maec.bundle.bundle Module

Version: 4.1.0.17

Classes¶

class maec.bundle.bundle.Bundle(id=None, defined_subject=False, schema_version='4.1', content_type=None, malware_instance_object=None)¶

Bases: maec.Entity

add_action(action, action_collection_name=None)¶: Add an Action to an existing named Action Collection in the Collections entity. If it does not exist, add it to the top-level Actions entity.

add_av_classification(av_classification)¶: Add an AV Classification to the top-level AV_Classifications entity in the Bundle.

add_behavior(behavior, behavior_collection_name=None)¶: Add a Behavior to an existing named Behavior Collection in the Collections entity. If it does not exist, add it to the top-level Behaviors entity.

add_candidate_indicator(candidate_indicator, candidate_indicator_collection_name=None)¶: Add a Candidate Indicator to an existing named Candidate Indicator Collection in the Collections entity. If it does not exist, add it to the top-level Candidate Indicators entity.

add_capability(capability)¶: Add a Capability to the top-level Capabilities entity in the Bundle.

add_named_action_collection(collection_name, collection_id=None)¶: Add a new named Action Collection to the top-level Collections entity in the Bundle.

add_named_behavior_collection(collection_name, collection_id=None)¶: Add a new named Behavior Collection to the Collections entity in the Bundle.

add_named_candidate_indicator_collection(collection_name, collection_id=None)¶: Add a new named Candidate Indicator Collection to the Collections entity in the Bundle.

add_named_object_collection(collection_name, collection_id=None)¶: Add a new named Object Collection to the Collections entity in the Bundle.

add_object(object, object_collection_name=None)¶: Add an Object to an existing named Object Collection in the Collections entity. If it does not exist, add it to the top-level Object entity.

classmethod compare(bundle_list, match_on=None, case_sensitive=True)¶: Compare the Bundle to a list of other Bundles, returning a BundleComparator object.

deduplicate()¶: Deduplicate all Objects in the Bundle. Add duplicate Objects to new “Deduplicated Objects” Object Collection, and replace duplicate entries with references to corresponding Object.

dereference_objects(extra_objects=[])¶: Dereference any Objects in the Bundle by replacing them with the entities they reference.

get_action_objects(action_name_list)¶: Get all Objects corresponding to one or more types of Actions, specified via a list of Action names.

get_all_actions(bin=False)¶: Return a list of all Actions in the Bundle.

get_all_actions_on_object(object)¶: Return a list of all of the Actions in the Bundle that operate on a particular input Object.

get_all_multiple_referenced_objects()¶: Return a list of all Objects in the Bundle that are referenced more than once.

get_all_non_reference_objects()¶: Return a list of all Objects in the Bundle that are not references (i.e. all of the actual Objects in the Bundle).

get_all_objects(include_actions=False)¶: Return a list of all Objects in the Bundle.

get_object_by_id(id, extra_objects=[], ignore_actions=False)¶: Find and return the Entity (Action, Object, etc.) with the specified ID.

get_object_history()¶: Build and return the Object history for the Bundle.

normalize_objects()¶: Normalize all Objects in the Bundle, using the CybOX normalize module.

set_malware_instance_object_attributes(malware_instance_object)¶: Set the top-level Malware Instance Object Attributes entity in the Bundle.

set_process_tree(process_tree)¶: Set the Process Tree, in the top-level <Process_Tree> element.

class maec.bundle.bundle.ActionList(*args)¶: Bases: mixbox.entities.EntityList

class maec.bundle.bundle.BehaviorList(*args)¶: Bases: mixbox.entities.EntityList

class maec.bundle.bundle.ObjectList(*args)¶: Bases: mixbox.entities.EntityList

class maec.bundle.bundle.BaseCollection(name=None)¶: Bases: maec.Entity

class maec.bundle.bundle.ActionCollection(name=None, id=None)¶

Bases: maec.bundle.bundle.BaseCollection

add_action(action)¶: Add an input Action to the Collection.

class maec.bundle.bundle.BehaviorCollection(name=None, id=None)¶

Bases: maec.bundle.bundle.BaseCollection

add_behavior(behavior)¶: Add an input Behavior to the Collection.

class maec.bundle.bundle.ObjectCollection(name=None, id=None)¶

Bases: maec.bundle.bundle.BaseCollection

add_object(object)¶: Add an input Object to the Collection.

class maec.bundle.bundle.CandidateIndicatorCollection(name=None, id=None)¶

Bases: maec.bundle.bundle.BaseCollection

add_candidate_indicator(candidate_indicator)¶: Add an input Candidate Indicator to the Collection.

class maec.bundle.bundle.BehaviorCollectionList¶

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)¶: Return a specific named Collection from the list, based on its name.

has_collection(collection_name)¶: Checks for the existence of a specific named Collection in the list, based on the its name.

to_obj(ns_info=None)¶

Convert to a GenerateDS binding object.

Subclasses can override this function.

Returns:	An instance of this Entity’s `_binding_class` with properties set from this Entity.

class maec.bundle.bundle.ActionCollectionList¶

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)¶: Return a specific named Collection from the list, based on its name.

has_collection(collection_name)¶: Checks for the existence of a specific named Collection in the list, based on the its name.

to_obj(ns_info=None)¶

Convert to a GenerateDS binding object.

Subclasses can override this function.

Returns:	An instance of this Entity’s `_binding_class` with properties set from this Entity.

class maec.bundle.bundle.ObjectCollectionList¶

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)¶: Return a specific named Collection from the list, based on its name.

has_collection(collection_name)¶: Checks for the existence of a specific named Collection in the list, based on the its name.

to_obj(ns_info=None)¶

Convert to a GenerateDS binding object.

Subclasses can override this function.

Returns:	An instance of this Entity’s `_binding_class` with properties set from this Entity.

class maec.bundle.bundle.CandidateIndicatorCollectionList¶

Bases: mixbox.entities.EntityList

get_named_collection(collection_name)¶: Return a specific named Collection from the list, based on its name.

has_collection(collection_name)¶: Checks for the existence of a specific named Collection in the list, based on the its name.

to_obj(ns_info=None)¶

Convert to a GenerateDS binding object.

Subclasses can override this function.

Returns:	An instance of this Entity’s `_binding_class` with properties set from this Entity.

class maec.bundle.bundle.Collections¶

Bases: maec.Entity

add_named_action_collection(action_collection_name, collection_id=None)¶: Add a new named Action Collection to the Collections instance.

add_named_behavior_collection(behavior_collection_name, collection_id=None)¶: Add a new named Behavior Collection to the Collections instance.

add_named_candidate_indicator_collection(candidate_indicator_collection_name, collection_id=None)¶: Add a new named Candidate Indicator Collection to the Collections instance.

add_named_object_collection(object_collection_name, collection_id=None)¶: Add a new named Object Collection to the Collections instance.

has_content()¶: Returns true if any Collections instance inside of the Collection has len > 0.

class maec.bundle.bundle.BehaviorReference¶: Bases: maec.Entity