Synapse Data Model - Forms
Forms
Forms are derived from types, or base types. Forms represent node types in the graph.
auth:access
An instance of using creds to access a resource.
The base type for the form can be found at auth:access.
- Properties:
name
type
doc
:creds
The credentials used to attempt access.
:time
The time of the access attempt.
:success
Set to true if the access was successful.
:person
The person who attempted access.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
auth:creds
A unique set of credentials used to access a resource.
The base type for the form can be found at auth:creds.
- Properties:
name
type
doc
opts
The email address used to identify the user.
:user
The user name used to identify the user.
:phone
The phone number used to identify the user.
:passwd
The password used to authenticate.
:passwdhash
The password hash used to authenticate.
:account
The account that the creds allow access to.
:website
The base URL of the website that the credentials allow access to.
:host
The host that the credentials allow access to.
:wifi:ssid
The WiFi SSID that the credentials allow access to.
:web:acct
Deprecated. Use :service:account.
Deprecated:
True
:service:account
The service account that the credentials allow access to.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
belief:subscriber
A contact which subscribes to a belief system.
The base type for the form can be found at belief:subscriber.
- Properties:
name
type
doc
:contact
The contact which subscribes to the belief system.
:system
The belief system to which the contact subscribes.
:began
The time that the contact began to be a subscriber to the belief system.
:ended
The time when the contact ceased to be a subscriber to the belief system.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
belief:subscriber
-(follows)>
belief:tenet
The subscriber is assessed to generally adhere to the specific tenet.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
belief:system
A belief system such as an ideology, philosophy, or religion.
The base type for the form can be found at belief:system.
- Properties:
name
type
doc
opts
:name
The name of the belief system.
:desc
A description of the belief system.
Display:
{'hint': 'text'}
:type
A taxonometric type for the belief system.
:began
The time that the belief system was first observed.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
belief:system
-(has)>
belief:tenet
The belief system includes the tenet.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
belief:system:type:taxonomy
A hierarchical taxonomy of belief system types.
The base type for the form can be found at belief:system:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
belief:tenet
A concrete tenet potentially shared by multiple belief systems.
The base type for the form can be found at belief:tenet.
- Properties:
name
type
doc
opts
:name
The name of the tenet.
:desc
A description of the tenet.
Display:
{'hint': 'text'}
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
belief:subscriber
-(follows)>
belief:tenet
The subscriber is assessed to generally adhere to the specific tenet.
belief:system
-(has)>
belief:tenet
The belief system includes the tenet.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:bundle
A bundle allows construction of products which bundle instances of other products.
The base type for the form can be found at biz:bundle.
- Properties:
name
type
doc
opts
:count
The number of instances of the product or service included in the bundle.
:price
The price of the bundle.
:product
The product included in the bundle.
:service
The service included in the bundle.
:deal
Deprecated. Please use econ:receipt:item for instances of bundles being sold.
Deprecated:
True
:purchase
Deprecated. Please use econ:receipt:item for instances of bundles being sold.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:deal
A sales or procurement effort in pursuit of a purchase.
The base type for the form can be found at biz:deal.
- Properties:
name
type
doc
opts
:id
strip:True
An identifier for the deal.
:title
A title for the deal.
:type
The type of deal.
Display:
{'hint': 'taxonomy'}
:status
The status of the deal.
Display:
{'hint': 'taxonomy'}
:updated
The last time the deal had a significant update.
:contacted
The last time the contacts communicated about the deal.
:rfp
The RFP that the deal is in response to.
:buyer
The primary contact information for the buyer.
:buyer:org
The buyer org.
:buyer:orgname
The reported ou:name of the buyer org.
:buyer:orgfqdn
The reported inet:fqdn of the buyer org.
:seller
The primary contact information for the seller.
:seller:org
The seller org.
:seller:orgname
The reported ou:name of the seller org.
:seller:orgfqdn
The reported inet:fqdn of the seller org.
:currency
The currency of econ:price values associated with the deal.
:buyer:budget
The buyers budget for the eventual purchase.
:buyer:deadline
When the buyer intends to make a decision.
:offer:price
The total price of the offered products.
:offer:expires
When the offer expires.
:purchase
Records a purchase resulting from the deal.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:dealstatus
A deal/rfp status taxonomy.
The base type for the form can be found at biz:dealstatus.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:dealtype
A deal type taxonomy.
The base type for the form can be found at biz:dealtype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:listing
A product or service being listed for sale at a given price by a specific seller.
The base type for the form can be found at biz:listing.
- Properties:
name
type
doc
:seller
The contact information for the seller.
:product
The product being offered.
:service
The service being offered.
:current
Set to true if the offer is still current.
:time
The first known offering of this product/service by the organization for the asking price.
:expires
Set if the offer has a known expiration date.
:price
The asking price of the product or service.
:currency
The currency of the asking price.
:count:total
min:0
The number of instances for sale.
:count:remaining
min:0
The current remaining number of instances for sale.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:prodtype
A product type taxonomy.
The base type for the form can be found at biz:prodtype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:product
A product which is available for purchase.
The base type for the form can be found at biz:product.
- Properties:
name
type
doc
opts
:name
The name of the product.
:type
The type of product.
Display:
{'hint': 'taxonomy'}
:summary
A brief summary of the product.
Display:
{'hint': 'text'}
:maker
A contact for the maker of the product.
:madeby:org
Deprecated. Please use biz:product:maker.
Deprecated:
True
:madeby:orgname
Deprecated. Please use biz:product:maker.
Deprecated:
True
:madeby:orgfqdn
Deprecated. Please use biz:product:maker.
Deprecated:
True
:price:retail
The MSRP price of the product.
:price:bottom
The minimum offered or observed price of the product.
:price:currency
The currency of the retail and bottom price properties.
:bundles
An array of bundles included with the product.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:rfp
An RFP (Request for Proposal) soliciting proposals.
The base type for the form can be found at biz:rfp.
- Properties:
name
type
doc
opts
:ext:id
An externally specified identifier for the RFP.
:title
The title of the RFP.
:summary
A brief summary of the RFP.
Display:
{'hint': 'text'}
:status
The status of the RFP.
Display:
{'hint': 'enum'}
:url
The official URL for the RFP.
:file
The RFP document.
:posted
The date/time that the RFP was posted.
:quesdue
The date/time that questions are due.
:propdue
The date/time that proposals are due.
:contact
The contact information given for the org requesting offers.
:purchases
Any known purchases that resulted from the RFP.
:requirements
A typed array which indexes each field.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:service
A service which is performed by a specific organization.
The base type for the form can be found at biz:service.
- Properties:
name
type
doc
opts
:provider
The contact info of the entity which performs the service.
:name
The name of the service being performed.
:summary
A brief summary of the service.
Display:
{'hint': 'text'}
:type
A taxonomy of service types.
:launched
The time when the operator first made the service available.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
biz:stake
A stake or partial ownership in a company.
The base type for the form can be found at biz:stake.
- Properties:
name
type
doc
:vitals
The ou:vitals snapshot this stake is part of.
:org
The resolved org.
:orgname
The org name as reported by the source of the vitals.
:orgfqdn
The org FQDN as reported by the source of the vitals.
:name
An arbitrary name for this stake. Can be non-contact like “pool”.
:asof
The time the stake is being measured. Likely as part of an ou:vitals.
:shares
The number of shares represented by the stake.
:invested
The amount of money invested in the cap table iteration.
:value
The monetary value of the stake.
:percent
The percentage ownership represented by this stake.
:owner
Contact information of the owner of the stake.
:purchase
The purchase event for the stake.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:algorithm
A cryptographic algorithm name.
The base type for the form can be found at crypto:algorithm.
An example of crypto:algorithm
:
aes256
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:currency:address
An individual crypto currency address.
The base type for the form can be found at crypto:currency:address.
An example of crypto:currency:address
:
btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
- Properties:
name
type
doc
opts
:coin
The crypto coin to which the address belongs.
Read Only:
True
:seed
The cryptographic key and or password used to generate the address.
:iden
The coin specific address identifier.
Read Only:
True
:desc
A free-form description of the address.
:contact
The primary contact for the crypto currency address.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:currency:block
An individual crypto currency block record on the blockchain.
The base type for the form can be found at crypto:currency:block.
- Properties:
name
type
doc
opts
:coin
The coin/blockchain this block resides on.
Read Only:
True
:offset
The index of this block.
Read Only:
True
:hash
The unique hash for the block.
:minedby
The address which mined the block.
:time
Time timestamp embedded in the block by the miner.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:currency:client
A fused node representing a crypto currency address used by an Internet client.
The base type for the form can be found at crypto:currency:client.
An example of crypto:currency:client
:
(1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))
- Properties:
name
type
doc
opts
:inetaddr
The Internet client address observed using the crypto currency address.
Read Only:
True
:coinaddr
The crypto currency address observed in use by the Internet client.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:currency:coin
An individual crypto currency type.
The base type for the form can be found at crypto:currency:coin.
An example of crypto:currency:coin
:
btc
- Properties:
name
type
doc
:name
The full name of the crypto coin.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:currency:transaction
An individual crypto currency transaction recorded on the blockchain.
The base type for the form can be found at crypto:currency:transaction.
- Properties:
name
type
doc
opts
:hash
The unique transaction hash for the transaction.
:desc
An analyst specified description of the transaction.
:block
The block which records the transaction.
:block:coin
The coin/blockchain of the block which records this transaction.
:block:offset
The offset of the block which records this transaction.
:success
Set to true if the transaction was successfully executed and recorded.
:status:code
A coin specific status code which may represent an error reason.
:status:message
A coin specific status message which may contain an error reason.
:to
The destination address of the transaction.
:from
The source address of the transaction.
:inputs
Deprecated. Please use crypto:payment:input:transaction.
Deprecated:
True
:outputs
Deprecated. Please use crypto:payment:output:transaction.
Deprecated:
True
:fee
The total fee paid to execute the transaction.
:value
The total value of the transaction.
:time
The time this transaction was initiated.
:eth:gasused
The amount of gas used to execute this transaction.
:eth:gaslimit
The ETH gas limit specified for this transaction.
:eth:gasprice
The gas price (in ETH) specified for this transaction.
:contract:input
Input value to a smart contract call.
:contract:output
Output value of a smart contract call.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:key
A cryptographic key and algorithm.
The base type for the form can be found at crypto:key.
- Properties:
name
type
doc
opts
:algorithm
The cryptographic algorithm which uses the key material.
Example:
aes256
:mode
The algorithm specific mode in use.
:iv
The hex encoded initialization vector.
:iv:text
Set only if the :iv property decodes to ASCII.
:public
The hex encoded public key material if the algorithm has a public/private key pair.
:public:text
Set only if the :public property decodes to ASCII.
:public:md5
The MD5 hash of the public key in raw binary form.
:public:sha1
The SHA1 hash of the public key in raw binary form.
:public:sha256
The SHA256 hash of the public key in raw binary form.
:private
The hex encoded private key material. All symmetric keys are private.
:private:text
Set only if the :private property decodes to ASCII.
:private:md5
The MD5 hash of the private key in raw binary form.
:private:sha1
The SHA1 hash of the private key in raw binary form.
:private:sha256
The SHA256 hash of the private key in raw binary form.
:seed:passwd
The seed password used to generate the key material.
:seed:algorithm
The algorithm used to generate the key from the seed password.
Example:
pbkdf2
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:payment:input
A payment made into a transaction.
The base type for the form can be found at crypto:payment:input.
- Properties:
name
type
doc
:transaction
The transaction the payment was input to.
:address
The address which paid into the transaction.
:value
The value of the currency paid into the transaction.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:payment:output
A payment received from a transaction.
The base type for the form can be found at crypto:payment:output.
- Properties:
name
type
doc
:transaction
The transaction the payment was output from.
:address
The address which received payment from the transaction.
:value
The value of the currency received from the transaction.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:contract
A smart contract.
The base type for the form can be found at crypto:smart:contract.
- Properties:
name
type
doc
:transaction
The transaction which created the contract.
:address
The address of the contract.
:bytecode
The bytecode which implements the contract.
:token:name
The ERC-20 token name.
:token:symbol
The ERC-20 token symbol.
:token:totalsupply
The ERC-20 totalSupply value.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:burntoken
A smart contract effect which destroys a non-fungible token.
The base type for the form can be found at crypto:smart:effect:burntoken.
- Properties:
name
type
doc
:token
The non-fungible token that was destroyed.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:edittokensupply
A smart contract effect which increases or decreases the supply of a fungible token.
The base type for the form can be found at crypto:smart:effect:edittokensupply.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:amount
The number of tokens added or removed if negative.
:totalsupply
The total supply of tokens after this modification.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:minttoken
A smart contract effect which creates a new non-fungible token.
The base type for the form can be found at crypto:smart:effect:minttoken.
- Properties:
name
type
doc
:token
The non-fungible token that was created.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:proxytoken
A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.
The base type for the form can be found at crypto:smart:effect:proxytoken.
- Properties:
name
type
doc
:owner
The address granting proxy authority to manipulate non-fungible tokens.
:proxy
The address granted proxy authority to manipulate non-fungible tokens.
:token
The specific token being granted access to.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:proxytokenall
A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.
The base type for the form can be found at crypto:smart:effect:proxytokenall.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:owner
The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.
:proxy
The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.
:approval
The approval status.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:proxytokens
A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.
The base type for the form can be found at crypto:smart:effect:proxytokens.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:owner
The address granting proxy authority to manipulate fungible tokens.
:proxy
The address granted proxy authority to manipulate fungible tokens.
:amount
The hex encoded amount of tokens the proxy is allowed to manipulate.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:transfertoken
A smart contract effect which transfers ownership of a non-fungible token.
The base type for the form can be found at crypto:smart:effect:transfertoken.
- Properties:
name
type
doc
:token
The non-fungible token that was transferred.
:from
The address the NFT was transferred from.
:to
The address the NFT was transferred to.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:effect:transfertokens
A smart contract effect which transfers fungible tokens.
The base type for the form can be found at crypto:smart:effect:transfertokens.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:from
The address the tokens were transferred from.
:to
The address the tokens were transferred to.
:amount
The number of tokens transferred.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:smart:token
A token managed by a smart contract.
The base type for the form can be found at crypto:smart:token.
- Properties:
name
type
doc
opts
:contract
The smart contract which defines and manages the token.
Read Only:
True
:tokenid
The token ID.
Read Only:
True
:owner
The address which currently owns the token.
:nft:url
The URL which hosts the NFT metadata.
:nft:meta
The raw NFT metadata.
:nft:meta:name
The name field from the NFT metadata.
:nft:meta:description
The description field from the NFT metadata.
Display:
{'hint': 'text'}
:nft:meta:image
The image URL from the NFT metadata.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:x509:cert
A unique X.509 certificate.
The base type for the form can be found at crypto:x509:cert.
- Properties:
name
type
doc
:file
The file that the certificate metadata was parsed from.
:subject
The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.
:issuer
The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.
