{
"$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"analysis-metadata": {
"title": "Analysis",
"type": "object",
"description": "Captures metadata associated with the analyses of a malware instance, such as the tools used, analysts, and other data.",
"properties": {
"is_automated": {
"type": "boolean",
"description": "Captures whether the analysis was completely automated (i.e., with no human analyst in the loop). If this property is set to true, the analysts property MUST NOT be included."
},
"start_time": {
"type": "string",
"format": "date-time",
"description": "Captures the date/time that the analysis was started."
},
"end_time": {
"type": "string",
"format": "date-time",
"description": "Captures the date/time that the analysis was completed."
},
"last_update_time": {
"type": "string",
"format": "date-time",
"description": "Captures the date/time that the analysis was last updated."
},
"confidence": {
"type": "string",
"description": "Captures the relative measure of confidence in the accuracy of the analysis results. The value for this property SHOULD come from the confidence-measure-ov vocabulary."
},
"analysts": {
"type": "array",
"items": {"type": "string"},
"description": "Captures the names of analysts who performed the analysis."
},
"analysis_type": {
"type": "string",
"description": "Captures the type of analysis performed. The value for this property SHOULD come from the analysis-type-ov vocabulary."
},
"comments": {
"type": "array",
"items": {"type": "string"},
"description": "Captures comments regarding the analysis that was performed. A comment SHOULD be attributable to a specific analyst and SHOULD reflect particular insights of the author that are significant from an analysis standpoint."
},
"tool_refs": {
"type": "array",
"items": {"type": "string"},
"description": "References the tools used in the analysis of a Malware Instance. The objects reference MUST be of STIX type software and MUST be specified in the observable-objects property of the Package."
},
"analysis_environment": {
"type": "object",
"description": "Captures any metadata, such as the host virtual machine, associated with the analysis environment used to perform the dynamic analysis of the Malware Instance. Each key in the dictionary SHOULD come from the analysis-environment-ov, and each corresponding key value SHOULD be a valid object-ref or list of object-ref. This property MUST NOT be included if analysis_type is set to a value of static."
},
"description": {
"type": "string",
"description": "Captures a textual description of the analysis that was performed."
},
"conclusions": {
"type": "array",
"items": {"type": "string"},
"description": "Captures analysis conclusions, such as whether the binary was found to be malicious. The value for this property SHOULD come from the analysis-conclusion-type-ov vocabulary."
},
"references": {
"type": "array",
"items": {"$ref": "external-reference.json#/definitions/external-reference"},
"description": "Captures any references to reports or other data sources pertaining to the analysis."
}
},
"required":[
"is_automated",
"analysis_type"
]
}
}
}