Behavior References in MAEC Report

[leotant]

Hello, I have implemented the MAEC reporting module in cuckoo 2.0 and I am able to generate the corresponding reports. However, I noticed that there aren't any behavior references linked to the capabilities included in the report (to see which particular action executed by the malware triggered a specific capability).

I had previously looked into the MAEC examples for cuckoo and stumbled upon this schema:
https://github.com/MAECProject/schemas/blob/master/examples/package_capability.json

This file contains the following snippet:

"capabilities": [
{
"name": "persistence",
"refined_capabilities": [
{
"name": "continuous-execution",
"behavior_refs": ["behavior--2099d4c1-0e8a-49d2-8d32-f0427e1ff817"]
}
]
}
],

Is there any way to generate reports that also include the aforementioned "behavior_refs" using Cuckoo and MAEC?

Thanks

[dzbeck]

Hi - Behaviors have not yet been captured in the MAEC reporting module for Cuckoo. The current (beta) release of the module is limited to the following data:

• Malware Instance
  * Labels
  * Capabilities
  * Analysis Metadata
  * Dynamic Features
  - Actions
  - Process Tree
  * Static Features
  - Strings
  * Triggered Signatures
• AV Classifications