Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

name

type

doc

:creds

auth:creds

The credentials used to attempt access.

:time

time

The time of the access attempt.

:success

bool

Set to true if the access was successful.

:person

ps:person

The person who attempted access.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

name

type

doc

:email

inet:email

The email address used to identify the user.

:user

inet:user

The user name used to identify the user.

:phone

tel:phone

The phone number used to identify the user.

:passwd

inet:passwd

The password used to authenticate.

:passwdhash

it:auth:passwdhash

The password hash used to authenticate.

:account

it:account

The account that the creds allow access to.

:website

inet:url

The base URL of the website that the credentials allow access to.

:host

it:host

The host that the credentials allow access to.

:wifi:ssid

inet:wifi:ssid

The WiFi SSID that the credentials allow access to.

:web:acct

inet:web:acct

The web account that the credentials allow access to.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

belief:subscriber

A contact which subscribes to a belief system.

The base type for the form can be found at belief:subscriber.

Properties:

name

type

doc

:contact

ps:contact

The contact which subscribes to the belief system.

:system

belief:system

The belief system to which the contact subscribes.

:began

time

The time that the contact began to be a subscriber to the belief system.

:ended

time

The time when the contact ceased to be a subscriber to the belief system.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

belief:subscriber

-(follows)>

belief:tenet

The subscriber is assessed to generally adhere to the specific tenet.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

belief:system

A belief system such as an ideology, philosophy, or religion.

The base type for the form can be found at belief:system.

Properties:

name

type

doc

opts

:name

onespace: True
lower: True

The name of the belief system.

:desc

str

A description of the belief system.

Display: {'hint': 'text'}

:type

belief:system:type:taxonomy

A taxonometric type for the belief system.

:began

time

The time that the belief system was first observed.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

belief:system

-(has)>

belief:tenet

The belief system includes the tenet.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types.

The base type for the form can be found at belief:system:type:taxonomy.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

belief:system:type:taxonomy

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

belief:tenet

A concrete tenet potentially shared by multiple belief systems.

The base type for the form can be found at belief:tenet.

Properties:

name

type

doc

opts

:name

onespace: True
lower: True

The name of the tenet.

:desc

str

A description of the tenet.

Display: {'hint': 'text'}

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

belief:subscriber

-(follows)>

belief:tenet

The subscriber is assessed to generally adhere to the specific tenet.

belief:system

-(has)>

belief:tenet

The belief system includes the tenet.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

name

type

doc

opts

:count

int

The number of instances of the product or service included in the bundle.

:price

econ:price

The price of the bundle.

:product

biz:product

The product included in the bundle.

:service

biz:service

The service included in the bundle.

:deal

biz:deal

Deprecated. Please use econ:receipt:item for instances of bundles being sold.

Deprecated: True

:purchase

econ:purchase

Deprecated. Please use econ:receipt:item for instances of bundles being sold.

Deprecated: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

name

type

doc

opts

:title

str

A title for the deal.

:type

biz:dealtype

The type of deal.

Display: {'hint': 'taxonomy'}

:status

biz:dealstatus

The status of the deal.

Display: {'hint': 'taxonomy'}

:updated

time

The last time the deal had a significant update.

:contacted

time

The last time the contacts communicated about the deal.

:rfp

biz:rfp

The RFP that the deal is in response to.

:buyer

ps:contact

The primary contact information for the buyer.

:buyer:org

ou:org

The buyer org.

:buyer:orgname

ou:name

The reported ou:name of the buyer org.

:buyer:orgfqdn

inet:fqdn

The reported inet:fqdn of the buyer org.

:seller

ps:contact

The primary contact information for the seller.

:seller:org

ou:org

The seller org.

:seller:orgname

ou:name

The reported ou:name of the seller org.

:seller:orgfqdn

inet:fqdn

The reported inet:fqdn of the seller org.

:currency

econ:currency

The currency of econ:price values associated with the deal.

:buyer:budget

econ:price

The buyers budget for the eventual purchase.

