Class: Malware
The Malware object describes the classification of known malicious software,
which is intentionally designed to cause damage to a computer, server, client,
or computer network.
URI: ocsf:Malware
```mermaid
classDiagram
    class Malware
    click Malware href "../Malware/"
    Entity <|-- Malware
    click Entity href "../Entity/"
    Malware : classification_ids
    Malware --> "1..*" MalwareClassificationIdsEnum : classification_ids
    click MalwareClassificationIdsEnum href "../MalwareClassificationIdsEnum/"
    Malware : classifications
    Malware : cves
    Malware --> "*" Cve : cves
    click Cve href "../Cve/"
    Malware : files
    Malware --> "*" File : files
    click File href "../File/"
    Malware : name
    Malware : num_infected
    Malware : path
    Malware : provider
    Malware : severity
    Malware : severity_id
    Malware --> "0..1 _recommended_" SeverityIdEnum : severity_id
    click SeverityIdEnum href "../SeverityIdEnum/"
    Malware : uid
```
Inheritance
- Entity
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| classification_ids | 1..* MalwareClassificationIdsEnum | The list of normalized identifiers of the malware classifications | direct |
| classifications | * String | The list of malware classifications, normalized to the captions of the `classification_ids` values. In the case of 'Other', they are defined by the event source | direct |
| cves | * Cve | The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware | direct |
| files | * File | The list of file objects representing files that were identified as infected by the malware | direct |
| name | 0..1 recommended String | The malware name, as reported by the detection engine | direct |
| num_infected | 0..1 Integer | The number of files that were identified to be infected by the malware | direct |
| path | 0..1 recommended String | The filesystem path of the malware that was observed (deprecated: use the `file.path` attribute available via `files`) | direct |
| provider | 0..1 recommended String | The name or identifier of the security solution or service that provided the malware detection information | direct |
| severity | 0..1 String | The severity of the malware, normalized to the captions of the `severity_id` values. In the case of 'Other', they are defined by the event source | direct |
| severity_id | 0..1 recommended SeverityIdEnum | The normalized identifier of the malware severity | direct |
| uid | 0..1 recommended String | A unique identifier for the specific malware instance, as assigned by the detection engine (e.g., virus signature ID or IPS rule ID) | direct |
Usages
In Subsets
- objects_subset
Aliases
- Malware
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Malware |
| native | ocsf:Malware |
| exact | stix:Malware |
| related | capec:AttackPattern |
| close | attack:Software, uco_master:MaliciousTool |
LinkML Source
Direct
```yaml
name: Malware
description: 'The Malware object describes the classification of known malicious software,
  which is intentionally designed to cause damage to a computer, server, client,
  or computer network.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware
exact_mappings:
- stix:Malware
close_mappings:
- attack:Software
- uco_master:MaliciousTool
related_mappings:
- capec:AttackPattern
is_a: Entity
slots:
- classification_ids
- classifications
- cves
- files
- name
- num_infected
- path
- provider
- severity
- severity_id
- uid
slot_usage:
  classification_ids:
    name: classification_ids
    description: The list of normalized identifiers of the malware classifications.
    range: MalwareClassificationIdsEnum
    required: true
  classifications:
    name: classifications
    description: 'The list of malware classifications, normalized to the captions of the
      <code>classification_ids</code> values. In the case of ''Other'', they are
      defined by the event source.'
  cves:
    name: cves
    description: 'The list of Common Vulnerabilities and Exposures (CVE) identifiers associated
      with the malware. Reference: <a target=''_blank'' href=''https://cve.mitre.org/''>CVE</a>'
  files:
    name: files
    description: 'The list of file objects representing files that were identified as infected by
      the malware.'
  name:
    name: name
    description: The malware name, as reported by the detection engine.
  num_infected:
    name: num_infected
    description: The number of files that were identified to be infected by the malware.
  path:
    name: path
    description: The filesystem path of the malware that was observed.
    deprecated: Use <code>file.path</code> attribute available via <code>files</code>.
    recommended: true
  provider:
    name: provider
    description: 'The name or identifier of the security solution or service that provided the
      malware detection information.'
    recommended: true
  severity:
    name: severity
    description: 'The severity of the malware, normalized to the captions of the
      <code>severity_id</code> values. In the case of ''Other'', they are defined by
      the event source.'
  severity_id:
    name: severity_id
    description: The normalized identifier of the malware severity.
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for the specific malware instance, as assigned by the
      detection engine (e.g., virus signature ID or IPS rule ID).'