:issuer:cert
The certificate used by the issuer to sign this certificate.
:serial
zeropad:40
The certificate serial number as a big endian hex value.
:version
enums:((0, 'v1'), (2, 'v3'))
The version integer in the certificate. (ex. 2 == v3 ).
:validity:notbefore
The timestamp for the beginning of the certificate validity period.
:validity:notafter
The timestamp for the end of the certificate validity period.
:md5
The MD5 fingerprint for the certificate.
:sha1
The SHA1 fingerprint for the certificate.
:sha256
The SHA256 fingerprint for the certificate.
:rsa:key
The optional RSA public key associated with the certificate.
:algo
The X.509 signature algorithm OID.
:signature
The hexadecimal representation of the digital signature.
:ext:sans
The Subject Alternate Names (SANs) listed in the certificate.
:ext:crls
A list of Subject Alternate Names (SANs) for Distribution Points.
:identities:fqdns
The fused list of FQDNs identified by the cert CN and SANs.
:identities:emails
The fused list of e-mail addresses identified by the cert CN and SANs.
:identities:ipv4s
The fused list of IPv4 addresses identified by the cert CN and SANs.
:identities:ipv6s
The fused list of IPv6 addresses identified by the cert CN and SANs.
:identities:urls
The fused list of URLs identified by the cert CN and SANs.
:crl:urls
The extracted URL values from the CRLs extension.
:selfsigned
Whether this is a self-signed certificate.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:x509:crl
A unique X.509 Certificate Revocation List.
The base type for the form can be found at crypto:x509:crl.
- Properties:
name
type
doc
:file
The file containing the CRL.
:url
The URL where the CRL was published.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:x509:revoked
A revocation relationship between a CRL and an X.509 certificate.
The base type for the form can be found at crypto:x509:revoked.
- Properties:
name
type
doc
opts
:crl
The CRL which revoked the certificate.
Read Only:
True
:cert
The certificate revoked by the CRL.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
crypto:x509:signedfile
A digital signature relationship between an X.509 certificate and a file.
The base type for the form can be found at crypto:x509:signedfile.
- Properties:
name
type
doc
opts
:cert
The certificate for the key which signed the file.
Read Only:
True
:file
The file which was signed by the certificates key.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:policy
Guiding principles used to reach a set of goals.
The base type for the form can be found at doc:policy.
- Properties:
name
type
doc
:id
strip:True
The policy ID.
:name
The policy name.
:type
The type of policy.
:text
The text of the policy.
:file
The file which contains the policy.
:created
The time that the policy was created.
:updated
The time that the policy was last updated.
:author
The contact information of the primary author.
:contributors
An array of contacts which contributed to the policy.
:version
The version of the policy.
:supersedes
An array of policies which are superseded by this policy.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:policy:type:taxonomy
A taxonomy of policy types.
The base type for the form can be found at doc:policy:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:requirement
A single requirement, often defined by a standard.
The base type for the form can be found at doc:requirement.
- Properties:
name
type
doc
opts
:summary
A summary of the requirement definition.
Display:
{'hint': 'text'}
:optional
Set to true if the requirement is optional as defined by the standard.
:priority
The priority of the requirement as defined by the standard.
:standard
The standard which defined the requirement.
:id
strip:True
The requirement ID.
:name
The requirement name.
:type
The type of requirement.
:text
The text of the requirement.
:file
The file which contains the requirement.
:created
The time that the requirement was created.
:updated
The time that the requirement was last updated.
:author
The contact information of the primary author.
:contributors
An array of contacts which contributed to the requirement.
:version
The version of the requirement.
:supersedes
An array of requirements which are superseded by this requirement.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:requirement:type:taxonomy
A taxonomy of requirement types.
The base type for the form can be found at doc:requirement:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:resume
A CV/resume document.
The base type for the form can be found at doc:resume.
- Properties:
name
type
doc
opts
:contact
Contact information for subject of the resume.
:summary
The summary of qualifications from the resume.
Display:
{'hint': 'text'}
:workhist
Work history described in the resume.
:education
Education experience described in the resume.
:achievements
Achievements described in the resume.
:id
strip:True
The resume ID.
:name
The resume name.
:type
The type of resume.
:text
The text of the resume.
:file
The file which contains the resume.
:created
The time that the resume was created.
:updated
The time that the resume was last updated.
:author
The contact information of the primary author.
:contributors
An array of contacts which contributed to the resume.
:version
The version of the resume.
:supersedes
An array of resumes which are superseded by this resume.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:resume:type:taxonomy
A taxonomy of resume types.
The base type for the form can be found at doc:resume:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:standard
A group of requirements which define how to implement a policy or goal.
The base type for the form can be found at doc:standard.
- Properties:
name
type
doc
:policy
The policy which was used to derive the standard.
:id
strip:True
The standard ID.
:name
The standard name.
:type
The type of standard.
:text
The text of the standard.
:file
The file which contains the standard.
:created
The time that the standard was created.
:updated
The time that the standard was last updated.
:author
The contact information of the primary author.
:contributors
An array of contacts which contributed to the standard.
:version
The version of the standard.
:supersedes
An array of standards which are superseded by this standard.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
doc:standard:type:taxonomy
A taxonomy of standard types.
The base type for the form can be found at doc:standard:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:acct:balance
A snapshot of the balance of an account at a point in time.
The base type for the form can be found at econ:acct:balance.
- Properties:
name
type
doc
:time
The time the balance was recorded.
:pay:card
The payment card holding the balance.
:crypto:address
The crypto currency address holding the balance.
:amount
The account balance at the time.
:currency
The currency of the balance amount.
:delta
The change since last regular sample.
:total:received
The total amount of currency received by the account.
:total:sent
The total amount of currency sent from the account.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:acct:invoice
An invoice issued requesting payment.
The base type for the form can be found at econ:acct:invoice.
- Properties:
name
type
doc
:issued
The time that the invoice was issued to the recipient.
:issuer
The contact information for the entity who issued the invoice.
:purchase
The purchase that the invoice is requesting payment for.
:recipient
The contact information for the intended recipient of the invoice.
:due
The time by which the payment is due.
:paid
Set to true if the invoice has been paid in full.
:amount
The balance due.
:currency
The currency that the invoice specifies for payment.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:acct:payment
A payment or crypto currency transaction.
The base type for the form can be found at econ:acct:payment.
- Properties:
name
type
doc
opts
:txnid
strip:True
A payment processor specific transaction id.
:fee
The transaction fee paid by the recipient to the payment processor.
:from:cash
Set to true if the payment input was in cash.
:to:instrument
The payment instrument which received funds from the payment.
:from:instrument
The payment instrument used to make the payment.
:from:account
Deprecated. Please use :from:instrument.
Deprecated:
True
:from:pay:card
Deprecated. Please use :from:instrument.
Deprecated:
True
:from:contract
A contract used as an aggregate payment source.
:from:coinaddr
Deprecated. Please use :from:instrument.
Deprecated:
True
:from:contact
Contact information for the entity making the payment.
:to:cash
Set to true if the payment output was in cash.
:to:account
Deprecated. Please use :to:instrument.
Deprecated:
True
:to:coinaddr
Deprecated. Please use :to:instrument.
Deprecated:
True
:to:contact
Contact information for the person/org being paid.
:to:contract
A contract used as an aggregate payment destination.
:time
The time the payment was processed.
:purchase
The purchase which the payment was paying for.
:amount
The amount of money transferred in the payment.
:currency
The currency of the payment.
:memo
A small note specified by the payer common in financial transactions.
:crypto:transaction
A crypto currency transaction that initiated the payment.
:invoice
The invoice that the payment applies to.
:receipt
The receipt that was issued for the payment.
:place
The place where the payment occurred.
:place:name
The name of the place where the payment occurred.
:place:address
The address of the place where the payment occurred.
:place:loc
The loc of the place where the payment occurred.
:place:latlong
The latlong where the payment occurred.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:bank:statement
-(has)>
econ:acct:payment
The bank statement includes the payment.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:acct:receipt
A receipt issued as proof of payment.
The base type for the form can be found at econ:acct:receipt.
- Properties:
name
type
doc
:issued
The time the receipt was issued.
:purchase
The purchase that the receipt confirms payment for.
:issuer
The contact information for the entity who issued the receipt.
:recipient
The contact information for the entity who received the receipt.
:currency
The currency that the receipt uses to specify the price.
:amount
The price that the receipt confirms was paid.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:acquired
Deprecated. Please use econ:purchase -(acquired)> *.
The base type for the form can be found at econ:acquired.
- Properties:
name
type
doc
opts
:purchase
The purchase event which acquired an item.
Read Only:
True
:item
A reference to the item that was acquired.
Read Only:
True
:item:form
The form of item purchased.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:aba:rtn
An American Bank Association (ABA) routing transit number (RTN).
The base type for the form can be found at econ:bank:aba:rtn.
- Properties:
name
type
doc
:bank
The bank which was issued the ABA RTN.
:bank:name
The name which is registered for this ABA RTN.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:account
A bank account.
The base type for the form can be found at econ:bank:account.
- Properties:
name
type
doc
:type
The type of bank account.
:aba:rtn
The ABA routing transit number for the bank which issued the account.
:number
regex:[0-9]+
The account number.
:iban
The IBAN for the account.
:issuer
The bank which issued the account.
:issuer:name
The name of the bank which issued the account.
:currency
The currency of the account balance.
:balance
The most recently known bank balance information.
:contact
The primary contact for the bank account.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:account:type:taxonomy
A bank account type taxonomy.
The base type for the form can be found at econ:bank:account:type:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:balance
A balance contained by a bank account at a point in time.
The base type for the form can be found at econ:bank:balance.
- Properties:
name
type
doc
:time
The time that the account balance was observed.
:amount
The amount of currency available at the time.
:account
The bank account which contained the balance amount.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:iban
An International Bank Account Number.
The base type for the form can be found at econ:bank:iban.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:statement
A statement of bank account payment activity over a period of time.
The base type for the form can be found at econ:bank:statement.
- Properties:
name
type
doc
:account
The bank account used to compute the statement.
:period
The period that the statement includes.
:starting:balance
The account balance at the beginning of the statement period.
:ending:balance
The account balance at the end of the statement period.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
econ:bank:statement
-(has)>
econ:acct:payment
The bank statement includes the payment.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:bank:swift:bic
A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC).
The base type for the form can be found at econ:bank:swift:bic.
- Properties:
name
type
doc
:business
The business which is the registered owner of the SWIFT BIC.
:office
The branch or office which is specified in the last 3 digits of the SWIFT BIC.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:currency
The name of a system of money in general use.
The base type for the form can be found at econ:currency.
An example of econ:currency
:
usd
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:fin:bar
A sample of the open, close, high, low prices of a security in a specific time window.
The base type for the form can be found at econ:fin:bar.
- Properties:
name
type
doc
:security
The security measured by the bar.
:ival
The interval of measurement.
:price:open
The opening price of the security.
:price:close
The closing price of the security.
:price:low
The low price of the security.
:price:high
The high price of the security.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:fin:exchange
A financial exchange where securities are traded.
The base type for the form can be found at econ:fin:exchange.
- Properties:
name
type
doc
opts
:name
A simple name for the exchange.
Example:
nasdaq
:org
The organization that operates the exchange.
:currency
The currency used for all transactions in the exchange.
Example:
usd
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:fin:security
A financial security which is typically traded on an exchange.
The base type for the form can be found at econ:fin:security.
- Properties:
name
type
doc
:exchange
The exchange on which the security is traded.
:ticker
The identifier for this security within the exchange.
:type
A user defined type such as stock, bond, option, future, or forex.
:price
The last known/available price of the security.
:time
The time of the last know price sample.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:fin:tick
A sample of the price of a security at a single moment in time.
The base type for the form can be found at econ:fin:tick.
- Properties:
name
type
doc
:security
The security measured by the tick.
:time
The time the price was sampled.
:price
The price of the security at the time.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:pay:card
A single payment card.
The base type for the form can be found at econ:pay:card.
- Properties:
name
type
doc
:pan
The payment card number.
:pan:mii
The payment card MII.
:pan:iin
The payment card IIN.
:name
The name as it appears on the card.
:expr
The expiration date for the card.
:cvv
The Card Verification Value on the card.
:pin
The Personal Identification Number on the card.
:account
A bank account associated with the payment card.
:contact
The primary contact for the payment card.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:pay:iin
An Issuer Id Number (IIN).
The base type for the form can be found at econ:pay:iin.
- Properties:
name
type
doc
:org
The issuer organization.
:name
lower:True
The registered name of the issuer.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:purchase
A purchase event.
The base type for the form can be found at econ:purchase.
- Properties:
name
type
doc
:by:contact
The contact information used to make the purchase.
:from:contact
The contact information used to sell the item.
:time
The time of the purchase.
:place
The place where the purchase took place.
:paid
Set to True if the purchase has been paid in full.
:paid:time
The point in time where the purchase was paid in full.
:settled
The point in time where the purchase was settled.
:campaign
The campaign that the purchase was in support of.
:price
The econ:price of the purchase.
:currency
The econ:price of the purchase.
:listing
The purchase was made based on the given listing.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
econ:receipt:item
A line item included as part of a purchase.
The base type for the form can be found at econ:receipt:item.
- Properties:
name
type
doc
:purchase
The purchase that contains this line item.
:count
min:1
The number of items included in this line item.
:price
The total cost of this receipt line item.
:product
The product being being purchased in this line item.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
edge:has
A digraph edge which records that N1 has N2.
The base type for the form can be found at edge:has.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
edge:refs
A digraph edge which records that N1 refers to or contains N2.
The base type for the form can be found at edge:refs.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
edge:wentto
A digraph edge which records that N1 went to N2 at a specific time.
The base type for the form can be found at edge:wentto.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
:time
A date/time value.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
edu:class
An instance of an edu:course taught at a given time.
The base type for the form can be found at edu:class.
- Properties:
name
type
doc
:course
The course being taught in the class.
:instructor
The primary instructor for the class.
:assistants
An array of assistant/co-instructor contacts.
:date:first
The date of the first day of class.
:date:last
The date of the last day of class.
:isvirtual
Set if the class is known to be virtual.
:virtual:url
The URL a student would use to attend the virtual class.
:virtual:provider
Contact info for the virtual infrastructure provider.
:place
The place that the class is held.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
edu:course
A course of study taught by an org.
The base type for the form can be found at edu:course.
- Properties:
name
type
doc
opts
:name
The name of the course.
Example:
organic chemistry for beginners
:desc
A brief course description.
:code
The course catalog number or designator.
Example:
chem101
:institution
The org or department which teaches the course.
:prereqs
The pre-requisite courses for taking this course.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
entity:name
A name used to refer to an entity.
The base type for the form can be found at entity:name.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:archive:entry
An archive entry representing a file and metadata within a parent archive file.
The base type for the form can be found at file:archive:entry.
- Properties:
name
type
doc
:parent
The parent archive file.
:file
The file contained within the archive.
:path
The file path of the archived file.
