From 7b08727ac8958f8bb68049e4942268a5171fbe04 Mon Sep 17 00:00:00 2001 From: Michael Chisholm Date: Sun, 1 Mar 2020 17:06:22 -0500 Subject: [PATCH] STIX 2.1 spec update: change usage of malware-analysis SDO property "av_result" to properties "result" and "result_name". --- maec2stix/translator.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/maec2stix/translator.py b/maec2stix/translator.py index bb30147..24c5833 100644 --- a/maec2stix/translator.py +++ b/maec2stix/translator.py @@ -538,7 +538,7 @@ def _start_stix_malware_analysis_from_maec_analysis( all_stix_ids |= stix_ids if "conclusion" in maec_analysis: - stix_malware_analysis["av_result"] = \ + stix_malware_analysis["result"] = \ _translate_maec_analysis_conclusion( maec_analysis["conclusion"] ) @@ -608,9 +608,12 @@ def _start_stix_malware_analysis_from_sco_extension( # The extension has boolean yes/no detection value, so we can't distinguish # between "malicious" and "suspicious". Just use "malicious" if detected # and "benign" if not. - stix_malware_analysis["av_result"] = "malicious" if \ + stix_malware_analysis["result"] = "malicious" if \ extension["is_detected"] else "benign" + if "classification_name" in extension: + stix_malware_analysis["result_name"] = extension["classification_name"] + if "av_version" in extension: stix_malware_analysis["version"] = extension["av_version"]
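Review bot: In the second hunk, the new `result_name` assignment copies `extension["classification_name"]` through unchecked, while the neighbouring `result` value is normalized to a fixed "malicious"/"benign" string; if the extension dictionary is built from externally supplied MAEC content (presumably, given the function name), an empty or non-string classification lands unchanged in the emitted STIX object. A narrower guard keeps the property well-formed: `name = extension.get("classification_name")` / `if isinstance(name, str) and name:` / `stix_malware_analysis["result_name"] = name`. The comment block above the hunk explains only the coarse `result` mapping, so a one-line comment above the new `if` such as `# result_name keeps the scanner's own label, which is finer-grained than result` would tell a reader why both properties are set. The enclosing function `_start_stix_malware_analysis_from_sco_extension` starts and ends outside the hunk, so whether `extension` was validated earlier cannot be seen here.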