```
Induced
```yaml
name: Malware
description: 'The Malware object describes the classification of known malicious software,
  which is intentionally designed to cause damage to a computer, server, client,
  or computer network.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware
exact_mappings:
- stix:Malware
close_mappings:
- attack:Software
- uco_master:MaliciousTool
related_mappings:
- capec:AttackPattern
is_a: Entity
slot_usage:
  classification_ids:
    name: classification_ids
    description: The list of normalized identifiers of the malware classifications.
    range: MalwareClassificationIdsEnum
    required: true
  classifications:
    name: classifications
    description: 'The list of malware classifications, normalized to the captions of the
      <code>classification_ids</code> values. In the case of ''Other'', they are
      defined by the event source.'
  cves:
    name: cves
    description: 'The list of Common Vulnerabilities and Exposures (CVE) identifiers associated
      with the malware. Reference: <a target=''_blank'' href=''https://cve.mitre.org/''>CVE</a>'
  files:
    name: files
    description: 'The list of file objects representing files that were identified as infected by
      the malware.'
  name:
    name: name
    description: The malware name, as reported by the detection engine.
  num_infected:
    name: num_infected
    description: The number of files that were identified to be infected by the malware.
  path:
    name: path
    description: The filesystem path of the malware that was observed.
    deprecated: Use <code>file.path</code> attribute available via <code>files</code>.
    recommended: true
  provider:
    name: provider
    description: 'The name or identifier of the security solution or service that provided the
      malware detection information.'
    recommended: true
  severity:
    name: severity
    description: 'The severity of the malware, normalized to the captions of the
      <code>severity_id</code> values. In the case of ''Other'', they are defined by
      the event source.'
  severity_id:
    name: severity_id
    description: The normalized identifier of the malware severity.
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for the specific malware instance, as assigned by the
      detection engine (e.g., virus signature ID or IPS rule ID).'
attributes:
  classification_ids:
    name: classification_ids
    annotations:
      sibling:
        tag: sibling
        value: classifications
    description: The list of normalized identifiers of the malware classifications.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Classification IDs
    rank: 1000
    alias: classification_ids
    owner: Malware
    domain_of:
    - Malware
    range: MalwareClassificationIdsEnum
    required: true
    multivalued: true
  classifications:
    name: classifications
    description: 'The list of malware classifications, normalized to the captions of the
      <code>classification_ids</code> values. In the case of ''Other'', they are
      defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Classifications
    rank: 1000
    alias: classifications
    owner: Malware
    domain_of:
    - Malware
    range: string
    multivalued: true
  cves:
    name: cves
    description: 'The list of Common Vulnerabilities and Exposures (CVE) identifiers associated
      with the malware. Reference: <a target=''_blank'' href=''https://cve.mitre.org/''>CVE</a>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - CVE List
    rank: 1000
    alias: cves
    owner: Malware
    domain_of:
    - Malware
    range: Cve
    multivalued: true
  files:
    name: files
    description: 'The list of file objects representing files that were identified as infected by
      the malware.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Files
    rank: 1000
    alias: files
    owner: Malware
    domain_of:
    - Email
    - Malware
    range: File
    multivalued: true
  name:
    name: name
    description: The malware name, as reported by the detection engine.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Malware
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  num_infected:
    name: num_infected
    description: The number of files that were identified to be infected by the malware.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Number of Infected Entities
    rank: 1000
    alias: num_infected
    owner: Malware
    domain_of:
    - Malware
    - MalwareScanInfo
    range: integer
  path:
    name: path
    description: The filesystem path of the malware that was observed.
    deprecated: Use <code>file.path</code> attribute available via <code>files</code>.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Path
    rank: 1000
    alias: path
    owner: Malware
    domain_of:
    - Url
    - AffectedPackage
    - File
    - HttpCookie
    - Image
    - Kernel
    - Malware
    - ProcessEntity
    - Product
    - RegKey
    - RegValue
    range: string
    recommended: true
  provider:
    name: provider
    description: 'The name or identifier of the security solution or service that provided the
      malware detection information.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Provider
    rank: 1000
    alias: provider
    owner: Malware
    domain_of:
    - Reputation
    - AuthFactor
    - Cloud
    - Enrichment
    - Location
    - Malware
    - ResourceDetails
    range: string
    recommended: true
  severity:
    name: severity
    description: 'The severity of the malware, normalized to the captions of the
      <code>severity_id</code> values. In the case of ''Other'', they are defined by
      the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Severity
    rank: 1000
    alias: severity
    owner: Malware
    domain_of:
    - Osint
    - RelatedEvent
    - VendorAttributes
    - Vulnerability
    - Check
    - Cvss
    - KbArticle
    - Malware
    - BaseEvent
    range: string
  severity_id:
    name: severity_id
    annotations:
      sibling:
        tag: sibling
        value: severity
    description: The normalized identifier of the malware severity.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Severity ID
    rank: 1000
    alias: severity_id
    owner: Malware
    domain_of:
    - Osint
    - RelatedEvent
    - VendorAttributes
    - Check
    - Malware
    - BaseEvent
    range: SeverityIdEnum
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for the specific malware instance, as assigned by the
      detection engine (e.g., virus signature ID or IPS rule ID).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Malware
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
```