EMA Semantic MediaWiki Guide to Form Fields

Capabilities, Subcapabilities, Behaviors, Obfuscation Methods, Attributes

Free-form text

The Name field captures the name assigned to the entity and should comprise one or more individual words, all in lowercase, with the exception of acronyms, which may be in uppercase. E.g., “prevent API unhooking”.



Free-form text

The Description field captures a brief technical description of the entity. Ideally, descriptions should be limited to no more than a few sentences for the sake of brevity, and follow the format of “The ‘x’ Entity Name …” (where ‘x’ refers to the name of the entity being described, and Entity Name is the type of the entity, such as Behavior). E.g., “The 'prevent execution in VM' Behavior prevents the execution of the malware instance in a virtual machine (VM).”

Associated Attributes

Capabilities, Subcapabilities, Behaviors, Obfuscation Methods

Selectable hierarchy (w/ check boxes)

The Associated Attributes field captures Attributes that apply to the entity.

Associated Capabilities


Text w/ autocomplete drop-down list

The Associated Capabilities field captures Capabilities that are associated with the Subcapability, selectable from a drop-down list of existing Capabilities. Multiple Capabilities can be associated with a Subcapability in this manner.

Associated Capabilities/Subcapabilities


Selectable hierarchy (w/ check boxes)

The Associated Capabilities/Subcapabilities field captures Capabilities and Subcapabilities that are associated with the Behavior. Multiple selections can be made from a hierarchy view. A Behavior can be associated directly with a Capability or with that Capability’s Subcapabilities, but it should not be associated with both, as associating it with a Subcapability implicitly associates it with the parent Capability of the Subcapability.


Capabilities, Subcapabilities, Behaviors, Obfuscation Methods

Free-form text

The Alias field captures any known aliases for the entity. Multiple aliases should be separated by commas. E.g., “c2, c^2”.


Capabilities, Subcapabilities, Behaviors, Obfuscation Methods

Free-form text

The Notes field captures any notes about the entity.


Capabilities, Subcapabilities, Behaviors, Obfuscation Methods


The Reference field captures a reference associated with the entity and contains three optional subfields: Date, Malware Family, and URL (see below). Multiple references can be captured in separate Reference fields (by clicking “Add New Reference”).



Free-form text w/ selectable calendar

The Date field corresponds to the date of the reference (not the date the Reference field was added to the wiki).


Malware Family

Free-form text w/ selectable drop-down list

The Malware Family field captures the name of the malware family associated with the entity. Previously used values are available via a drop-down list for selection or a new value can be created. E.g., “Stuxnet”.



Free-form text

The URL field captures a URL to an article, webpage, or report that provides some description of the Capability, Subcapability, Behavior, or Obfuscation Method.



Radio button

The Type field captures the type of the Attribute: ‘Free-Form String’ or ‘Enumerable List.’

Enumerable Values


Selectable hierarchy (w/ check boxes)

The Enumerable Values field is available for Attributes of Type ‘Enumerable List’ and captures attribute values that are valid for the Attribute.
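
The Name, Alias and Associated Capabilities/Subcapabilities conventions described in this guide can be checked mechanically before an entry is saved. The following Python is an added example, not part of the EMA wiki or its form code; the sample hierarchy, the function names and the treatment of any all-uppercase word as an acronym are assumptions.

```python
import re

# Constructed sample hierarchy (Capability -> Subcapabilities); the names are
# illustrative placeholders, not entries taken from the wiki.
HIERARCHY = {
    "anti-detection": ["anti-sandbox", "anti-vm"],
    "command and control": ["c2 communication"],
}

def check_name(name):
    """Return the words that break the Name rule (lowercase except acronyms)."""
    bad = []
    for word in name.split():
        letters = re.sub(r"[^A-Za-z]", "", word)
        # Assumption: a word whose letters are all uppercase is an acronym.
        if letters and not (letters.islower() or letters.isupper()):
            bad.append(word)
    return bad

def split_aliases(field):
    """Split the comma-separated Alias field, dropping empty entries."""
    return [alias.strip() for alias in field.split(",") if alias.strip()]

def redundant_associations(selected, hierarchy=HIERARCHY):
    """Return (Capability, Subcapability) pairs that were selected together.

    Selecting a Subcapability already implies its parent Capability, so a
    Behavior should list one or the other, not both.
    """
    chosen = set(selected)
    return sorted(
        (cap, sub)
        for cap, subs in hierarchy.items() if cap in chosen
        for sub in subs if sub in chosen
    )

def implied_capabilities(selected, hierarchy=HIERARCHY):
    """Resolve a selection to every Capability it names directly or implies."""
    chosen = set(selected)
    return sorted(
        cap for cap, subs in hierarchy.items()
        if cap in chosen or chosen.intersection(subs)
    )
```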