:buyer:deadline

time

When the buyer intends to make a decision.

:offer:price

econ:price

The total price of the offered products.

:offer:expires

time

When the offer expires.

:purchase

econ:purchase

Records a purchase resulting from the deal.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

biz:dealstatus

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

biz:dealtype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

name

type

doc

:seller

ps:contact

The contact information for the seller.

:product

biz:product

The product being offered.

:service

biz:service

The service being offered.

:current

bool

Set to true if the offer is still current.

:time

time

The first known offering of this product/service by the organization for the asking price.

:expires

time

Set if the offer has a known expiration date.

:price

econ:price

The asking price of the product or service.

:currency

econ:currency

The currency of the asking price.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

biz:prodtype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

name

type

doc

opts

:name

str

The name of the product.

:type

biz:prodtype

The type of product.

Display: {'hint': 'taxonomy'}

:summary

str

A brief summary of the product.

Display: {'hint': 'text'}

:maker

ps:contact

A contact for the maker of the product.

:madeby:org

ou:org

Deprecated. Please use biz:product:maker.

Deprecated: True

:madeby:orgname

ou:name

Deprecated. Please use biz:product:maker.

Deprecated: True

:madeby:orgfqdn

inet:fqdn

Deprecated. Please use biz:product:maker.

Deprecated: True

:price:retail

econ:price

The MSRP price of the product.

:price:bottom

econ:price

The minimum offered or observed price of the product.

:price:currency

econ:currency

The currency of the retail and bottom price properties.

:bundles

uniq: True
sorted: True

An array of bundles included with the product.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

name

type

doc

opts

:ext:id

str

An externally specified identifier for the RFP.

:title

str

The title of the RFP.

:summary

str

A brief summary of the RFP.

Display: {'hint': 'text'}

:status

biz:dealstatus

The status of the RFP.

Display: {'hint': 'enum'}

:url

inet:url

The official URL for the RFP.

:file

file:bytes

The RFP document.

:posted

time

The date/time that the RFP was posted.

:quesdue

time

The date/time that questions are due.

:propdue

time

The date/time that proposals are due.

:contact

ps:contact

The contact information given for the org requesting offers.

:purchases

uniq: True
sorted: True

Any known purchases that resulted from the RFP.

:requirements

type: ou:goal
uniq: True
sorted: True

A typed array which indexes each field.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

name

type

doc

opts

:provider

ps:contact

The contact info of the entity which performs the service.

:name

lower: True
onespace: True

The name of the service being performed.

:summary

str

A brief summary of the service.

Display: {'hint': 'text'}

:type

biz:service:type:taxonomy

A taxonomy of service types.

:launched

time

The time when the operator first made the service available.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

name

type

doc

:vitals

ou:vitals

The ou:vitals snapshot this stake is part of.

:org

ou:org

The resolved org.

:orgname

ou:name

The org name as reported by the source of the vitals.

:orgfqdn

inet:fqdn

The org FQDN as reported by the source of the vitals.

:name

str

An arbitrary name for this stake. Can be non-contact like “pool”.

:asof

time

The time the stake is being measured. Likely as part of an ou:vitals.

:shares

int

The number of shares represented by the stake.

:invested

econ:price

The amount of money invested in the cap table iteration.

:value

econ:price

The monetary value of the stake.

:percent

hugenum

The percentage ownership represented by this stake.

:owner

ps:contact

Contact information of the owner of the stake.

:purchase

econ:purchase

The purchase event for the stake.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

  • aes256

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

  • btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

name

type

doc

opts

:coin

crypto:currency:coin

The crypto coin to which the address belongs.

Read Only: True

:seed

crypto:key

The cryptographic key and or password used to generate the address.

:iden

str

The coin specific address identifier.

Read Only: True

:desc

str

A free-form description of the address.

:contact

ps:contact

Contact information associated with the address.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

name

type

doc

opts

:coin

crypto:currency:coin

The coin/blockchain this block resides on.

