

Add an Object to an existing named Object Collection in the Collections entity. If the named Object Collection does not exist, add the Object to the top-level Objects entity.

classmethod compare(bundle_list, match_on=None, case_sensitive=True)

Compare the Bundle to a list of other Bundles, returning a BundleComparator object.

deduplicate()

Deduplicate all Objects in the Bundle. Add duplicate Objects to a new “Deduplicated Objects” Object Collection, and replace the duplicate entries with references to the corresponding Object.

dereference_objects(extra_objects=[])

Dereference any Objects in the Bundle by replacing them with the entities they reference.

get_action_objects(action_name_list)

Get all Objects corresponding to one or more types of Actions, specified via a list of Action names.

get_all_actions(bin=False)

Return a list of all Actions in the Bundle.

get_all_actions_on_object(object)

Return a list of all of the Actions in the Bundle that operate on a particular input Object.

get_all_multiple_referenced_objects()

Return a list of all Objects in the Bundle that are referenced more than once.

get_all_non_reference_objects()

Return a list of all Objects in the Bundle that are not references (i.e. all of the actual Objects in the Bundle).

get_all_objects(include_actions=False)

Return a list of all Objects in the Bundle.

get_object_by_id(id, extra_objects=[], ignore_actions=False)

Find and return the Entity (Action, Object, etc.) with the specified ID.

get_object_history()

Build and return the Object history for the Bundle.

normalize_objects()

Normalize all Objects in the Bundle, using the CybOX normalize module.

set_malware_instance_object_attributes(malware_instance_object)

Set the top-level Malware Instance Object Attributes entity in the Bundle.

set_process_tree(process_tree)

Set the Process Tree, in the top-level <Process_Tree> element.

class maec.bundle.bundle.ActionList(*args)

Bases: mixbox.entities.EntityList

class maec.bundle.bundle.BehaviorList(*args)

Bases: mixbox.entities.EntityList

class maec.bundle.bundle.ObjectList(*args)

Bases: mixbox.entities.EntityList

class maec.bundle.bundle.BaseCollection(name=None)

Bases: maec.Entity

class maec.bundle.bundle.ActionCollection(name=None, id=None)

Bases: maec.bundle.bundle.BaseCollection

add_action(action)

Add an input Action to the Collection.

class maec.bundle.bundle.BehaviorCollection(name=None, id=None)

Bases: maec.bundle.bundle.BaseCollection

add_behavior(behavior)

Add an input Behavior to the Collection.

class maec.bundle.bundle.ObjectCollection(name=None, id=None)

Bases: maec.bundle.bundle.BaseCollection

add_object(object)

Add an input Object to the Collection.

class maec.bundle.bundle.CandidateIndicatorCollection(name=None, id=None)

Bases: maec.bundle.bundle.BaseCollection

add_candidate_indicator(candidate_indicator)

Add an input Candidate Indicator to the Collection.

class maec.bundle.bundle.BehaviorCollectionList

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)

Return a specific named Collection from the list, based on its name.

has_collection(collection_name)

Check for the existence of a specific named Collection in the list, based on its name.

class maec.bundle.bundle.ActionCollectionList

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)

Return a specific named Collection from the list, based on its name.

has_collection(collection_name)

Check for the existence of a specific named Collection in the list, based on its name.

class maec.bundle.bundle.ObjectCollectionList

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)

Return a specific named Collection from the list, based on its name.

has_collection(collection_name)

Check for the existence of a specific named Collection in the list, based on its name.

class maec.bundle.bundle.CandidateIndicatorCollectionList

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)

Return a specific named Collection from the list, based on its name.

has_collection(collection_name)

Check for the existence of a specific named Collection in the list, based on its name.

class maec.bundle.bundle.Collections

Bases: maec.Entity

add_named_action_collection(action_collection_name, collection_id=None)

Add a new named Action Collection to the Collections instance.

add_named_behavior_collection(behavior_collection_name, collection_id=None)

Add a new named Behavior Collection to the Collections instance.

add_named_candidate_indicator_collection(candidate_indicator_collection_name, collection_id=None)

Add a new named Candidate Indicator Collection to the Collections instance.

add_named_object_collection(object_collection_name, collection_id=None)

Add a new named Object Collection to the Collections instance.

has_content()

Returns true if any Collections instance inside of the Collection has len > 0.

class maec.bundle.bundle.BehaviorReference

Bases: maec.Entity