Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

| name | type | doc |
|---|---|---|
| :creds | auth:creds | The credentials used to attempt access. |
| :time | time | The time of the access attempt. |
| :success | bool | Set to true if the access was successful. |
| :person | ps:person | The person who attempted access. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

| name | type | doc |
|---|---|---|
| :email | inet:email | The email address used to identify the user. |
| :user | inet:user | The user name used to identify the user. |
| :phone | tel:phone | The phone number used to identify the user. |
| :passwd | inet:passwd | The password used to authenticate. |
| :passwdhash | it:auth:passwdhash | The password hash used to authenticate. |
| :account | it:account | The account that the creds allow access to. |
| :website | inet:url | The base URL of the website that the credentials allow access to. |
| :host | it:host | The host that the credentials allow access to. |
| :wifi:ssid | inet:wifi:ssid | The WiFi SSID that the credentials allow access to. |
| :web:acct | inet:web:acct | The web account that the credentials allow access to. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:subscriber

A contact which subscribes to a belief system.

The base type for the form can be found at belief:subscriber.

Properties:

| name | type | doc |
|---|---|---|
| :contact | ps:contact | The contact which subscribes to the belief system. |
| :system | belief:system | The belief system to which the contact subscribes. |
| :began | time | The time that the contact began to be a subscriber to the belief system. |
| :ended | time | The time when the contact ceased to be a subscriber to the belief system. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| belief:subscriber | -(follows)> | belief:tenet | The subscriber is assessed to generally adhere to the specific tenet. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:system

A belief system such as an ideology, philosophy, or religion.

The base type for the form can be found at belief:system.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | onespace: True; lower: True | The name of the belief system. | |
| :desc | str | A description of the belief system. | Display: {'hint': 'text'} |
| :type | belief:system:type:taxonomy | A taxonomic type for the belief system. | |
| :began | time | The time that the belief system was first observed. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| belief:system | -(has)> | belief:tenet | The belief system includes the tenet. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types.

The base type for the form can be found at belief:system:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | belief:system:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:tenet

A concrete tenet potentially shared by multiple belief systems.

The base type for the form can be found at belief:tenet.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | onespace: True; lower: True | The name of the tenet. | |
| :desc | str | A description of the tenet. | Display: {'hint': 'text'} |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| belief:subscriber | -(follows)> | belief:tenet | The subscriber is assessed to generally adhere to the specific tenet. |
| belief:system | -(has)> | belief:tenet | The belief system includes the tenet. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :count | int | The number of instances of the product or service included in the bundle. | |
| :price | econ:price | The price of the bundle. | |
| :product | biz:product | The product included in the bundle. | |
| :service | biz:service | The service included in the bundle. | |
| :deal | biz:deal | Deprecated. Please use econ:receipt:item for instances of bundles being sold. | Deprecated: True |
| :purchase | econ:purchase | Deprecated. Please use econ:receipt:item for instances of bundles being sold. | Deprecated: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A title for the deal. | |
| :type | biz:dealtype | The type of deal. | Display: {'hint': 'taxonomy'} |
| :status | biz:dealstatus | The status of the deal. | Display: {'hint': 'taxonomy'} |
| :updated | time | The last time the deal had a significant update. | |
| :contacted | time | The last time the contacts communicated about the deal. | |
| :rfp | biz:rfp | The RFP that the deal is in response to. | |
| :buyer | ps:contact | The primary contact information for the buyer. | |
| :buyer:org | ou:org | The buyer org. | |
| :buyer:orgname | ou:name | The reported ou:name of the buyer org. | |
| :buyer:orgfqdn | inet:fqdn | The reported inet:fqdn of the buyer org. | |
| :seller | ps:contact | The primary contact information for the seller. | |
| :seller:org | ou:org | The seller org. | |
| :seller:orgname | ou:name | The reported ou:name of the seller org. | |
| :seller:orgfqdn | inet:fqdn | The reported inet:fqdn of the seller org. | |
| :currency | econ:currency | The currency of econ:price values associated with the deal. | |
| :buyer:budget | econ:price | The buyer's budget for the eventual purchase. | |
| :buyer:deadline | time | When the buyer intends to make a decision. | |
| :offer:price | econ:price | The total price of the offered products. | |
| :offer:expires | time | When the offer expires. | |
| :purchase | econ:purchase | Records a purchase resulting from the deal. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | biz:dealstatus | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | biz:dealtype | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

name

type

doc

:seller

ps:contact

The contact information for the seller.