Read Only: True

:offset

int

The index of this block.

Read Only: True

:hash

hex

The unique hash for the block.

:minedby

crypto:currency:address

The address which mined the block.

:time

time

Time timestamp embedded in the block by the miner.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

  • (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

name

type

doc

opts

:inetaddr

inet:client

The Internet client address observed using the crypto currency address.

Read Only: True

:coinaddr

crypto:currency:address

The crypto currency address observed in use by the Internet client.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

  • btc

Properties:

name

type

doc

:name

str

The full name of the crypto coin.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

name

type

doc

opts

:hash

hex

The unique transaction hash for the transaction.

:desc

str

An analyst specified description of the transaction.

:block

crypto:currency:block

The block which records the transaction.

:block:coin

crypto:currency:coin

The coin/blockchain of the block which records this transaction.

:block:offset

int

The offset of the block which records this transaction.

:success

bool

Set to true if the transaction was successfully executed and recorded.

:status:code

int

A coin specific status code which may represent an error reason.

:status:message

str

A coin specific status message which may contain an error reason.

:to

crypto:currency:address

The destination address of the transaction.

:from

crypto:currency:address

The source address of the transaction.

:inputs

sorted: True
uniq: True

Deprecated. Please use crypto:payment:input:transaction.

Deprecated: True

:outputs

sorted: True
uniq: True

Deprecated. Please use crypto:payment:output:transaction.

Deprecated: True

:fee

econ:price

The total fee paid to execute the transaction.

:value

econ:price

The total value of the transaction.

:time

time

The time this transaction was initiated.

:eth:gasused

int

The amount of gas used to execute this transaction.

:eth:gaslimit

int

The ETH gas limit specified for this transaction.

:eth:gasprice

econ:price

The gas price (in ETH) specified for this transaction.

:contract:input

file:bytes

Input value to a smart contract call.

:contract:output

file:bytes

Output value of a smart contract call.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

name

type

doc

opts

:algorithm

crypto:algorithm

The cryptographic algorithm which uses the key material.

Example: aes256

:mode

lower: True
onespace: True

The algorithm specific mode in use.

:iv

hex

The hex encoded initialization vector.

:public

hex

The hex encoded public key material if the algorithm has a public/private key pair.

:public:md5

hash:md5

The MD5 hash of the public key in raw binary form.

:public:sha1

hash:sha1

The SHA1 hash of the public key in raw binary form.

:public:sha256

hash:sha256

The SHA256 hash of the public key in raw binary form.

:private

hex

The hex encoded private key material. All symmetric keys are private.

:private:md5

hash:md5

The MD5 hash of the private key in raw binary form.

:private:sha1

hash:sha1

The SHA1 hash of the private key in raw binary form.

:private:sha256

hash:sha256

The SHA256 hash of the private key in raw binary form.

:seed:passwd

inet:passwd

The seed password used to generate the key material.

:seed:algorithm

crypto:algorithm

The algorithm used to generate the key from the seed password.

Example: pbkdf2

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

name

type

doc

:transaction

crypto:currency:transaction

The transaction the payment was input to.

:address

crypto:currency:address

The address which paid into the transaction.

:value

econ:price

The value of the currency paid into the transaction.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

name

type

doc

:transaction

crypto:currency:transaction

The transaction the payment was output from.

:address

crypto:currency:address

The address which received payment from the transaction.

:value

econ:price

The value of the currency received from the transaction.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

name

type

doc

:transaction

crypto:currency:transaction

The transaction which created the contract.

:address

crypto:currency:address

The address of the contract.

:bytecode

file:bytes

The bytecode which implements the contract.

:token:name

str

The ERC-20 token name.

:token:symbol

str

The ERC-20 token symbol.

:token:totalsupply

hugenum

The ERC-20 totalSupply value.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was destroyed.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:amount

hugenum

The number of tokens added or removed if negative.