:user
The name of the user who owns the archived file.
:added
The time that the file was added to the archive.
:created
The created time of the archived file.
:modified
The modified time of the archived file.
:comment
The comment field for the file entry within the archive.
:posix:uid
The POSIX UID of the user who owns the archived file.
:posix:gid
The POSIX GID of the group who owns the archived file.
:posix:perms
The POSIX permissions mask of the archived file.
:archived:size
The encoded or compressed size of the archived file within the parent.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:attachment
A file attachment.
The base type for the form can be found at file:attachment.
- Properties:
name
type
doc
:name
The name of the attached file.
:text
Any text associated with the file such as alt-text for images.
:file
The file which was attached.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:base
A file name with no path.
The base type for the form can be found at file:base.
An example of file:base
:
woot.exe
- Properties:
name
type
doc
opts
:ext
The file extension (if any).
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:bytes
The file bytes type with SHA256 based primary property.
The base type for the form can be found at file:bytes.
- Properties:
name
type
doc
:size
The file size in bytes.
:md5
The md5 hash of the file.
:sha1
The sha1 hash of the file.
:sha256
The sha256 hash of the file.
:sha512
The sha512 hash of the file.
:name
The best known base name for the file.
:mime
The “best” mime type name for the file.
:mime:x509:cn
The Common Name (CN) attribute of the x509 Subject.
:mime:pe:size
The size of the executable file according to the PE file header.
:mime:pe:imphash
The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .
:mime:pe:compiled
The compile time of the file according to the PE header.
:mime:pe:pdbpath
The PDB string according to the PE.
:mime:pe:exports:time
The export time of the file according to the PE.
:mime:pe:exports:libname
The export library name according to the PE.
:mime:pe:richhdr
The sha256 hash of the rich header bytes.
:exe:compiler
The software used to compile the file.
:exe:packer
The packer software used to encode the file.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
file:bytes
-(refs)>
it:dev:str
The source file contains the target string.
file:bytes
-(uses)>
math:algorithm
The file uses the algorithm.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:filepath
The fused knowledge of the association of a file:bytes node and a file:path.
The base type for the form can be found at file:filepath.
- Properties:
name
type
doc
opts
:file
The file seen at a path.
Read Only:
True
:path
The path a file was seen at.
Read Only:
True
:path:dir
The parent directory.
Read Only:
True
:path:base
The name of the file.
Read Only:
True
:path:base:ext
The extension of the file name.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:ismime
Records one, of potentially multiple, mime types for a given file.
The base type for the form can be found at file:ismime.
- Properties:
name
type
doc
opts
:file
The file node that is an instance of the named mime type.
Read Only:
True
:mime
The mime type of the file.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime
A file mime name string.
The base type for the form can be found at file:mime.
An example of file:mime
:
text/plain
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:gif
The GUID of a set of mime metadata for a .gif file.
The base type for the form can be found at file:mime:gif.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:text
The text contained within the image.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:jpg
The GUID of a set of mime metadata for a .jpg file.
The base type for the form can be found at file:mime:jpg.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:text
The text contained within the image.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:lnk
The GUID of the metadata pulled from a Windows shortcut or LNK file.
The base type for the form can be found at file:mime:lnk.
- Properties:
name
type
doc
opts
:flags
The flags specified by the LNK header that control the structure of the LNK file.
:entry:primary
The primary file path contained within the FileEntry structure of the LNK file.
:entry:secondary
The secondary file path contained within the FileEntry structure of the LNK file.
:entry:extended
The extended file path contained within the extended FileEntry structure of the LNK file.
:entry:localized
The localized file path reconstructed from references within the extended FileEntry structure of the LNK file.
:entry:icon
The icon file path contained within the StringData structure of the LNK file.
:environment:path
The target file path contained within the EnvironmentVariableDataBlock structure of the LNK file.
:environment:icon
The icon file path contained within the IconEnvironmentDataBlock structure of the LNK file.
:iconindex
A resource index for an icon within an icon location.
:working
The working directory used when activating the link target.
:relative
strip:True
The relative target path string contained within the StringData structure of the LNK file.
:arguments
The command line arguments passed to the target file when the LNK file is activated.
:desc
The description of the LNK file contained within the StringData section of the LNK file.
Display:
{'hint': 'text'}
:target:attrs
The attributes of the target file according to the LNK header.
:target:size
The size of the target file according to the LNK header. The LNK format specifies that this is only the lower 32 bits of the target file size.
:target:created
The creation time of the target file according to the LNK header.
:target:accessed
The access time of the target file according to the LNK header.
:target:written
The write time of the target file according to the LNK header.
:driveserial
The drive serial number of the volume the link target is stored on.
:machineid
The NetBIOS name of the machine where the link target was last located.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:macho:loadcmd
A generic load command pulled from the Mach-O headers.
The base type for the form can be found at file:mime:macho:loadcmd.
- Properties:
name
type
doc
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:macho:section
A section inside a Mach-O binary denoting a named region of bytes inside a segment.
The base type for the form can be found at file:mime:macho:section.
- Properties:
name
type
doc
:segment
The Mach-O segment that contains this section.
:name
Name of the section.
:size
Size of the section in bytes.
:type
enums:((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))
The type of the section.
:sha256
The sha256 hash of the bytes of the Mach-O section.
:offset
The file offset to the beginning of the section.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:macho:segment
A named region of bytes inside a Mach-O binary.
The base type for the form can be found at file:mime:macho:segment.
- Properties:
name
type
doc
:name
The name of the Mach-O segment.
:memsize
The size of the segment in bytes, when resident in memory, according to the load command structure.
:disksize
The size of the segment in bytes, when on disk, according to the load command structure.
:sha256
The sha256 hash of the bytes of the segment.
:offset
The file offset to the beginning of the segment.
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:macho:uuid
A specific load command denoting a UUID used to uniquely identify the Mach-O binary.
The base type for the form can be found at file:mime:macho:uuid.
- Properties:
name
type
doc
:uuid
The UUID of the Mach-O application (as defined in an LC_UUID load command).
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:macho:version
A specific load command used to denote the version of the source used to build the Mach-O binary.
The base type for the form can be found at file:mime:macho:version.
- Properties:
name
type
doc
:version
The version of the Mach-O file encoded in an LC_VERSION load command.
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:msdoc
The GUID of a set of mime metadata for a Microsoft Word file.
The base type for the form can be found at file:mime:msdoc.
- Properties:
name
type
doc
:title
The title extracted from Microsoft Office metadata.
:author
The author extracted from Microsoft Office metadata.
:subject
The subject extracted from Microsoft Office metadata.
:application
The creating_application extracted from Microsoft Office metadata.
:created
The create_time extracted from Microsoft Office metadata.
:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:msppt
The GUID of a set of mime metadata for a Microsoft Powerpoint file.
The base type for the form can be found at file:mime:msppt.
- Properties:
name
type
doc
:title
The title extracted from Microsoft Office metadata.
:author
The author extracted from Microsoft Office metadata.
:subject
The subject extracted from Microsoft Office metadata.
:application
The creating_application extracted from Microsoft Office metadata.
:created
The create_time extracted from Microsoft Office metadata.
:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:msxls
The GUID of a set of mime metadata for a Microsoft Excel file.
The base type for the form can be found at file:mime:msxls.
- Properties:
name
type
doc
:title
The title extracted from Microsoft Office metadata.
:author
The author extracted from Microsoft Office metadata.
:subject
The subject extracted from Microsoft Office metadata.
:application
The creating_application extracted from Microsoft Office metadata.
:created
The create_time extracted from Microsoft Office metadata.
:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:pe:export
The fused knowledge of a file:bytes node containing a pe named export.
The base type for the form can be found at file:mime:pe:export.
- Properties:
name
type
doc
opts
:file
The file containing the export.
Read Only:
True
:name
The name of the export in the file.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:pe:resource
The fused knowledge of a file:bytes node containing a pe resource.
The base type for the form can be found at file:mime:pe:resource.
- Properties:
name
type
doc
opts
:file
The file containing the resource.
Read Only:
True
:type
The typecode for the resource.
Read Only:
True
:langid
The language code for the resource.
Read Only:
True
:resource
The sha256 hash of the resource bytes.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:pe:section
The fused knowledge a file:bytes node containing a pe section.
The base type for the form can be found at file:mime:pe:section.
- Properties:
name
type
doc
opts
:file
The file containing the section.
Read Only:
True
:name
The textual name of the section.
Read Only:
True
:sha256
The sha256 hash of the section. Relocations must be zeroed before hashing.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:pe:vsvers:info
knowledge of a file:bytes node containing vsvers info.
The base type for the form can be found at file:mime:pe:vsvers:info.
- Properties:
name
type
doc
opts
:file
The file containing the vsversion keyval pair.
Read Only:
True
:keyval
The vsversion info keyval in this file:bytes node.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:pe:vsvers:keyval
A key value pair found in a PE vsversion info structure.
The base type for the form can be found at file:mime:pe:vsvers:keyval.
- Properties:
name
type
doc
opts
:name
The key for the vsversion keyval pair.
Read Only:
True
:value
The value for the vsversion keyval pair.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:png
The GUID of a set of mime metadata for a .png file.
The base type for the form can be found at file:mime:png.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:text
The text contained within the image.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:rtf
The GUID of a set of mime metadata for a .rtf file.
The base type for the form can be found at file:mime:rtf.
- Properties:
name
type
doc
:guid
The parsed GUID embedded in the .rtf file.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:mime:tif
The GUID of a set of mime metadata for a .tif file.
The base type for the form can be found at file:mime:tif.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:text
The text contained within the image.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:path
A normalized file path.
The base type for the form can be found at file:path.
An example of file:path
:
c:/windows/system32/calc.exe
- Properties:
name
type
doc
opts
:dir
The parent directory.
Read Only:
True
:base
The file base name.
Read Only:
True
:base:ext
The file extension.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:string
Deprecated. Please use the edge -(refs)> it:dev:str.
The base type for the form can be found at file:string.
- Properties:
name
type
doc
opts
:file
The file containing the string.
Read Only:
True
:string
The string contained in this file:bytes node.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
file:subfile
A parent file that fully contains the specified child file.
The base type for the form can be found at file:subfile.
- Properties:
name
type
doc
opts
:parent
The parent file containing the child file.
Read Only:
True
:child
The child file contained in the parent file.
Read Only:
True
:name
Deprecated, please use the :path property.
Deprecated:
True
:path
The path that the parent uses to refer to the child file.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
geo:name
An unstructured place name or address.
The base type for the form can be found at geo:name.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
geo:nloc
Records a node latitude/longitude in space-time.
The base type for the form can be found at geo:nloc.
- Properties:
name
type
doc
opts
:ndef
The node with location in geospace and time.
Read Only:
True
:ndef:form
The form of node referenced by the ndef.
Read Only:
True
:latlong
The latitude/longitude the node was observed.
Read Only:
True
:time
The time the node was observed at location.
Read Only:
True
:place
The place corresponding to the latlong property.
:loc
The geo-political location string for the node.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
geo:place
A GUID for a geographic place.
The base type for the form can be found at geo:place.
- Properties:
name
type
doc
opts
:id
strip:True
A type specific identifier such as an airport ID.
:name
The name of the place.
alts:
('names',)
:type
The type of place.
:names
An array of alternative place names.
:parent
Deprecated. Please use a -(contains)> edge.
Deprecated:
True
:desc
A long form description of the place.
:loc
The geo-political location string for the node.
:address
The street/mailing address for the place.
:geojson
A GeoJSON representation of the place.
:latlong
The lat/long position for the place.
:bbox
A bounding box which encompasses the place.
:radius
An approximate radius to use for bounding box calculation.
:photo
The image file to use as the primary image of the place.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
geo:place
-(contains)>
geo:place
The source place completely contains the target place.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
geo:place
-(contains)>
geo:place
None
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
geo:place:taxonomy
A taxonomy of place types.
The base type for the form can be found at geo:place:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
geo:telem
The geospatial position and physical characteristics of a node at a given time.
The base type for the form can be found at geo:telem.
- Properties:
name
type
doc
opts
:time
The time that the telemetry measurements were taken.
:desc
A description of the telemetry sample.
:latlong
Deprecated. Please use :place:latlong.
Deprecated:
True
:accuracy
Deprecated. Please use :place:latlong:accuracy.
Deprecated:
True
:node
The node that was observed at the associated time and place.
:phys:mass
The mass of the object.
:phys:volume
The cubed volume of the object.
:phys:length
The length of the object.
:phys:width
The width of the object.
:phys:height
The height of the object.
:place
The place where the object was located.
:place:loc
The geopolitical location of the object.
:place:name
The name of the place where the object was located.
:place:address
The postal address of the place where the object was located.
:place:latlong
The latlong where the object was located.
:place:latlong:accuracy
The accuracy of the latlong where the object was located.
:place:country
The country where the object was located.
:place:country:code
The country code where the object was located.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
gov:cn:icp
A Chinese Internet Content Provider ID.
The base type for the form can be found at gov:cn:icp.
- Properties:
name
type
doc
:org
The org with the Internet Content Provider ID.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
gov:cn:mucd
A Chinese PLA MUCD.
The base type for the form can be found at gov:cn:mucd.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
gov:us:cage
A Commercial and Government Entity (CAGE) code.
The base type for the form can be found at gov:us:cage.
- Properties:
name
type
doc
:name0
The name of the organization.
:name1
lower:True
Name Part 1.
:street
lower:True
The base string type.
:city
lower:True
The base string type.
:state
lower:True
The base string type.
:zip
A US Postal Zip Code.
:cc
The 2 digit ISO 3166 country code.
:country
lower:True
The base string type.
:phone0
A phone number.
:phone1
A phone number.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
gov:us:ssn
A US Social Security Number (SSN).
The base type for the form can be found at gov:us:ssn.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
gov:us:zip
A US Postal Zip Code.
The base type for the form can be found at gov:us:zip.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
graph:cluster
A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.
The base type for the form can be found at graph:cluster.
- Properties:
name
type
doc
:name
lower:True
A human friendly name for the cluster.
:desc
lower:True
A human friendly long form description for the cluster.
:type
lower:True
An optional type field used to group clusters.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
graph:edge
A generic digraph edge to show relationships outside the model.
The base type for the form can be found at graph:edge.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
graph:event
A generic event node to represent events outside the model.
The base type for the form can be found at graph:event.
- Properties:
name
type
doc
:time
The time of the event.
:type
A arbitrary type string for the event.
:name
A name for the event.
:data
Arbitrary non-indexed msgpack data attached to the event.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
graph:node
A generic node used to represent objects outside the model.
The base type for the form can be found at graph:node.
- Properties:
name
type
doc
:type
The type name for the non-model node.
:name
A human readable name for this record.
:data
Arbitrary non-indexed msgpack data attached to the node.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
graph:timeedge
A generic digraph time edge to show relationships outside the model.
The base type for the form can be found at graph:timeedge.
- Properties:
name
type
doc
opts
:time
A date/time value.