:product

biz:product

The product being offered.

:service

biz:service

The service being offered.

:current

bool

Set to true if the offer is still current.

:time

time

The first known offering of this product/service by the organization for the asking price.

:expires

time

Set if the offer has a known expiration date.

:price

econ:price

The asking price of the product or service.

:currency

econ:currency

The currency of the asking price.

:count:total

min: 0

The number of instances for sale.

:count:remaining

min: 0

The current remaining number of instances for sale.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

biz:prodtype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

name

type

doc

opts

:name

str

The name of the product.

:type

biz:prodtype

The type of product.

Display: {'hint': 'taxonomy'}

:summary

str

A brief summary of the product.

Display: {'hint': 'text'}

:maker

ps:contact

A contact for the maker of the product.

:madeby:org

ou:org

Deprecated. Please use biz:product:maker.

Deprecated: True

:madeby:orgname

ou:name

Deprecated. Please use biz:product:maker.

Deprecated: True

:madeby:orgfqdn

inet:fqdn

Deprecated. Please use biz:product:maker.

Deprecated: True

:price:retail

econ:price

The MSRP price of the product.

:price:bottom

econ:price

The minimum offered or observed price of the product.

:price:currency

econ:currency

The currency of the retail and bottom price properties.

:bundles

uniq: True
sorted: True

An array of bundles included with the product.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

name

type

doc

opts

:ext:id

str

An externally specified identifier for the RFP.

:title

str

The title of the RFP.

:summary

str

A brief summary of the RFP.

Display: {'hint': 'text'}

:status

biz:dealstatus

The status of the RFP.

Display: {'hint': 'enum'}

:url

inet:url

The official URL for the RFP.

:file

file:bytes

The RFP document.

:posted

time

The date/time that the RFP was posted.

:quesdue

time

The date/time that questions are due.

:propdue

time

The date/time that proposals are due.

:contact

ps:contact

The contact information given for the org requesting offers.

:purchases

uniq: True
sorted: True

Any known purchases that resulted from the RFP.

:requirements

type: ou:goal
uniq: True
sorted: True

A typed array which indexes each field.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

name

type

doc

opts

:provider

ps:contact

The contact info of the entity which performs the service.

:name

lower: True
onespace: True

The name of the service being performed.

:summary

str

A brief summary of the service.

Display: {'hint': 'text'}

:type

biz:service:type:taxonomy

A taxonomy of service types.

:launched

time

The time when the operator first made the service available.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

name

type

doc

:vitals

ou:vitals

The ou:vitals snapshot this stake is part of.

:org

ou:org

The resolved org.

:orgname

ou:name

The org name as reported by the source of the vitals.

:orgfqdn

inet:fqdn

The org FQDN as reported by the source of the vitals.

:name

str

An arbitrary name for this stake. Can be non-contact like “pool”.

:asof

time

The time the stake is being measured. Likely as part of an ou:vitals.

:shares

int

The number of shares represented by the stake.

:invested

econ:price

The amount of money invested in the cap table iteration.

:value

econ:price

The monetary value of the stake.

:percent

hugenum

The percentage ownership represented by this stake.

:owner

ps:contact

Contact information of the owner of the stake.

:purchase

econ:purchase

The purchase event for the stake.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

  • aes256

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

  • btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

name

type

doc

opts

:coin

crypto:currency:coin

The crypto coin to which the address belongs.

Read Only: True

:seed

crypto:key

The cryptographic key and/or password used to generate the address.

:iden

str

The coin specific address identifier.

Read Only: True

:desc

str

A free-form description of the address.