:totalsupply

hugenum

The total supply of tokens after this modification.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was created.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

name

type

doc

:owner

crypto:currency:address

The address granting proxy authority to manipulate non-fungible tokens.

:proxy

crypto:currency:address

The address granted proxy authority to manipulate non-fungible tokens.

:token

crypto:smart:token

The specific token being granted access to.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:owner

crypto:currency:address

The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.

:proxy

crypto:currency:address

The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.

:approval

bool

The approval status.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:owner

crypto:currency:address

The address granting proxy authority to manipulate fungible tokens.

:proxy

crypto:currency:address

The address granted proxy authority to manipulate fungible tokens.

:amount

hex

The hex encoded amount of tokens the proxy is allowed to manipulate.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was transferred.

:from

crypto:currency:address

The address the NFT was transferred from.

:to

crypto:currency:address

The address the NFT was transferred to.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:from

crypto:currency:address

The address the tokens were transferred from.

:to

crypto:currency:address

The address the tokens were transferred to.

:amount

hugenum

The number of tokens transferred.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

name

type

doc

opts

:contract

crypto:smart:contract

The smart contract which defines and manages the token.

Read Only: True

:tokenid

hugenum

The token ID.

Read Only: True

:owner

crypto:currency:address

The address which currently owns the token.

:nft:url

inet:url

The URL which hosts the NFT metadata.

:nft:meta

data

The raw NFT metadata.

:nft:meta:name

str

The name field from the NFT metadata.

:nft:meta:description

str

The description field from the NFT metadata.

Display: {'hint': 'text'}

:nft:meta:image

inet:url

The image URL from the NFT metadata.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

name

type

doc

:file

file:bytes

The file that the certificate metadata was parsed from.

:subject

str

The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.

:issuer

str

The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.

:issuer:cert

crypto:x509:cert

The certificate used by the issuer to sign this certificate.

:serial

zeropad: 40

The certificate serial number as a big endian hex value.

:version

enums: ((0, 'v1'), (2, 'v3'))

The version integer in the certificate. (ex. 2 == v3 ).

:validity:notbefore

time

The timestamp for the beginning of the certificate validity period.

:validity:notafter

time

The timestamp for the end of the certificate validity period.

:md5

hash:md5

The MD5 fingerprint for the certificate.

:sha1

hash:sha1

The SHA1 fingerprint for the certificate.

:sha256

hash:sha256

The SHA256 fingerprint for the certificate.

:rsa:key

rsa:key

The optional RSA public key associated with the certificate.

:algo

iso:oid

The X.509 signature algorithm OID.

:signature

hex

The hexadecimal representation of the digital signature.

:ext:sans

uniq: True
sorted: True

The Subject Alternate Names (SANs) listed in the certificate.

:ext:crls

uniq: True
sorted: True

A list of Subject Alternate Names (SANs) for Distribution Points.

:identities:fqdns

type: inet:fqdn
uniq: True
sorted: True

The fused list of FQDNs identified by the cert CN and SANs.

:identities:emails

uniq: True
sorted: True

The fused list of e-mail addresses identified by the cert CN and SANs.

:identities:ipv4s

type: inet:ipv4
uniq: True
sorted: True

The fused list of IPv4 addresses identified by the cert CN and SANs.

:identities:ipv6s

type: inet:ipv6
uniq: True
sorted: True

The fused list of IPv6 addresses identified by the cert CN and SANs.

:identities:urls

type: inet:url
uniq: True
sorted: True

The fused list of URLs identified by the cert CN and SANs.

:crl:urls

type: inet:url
uniq: True
sorted: True

The extracted URL values from the CRLs extension.

:selfsigned

bool

Whether this is a self-signed certificate.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

name

type

doc

:file

file:bytes

The file containing the CRL.

:url

inet:url

The URL where the CRL was published.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

name

type

doc

opts

:crl

crypto:x509:crl

The CRL which revoked the certificate.

Read Only: True

:cert

crypto:x509:cert

The certificate revoked by the CRL.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

name

type

doc

opts

:cert

crypto:x509:cert

The certificate for the key which signed the file.

Read Only: True

:file

file:bytes

The file which was signed by the certificates key.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

name

type

doc

:time

time

The time the balance was recorded.

:pay:card

econ:pay:card

The payment card holding the balance.

:crypto:address

crypto:currency:address

The crypto currency address holding the balance.

:amount

econ:price

The account balance at the time.

:currency

econ:currency

The currency of the balance amount.

:delta

econ:price

The change since last regular sample.

:total:received

econ:price

The total amount of currency received by the account.

:total:sent

econ:price

The total amount of currency sent from the account.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

name

type

doc

:txnid

strip: True

A payment processor specific transaction id.

:fee

econ:price

The transaction fee paid by the recipient to the payment processor.

:from:pay:card

econ:pay:card

The payment card making the payment.

:from:contract

ou:contract

A contract used as an aggregate payment source.

:from:coinaddr

crypto:currency:address

The crypto currency address making the payment.

:from:contact

ps:contact

Contact information for the entity making the payment.

:to:coinaddr

crypto:currency:address

The crypto currency address receiving the payment.

:to:contact

ps:contact

Contact information for the person/org being paid.

:to:contract

ou:contract

A contract used as an aggregate payment destination.

:time

time

The time the payment was processed.

:purchase

econ:purchase

The purchase which the payment was paying for.

:amount

econ:price

The amount of money transferred in the payment.

:currency

econ:currency

The currency of the payment.

:memo

str

A small note specified by the payer common in financial transactions.

:crypto:transaction

crypto:currency:transaction

A crypto currency transaction that initiated the payment.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

name

type

doc

opts

:purchase

econ:purchase

The purchase event which acquired an item.

Read Only: True

:item

ndef

A reference to the item that was acquired.

Read Only: True

:item:form

str

The form of item purchased.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

name

type

doc

:security

econ:fin:security

The security measured by the bar.

:ival

ival

The interval of measurement.

:price:open

econ:price

The opening price of the security.

:price:close

econ:price

The closing price of the security.

:price:low

econ:price

The low price of the security.

:price:high

econ:price

The high price of the security.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

name

type

doc

opts

:name

lower: True
strip: True

A simple name for the exchange.

Example: nasdaq

:org

ou:org

The organization that operates the exchange.

:currency

econ:currency

The currency used for all transactions in the exchange.

Example: usd

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

name

type

doc

:exchange

econ:fin:exchange

The exchange on which the security is traded.

:ticker

lower: True
strip: True

The identifier for this security within the exchange.

:type

lower: True
strip: True

A user defined type such as stock, bond, option, future, or forex.

:price

econ:price

The last known/available price of the security.

:time

time

The time of the last know price sample.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

name

type

doc

:security

econ:fin:security

The security measured by the tick.

:time

time

The time the price was sampled.

:price

econ:price

The price of the security at the time.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

name

type

doc

:pan

econ:pay:pan

The payment card number.

:pan:mii

econ:pay:mii

The payment card MII.

:pan:iin

econ:pay:iin

The payment card IIN.

:name

ps:name

The name as it appears on the card.

:expr

time

The expiration date for the card.

:cvv

econ:pay:cvv

The Card Verification Value on the card.

:pin

econ:pay:pin

The Personal Identification Number on the card.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:pay:iin

An Issuer Id Number (IIN).

The base type for the form can be found at econ:pay:iin.

Properties:

name

type

doc

:org

ou:org

The issuer organization.

:name

lower: True

The registered name of the issuer.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

name

type

doc

:by:contact

ps:contact

The contact information used to make the purchase.

:from:contact

ps:contact

The contact information used to sell the item.

:time

time

The time of the purchase.

:place

geo:place

The place where the purchase took place.

:paid

bool

Set to True if the purchase has been paid in full.

:paid:time

time

The point in time where the purchase was paid in full.

:settled

time

The point in time where the purchase was settled.

:campaign

ou:campaign

The campaign that the purchase was in support of.

:price

econ:price

The econ:price of the purchase.

:currency

econ:currency

The econ:price of the purchase.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

econ:receipt:item

A line item included as part of a purchase.

The base type for the form can be found at econ:receipt:item.

Properties:

name

type

doc

:purchase

econ:purchase

The purchase that contains this line item.

:count

min: 1

The number of items included in this line item.

:price

econ:price

The total cost of this receipt line item.

:product

biz:product

The product being being purchased in this line item.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

edge:has

A digraph edge which records that N1 has N2.

The base type for the form can be found at edge:has.

Properties:

name

type

doc

opts

:n1

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n1:form

str

The base string type.

Read Only: True

:n2

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n2:form

str

The base string type.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

edge:refs

A digraph edge which records that N1 refers to or contains N2.

The base type for the form can be found at edge:refs.

Properties:

name

type

doc

opts

:n1

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n1:form

str

The base string type.

Read Only: True

:n2

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n2:form

str

The base string type.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time.

The base type for the form can be found at edge:wentto.

Properties:

name

type

doc

opts

:n1

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n1:form

str

The base string type.

Read Only: True

:n2

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n2:form

str

The base string type.

Read Only: True

:time

time

A date/time value.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

edu:class

An instance of an edu:course taught at a given time.

The base type for the form can be found at edu:class.

Properties:

name

type

doc

:course

edu:course

The course being taught in the class.

:instructor

ps:contact

The primary instructor for the class.

:assistants

uniq: True
sorted: True

An array of assistant/co-instructor contacts.

:date:first

time

The date of the first day of class.

:date:last

time

The date of the last day of class.

:isvirtual

bool

Set if the class is known to be virtual.

:virtual:url

inet:url

The URL a student would use to attend the virtual class.

:virtual:provider

ps:contact

Contact info for the virtual infrastructure provider.

:place

geo:place

The place that the class is held.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

edu:course

A course of study taught by an org.

The base type for the form can be found at edu:course.

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

The name of the course.

Example: organic chemistry for beginners

:desc

str

A brief course description.

:code

lower: True
strip: True

The course catalog number or designator.

Example: chem101

:institution

ps:contact

The org or department which teaches the course.

:prereqs

uniq: True
sorted: True

The pre-requisite courses for taking this course.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:archive:entry

An archive entry representing a file and metadata within a parent archive file.

The base type for the form can be found at file:archive:entry.

Properties:

name

type

doc

:parent

file:bytes

The parent archive file.

:file

file:bytes

The file contained within the archive.

:path

file:path

The file path of the archived file.

:user

inet:user

The name of the user who owns the archived file.

:added

time

The time that the file was added to the archive.

:created

time

The created time of the archived file.

:modified

time

The modified time of the archived file.

:comment

str

The comment field for the file entry within the archive.

:posix:uid

int

The POSIX UID of the user who owns the archived file.

:posix:gid

int

The POSIX GID of the group who owns the archived file.

:posix:perms

int

The POSIX permissions mask of the archived file.

:archived:size

int

The encoded or compressed size of the archived file within the parent.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:base

A file name with no path.

The base type for the form can be found at file:base.

An example of file:base:

  • woot.exe

Properties:

name

type

doc

opts

:ext

str

The file extension (if any).

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:bytes

The file bytes type with SHA256 based primary property.

The base type for the form can be found at file:bytes.

Properties:

name

type

doc

:size

int

The file size in bytes.

:md5

hash:md5

The md5 hash of the file.

:sha1

hash:sha1

The sha1 hash of the file.

:sha256

hash:sha256

The sha256 hash of the file.

:sha512

hash:sha512

The sha512 hash of the file.

:name

file:base

The best known base name for the file.

:mime

file:mime

The “best” mime type name for the file.

:mime:x509:cn

str

The Common Name (CN) attribute of the x509 Subject.

:mime:pe:size

int

The size of the executable file according to the PE file header.

:mime:pe:imphash

hash:md5

The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .

:mime:pe:compiled

time

The compile time of the file according to the PE header.

:mime:pe:pdbpath

file:path

The PDB string according to the PE.

:mime:pe:exports:time

time

The export time of the file according to the PE.

:mime:pe:exports:libname

str

The export library name according to the PE.

:mime:pe:richhdr

hash:sha256

The sha256 hash of the rich header bytes.

:exe:compiler

it:prod:softver

The software used to compile the file.

:exe:packer

it:prod:softver

The packer software used to encode the file.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path.

The base type for the form can be found at file:filepath.

Properties:

name

type

doc

opts

:file

file:bytes

The file seen at a path.

Read Only: True

:path

file:path

The path a file was seen at.

Read Only: True

:path:dir

file:path

The parent directory.

Read Only: True

:path:base

file:base

The name of the file.

Read Only: True

:path:base:ext

str

The extension of the file name.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:ismime

Records one, of potentially multiple, mime types for a given file.

The base type for the form can be found at file:ismime.

Properties:

name

type

doc

opts

:file

file:bytes

The file node that is an instance of the named mime type.

Read Only: True

:mime

file:mime

The mime type of the file.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime

A file mime name string.

The base type for the form can be found at file:mime.

An example of file:mime:

  • text/plain

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:gif

The GUID of a set of mime metadata for a .gif file.

The base type for the form can be found at file:mime:gif.

Properties:

name

type

doc

:desc

str

MIME specific description field extracted from metadata.

:comment

str

MIME specific comment field extracted from metadata.

:created

time

MIME specific creation timestamp extracted from metadata.

:imageid

str

MIME specific unique identifier extracted from metadata.

:author

ps:contact

MIME specific contact information extracted from metadata.

:latlong

geo:latlong

MIME specific lat/long information extracted from metadata.

:altitude

geo:altitude

MIME specific altitude information extracted from metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file.

The base type for the form can be found at file:mime:jpg.

Properties:

name

type

doc

:desc

str

MIME specific description field extracted from metadata.

:comment

str

MIME specific comment field extracted from metadata.

:created

time

MIME specific creation timestamp extracted from metadata.

:imageid

str

MIME specific unique identifier extracted from metadata.

:author

ps:contact

MIME specific contact information extracted from metadata.

:latlong

geo:latlong

MIME specific lat/long information extracted from metadata.

:altitude

geo:altitude

MIME specific altitude information extracted from metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers.

The base type for the form can be found at file:mime:macho:loadcmd.

Properties:

name

type

doc

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment.

The base type for the form can be found at file:mime:macho:section.

Properties:

name

type

doc

:segment

file:mime:macho:segment

The Mach-O segment that contains this section.

:name

str

Name of the section.

:size

int

Size of the section in bytes.

:type

enums: ((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))

The type of the section.

:sha256

hash:sha256

The sha256 hash of the bytes of the Mach-O section.

:offset

int

The file offset to the beginning of the section.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary.

The base type for the form can be found at file:mime:macho:segment.

Properties:

name

type

doc

:name

str

The name of the Mach-O segment.

:memsize

int

The size of the segment in bytes, when resident in memory, according to the load command structure.

:disksize

int

The size of the segment in bytes, when on disk, according to the load command structure.

:sha256

hash:sha256

The sha256 hash of the bytes of the segment.

:offset

int

The file offset to the beginning of the segment.

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary.

The base type for the form can be found at file:mime:macho:uuid.

Properties:

name

type

doc

:uuid

guid

The UUID of the Mach-O application (as defined in an LC_UUID load command).

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary.

The base type for the form can be found at file:mime:macho:version.

Properties:

name

type

doc

:version

str

The version of the Mach-O file encoded in an LC_VERSION load command.

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file.

The base type for the form can be found at file:mime:msdoc.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft Powerpoint file.

The base type for the form can be found at file:mime:msppt.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file.

The base type for the form can be found at file:mime:msxls.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

file:mime:pe:e