Read Only:
True
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
hash:md5
A hex encoded MD5 hash.
The base type for the form can be found at hash:md5.
An example of hash:md5
:
d41d8cd98f00b204e9800998ecf8427e
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
hash:sha1
A hex encoded SHA1 hash.
The base type for the form can be found at hash:sha1.
An example of hash:sha1
:
da39a3ee5e6b4b0d3255bfef95601890afd80709
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
hash:sha256
A hex encoded SHA256 hash.
The base type for the form can be found at hash:sha256.
An example of hash:sha256
:
ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
hash:sha384
A hex encoded SHA384 hash.
The base type for the form can be found at hash:sha384.
An example of hash:sha384
:
d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
hash:sha512
A hex encoded SHA512 hash.
The base type for the form can be found at hash:sha512.
An example of hash:sha512
:
ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:asn
An Autonomous System Number (ASN).
The base type for the form can be found at inet:asn.
- Properties:
name
type
doc
:name
lower:True
The name of the organization currently responsible for the ASN.
:owner
The guid of the organization currently responsible for the ASN.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:asnet4
An Autonomous System Number (ASN) and its associated IPv4 address range.
The base type for the form can be found at inet:asnet4.
An example of inet:asnet4
:
(54959, (1.2.3.4, 1.2.3.20))
- Properties:
name
type
doc
opts
:asn
The Autonomous System Number (ASN) of the netblock.
Read Only:
True
:net4
The IPv4 address range assigned to the ASN.
Read Only:
True
:net4:min
The first IPv4 in the range assigned to the ASN.
Read Only:
True
:net4:max
The last IPv4 in the range assigned to the ASN.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:asnet6
An Autonomous System Number (ASN) and its associated IPv6 address range.
The base type for the form can be found at inet:asnet6.
An example of inet:asnet6
:
(54959, (ff::00, ff::02))
- Properties:
name
type
doc
opts
:asn
The Autonomous System Number (ASN) of the netblock.
Read Only:
True
:net6
The IPv6 address range assigned to the ASN.
Read Only:
True
:net6:min
The first IPv6 in the range assigned to the ASN.
Read Only:
True
:net6:max
The last IPv6 in the range assigned to the ASN.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:cidr4
An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr4.
An example of inet:cidr4
:
1.2.3.0/24
- Properties:
name
type
doc
opts
:broadcast
The broadcast IP address from the CIDR notation.
Read Only:
True
:mask
The mask from the CIDR notation.
Read Only:
True
:network
The network IP address from the CIDR notation.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:cidr6
An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr6.
An example of inet:cidr6
:
2001:db8::/101
- Properties:
name
type
doc
opts
:broadcast
The broadcast IP address from the CIDR notation.
Read Only:
True
:mask
The mask from the CIDR notation.
Read Only:
True
:network
The network IP address from the CIDR notation.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:client
A network client address.
The base type for the form can be found at inet:client.
An example of inet:client
:
tcp://1.2.3.4:80
- Properties:
name
type
doc
opts
:proto
lower:True
The network protocol of the client.
Read Only:
True
:ipv4
The IPv4 of the client.
Read Only:
True
:ipv6
The IPv6 of the client.
Read Only:
True
:host
The it:host node for the client.
Read Only:
True
:port
The client tcp/udp port.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:a
The result of a DNS A record lookup.
The base type for the form can be found at inet:dns:a.
An example of inet:dns:a
:
(vertex.link,1.2.3.4)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its DNS A record.
Read Only:
True
:ipv4
The IPv4 address returned in the A record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:aaaa
The result of a DNS AAAA record lookup.
The base type for the form can be found at inet:dns:aaaa.
An example of inet:dns:aaaa
:
(vertex.link,2607:f8b0:4004:809::200e)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its DNS AAAA record.
Read Only:
True
:ipv6
The IPv6 address returned in the AAAA record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:answer
A single answer from within a DNS reply.
The base type for the form can be found at inet:dns:answer.
- Properties:
name
type
doc
:ttl
The base 64 bit signed integer type.
:request
A single instance of a DNS resolver request and optional reply info.
:a
The DNS A record returned by the lookup.
:ns
The DNS NS record returned by the lookup.
:rev
The DNS PTR record returned by the lookup.
:aaaa
The DNS AAAA record returned by the lookup.
:rev6
The DNS PTR record returned by the lookup of an IPv6 address.
:cname
The DNS CNAME record returned by the lookup.
:mx
The DNS MX record returned by the lookup.
:mx:priority
The DNS MX record priority.
:soa
The domain queried for its SOA record.
:txt
The DNS TXT record returned by the lookup.
:time
The time that the DNS response was transmitted.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:cname
The result of a DNS CNAME record lookup.
The base type for the form can be found at inet:dns:cname.
An example of inet:dns:cname
:
(foo.vertex.link,vertex.link)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its CNAME record.
Read Only:
True
:cname
The domain returned in the CNAME record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:dynreg
A dynamic DNS registration.
The base type for the form can be found at inet:dns:dynreg.
- Properties:
name
type
doc
:fqdn
The FQDN registered within a dynamic DNS provider.
:provider
The organization which provides the dynamic DNS FQDN.
:provider:name
The name of the organization which provides the dynamic DNS FQDN.
:provider:fqdn
The FQDN of the organization which provides the dynamic DNS FQDN.
:contact
The contact information of the registrant.
:created
The time that the dynamic DNS registration was first created.
:client
The network client address used to register the dynamic FQDN.
:client:ipv4
The client IPv4 address used to register the dynamic FQDN.
:client:ipv6
The client IPv6 address used to register the dynamic FQDN.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:mx
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:mx.
An example of inet:dns:mx
:
(vertex.link,mail.vertex.link)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its MX record.
Read Only:
True
:mx
The domain returned in the MX record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:ns
The result of a DNS NS record lookup.
The base type for the form can be found at inet:dns:ns.
An example of inet:dns:ns
:
(vertex.link,ns.dnshost.com)
- Properties:
name
type
doc
opts
:zone
The domain queried for its DNS NS record.
Read Only:
True
:ns
The domain returned in the NS record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:query
A DNS query unique to a given client.
The base type for the form can be found at inet:dns:query.
An example of inet:dns:query
:
(1.2.3.4, woot.com, 1)
- Properties:
name
type
doc
opts
:client
A network client address.
Read Only:
True
:name
A DNS query name string. Likely an FQDN but not always.
Read Only:
True
:name:ipv4
An IPv4 address.
:name:ipv6
An IPv6 address.
:name:fqdn
A Fully Qualified Domain Name (FQDN).
:type
The base 64 bit signed integer type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:request
A single instance of a DNS resolver request and optional reply info.
The base type for the form can be found at inet:dns:request.
- Properties:
name
type
doc
:time
A date/time value.
:query
A DNS query unique to a given client.
:query:name
A DNS query name string. Likely an FQDN but not always.
:query:name:ipv4
An IPv4 address.
:query:name:ipv6
An IPv6 address.
:query:name:fqdn
A Fully Qualified Domain Name (FQDN).
:query:type
The base 64 bit signed integer type.
:server
A network server address.
:reply:code
enums:((0, 'NOERROR'), (1, 'FORMERR'), (2, 'SERVFAIL'), (3, 'NXDOMAIN'), (4, 'NOTIMP'), (5, 'REFUSED'), (6, 'YXDOMAIN'), (7, 'YXRRSET'), (8, 'NXRRSET'), (9, 'NOTAUTH'), (10, 'NOTZONE'), (11, 'DSOTYPENI'), (16, 'BADSIG'), (17, 'BADKEY'), (18, 'BADTIME'), (19, 'BADMODE'), (20, 'BADNAME'), (21, 'BADALG'), (22, 'BADTRUNC'), (23, 'BADCOOKIE'))
enums:strict:False
The DNS server response code.
:exe
The file containing the code that attempted the DNS lookup.
:proc
The process that attempted the DNS lookup.
:host
The host that attempted the DNS lookup.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:rev
The transformed result of a DNS PTR record lookup.
The base type for the form can be found at inet:dns:rev.
An example of inet:dns:rev
:
(1.2.3.4,vertex.link)
- Properties:
name
type
doc
opts
:ipv4
The IPv4 address queried for its DNS PTR record.
Read Only:
True
:fqdn
The domain returned in the PTR record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:rev6
The transformed result of a DNS PTR record for an IPv6 address.
The base type for the form can be found at inet:dns:rev6.
An example of inet:dns:rev6
:
(2607:f8b0:4004:809::200e,vertex.link)
- Properties:
name
type
doc
opts
:ipv6
The IPv6 address queried for its DNS PTR record.
Read Only:
True
:fqdn
The domain returned in the PTR record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:soa
The result of a DNS SOA record lookup.
The base type for the form can be found at inet:dns:soa.
- Properties:
name
type
doc
:fqdn
The domain queried for its SOA record.
:ns
The domain (MNAME) returned in the SOA record.
The email address (RNAME) returned in the SOA record.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:txt
The result of a DNS TXT record lookup.
The base type for the form can be found at inet:dns:txt.
An example of inet:dns:txt
:
(hehe.vertex.link,"fancy TXT record")
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its TXT record.
Read Only:
True
:txt
The string returned in the TXT record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:wild:a
A DNS A wild card record and the IPv4 it resolves to.
The base type for the form can be found at inet:dns:wild:a.
- Properties:
name
type
doc
opts
:fqdn
The domain containing a wild card record.
Read Only:
True
:ipv4
The IPv4 address returned by wild card resolutions.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:dns:wild:aaaa
A DNS AAAA wild card record and the IPv6 it resolves to.
The base type for the form can be found at inet:dns:wild:aaaa.
- Properties:
name
type
doc
opts
:fqdn
The domain containing a wild card record.
Read Only:
True
:ipv6
The IPv6 address returned by wild card resolutions.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:download
An instance of a file downloaded from a server.
The base type for the form can be found at inet:download.
- Properties:
name
type
doc
:time
The time the file was downloaded.
:fqdn
The FQDN used to resolve the server.
:file
The file that was downloaded.
:server
The inet:addr of the server.
:server:host
The it:host node for the server.
:server:ipv4
The IPv4 of the server.
:server:ipv6
The IPv6 of the server.
:server:port
The server tcp/udp port.
:server:proto
lower:True
The server network layer protocol.
:client
The inet:addr of the client.
:client:host
The it:host node for the client.
:client:ipv4
The IPv4 of the client.
:client:ipv6
The IPv6 of the client.
:client:port
The client tcp/udp port.
:client:proto
lower:True
The client network layer protocol.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:egress
A host using a specific network egress client address.
The base type for the form can be found at inet:egress.
- Properties:
name
type
doc
:host
The host that used the network egress.
:host:iface
The interface which the host used to connect out via the egress.
:account
The service account which used the client address to egress.
:client
The client address the host used as a network egress.
:client:ipv4
The client IPv4 address the host used as a network egress.
:client:ipv6
The client IPv6 address the host used as a network egress.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:email
An e-mail address.
The base type for the form can be found at inet:email.
- Properties:
name
type
doc
opts
:user
The username of the email address.
Read Only:
True
:fqdn
The domain of the email address.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:email:header
A unique email message header.
The base type for the form can be found at inet:email:header.
- Properties:
name
type
doc
opts
:name
The name of the email header.
Read Only:
True
:value
The value of the email header.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:email:message
An individual email message delivered to an inbox.
The base type for the form can be found at inet:email:message.
- Properties:
name
type
doc
opts
:id
strip:True
The ID parsed from the “message-id” header.
:to
The email address of the recipient.
:from
The email address of the sender.
:replyto
The email address parsed from the “reply-to” header.
:cc
Email addresses parsed from the “cc” header.
:subject
The email message subject parsed from the “subject” header.
:body
The body of the email message.
Display:
{'hint': 'text'}
:date
The time the email message was delivered.
:bytes
The file bytes which contain the email message.
:headers
type: inet:email:headerAn array of email headers from the message.
:received:from:ipv4
The sending SMTP server IPv4, potentially from the Received: header.
:received:from:ipv6
The sending SMTP server IPv6, potentially from the Received: header.
:received:from:fqdn
The sending server FQDN, potentially from the Received: header.
:flow
The inet:flow which delivered the message.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:email:message:attachment
A file which was attached to an email message.
The base type for the form can be found at inet:email:message:attachment.
- Properties:
name
type
doc
opts
:message
The message containing the attached file.
Read Only:
True
:file
The attached file.
Read Only:
True
:name
The name of the attached file.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:email:message:link
A url/link embedded in an email message.
The base type for the form can be found at inet:email:message:link.
- Properties:
name
type
doc
opts
:message
The message containing the embedded link.
Read Only:
True
:url
The url contained within the email message.
Read Only:
True
:text
The displayed hyperlink text if it was not the raw URL.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:flow
An individual network connection between a given source and destination.
The base type for the form can be found at inet:flow.
- Properties:
name
type
doc
opts
:time
The time the network connection was initiated.
:duration
The duration of the flow in seconds.
:from
The ingest source file/iden. Used for reparsing.
:dst
The destination address / port for a connection.
:dst:ipv4
The destination IPv4 address.
:dst:ipv6
The destination IPv6 address.
:dst:port
The destination port.
:dst:proto
lower:True
The destination protocol.
:dst:host
The guid of the destination host.
:dst:proc
The guid of the destination process.
:dst:exe
The file (executable) that received the connection.
:dst:txfiles
An array of files sent by the destination host.
:dst:txcount
The number of packets sent by the destination host.
:dst:txbytes
The number of bytes sent by the destination host.
:dst:handshake
A text representation of the initial handshake sent by the server.
Display:
{'hint': 'text'}
:src
The source address / port for a connection.
:src:ipv4
The source IPv4 address.
:src:ipv6
The source IPv6 address.
:src:port
The source port.
:src:proto
lower:True
The source protocol.
:src:host
The guid of the source host.
:src:proc
The guid of the source process.
:src:exe
The file (executable) that created the connection.
:src:txfiles
An array of files sent by the source host.
:src:txcount
The number of packets sent by the source host.
:src:txbytes
The number of bytes sent by the source host.
:tot:txcount
The number of packets sent in both directions.
:tot:txbytes
The number of bytes sent in both directions.
:src:handshake
A text representation of the initial handshake sent by the client.
Display:
{'hint': 'text'}
:dst:cpes
An array of NIST CPEs identified on the destination host.
:dst:softnames
An array of software names identified on the destination host.
:src:cpes
An array of NIST CPEs identified on the source host.
:src:softnames
An array of software names identified on the source host.
:ip:proto
The IP protocol number of the flow.
:ip:tcp:flags
An aggregation of observed TCP flags commonly provided by flow APIs.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
:src:ssl:cert
The x509 certificate sent by the client as part of an SSL/TLS negotiation.
:dst:ssl:cert
The x509 certificate sent by the server as part of an SSL/TLS negotiation.
:src:rdp:hostname
The hostname sent by the client as part of an RDP session setup.
:src:rdp:keyboard:layout
The keyboard layout sent by the client as part of an RDP session setup.
:src:ssh:key
The key sent by the client as part of an SSH session setup.
:dst:ssh:key
The key sent by the server as part of an SSH session setup.
:capture:host
The host which captured the flow.
:raw
A raw record used to create the flow which may contain additional protocol details.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:fqdn
A Fully Qualified Domain Name (FQDN).
The base type for the form can be found at inet:fqdn.
An example of inet:fqdn
:
vertex.link
- Properties:
name
type
doc
opts
:domain
The parent domain for the FQDN.
Read Only:
True
:host
lower:True
The host part of the FQDN.
Read Only:
True
:issuffix
True if the FQDN is considered a suffix.
:iszone
True if the FQDN is considered a zone.
:zone
The zone level parent for this FQDN.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:group
A group name string.
The base type for the form can be found at inet:group.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:http:param
An HTTP request path query parameter.
The base type for the form can be found at inet:http:param.
- Properties:
name
type
doc
opts
:name
lower:True
The name of the HTTP query parameter.
Read Only:
True
:value
The value of the HTTP query parameter.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:http:request
A single HTTP request.
The base type for the form can be found at inet:http:request.
- Properties:
name
type
doc
:method
The HTTP request method string.
:path
The requested HTTP path (without query parameters).
:url
The reconstructed URL for the request if known.
:query
The HTTP query string which optionally follows the path.
:headers
An array of HTTP headers from the request.
:body
The body of the HTTP request.
:referer
The referer URL parsed from the “Referer:” header in the request.
:cookies
An array of HTTP cookie values parsed from the “Cookies:” header in the request.
:response:time
A date/time value.
:response:code
The base 64 bit signed integer type.
:response:reason
The base string type.
:response:headers
An array of HTTP headers from the response.
:response:body
The file bytes type with SHA256 based primary property.
:session
The HTTP session this request was part of.
:flow
The raw inet:flow containing the request.
:client
The inet:addr of the client.
:client:ipv4
The server IPv4 address that the request was sent from.
:client:ipv6
The server IPv6 address that the request was sent from.
:client:host
The host that the request was sent from.
:server
The inet:addr of the server.
:server:ipv4
The server IPv4 address that the request was sent to.
:server:ipv6
The server IPv6 address that the request was sent to.
:server:port
The server port that the request was sent to.
:server:host
The host that the request was sent to.
:exe
The executable file which caused the activity.
:proc
The host process which caused the activity.
:thread
The host thread which caused the activity.
:host
The host on which the activity occurred.
:time
The time that the activity started.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:http:request:header
An HTTP request header.
The base type for the form can be found at inet:http:request:header.
- Properties:
name
type
doc
opts
:name
The name of the HTTP request header.
Read Only:
True
:value
The value of the HTTP request header.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:http:response:header
An HTTP response header.
The base type for the form can be found at inet:http:response:header.
- Properties:
name
type
doc
opts
:name
The name of the HTTP response header.
Read Only:
True
:value
The value of the HTTP response header.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:http:session
An HTTP session.
The base type for the form can be found at inet:http:session.
- Properties:
name
type
doc
:contact
The ps:contact which owns the session.
:cookies
An array of cookies used to identify this specific session.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:iface
A network interface with a set of associated protocol addresses.
The base type for the form can be found at inet:iface.
- Properties:
name
type
doc
opts
:host
The guid of the host the interface is associated with.
:name
strip:True
The interface name.
Example:
eth0
:network
The guid of the it:network the interface connected to.
:type
lower:True
The free-form interface type.
:mac
The ethernet (MAC) address of the interface.
:ipv4
The IPv4 address of the interface.
:ipv6
The IPv6 address of the interface.
:phone
The telephone number of the interface.
:wifi:ssid
The wifi SSID of the interface.
:wifi:bssid
The wifi BSSID of the interface.
:adid
An advertising ID associated with the interface.
:mob:imei
The IMEI of the interface.
:mob:imsi
The IMSI of the interface.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:ipv4
An IPv4 address.
The base type for the form can be found at inet:ipv4.
An example of inet:ipv4
:
1.2.3.4
- Properties:
name
type
doc
:asn
The ASN to which the IPv4 address is currently assigned.
:latlong
The best known latitude/longitude for the node.
:loc
The geo-political location string for the IPv4.
:place
The geo:place associated with the latlong property.
:type
The type of IP address (e.g., private, multicast, etc.).
:dns:rev
The most current DNS reverse lookup for the IPv4.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
inet:whois:iprec
-(ipwhois)>
inet:ipv4
The source IP whois record describes the target IPv4 address.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:ipv6
An IPv6 address.
The base type for the form can be found at inet:ipv6.
An example of inet:ipv6
:
2607:f8b0:4004:809::200e
- Properties:
name
type
doc
:asn
The ASN to which the IPv6 address is currently assigned.
:ipv4
The mapped ipv4.
:latlong
The last known latitude/longitude for the node.
:place
The geo:place associated with the latlong property.
:dns:rev
The most current DNS reverse lookup for the IPv6.
:loc
The geo-political location string for the IPv6.
:type
The type of IP address (e.g., private, multicast, etc.).
:scope
enums:reserved,interface-local,link-local,realm-local,admin-local,site-local,organization-local,global,unassigned
The IPv6 scope of the address (e.g., global, link-local, etc.).
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
inet:whois:iprec
-(ipwhois)>
inet:ipv6
The source IP whois record describes the target IPv6 address.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:mac
A 48-bit Media Access Control (MAC) address.
The base type for the form can be found at inet:mac.
An example of inet:mac
:
aa:bb:cc:dd:ee:ff
- Properties:
name
type
doc
:vendor
The vendor associated with the 24-bit prefix of a MAC address.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:passwd
A password string.
The base type for the form can be found at inet:passwd.
- Properties:
name
type
doc
opts
:md5
The MD5 hash of the password.
Read Only:
True
:sha1
The SHA1 hash of the password.
Read Only:
True
:sha256
The SHA256 hash of the password.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:proto
A network protocol name.
The base type for the form can be found at inet:proto.
- Properties:
name
type
doc
:port
The default port this protocol typically uses if applicable.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:rfc2822:addr
An RFC 2822 Address field.
The base type for the form can be found at inet:rfc2822:addr.
An example of inet:rfc2822:addr
:
"Visi Kenshoto" <visi@vertex.link>
- Properties:
name
type
doc
opts
:name
The name field parsed from an RFC 2822 address string.
Read Only:
True
The email field parsed from an RFC 2822 address string.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:search:query
An instance of a search query issued to a search engine.
The base type for the form can be found at inet:search:query.
- Properties:
name
type
doc
opts
:text
The search query text.
Display:
{'hint': 'text'}
:time
The time the web search was issued.
:acct
The account that the query was issued as.
:host
The host that issued the query.
:engine
lower:True
A simple name for the search engine used.
Example:
:request
The HTTP request used to issue the query.
:account
The account which initiated the action.
:success
Set to true if the action was successful.
:rule
The rule which allowed or denied the action.
:error:code
strip:True
The platform specific error code if the action was unsuccessful.
:error:reason
strip:True
The platform specific friendly error reason if the action was unsuccessful.
:platform
The platform where the action was initiated.
:instance
The platform instance where the action was initiated.
:session
The session which initiated the action.
:client
The network address of the client which initiated the action.
:client:host
The client host which initiated the action.
:server
The network address of the server which handled the action.
:server:host
The server host which handled the action.
:id
strip:True
A platform specific ID which identifies the node.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:search:result
A single result from a web search.
The base type for the form can be found at inet:search:result.
- Properties:
name
type
doc
:query
The search query that produced the result.
:title
lower:True
The title of the matching web page.
:rank
The rank/order of the query result.
:url
The URL hosting the matching content.
:text
lower:True
Extracted/matched text from the matched content.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:server
A network server address.
The base type for the form can be found at inet:server.
An example of inet:server
:
tcp://1.2.3.4:80
- Properties:
name
type
doc
opts
:proto
lower:True
The network protocol of the server.
Read Only:
True
:ipv4
The IPv4 of the server.
Read Only:
True
:ipv6
The IPv6 of the server.
Read Only:
True
:host
The it:host node for the server.
Read Only:
True
:port
The server tcp/udp port.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:servfile
A file hosted on a server for access over a network protocol.
The base type for the form can be found at inet:servfile.
- Properties:
name
type
doc
opts
:file
The file hosted by the server.
Read Only:
True
:server
The inet:addr of the server.
Read Only:
True
:server:proto
lower:True
The network protocol of the server.
Read Only:
True
:server:ipv4
The IPv4 of the server.
Read Only:
True
:server:ipv6
The IPv6 of the server.
Read Only:
True
:server:host
The it:host node for the server.
Read Only:
True
:server:port
The server tcp/udp port.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:access
Represents a user access request to a service resource.
The base type for the form can be found at inet:service:access.
- Properties:
name
type
doc
:resource
The resource which the account attempted to access.
:type
enums:((10, 'create'), (30, 'read'), (40, 'update'), (50, 'delete'), (60, 'list'), (70, 'execute'))
The type of access requested.
:time
The time that the account initiated the action.
:account
The account which initiated the action.
:success
Set to true if the action was successful.
:rule
The rule which allowed or denied the action.
:error:code
strip:True
The platform specific error code if the action was unsuccessful.
:error:reason
strip:True
The platform specific friendly error reason if the action was unsuccessful.
:platform
The platform where the action was initiated.
:instance
The platform instance where the action was initiated.
:session
The session which initiated the action.
:client
The network address of the client which initiated the action.
:client:host
The client host which initiated the action.
:server
The network address of the server which handled the action.
:server:host
The server host which handled the action.
:id
strip:True
A platform specific ID which identifies the node.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:account
An account within a service platform. Accounts may be instance specific.
The base type for the form can be found at inet:service:account.
- Properties:
name
type
doc
:user
The current user name of the account.
The current email address associated with the account.
:tenant
The tenant which contains the account.
:profile
The primary contact information for the account.
:url
The primary URL associated with the account.
:status
The status of the account.
:period
The period when the account existed.
:creator
The service account which created the account.
:remover
The service account which removed or decommissioned the account.
:id
strip:True
A platform specific ID which identifies the account.
:platform
The platform which defines the account.
:instance
The platform instance which defines the account.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:bucket
A file/blob storage object within a service architecture.
The base type for the form can be found at inet:service:bucket.
- Properties:
name
type
doc
:name
The name of the service resource.
:url
The primary URL associated with the bucket.
:status
The status of the bucket.
:period
The period when the bucket existed.
:creator
The service account which created the bucket.
:remover
The service account which removed or decommissioned the bucket.
:id
strip:True
A platform specific ID which identifies the bucket.
:platform
The platform which defines the bucket.
:instance
The platform instance which defines the bucket.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:bucket:item
An individual file stored within a bucket.
The base type for the form can be found at inet:service:bucket:item.
- Properties:
name
type
doc
:bucket
The bucket which contains the item.
:file
The bytes stored within the bucket item.
:file:name
The name of the file stored in the bucket item.
:url
The primary URL associated with the bucket item.
:status
The status of the bucket item.
:period
The period when the bucket item existed.
:creator
The service account which created the bucket item.
:remover
The service account which removed or decommissioned the bucket item.
:id
strip:True
A platform specific ID which identifies the bucket item.
:platform
The platform which defines the bucket item.
:instance
The platform instance which defines the bucket item.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:channel
A channel used to distribute messages.
The base type for the form can be found at inet:service:channel.
- Properties:
name
type
doc
:name
The name of the channel.
:period
The time period where the channel was available.
:url
The primary URL associated with the channel.
:status
The status of the channel.
:creator
The service account which created the channel.
:remover
The service account which removed or decommissioned the channel.
:id
strip:True
A platform specific ID which identifies the channel.
:platform
The platform which defines the channel.
:instance
The platform instance which defines the channel.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:channel:member
Represents a service account being a member of a channel.
The base type for the form can be found at inet:service:channel:member.
- Properties:
name
type
doc
:channel
The channel that the account was a member of.
:account
The account that was a member of the channel.
:period
The time period where the account was a member of the channel.
:url
The primary URL associated with the channel membership.
:status
The status of the channel membership.
:creator
The service account which created the channel membership.
:remover
The service account which removed or decommissioned the channel membership.
:id
strip:True
A platform specific ID which identifies the channel membership.
:platform
The platform which defines the channel membership.
:instance
The platform instance which defines the channel membership.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:emote
An emote or reaction by an account.
The base type for the form can be found at inet:service:emote.
- Properties:
name
type
doc
opts
:about
The node that the emote is about.
:text
strip:True
The unicode or emote text of the reaction.
Example:
:partyparrot:
:url
The primary URL associated with the emote.
:status
The status of the emote.
:period
The period when the emote existed.
:creator
The service account which created the emote.
:remover
The service account which removed or decommissioned the emote.
:id
strip:True
A platform specific ID which identifies the emote.
:platform
The platform which defines the emote.
:instance
The platform instance which defines the emote.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:group
A group or role which contains member accounts.
The base type for the form can be found at inet:service:group.
- Properties:
name
type
doc
:name
The name of the group on this platform.
:profile
Current detailed contact information for this group.
:url
The primary URL associated with the group.
:status
The status of the group.
:period
The period when the group existed.
:creator
The service account which created the group.
:remover
The service account which removed or decommissioned the group.
:id
strip:True
A platform specific ID which identifies the group.
:platform
The platform which defines the group.
:instance
The platform instance which defines the group.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:group:member
Represents a service account being a member of a group.
The base type for the form can be found at inet:service:group:member.
- Properties:
name
type
doc
:account
The account that is a member of the group.
:group
The group that the account is a member of.
:period
The time period when the account was a member of the group.
:url
The primary URL associated with the group membership.
:status
The status of the group membership.
:creator
The service account which created the group membership.
:remover
The service account which removed or decommissioned the group membership.
:id
strip:True
A platform specific ID which identifies the group membership.
:platform
The platform which defines the group membership.
:instance
The platform instance which defines the group membership.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:instance
An instance of the platform such as Slack or Discord instances.
The base type for the form can be found at inet:service:instance.
- Properties:
name
type
doc
opts
:id
strip:True
A platform specific ID to identify the service instance.
Example:
B8ZS2
:platform
The platform which defines the service instance.
:url
The primary URL which identifies the service instance.
Example:
https://v.vtx.lk/slack
:name
The name of the service instance.
Example:
synapse users slack
:desc
A description of the service instance.
Display:
{'hint': 'text'}
:period
The time period where the instance existed.
:status
The status of this instance.
:creator
The service account which created the instance.
:owner
The service account which owns the instance.
:tenant
The tenant which contains the instance.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:login
A login event for a service account.
The base type for the form can be found at inet:service:login.
- Properties:
name
type
doc
:method
The type of authentication used for the login. For example “password” or “multifactor.sms”.
:time
The time that the account initiated the action.
:account
The account which initiated the action.
:success
Set to true if the action was successful.
:rule
The rule which allowed or denied the action.
:error:code
strip:True
The platform specific error code if the action was unsuccessful.
:error:reason
strip:True
The platform specific friendly error reason if the action was unsuccessful.
:platform
The platform where the action was initiated.
:instance
The platform instance where the action was initiated.
:session
The session which initiated the action.
:client
The network address of the client which initiated the action.
:client:host
The client host which initiated the action.
:server
The network address of the server which handled the action.
:server:host
The server host which handled the action.
:id
strip:True
A platform specific ID which identifies the node.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:message
A message or post created by an account.
The base type for the form can be found at inet:service:message.
- Properties:
name
type
doc
opts
:account
The account which sent the message.
:to
The destination account. Used for direct messages.
:url
The URL where the message may be viewed.
:group
The group that the message was sent to.
:channel
The channel that the message was sent to.
:thread
The thread which contains the message.
:public
Set to true if the message is publicly visible.
:title
The message title.
:text
The text body of the message.
Display:
{'hint': 'text'}
:status
The message status.
:replyto
The message that this message was sent in reply to. Used for message threading.
:repost
The original message reposted by this message.
:links
An array of links contained within the message.
:attachments
An array of files attached to the message.
:place
The place that the message was sent from.
:place:name
The name of the place that the message was sent from.
:client:address
Deprecated. Please use :client.
Deprecated:
True
:client:software
The client software version used to send the message.
:client:software:name
The name of the client software used to send the message.
:file
The raw file that the message was extracted from.
:type
The type of message.
:time
The time that the account initiated the action.
:success
Set to true if the action was successful.
:rule
The rule which allowed or denied the action.
:error:code
strip:True
The platform specific error code if the action was unsuccessful.
:error:reason
strip:True
The platform specific friendly error reason if the action was unsuccessful.
:platform
The platform where the action was initiated.
:instance
The platform instance where the action was initiated.
:session
The session which initiated the action.
:client
The network address of the client which initiated the action.
:client:host
The client host which initiated the action.
:server
The network address of the server which handled the action.
:server:host
The server host which handled the action.
:id
strip:True
A platform specific ID which identifies the node.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:message:attachment
A file attachment included within a message.
The base type for the form can be found at inet:service:message:attachment.
- Properties:
name
type
doc
:name
The name of the attached file.
:text
Any text associated with the file such as alt-text for images.
:file
The file which was attached to the message.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:message:link
A URL link included within a message.
The base type for the form can be found at inet:service:message:link.
- Properties:
name
type
doc
:title
strip:True
The title text for the link.
:url
The URL which was attached to the message.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:message:type:taxonomy
A message type taxonomy.
The base type for the form can be found at inet:service:message:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:permission
A permission which may be granted to a service account or role.
The base type for the form can be found at inet:service:permission.
- Properties:
name
type
doc
:name
The name of the permission.
:type
The type of permission.
:url
The primary URL associated with the permission.
:status
The status of the permission.
:period
The period when the permission existed.
:creator
The service account which created the permission.
:remover
The service account which removed or decommissioned the permission.
:id
strip:True
A platform specific ID which identifies the permission.
:platform
The platform which defines the permission.
:instance
The platform instance which defines the permission.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:permission:type:taxonomy
A permission type taxonomy.
The base type for the form can be found at inet:service:permission:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:platform
A network platform which provides services.
The base type for the form can be found at inet:service:platform.
- Properties:
name
type
doc
opts
:url
The primary URL of the platform.
Example:
https://twitter.com
:name
A friendly name for the platform.
Example:
:desc
A description of the service platform.
Display:
{'hint': 'text'}
:provider
The organization which operates the platform.
:provider:name
The name of the organization which operates the platform.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:relationship
A relationship between two service objects.
The base type for the form can be found at inet:service:relationship.
- Properties:
name
type
doc
opts
:source
The source object.
:target
The target object.
:type
The type of relationship between the source and the target.
Example:
follows
:url
The primary URL associated with the relationship.
:status
The status of the relationship.
:period
The period when the relationship existed.
:creator
The service account which created the relationship.
:remover
The service account which removed or decommissioned the relationship.
:id
strip:True
A platform specific ID which identifies the relationship.
:platform
The platform which defines the relationship.
:instance
The platform instance which defines the relationship.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:relationship:type:taxonomy
A service object relationship type taxonomy.
The base type for the form can be found at inet:service:relationship:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:resource
A generic resource provided by the service architecture.
The base type for the form can be found at inet:service:resource.
- Properties:
name
type
doc
opts
:name
The name of the service resource.
:desc
A description of the service resource.
Display:
{'hint': 'text'}
:url
The primary URL where the resource is available from the service.
:type
The resource type. For example “rpc.endpoint”.
:status
The status of the resource.
:period
The period when the resource existed.
:creator
The service account which created the resource.
:remover
The service account which removed or decommissioned the resource.
:id
strip:True
A platform specific ID which identifies the resource.
:platform
The platform which defines the resource.
:instance
The platform instance which defines the resource.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:resource:type:taxonomy
A taxonomy of inet service resource types.
The base type for the form can be found at inet:service:resource:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:rule
A rule which grants or denies a permission to a service account or role.
The base type for the form can be found at inet:service:rule.
- Properties:
name
type
doc
:permission
The permission which is granted.
:denied
Set to (true) to denote that the rule is an explicit deny.
:object
interface:inet:service:object
The object that the permission controls access to.
:grantee
forms:('inet:service:account', 'inet:service:group')
The user or role which is granted the permission.
:url
The primary URL associated with the rule.
:status
The status of the rule.
:period
The period when the rule existed.
:creator
The service account which created the rule.
:remover
The service account which removed or decommissioned the rule.
:id
strip:True
A platform specific ID which identifies the rule.
:platform
The platform which defines the rule.
:instance
The platform instance which defines the rule.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:mitigation
-(uses)>
inet:service:rule
The mitigation uses the service rule.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:session
An authenticated session.
The base type for the form can be found at inet:service:session.
- Properties:
name
type
doc
:creator
The account which authenticated to create the session.
:period
The period where the session was valid.
:http:session
The HTTP session associated with the service session.
:url
The primary URL associated with the session.
:status
The status of the session.
:remover
The service account which removed or decommissioned the session.
:id
strip:True
A platform specific ID which identifies the session.
:platform
The platform which defines the session.
:instance
The platform instance which defines the session.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:subscription
A subscription to a service platform or instance.
The base type for the form can be found at inet:service:subscription.
- Properties:
name
type
doc
:level
A platform specific subscription level.
:pay:instrument
The primary payment instrument used to pay for the subscription.
:subscriber
The subscriber who owns the subscription.
:url
The primary URL associated with the subscription.
:status
The status of the subscription.
:period
The period when the subscription existed.
:creator
The service account which created the subscription.
:remover
The service account which removed or decommissioned the subscription.
:id
strip:True
A platform specific ID which identifies the subscription.
:platform
The platform which defines the subscription.
:instance
The platform instance which defines the subscription.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:subscription:level:taxonomy
A taxonomy of platform specific subscription levels.
The base type for the form can be found at inet:service:subscription:level:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:tenant
A tenant which groups accounts and instances.
The base type for the form can be found at inet:service:tenant.
- Properties:
name
type
doc
:profile
The primary contact information for the tenant.
:url
The primary URL associated with the tenant.
:status
The status of the tenant.
:period
The period when the tenant existed.
:creator
The service account which created the tenant.
:remover
The service account which removed or decommissioned the tenant.
:id
strip:True
A platform specific ID which identifies the tenant.
:platform
The platform which defines the tenant.
:instance
The platform instance which defines the tenant.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:service:thread
A message thread.
The base type for the form can be found at inet:service:thread.
- Properties:
name
type
doc
:title
The title of the thread.
:channel
The channel that contains the thread.
:message
The message which initiated the thread.
:url
The primary URL associated with the thread.
:status
The status of the thread.
:period
The period when the thread existed.
:creator
The service account which created the thread.
:remover
The service account which removed or decommissioned the thread.
:id
strip:True
A platform specific ID which identifies the thread.
:platform
The platform which defines the thread.
:instance
The platform instance which defines the thread.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:ssl:cert
Deprecated. Please use inet:tls:servercert or inet:tls:clientcert.
The base type for the form can be found at inet:ssl:cert.
- Properties:
name
type
doc
opts
:file
The file bytes for the SSL certificate.
Read Only:
True
:server
The server that presented the SSL certificate.
Read Only:
True
:server:ipv4
The SSL server IPv4 address.
Read Only:
True
:server:ipv6
The SSL server IPv6 address.
Read Only:
True
:server:port
The SSL server listening port.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:ssl:jarmhash
A TLS JARM fingerprint hash.
The base type for the form can be found at inet:ssl:jarmhash.
- Properties:
name
type
doc
opts
:ciphers
The encoded cipher and TLS version of the server.
Read Only:
True
:extensions
The truncated SHA256 of the TLS server extensions.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:ssl:jarmsample
A JARM hash sample taken from a server.
The base type for the form can be found at inet:ssl:jarmsample.
- Properties:
name
type
doc
opts
:jarmhash
The JARM hash computed from the server responses.
Read Only:
True
:server
The server that was sampled to compute the JARM hash.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tls:clientcert
An x509 certificate sent by a client for TLS.
The base type for the form can be found at inet:tls:clientcert.
An example of inet:tls:clientcert
:
(1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)
- Properties:
name
type
doc
opts
:client
The client associated with the x509 certificate.
Read Only:
True
:cert
The x509 certificate sent by the client.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tls:handshake
An instance of a TLS handshake between a server and client.
The base type for the form can be found at inet:tls:handshake.
- Properties:
name
type
doc
:time
The time the handshake was initiated.
:flow
The raw inet:flow associated with the handshake.
:server
The TLS server during the handshake.
:server:cert
The x509 certificate sent by the server during the handshake.
:server:fingerprint:ja3
The JA3S finger of the server.
:client
The TLS client during the handshake.
:client:cert
The x509 certificate sent by the client during the handshake.
:client:fingerprint:ja3
The JA3 fingerprint of the client.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tls:ja3:sample
A JA3 sample taken from a client.
The base type for the form can be found at inet:tls:ja3:sample.
- Properties:
name
type
doc
opts
:client
The client that was sampled to produce the JA3 hash.
Read Only:
True
:ja3
The JA3 hash computed from the client’s TLS hello packet.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tls:ja3s:sample
A JA3 sample taken from a server.
The base type for the form can be found at inet:tls:ja3s:sample.
- Properties:
name
type
doc
opts
:server
The server that was sampled to produce the JA3S hash.
Read Only:
True
:ja3s
The JA3S hash computed from the server’s TLS hello packet.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tls:servercert
An x509 certificate sent by a server for TLS.
The base type for the form can be found at inet:tls:servercert.
An example of inet:tls:servercert
:
(1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)
- Properties:
name
type
doc
opts
:server
The server associated with the x509 certificate.
Read Only:
True
:cert
The x509 certificate sent by the server.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tunnel
A specific sequence of hosts forwarding connections such as a VPN or proxy.
The base type for the form can be found at inet:tunnel.
- Properties:
name
type
doc
:anon
Indicates that this tunnel provides anonymization.
:type
The type of tunnel such as vpn or proxy.
:ingress
The server where client traffic enters the tunnel.
:egress
The server where client traffic leaves the tunnel.
:operator
The contact information for the tunnel operator.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:tunnel:type:taxonomy
A taxonomy of network tunnel types.
The base type for the form can be found at inet:tunnel:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:url
A Universal Resource Locator (URL).
The base type for the form can be found at inet:url.
An example of inet:url
:
http://www.woot.com/files/index.html
- Properties:
name
type
doc
opts
:fqdn
The fqdn used in the URL (e.g., http://www.woot.com/page.html).
Read Only:
True
:ipv4
The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html).
Read Only:
True
:ipv6
The IPv6 address used in the URL.
Read Only:
True
:passwd
The optional password used to access the URL.
Read Only:
True
:base
The base scheme, user/pass, fqdn, port and path w/o parameters.
Read Only:
True
:path
The path in the URL w/o parameters.
Read Only:
True
:params
The URL parameter string.
Read Only:
True
:port
The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified.
Read Only:
True
:proto
lower:True
The protocol in the URL.
Read Only:
True
:user
The optional username used to access the URL.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:dev:repo
-(has)>
inet:url
The repo has content hosted at the URL.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:url:mirror
A URL mirror site.
The base type for the form can be found at inet:url:mirror.
- Properties:
name
type
doc
opts
:of
The URL being mirrored.
Read Only:
True
:at
The URL of the mirror.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:urlfile
A file hosted at a specific Universal Resource Locator (URL).
The base type for the form can be found at inet:urlfile.
- Properties:
name
type
doc
opts
:url
The URL where the file was hosted.
Read Only:
True
:file
The file that was hosted at the URL.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:urlredir
A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.
The base type for the form can be found at inet:urlredir.
An example of inet:urlredir
:
(http://foo.com/,http://bar.com/)
- Properties:
name
type
doc
opts
:src
The original/source URL before redirect.
Read Only:
True
:src:fqdn
The FQDN within the src URL (if present).
Read Only:
True
:dst
The redirected/destination URL.
Read Only:
True
:dst:fqdn
The FQDN within the dst URL (if present).
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:user
A username string.
The base type for the form can be found at inet:user.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:acct
An account with a given Internet-based site or service.
The base type for the form can be found at inet:web:acct.
An example of inet:web:acct
:
twitter.com/invisig0th
- Properties:
name
type
doc
opts
:avatar
The file representing the avatar (e.g., profile picture) for the account.
:banner
The file representing the banner for the account.
:dob
A self-declared date of birth for the account (if the account belongs to a person).
The email address associated with the account.
:linked:accts
Linked accounts specified in the account profile.
:latlong
The last known latitude/longitude for the node.
:place
The geo:place associated with the latlong property.
:loc
A self-declared location for the account.
:name
The localized name associated with the account (may be different from the account identifier, e.g., a display name).
:name:en
The English version of the name associated with the (may be different from the account identifier, e.g., a display name).
Deprecated:
True
:aliases
An array of alternate names for the user.
:occupation
lower:True
A self-declared occupation for the account.
:passwd
The current password for the account.
:phone
The phone number associated with the account.
:realname
The localized version of the real name of the account owner / registrant.
:realname:en
The English version of the real name of the account owner / registrant.
Deprecated:
True
:signup
The date and time the account was registered.
:signup:client
The client address used to sign up for the account.
:signup:client:ipv4
The IPv4 address used to sign up for the account.
:signup:client:ipv6
The IPv6 address used to sign up for the account.
:site
The site or service associated with the account.
Read Only:
True
:tagline
The text of the account status or tag line.
:url
The service provider URL where the account is hosted.
:user
The unique identifier for the account (may be different from the common name or display name).
Read Only:
True
:webpage
A related URL specified by the account (e.g., a personal or company web page, blog, etc.).
:recovery:email
An email address registered as a recovery email address for the account.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:action
An instance of an account performing an action at an Internet-based site or service.
The base type for the form can be found at inet:web:action.
- Properties:
name
type
doc
:act
The action performed by the account.
:acct
The web account associated with the action.
:acct:site
The site or service associated with the account.
:acct:user
The unique identifier for the account.
:time
The date and time the account performed the action.
:client
The source client address of the action.
:client:ipv4
The source IPv4 address of the action.
:client:ipv6
The source IPv6 address of the action.
:loc
The location of the user executing the web action.
:latlong
The latlong of the user when executing the web action.
:place
The geo:place of the user when executing the web action.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:attachment
An instance of a file being sent to a web service by an account.
The base type for the form can be found at inet:web:attachment.
- Properties:
name
type
doc
opts
:acct
The account that uploaded the file.
:post
The optional web post that the file was attached to.
:mesg
The optional web message that the file was attached to.
:proto
The protocol used to transmit the file to the web service.
Example:
https
:interactive
Set to true if the upload was interactive. False if automated.
:file
The file that was sent.
:name
The name of the file at the time it was sent.
:time
The time the file was sent.
:client
The client address which initiated the upload.
:client:ipv4
The IPv4 address of the client that initiated the upload.
:client:ipv6
The IPv6 address of the client that initiated the upload.
:place
The place the file was sent from.
:place:loc
The geopolitical location that the file was sent from.
:place:name
The reported name of the place that the file was sent from.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:channel
A channel within a web service or instance such as slack or discord.
The base type for the form can be found at inet:web:channel.
- Properties:
name
type
doc
opts
:url
The primary URL used to identify the channel.
Example:
https://app.slack.com/client/T2XK1223Y/C2XHHNDS7
:id
strip:True
The operator specified ID of this channel.
Example:
C2XHHNDS7
:instance
The instance which contains the channel.
:name
strip:True
The visible name of the channel.
Example:
general
:topic
strip:True
The visible topic of the channel.
Example:
Synapse Discussion - Feel free to invite others!
:created
The time the channel was created.
:creator
The account which created the channel.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:chprofile
A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.
The base type for the form can be found at inet:web:chprofile.
- Properties:
name
type
doc
:acct
The web account associated with the change.
:acct:site
The site or service associated with the account.
:acct:user
The unique identifier for the account.
:client
The source address used to make the account change.
:client:ipv4
The source IPv4 address used to make the account change.
:client:ipv6
The source IPv6 address used to make the account change.
:time
The date and time when the account change occurred.
:pv
The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.
:pv:prop
The property that was changed.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:file
A file posted by a web account.
The base type for the form can be found at inet:web:file.
- Properties:
name
type
doc
opts
:acct
The account that owns or is associated with the file.
Read Only:
True
:acct:site
The site or service associated with the account.
Read Only:
True
:acct:user
The unique identifier for the account.
Read Only:
True
:file
The file owned by or associated with the account.
Read Only:
True
:name
The name of the file owned by or associated with the account.
:posted
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
:client
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
:client:ipv4
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
:client:ipv6
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:follows
A web account follows or is connected to another web account.
The base type for the form can be found at inet:web:follows.
- Properties:
name
type
doc
opts
:follower
The account following an account.
Read Only:
True
:followee
The account followed by an account.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:group
A group hosted within or registered with a given Internet-based site or service.
The base type for the form can be found at inet:web:group.
An example of inet:web:group
:
somesite.com/mycoolgroup
- Properties:
name
type
doc
opts
:site
The site or service associated with the group.
Read Only:
True
:id
The site-specific unique identifier for the group (may be different from the common name or display name).
Read Only:
True
:name
The localized name associated with the group (may be different from the account identifier, e.g., a display name).
:aliases
An array of alternate names for the group.
:name:en
The English version of the name associated with the group (may be different from the localized name).
Deprecated:
True
:url
The service provider URL where the group is hosted.
:avatar
The file representing the avatar (e.g., profile picture) for the group.
:desc
The text of the description of the group.
:webpage
A related URL specified by the group (e.g., primary web site, etc.).
:loc
lower:True
A self-declared location for the group.
:latlong
The last known latitude/longitude for the node.
:place
The geo:place associated with the latlong property.
:signup
The date and time the group was created on the site.
:signup:client
The client address used to create the group.
:signup:client:ipv4
The IPv4 address used to create the group.
:signup:client:ipv6
The IPv6 address used to create the group.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:hashtag
A hashtag used in a web post.
The base type for the form can be found at inet:web:hashtag.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:instance
An instance of a web service such as slack or discord.
The base type for the form can be found at inet:web:instance.
- Properties:
name
type
doc
opts
:url
The primary URL used to identify the instance.
Example:
https://app.slack.com/client/T2XK1223Y
:id
strip:True
The operator specified ID of this instance.
Example:
T2XK1223Y
:name
strip:True
The visible name of the instance.
Example:
vertex synapse
:created
The time the instance was created.
:creator
The account which created the instance.
:owner
The organization which created the instance.
:owner:fqdn
The FQDN of the organization which created the instance. Used for entity resolution.
Example:
vertex.link
:owner:name
The name of the organization which created the instance. Used for entity resolution.
Example:
the vertex project, llc.
:operator
The organization which operates the instance.
:operator:name
The name of the organization which operates the instance. Used for entity resolution.
Example:
slack
:operator:fqdn
The FQDN of the organization which operates the instance. Used for entity resolution.
Example:
slack.com
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:logon
An instance of an account authenticating to an Internet-based site or service.
The base type for the form can be found at inet:web:logon.
- Properties:
name
type
doc
:acct
The web account associated with the logon event.
:acct:site
The site or service associated with the account.
:acct:user
The unique identifier for the account.
:time
The date and time the account logged into the service.
:client
The source address of the logon.
:client:ipv4
The source IPv4 address of the logon.
:client:ipv6
The source IPv6 address of the logon.
:logout
The date and time the account logged out of the service.
:loc
The location of the user executing the logon.
:latlong
The latlong of the user executing the logon.
:place
The geo:place of the user executing the logon.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:memb
Deprecated. Please use inet:web:member.
The base type for the form can be found at inet:web:memb.
- Properties:
name
type
doc
opts
:acct
The account that is a member of the group.
Read Only:
True
:group
The group that the account is a member of.
Read Only:
True
:title
lower:True
The title or status of the member (e.g., admin, new member, etc.).
:joined
The date / time the account joined the group.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:member
Represents a web account membership in a channel or group.
The base type for the form can be found at inet:web:member.
- Properties:
name
type
doc
:acct
The account that is a member of the group or channel.
:group
The group that the account is a member of.
:channel
The channel that the account is a member of.
:added
The date / time the account was added to the group or channel.
:removed
The date / time the account was removed from the group or channel.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:mesg
A message sent from one web account to another web account or channel.
The base type for the form can be found at inet:web:mesg.
An example of inet:web:mesg
:
((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)
- Properties:
name
type
doc
opts
:from
The web account that sent the message.
Read Only:
True
:to
The web account that received the message.
Read Only:
True
:client
The source address of the message.
:client:ipv4
The source IPv4 address of the message.
:client:ipv6
The source IPv6 address of the message.
:time
The date and time at which the message was sent.
Read Only:
True
:url
The URL where the message is posted / visible.
:text
The text of the message.
Display:
{'hint': 'text'}
:deleted
The message was deleted.
:file
The file attached to or sent with the message.
:place
The place that the message was reportedly sent from.
:place:name
The name of the place that the message was reportedly sent from. Used for entity resolution.
:instance
The instance where the message was sent.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:post
A post made by a web account.
The base type for the form can be found at inet:web:post.
- Properties:
name
type
doc
opts
:acct
The web account that made the post.
:acct:site
The site or service associated with the account.
:client
The source address of the post.
:client:ipv4
The source IPv4 address of the post.
:client:ipv6
The source IPv6 address of the post.
:acct:user
The unique identifier for the account.
:text
The text of the post.
Display:
{'hint': 'text'}
:time
The date and time that the post was made.
:deleted
The message was deleted by the poster.
:url
The URL where the post is published / visible.
:file
The file that was attached to the post.
:replyto
The post that this post is in reply to.
:repost
The original post that this is a repost of.
:hashtags
Hashtags mentioned within the post.
:mentions:users
Accounts mentioned within the post.
:mentions:groups
Groups mentioned within the post.
:loc
The location that the post was reportedly sent from.
:place
The place that the post was reportedly sent from.
:place:name
The name of the place that the post was reportedly sent from. Used for entity resolution.
:latlong
The place that the post was reportedly sent from.
:channel
The channel where the post was made.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:web:post:link
A link contained within post text.
The base type for the form can be found at inet:web:post:link.
- Properties:
name
type
doc
:post
The post containing the embedded link.
:url
The url that the link forwards to.
:text
The displayed hyperlink text if it was not the raw URL.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:contact
An individual contact from a domain whois record.
The base type for the form can be found at inet:whois:contact.
- Properties:
name
type
doc
opts
:rec
The whois record containing the contact data.
Read Only:
True
:rec:fqdn
The domain associated with the whois record.
Read Only:
True
:rec:asof
The date of the whois record.
Read Only:
True
:type
lower:True
The contact type (e.g., registrar, registrant, admin, billing, tech, etc.).
Read Only:
True
:id
lower:True
The ID associated with the contact.
:name
lower:True
The name of the contact.
The email address of the contact.
:orgname
The name of the contact organization.
:address
lower:True
The content of the street address field(s) of the contact.
:city
lower:True
The content of the city field of the contact.
:state
lower:True
The content of the state field of the contact.
:country
lower:True
The two-letter country code of the contact.
:phone
The content of the phone field of the contact.
:fax
The content of the fax field of the contact.
:url
The URL specified for the contact.
:whois:fqdn
The whois server FQDN for the given contact (most likely a registrar).
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:email
An email address associated with an FQDN via whois registration text.
The base type for the form can be found at inet:whois:email.
- Properties:
name
type
doc
opts
:fqdn
The domain with a whois record containing the email address.
Read Only:
True
The email address associated with the domain whois record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:ipcontact
An individual contact from an IP block record.
The base type for the form can be found at inet:whois:ipcontact.
- Properties:
name
type
doc
:contact
Contact information associated with a registration.
:asof
The date of the record.
:created
The “created” time from the record.
:updated
The “last updated” time from the record.
:role
lower:True
The primary role for the contact.
:roles
Additional roles assigned to the contact.
:asn
The associated Autonomous System Number (ASN).
:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
:links
URLs provided with the record.
:status
lower:True
The state of the registered contact (e.g. validated, obscured).
:contacts
Additional contacts referenced by this contact.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:ipquery
Query details used to retrieve an IP record.
The base type for the form can be found at inet:whois:ipquery.
- Properties:
name
type
doc
:time
The time the request was made.
:url
The query URL when using the HTTP RDAP Protocol.
:fqdn
The FQDN of the host server when using the legacy WHOIS Protocol.
:ipv4
The IPv4 address queried.
:ipv6
The IPv6 address queried.
:success
Whether the host returned a valid response for the query.
:rec
The resulting record from the query.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:iprec
An IPv4/IPv6 block registration record.
The base type for the form can be found at inet:whois:iprec.
- Properties:
name
type
doc
opts
:net4
The IPv4 address range assigned.
:net4:min
The first IPv4 in the range assigned.
:net4:max
The last IPv4 in the range assigned.
:net6
The IPv6 address range assigned.
:net6:min
The first IPv6 in the range assigned.
:net6:max
The last IPv6 in the range assigned.
:asof
The date of the record.
:created
The “created” time from the record.
:updated
The “last updated” time from the record.
:text
lower:True
The full text of the record.
Display:
{'hint': 'text'}
:desc
lower:True
Notes concerning the record.
Display:
{'hint': 'text'}
:asn
The associated Autonomous System Number (ASN).
:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
:name
The name assigned to the network by the registrant.
:parentid
The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).
:registrant
Deprecated. Add the registrant inet:whois:ipcontact to the :contacts array.
Deprecated:
True
:contacts
Additional contacts from the record.
:country
The two-letter ISO 3166 country code.
:status
lower:True
The state of the registered network.
:type
lower:True
The classification of the registered network (e.g. direct allocation).
:links
URLs provided with the record.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
inet:whois:iprec
-(ipwhois)>
inet:ipv4
The source IP whois record describes the target IPv4 address.
inet:whois:iprec
-(ipwhois)>
inet:ipv6
The source IP whois record describes the target IPv6 address.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:rar
A domain registrar.
The base type for the form can be found at inet:whois:rar.
An example of inet:whois:rar
:
godaddy, inc.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:rec
A domain whois record.
The base type for the form can be found at inet:whois:rec.
- Properties:
name
type
doc
opts
:fqdn
The domain associated with the whois record.
Read Only:
True
:asof
The date of the whois record.
Read Only:
True
:text
lower:True
The full text of the whois record.
Display:
{'hint': 'text'}
:created
The “created” time from the whois record.
:updated
The “last updated” time from the whois record.
:expires
The “expires” time from the whois record.
:registrar
The registrar name from the whois record.
:registrant
The registrant name from the whois record.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:recns
A nameserver associated with a domain whois record.
The base type for the form can be found at inet:whois:recns.
- Properties:
name
type
doc
opts
:ns
A nameserver for a domain as listed in the domain whois record.
Read Only:
True
:rec
The whois record containing the nameserver data.
Read Only:
True
:rec:fqdn
The domain associated with the whois record.
Read Only:
True
:rec:asof
The date of the whois record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:reg
A domain registrant.
The base type for the form can be found at inet:whois:reg.
An example of inet:whois:reg
:
woot hostmaster
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:whois:regid
The registry unique identifier of the registration record.
The base type for the form can be found at inet:whois:regid.
An example of inet:whois:regid
:
NET-10-0-0-0-1
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:wifi:ap
An SSID/MAC address combination for a wireless access point.
The base type for the form can be found at inet:wifi:ap.
- Properties:
name
type
doc
opts
:ssid
The SSID for the wireless access point.
Read Only:
True
:bssid
The MAC address for the wireless access point.
Read Only:
True
:latlong
The best known latitude/longitude for the wireless access point.
:accuracy
The reported accuracy of the latlong telemetry reading.
:channel
The WIFI channel that the AP was last observed operating on.
:encryption
The type of encryption used by the WIFI AP such as “wpa2”.
:place
The geo:place associated with the latlong property.
:loc
The geo-political location string for the wireless access point.
:org
The organization that owns/operates the access point.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
inet:wifi:ssid
A WiFi service set identifier (SSID) name.
The base type for the form can be found at inet:wifi:ssid.
An example of inet:wifi:ssid
:
The Vertex Project
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
iso:oid
An ISO Object Identifier string.
The base type for the form can be found at iso:oid.
- Properties:
name
type
doc
:descr
A description of the value or meaning of the OID.
:identifier
The string identifier for the deepest tree element.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:account
A GUID that represents an account on a host or network.
The base type for the form can be found at it:account.
- Properties:
name
type
doc
opts
:user
The username associated with the account.
:contact
Additional contact information associated with this account.
:host
The host where the account is registered.
:domain
The authentication domain where the account is registered.
:posix:uid
The user ID of the account.
Example:
1001
:posix:gid
The primary group ID of the account.
Example:
1001
:posix:gecos
The GECOS field for the POSIX account.
:posix:home
The path to the POSIX account’s home directory.
Example:
/home/visi
:posix:shell
The path to the POSIX account’s default shell.
Example:
/bin/bash
:windows:sid
The Microsoft Windows Security Identifier of the account.
:groups
An array of groups that the account is a member of.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:adid
An advertising identification string.
The base type for the form can be found at it:adid.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:app:snort:hit
An instance of a snort rule hit.
The base type for the form can be found at it:app:snort:hit.
- Properties:
name
type
doc
:rule
The snort rule that matched the file.
:flow
The inet:flow that matched the snort rule.
:src
The source address of flow that caused the hit.
:src:ipv4
The source IPv4 address of the flow that caused the hit.
:src:ipv6
The source IPv6 address of the flow that caused the hit.
:src:port
The source port of the flow that caused the hit.
:dst
The destination address of the trigger.
:dst:ipv4
The destination IPv4 address of the flow that caused the hit.
:dst:ipv6
The destination IPv4 address of the flow that caused the hit.
:dst:port
The destination port of the flow that caused the hit.
:time
The time of the network flow that caused the hit.
:sensor
The sensor host node that produced the hit.
:version
The version of the rule at the time of match.
:dropped
Set to true if the network traffic was dropped due to the match.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:app:snort:rule
A snort rule.
The base type for the form can be found at it:app:snort:rule.
- Properties:
name
type
doc
opts
:id
The snort rule id.
:text
The snort rule text.
Display:
{'hint': 'text'}
:name
The name of the snort rule.
:desc
A brief description of the snort rule.
Display:
{'hint': 'text'}
:engine
The snort engine ID which can parse and evaluate the rule text.
:version
The current version of the rule.
:author
Contact info for the author of the rule.
:created
The time the rule was initially created.
:updated
The time the rule was most recently modified.
:enabled
The rule enabled status to be used for snort evaluation engines.
:family
The name of the software family the rule is designed to detect.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:mitigation
-(uses)>
it:app:snort:rule
The mitigation uses the Snort rule.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:app:yara:match
A YARA rule match to a file.
The base type for the form can be found at it:app:yara:match.
- Properties:
name
type
doc
opts
:rule
The YARA rule that matched the file.
Read Only:
True
:file
The file that matched the YARA rule.
Read Only:
True
:version
The most recent version of the rule evaluated as a match.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:app:yara:netmatch
An instance of a YARA rule network hunting match.
The base type for the form can be found at it:app:yara:netmatch.
- Properties:
name
type
doc
:rule
The YARA rule that triggered the match.
:version
The most recent version of the rule evaluated as a match.
:node
forms:('inet:fqdn', 'inet:ipv4', 'inet:ipv6', 'inet:url')
The node which matched the rule.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:app:yara:procmatch
An instance of a YARA rule match to a process.
The base type for the form can be found at it:app:yara:procmatch.
- Properties:
name
type
doc
:rule
The YARA rule that matched the process.
:proc
The process that matched the YARA rule.
:time
The time that the YARA engine matched the process to the rule.
:version
The most recent version of the rule evaluated as a match.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:app:yara:rule
A YARA rule unique identifier.
The base type for the form can be found at it:app:yara:rule.
- Properties:
name
type
doc
opts
:text
The YARA rule text.
Display:
{'hint': 'text', 'syntax': 'yara'}
:ext:id
The YARA rule ID from an external system.
:url
A URL which documents the YARA rule.
:name
The name of the YARA rule.
:author
Contact info for the author of the YARA rule.
:version
The current version of the rule.
:created
The time the YARA rule was initially created.
:updated
The time the YARA rule was most recently modified.
:enabled
The rule enabled status to be used for YARA evaluation engines.
:family
The name of the software family the rule is designed to detect.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:mitigation
-(uses)>
it:app:yara:rule
The mitigation uses the YARA rule.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:auth:passwdhash
An instance of a password hash.
The base type for the form can be found at it:auth:passwdhash.
- Properties:
name
type
doc
:salt
The (optional) hex encoded salt value used to calculate the password hash.
:hash:md5
The MD5 password hash value.
:hash:sha1
The SHA1 password hash value.
:hash:sha256
The SHA256 password hash value.
:hash:sha512
The SHA512 password hash value.
:hash:lm
The LM password hash value.
:hash:ntlm
The NTLM password hash value.
:passwd
The (optional) clear text password for this password hash.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:av:filehit
Deprecated. Please use it:av:scan:result.
The base type for the form can be found at it:av:filehit.
- Properties:
name
type
doc
opts
:file
The file that triggered the signature hit.
Read Only:
True
:sig
The signature that the file triggered on.
Read Only:
True
:sig:name
The signature name.
Read Only:
True
:sig:soft
The anti-virus product which contains the signature.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:av:prochit
Deprecated. Please use it:av:scan:result.
The base type for the form can be found at it:av:prochit.
- Properties:
name
type
doc
:proc
The file that triggered the signature hit.
:sig
The signature that the file triggered on.
:time
The time that the AV engine detected the signature.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:av:scan:result
The result of running an antivirus scanner.
The base type for the form can be found at it:av:scan:result.
- Properties:
name
type
doc
:time
The time the scan was run.
:verdict
enums:((10, 'benign'), (20, 'unknown'), (30, 'suspicious'), (40, 'malicious'))
The scanner provided verdict for the scan.
:scanner
The scanner software used to produce the result.
:scanner:name
The name of the scanner software.
:signame
The name of the signature returned by the scanner.
:categories
A list of categories for the result returned by the scanner.
:target:file
The file that was scanned to produce the result.
:target:proc
The process that was scanned to produce the result.
:target:host
The host that was scanned to produce the result.
:target:fqdn
The FQDN that was scanned to produce the result.
:target:url
The URL that was scanned to produce the result.
:target:ipv4
The IPv4 address that was scanned to produce the result.
:target:ipv6
The IPv6 address that was scanned to produce the result.
:multi:scan
Set if this result was part of running multiple scanners.
:multi:count
min:0
The total number of scanners which were run by a multi-scanner.
:multi:count:benign
min:0
The number of scanners which returned a benign verdict.
:multi:count:unknown
min:0
The number of scanners which returned a unknown/unsupported verdict.
:multi:count:suspicious
min:0
The number of scanners which returned a suspicious verdict.
:multi:count:malicious
min:0
The number of scanners which returned a malicious verdict.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:av:sig
Deprecated. Please use it:av:scan:result.
The base type for the form can be found at it:av:sig.
- Properties:
name
type
doc
opts
:soft
The anti-virus product which contains the signature.
Read Only:
True
:name
The signature name.
Read Only:
True
:desc
A free-form description of the signature.
Display:
{'hint': 'text'}
:url
A reference URL for information about the signature.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:av:signame
An antivirus signature name.
The base type for the form can be found at it:av:signame.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:cmd
A unique command-line string.
The base type for the form can be found at it:cmd.
An example of it:cmd
:
foo.exe --dostuff bar
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:cmd:history
A single command executed within a session.
The base type for the form can be found at it:cmd:history.
- Properties:
name
type
doc
:cmd
The command that was executed.
:session
The session that contains this history entry.
:time
The time that the command was executed.
:index
Used to order the commands when times are not available.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:cmd:session
A command line session with multiple commands run over time.
The base type for the form can be found at it:cmd:session.
- Properties:
name
type
doc
:host
The host where the command line session was executed.
:proc
The process which was interpreting this command line session.
:period
The period over which the command line session was running.
:file
The file containing the command history such as a .bash_history file.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:int
A developer selected integer constant.
The base type for the form can be found at it:dev:int.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:mutex
A string representing a mutex.
The base type for the form can be found at it:dev:mutex.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:pipe
A string representing a named pipe.
The base type for the form can be found at it:dev:pipe.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:regkey
A Windows registry key.
The base type for the form can be found at it:dev:regkey.
An example of it:dev:regkey
:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:regval
A Windows registry key/value pair.
The base type for the form can be found at it:dev:regval.
- Properties:
name
type
doc
:key
The Windows registry key.
:str
The value of the registry key, if the value is a string.
:int
The value of the registry key, if the value is an integer.
:bytes
The file representing the value of the registry key, if the value is binary data.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo
A version control system instance.
The base type for the form can be found at it:dev:repo.
- Properties:
name
type
doc
opts
:name
The name of the repository.
:desc
A free-form description of the repository.
Display:
{'hint': 'text'}
:created
Deprecated. Please use :period.
Deprecated:
True
:url
The URL where the repository is hosted.
:type
The type of the version control system used.
Example:
svn
:submodules
type: it:dev:repo:commitAn array of other repos that this repo has as submodules, pinned at specific commits.
:status
The status of the repository.
:period
The period when the repository existed.
:creator
The service account which created the repository.
:remover
The service account which removed or decommissioned the repository.
:id
strip:True
A platform specific ID which identifies the repository.
:platform
The platform which defines the repository.
:instance
The platform instance which defines the repository.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
it:dev:repo
-(has)>
inet:url
The repo has content hosted at the URL.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:branch
A branch in a version control system instance.
The base type for the form can be found at it:dev:repo:branch.
- Properties:
name
type
doc
opts
:parent
The branch this branch was branched from.
:start
The commit in the parent branch this branch was created at.
:name
strip:True
The name of the branch.
:url
The URL where the branch is hosted.
:created
Deprecated. Please use :period.
Deprecated:
True
:merged
The time this branch was merged back into its parent.
:deleted
Deprecated. Please use :period.
Deprecated:
True
:status
The status of the repository branch.
:period
The period when the repository branch existed.
:creator
The service account which created the repository branch.
:remover
The service account which removed or decommissioned the repository branch.
:id
strip:True
A platform specific ID which identifies the repository branch.
:platform
The platform which defines the repository branch.
:instance
The platform instance which defines the repository branch.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:commit
A commit to a repository.
The base type for the form can be found at it:dev:repo:commit.
- Properties:
name
type
doc
opts
:repo
The repository the commit lives in.
:parents
type: it:dev:repo:commitThe commit or commits this commit is immediately based on.
:branch
The name of the branch the commit was made to.
:mesg
The commit message describing the changes in the commit.
Display:
{'hint': 'text'}
:id
strip:True
The version control system specific commit identifier.
:created
Deprecated. Please use :period.
Deprecated:
True
:url
The URL where the commit is hosted.
:status
The status of the repository commit.
:period
The period when the repository commit existed.
:creator
The service account which created the repository commit.
:remover
The service account which removed or decommissioned the repository commit.
:platform
The platform which defines the repository commit.
:instance
The platform instance which defines the repository commit.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:diff
A diff of a file being applied in a single commit.
The base type for the form can be found at it:dev:repo:diff.
- Properties:
name
type
doc
:commit
The commit that produced this diff.
:file
The file after the commit has been applied.
:path
The path to the file in the repo that the diff is being applied to.
:url
The URL where the diff is hosted.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:diff:comment
A comment on a diff in a repository.
The base type for the form can be found at it:dev:repo:diff:comment.
- Properties:
name
type
doc
opts
:diff
The diff the comment is being added to.
:text
The body of the comment.
Display:
{'hint': 'text'}
:replyto
The comment that this comment is replying to.
:line
The line in the file that is being commented on.
:offset
The offset in the line in the file that is being commented on.
:url
The URL where the comment is hosted.
:created
Deprecated. Please use :period.
Deprecated:
True
:updated
The time the comment was updated.
:status
The status of the repository diff comment.
:period
The period when the repository diff comment existed.
:creator
The service account which created the repository diff comment.
:remover
The service account which removed or decommissioned the repository diff comment.
:id
strip:True
A platform specific ID which identifies the repository diff comment.
:platform
The platform which defines the repository diff comment.
:instance
The platform instance which defines the repository diff comment.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:issue
An issue raised in a repository.
The base type for the form can be found at it:dev:repo:issue.
- Properties:
name
type
doc
opts
:repo
The repo where the issue was logged.
:title
The title of the issue.
:desc
The text describing the issue.
Display:
{'hint': 'text'}
:created
Deprecated. Please use :period.
Deprecated:
True
:updated
The time the issue was updated.
:url
The URL where the issue is hosted.
:id
strip:True
The ID of the issue in the repository system.
:status
The status of the repository issue.
:period
The period when the repository issue existed.
:creator
The service account which created the repository issue.
:remover
The service account which removed or decommissioned the repository issue.
:platform
The platform which defines the repository issue.
:instance
The platform instance which defines the repository issue.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:issue:comment
A comment on an issue in a repository.
The base type for the form can be found at it:dev:repo:issue:comment.
- Properties:
name
type
doc
opts
:issue
The issue thread that the comment was made in.
:text
The body of the comment.
Display:
{'hint': 'text'}
:replyto
The comment that this comment is replying to.
:url
The URL where the comment is hosted.
:created
Deprecated. Please use :period.
Deprecated:
True
:updated
The time the comment was updated.
:status
The status of the repository issue comment.
:period
The period when the repository issue comment existed.
:creator
The service account which created the repository issue comment.
:remover
The service account which removed or decommissioned the repository issue comment.
:id
strip:True
A platform specific ID which identifies the repository issue comment.
:platform
The platform which defines the repository issue comment.
:instance
The platform instance which defines the repository issue comment.
- Source Edges:
source
verb
target
doc
*
-(meets)>
ou:requirement
The requirement is met by the source node.
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
Deprecated. Please use geo:telem:node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
math:algorithm
-(generates)>
*
The target node was generated by the algorithm.
meta:feed
-(found)>
*
The meta:feed produced the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(has)>
*
The organization is or was in possession of the target node.
ou:org
-(owns)>
*
The organization owns or owned the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
plan:procedure:step
-(uses)>
*
The step in the procedure makes use of the target node.
ps:contact
-(has)>
*
The contact is or was in possession of the target node.
ps:contact
-(owns)>
*
The contact owns or owned the target node.
ps:person
-(has)>
*
The person is or was in possession of the target node.
ps:person
-(owns)>
*
The person owns or owned the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:extortion
-(leveraged)>
*
The extortion event was based on attacker access to the target node.
risk:leak
-(leaked)>
*
The leak included the disclosure of the target node.
risk:outage
-(impacted)>
*
The outage event impacted the availability of the target node.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
sci:evidence
-(has)>
*
The evidence includes observations from the target nodes.
sci:experiment
-(uses)>
*
The experiment used the target nodes when it was run.
sci:observation
-(has)>
*
The observations are summarized from the target nodes.
it:dev:repo:issue:label
A label applied to a repository issue.
The base type for the form can be found at it:dev:repo:issue:label.
- Properties:
name
type
doc
opts
:issue
The issue the label was applied to.
:label
The label that was applied to the issue.
:applied