:contact

ps:contact

Contact information associated with the address.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

name

type

doc

opts

:coin

crypto:currency:coin

The coin/blockchain this block resides on.

Read Only: True

:offset

int

The index of this block.

Read Only: True

:hash

hex

The unique hash for the block.

:minedby

crypto:currency:address

The address which mined the block.

:time

time

The timestamp embedded in the block by the miner.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

  • (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

name

type

doc

opts

:inetaddr

inet:client

The Internet client address observed using the crypto currency address.

Read Only: True

:coinaddr

crypto:currency:address

The crypto currency address observed in use by the Internet client.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

  • btc

Properties:

name

type

doc

:name

str

The full name of the crypto coin.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

name

type

doc

opts

:hash

hex

The unique transaction hash for the transaction.

:desc

str

An analyst-specified description of the transaction.

:block

crypto:currency:block

The block which records the transaction.

:block:coin

crypto:currency:coin

The coin/blockchain of the block which records this transaction.

:block:offset

int

The offset of the block which records this transaction.

:success

bool

Set to true if the transaction was successfully executed and recorded.

:status:code

int

A coin-specific status code which may represent an error reason.

:status:message

str

A coin-specific status message which may contain an error reason.

:to

crypto:currency:address

The destination address of the transaction.

:from

crypto:currency:address

The source address of the transaction.

:inputs

sorted: True
uniq: True

Deprecated. Please use crypto:payment:input:transaction.

Deprecated: True

:outputs

sorted: True
uniq: True

Deprecated. Please use crypto:payment:output:transaction.

Deprecated: True

:fee

econ:price

The total fee paid to execute the transaction.

:value

econ:price

The total value of the transaction.

:time

time

The time this transaction was initiated.

:eth:gasused

int

The amount of gas used to execute this transaction.

:eth:gaslimit

int

The ETH gas limit specified for this transaction.

:eth:gasprice

econ:price

The gas price (in ETH) specified for this transaction.

:contract:input

file:bytes

Input value to a smart contract call.

:contract:output

file:bytes

Output value of a smart contract call.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

name

type

doc

opts

:algorithm

crypto:algorithm

The cryptographic algorithm which uses the key material.

Example: aes256

:mode

lower: True
onespace: True

The algorithm specific mode in use.

:iv

hex

The hex-encoded initialization vector.

:public

hex

The hex-encoded public key material, if the algorithm has a public/private key pair.

:public:md5

hash:md5

The MD5 hash of the public key in raw binary form.

:public:sha1

hash:sha1

The SHA1 hash of the public key in raw binary form.

:public:sha256

hash:sha256

The SHA256 hash of the public key in raw binary form.

:private

hex

The hex-encoded private key material. All symmetric keys are private.

:private:md5

hash:md5

The MD5 hash of the private key in raw binary form.

:private:sha1

hash:sha1

The SHA1 hash of the private key in raw binary form.

:private:sha256

hash:sha256

The SHA256 hash of the private key in raw binary form.

:seed:passwd

inet:passwd

The seed password used to generate the key material.

:seed:algorithm

crypto:algorithm

The algorithm used to generate the key from the seed password.

Example: pbkdf2

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

name

type

doc

:transaction

crypto:currency:transaction

The transaction the payment was input to.

:address

crypto:currency:address

The address which paid into the transaction.

:value

econ:price

The value of the currency paid into the transaction.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

name

type

doc

:transaction

crypto:currency:transaction

The transaction the payment was output from.

:address

crypto:currency:address

The address which received payment from the transaction.

:value

econ:price

The value of the currency received from the transaction.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

name

type

doc

:transaction

crypto:currency:transaction

The transaction which created the contract.

:address

crypto:currency:address

The address of the contract.

:bytecode

file:bytes

The bytecode which implements the contract.

:token:name

str

The ERC-20 token name.

:token:symbol

str

The ERC-20 token symbol.

:token:totalsupply

hugenum

The ERC-20 totalSupply value.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was destroyed.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:amount

hugenum

The number of tokens added, or removed if negative.

:totalsupply

hugenum

The total supply of tokens after this modification.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was created.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

name

type

doc

:owner

crypto:currency:address

The address granting proxy authority to manipulate non-fungible tokens.

:proxy

crypto:currency:address

The address granted proxy authority to manipulate non-fungible tokens.

:token

crypto:smart:token

The specific token being granted access to.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:owner

crypto:currency:address

The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.

:proxy

crypto:currency:address

The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.

:approval

bool

The approval status.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:owner

crypto:currency:address

The address granting proxy authority to manipulate fungible tokens.

:proxy

crypto:currency:address

The address granted proxy authority to manipulate fungible tokens.

:amount

hex

The hex encoded amount of tokens the proxy is allowed to manipulate.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was transferred.

:from

crypto:currency:address

The address the NFT was transferred from.

:to

crypto:currency:address

The address the NFT was transferred to.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:from

crypto:currency:address

The address the tokens were transferred from.

:to

crypto:currency:address

The address the tokens were transferred to.

:amount

hugenum

The number of tokens transferred.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

name

type

doc

opts

:contract

crypto:smart:contract

The smart contract which defines and manages the token.

Read Only: True

:tokenid

hugenum

The token ID.

Read Only: True

:owner

crypto:currency:address

The address which currently owns the token.

:nft:url

inet:url

The URL which hosts the NFT metadata.

:nft:meta

data

The raw NFT metadata.

:nft:meta:name

str

The name field from the NFT metadata.

:nft:meta:description

str

The description field from the NFT metadata.

Display: {'hint': 'text'}

:nft:meta:image

inet:url

The image URL from the NFT metadata.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

name

type

doc

:file

file:bytes

The file that the certificate metadata was parsed from.

:subject

str

The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.

:issuer

str

The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.

:issuer:cert

crypto:x509:cert

The certificate used by the issuer to sign this certificate.

:serial

zeropad: 40

The certificate serial number as a big endian hex value.

:version

enums: ((0, 'v1'), (2, 'v3'))

The version integer in the certificate (e.g. 2 == v3).

:validity:notbefore

time

The timestamp for the beginning of the certificate validity period.

:validity:notafter

time

The timestamp for the end of the certificate validity period.

:md5

hash:md5

The MD5 fingerprint for the certificate.

:sha1

hash:sha1

The SHA1 fingerprint for the certificate.

:sha256

hash:sha256

The SHA256 fingerprint for the certificate.

:rsa:key

rsa:key

The optional RSA public key associated with the certificate.

:algo

iso:oid

The X.509 signature algorithm OID.

:signature

hex

The hexadecimal representation of the digital signature.

:ext:sans

uniq: True
sorted: True

The Subject Alternate Names (SANs) listed in the certificate.

:ext:crls

uniq: True
sorted: True

A list of Subject Alternate Names (SANs) for Distribution Points.

:identities:fqdns

type: inet:fqdn
uniq: True
sorted: True

The fused list of FQDNs identified by the cert CN and SANs.

:identities:emails

uniq: True
sorted: True

The fused list of e-mail addresses identified by the cert CN and SANs.

:identities:ipv4s

type: inet:ipv4
uniq: True
sorted: True

The fused list of IPv4 addresses identified by the cert CN and SANs.

:identities:ipv6s

type: inet:ipv6
uniq: True
sorted: True

The fused list of IPv6 addresses identified by the cert CN and SANs.

:identities:urls

type: inet:url
uniq: True
sorted: True

The fused list of URLs identified by the cert CN and SANs.

:crl:urls

type: inet:url
uniq: True
sorted: True

The extracted URL values from the CRLs extension.

:selfsigned

bool

Whether this is a self-signed certificate.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

name

type

doc

:file

file:bytes

The file containing the CRL.

:url

inet:url

The URL where the CRL was published.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

name

type

doc

opts

:crl

crypto:x509:crl

The CRL which revoked the certificate.

Read Only: True

:cert

crypto:x509:cert

The certificate revoked by the CRL.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

name

type

doc

opts

:cert

crypto:x509:cert

The certificate for the key which signed the file.

Read Only: True

:file

file:bytes

The file which was signed by the certificate's key.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

name

type

doc

:time

time

The time the balance was recorded.

:pay:card

econ:pay:card

The payment card holding the balance.

:crypto:address

crypto:currency:address

The crypto currency address holding the balance.

:amount

econ:price

The account balance at the time.

:currency

econ:currency

The currency of the balance amount.

:delta

econ:price

The change since the last regular sample.

:total:received

econ:price

The total amount of currency received by the account.

:total:sent

econ:price

The total amount of currency sent from the account.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:acct:invoice

An invoice issued requesting payment.

The base type for the form can be found at econ:acct:invoice.

Properties:

name

type

doc

:issued

time

The time that the invoice was issued to the recipient.

:issuer

ps:contact

The contact information for the entity who issued the invoice.

:purchase

econ:purchase

The purchase that the invoice is requesting payment for.

:recipient

ps:contact

The contact information for the intended recipient of the invoice.

:due

time

The time by which the payment is due.

:paid

bool

Set to true if the invoice has been paid in full.

:amount

econ:price

The balance due.

:currency

econ:currency

The currency that the invoice specifies for payment.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

name

type

doc

:txnid

strip: True

A payment processor specific transaction id.

:fee

econ:price

The transaction fee paid by the recipient to the payment processor.

:from:account

econ:bank:account

The bank account which made the payment.

:from:pay:card

econ:pay:card

The payment card making the payment.

:from:contract

ou:contract

A contract used as an aggregate payment source.

:from:coinaddr

crypto:currency:address

The crypto currency address making the payment.

:from:contact

ps:contact

Contact information for the entity making the payment.

:to:account

econ:bank:account

The bank account which received the payment.

:to:coinaddr

crypto:currency:address

The crypto currency address receiving the payment.

:to:contact

ps:contact

Contact information for the person/org being paid.

:to:contract

ou:contract

A contract used as an aggregate payment destination.

:time

time

The time the payment was processed.

:purchase

econ:purchase

The purchase which the payment was paying for.

:amount

econ:price

The amount of money transferred in the payment.

:currency

econ:currency

The currency of the payment.

:memo

str

A small note specified by the payer, as is common in financial transactions.

:crypto:transaction

crypto:currency:transaction

A crypto currency transaction that initiated the payment.

:invoice

econ:acct:invoice

The invoice that the payment applies to.

:receipt

econ:acct:receipt

The receipt that was issued for the payment.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:bank:statement

-(has)>

econ:acct:payment

The bank statement includes the payment.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:acct:receipt

A receipt issued as proof of payment.

The base type for the form can be found at econ:acct:receipt.

Properties:

name

type

doc

:issued

time

The time the receipt was issued.

:purchase

econ:purchase

The purchase that the receipt confirms payment for.

:issuer

ps:contact

The contact information for the entity who issued the receipt.

:recipient

ps:contact

The contact information for the entity who received the receipt.

:currency

econ:currency

The currency that the receipt uses to specify the price.

:amount

econ:price

The price that the receipt confirms was paid.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

name

type

doc

opts

:purchase

econ:purchase

The purchase event which acquired an item.

Read Only: True

:item

ndef

A reference to the item that was acquired.

Read Only: True

:item:form

str

The form of item purchased.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:aba:rtn

An American Bank Association (ABA) routing transit number (RTN).

The base type for the form can be found at econ:bank:aba:rtn.

Properties:

name

type

doc

:bank

ou:org

The bank which was issued the ABA RTN.

:bank:name

ou:name

The name which is registered for this ABA RTN.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:account

A bank account.

The base type for the form can be found at econ:bank:account.

Properties:

name

type

doc

:type

econ:bank:account:type:taxonomy

The type of bank account.

:aba:rtn

econ:bank:aba:rtn

The ABA routing transit number for the bank which issued the account.

:number

regex: [0-9]+

The account number.

:iban

econ:bank:iban

The IBAN for the account.

:contact

ps:contact

The contact information associated with the bank account.

:issuer

ou:org

The bank which issued the account.

:issuer:name

ou:name

The name of the bank which issued the account.

:currency

econ:currency

The currency of the account balance.

:balance

econ:bank:balance

The most recently known bank balance information.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:account:type:taxonomy

A bank account type taxonomy.

The base type for the form can be found at econ:bank:account:type:taxonomy.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:balance

A balance contained by a bank account at a point in time.

The base type for the form can be found at econ:bank:balance.

Properties:

name

type

doc

:time

time

The time that the account balance was observed.

:amount

econ:price

The amount of currency available at the time.

:account

econ:bank:account

The bank account which contained the balance amount.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:iban

An International Bank Account Number.

The base type for the form can be found at econ:bank:iban.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:statement

A statement of bank account payment activity over a period of time.

The base type for the form can be found at econ:bank:statement.

Properties:

name

type

doc

:account

econ:bank:account

The bank account used to compute the statement.

:period

ival

The period that the statement includes.

:starting:balance

econ:price

The account balance at the beginning of the statement period.

:ending:balance

econ:price

The account balance at the end of the statement period.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

econ:bank:statement

-(has)>

econ:acct:payment

The bank statement includes the payment.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:bank:swift:bic

A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC).

The base type for the form can be found at econ:bank:swift:bic.

Properties:

name

type

doc

:business

ou:org

The business which is the registered owner of the SWIFT BIC.

:office

ps:contact

The branch or office which is specified in the last 3 digits of the SWIFT BIC.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

name

type

doc

:security

econ:fin:security

The security measured by the bar.

:ival

ival

The interval of measurement.

:price:open

econ:price

The opening price of the security.

:price:close

econ:price

The closing price of the security.

:price:low

econ:price

The low price of the security.

:price:high

econ:price

The high price of the security.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

name

type

doc

opts

:name

lower: True
strip: True

A simple name for the exchange.

Example: nasdaq

:org

ou:org

The organization that operates the exchange.

:currency

econ:currency

The currency used for all transactions in the exchange.

Example: usd

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

name

type

doc

:exchange

econ:fin:exchange

The exchange on which the security is traded.

:ticker

lower: True
strip: True

The identifier for this security within the exchange.

:type

lower: True
strip: True

A user defined type such as stock, bond, option, future, or forex.

:price

econ:price

The last known/available price of the security.

:time

time

The time of the last known price sample.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

name

type

doc

:security

econ:fin:security

The security measured by the tick.

:time

time

The time the price was sampled.

:price

econ:price

The price of the security at the time.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

name

type

doc

:pan

econ:pay:pan

The payment card number.

:pan:mii

econ:pay:mii

The payment card MII.

:pan:iin

econ:pay:iin

The payment card IIN.

:name

ps:name

The name as it appears on the card.

:expr

time

The expiration date for the card.

:cvv

econ:pay:cvv

The Card Verification Value on the card.

:pin

econ:pay:pin

The Personal Identification Number on the card.

:account

econ:bank:account

A bank account associated with the payment card.

:contact

ps:contact

The contact information associated with the payment card.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:pay:iin

An Issuer Id Number (IIN).

The base type for the form can be found at econ:pay:iin.

Properties:

name

type

doc

:org

ou:org

The issuer organization.

:name

lower: True

The registered name of the issuer.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

name

type

doc

:by:contact

ps:contact

The contact information used to make the purchase.

:from:contact

ps:contact

The contact information used to sell the item.

:time

time

The time of the purchase.

:place

geo:place

The place where the purchase took place.

:paid

bool

Set to True if the purchase has been paid in full.

:paid:time

time

The point in time where the purchase was paid in full.

:settled

time

The point in time where the purchase was settled.

:campaign

ou:campaign

The campaign that the purchase was in support of.

:price

econ:price

The econ:price of the purchase.

:currency

econ:currency

The econ:price of the purchase.

:listing

biz:listing

The purchase was made based on the given listing.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack