Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

name	type	doc
:creds	auth:creds	The credentials used to attempt access.
:time	time	The time of the access attempt.
:success	bool	Set to true if the access was successful.
:person	ps:person	The person who attempted access.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

name	type	doc	opts
:email	inet:email	The email address used to identify the user.
:user	inet:user	The user name used to identify the user.
:phone	tel:phone	The phone number used to identify the user.
:passwd	inet:passwd	The password used to authenticate.
:passwdhash	it:auth:passwdhash	The password hash used to authenticate.
:account	it:account	The account that the creds allow access to.
:website	inet:url	The base URL of the website that the credentials allow access to.
:host	it:host	The host that the credentials allow access to.
:wifi:ssid	inet:wifi:ssid	The WiFi SSID that the credentials allow access to.
:web:acct	inet:web:acct	Deprecated. Use :service:account.	Deprecated: True
:service:account	inet:service:account	The service account that the credentials allow access to.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

belief:subscriber

A contact which subscribes to a belief system.

The base type for the form can be found at belief:subscriber.

Properties:

name	type	doc
:contact	ps:contact	The contact which subscribes to the belief system.
:system	belief:system	The belief system to which the contact subscribes.
:began	time	The time that the contact began to be a subscriber to the belief system.
:ended	time	The time when the contact ceased to be a subscriber to the belief system.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
belief:subscriber	-(follows)>	belief:tenet	The subscriber is assessed to generally adhere to the specific tenet.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

belief:system

A belief system such as an ideology, philosophy, or religion.

The base type for the form can be found at belief:system.

Properties:

name	type	doc	opts
:name	str onespace: True lower: True	The name of the belief system.
:desc	str	A description of the belief system.	Display: {'hint': 'text'}
:type	belief:system:type:taxonomy	A taxonometric type for the belief system.
:began	time	The time that the belief system was first observed.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
belief:system	-(has)>	belief:tenet	The belief system includes the tenet.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types.

The base type for the form can be found at belief:system:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	belief:system:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

belief:tenet

A concrete tenet potentially shared by multiple belief systems.

The base type for the form can be found at belief:tenet.

Properties:

name	type	doc	opts
:name	str onespace: True lower: True	The name of the tenet.
:desc	str	A description of the tenet.	Display: {'hint': 'text'}

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
belief:subscriber	-(follows)>	belief:tenet	The subscriber is assessed to generally adhere to the specific tenet.
belief:system	-(has)>	belief:tenet	The belief system includes the tenet.
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

name	type	doc	opts
:count	int	The number of instances of the product or service included in the bundle.
:price	econ:price	The price of the bundle.
:product	biz:product	The product included in the bundle.
:service	biz:service	The service included in the bundle.
:deal	biz:deal	Deprecated. Please use econ:receipt:item for instances of bundles being sold.	Deprecated: True
:purchase	econ:purchase	Deprecated. Please use econ:receipt:item for instances of bundles being sold.	Deprecated: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

name	type	doc	opts
:id	str strip: True	An identifier for the deal.
:title	str	A title for the deal.
:type	biz:dealtype	The type of deal.	Display: {'hint': 'taxonomy'}
:status	biz:dealstatus	The status of the deal.	Display: {'hint': 'taxonomy'}
:updated	time	The last time the deal had a significant update.
:contacted	time	The last time the contacts communicated about the deal.
:rfp	biz:rfp	The RFP that the deal is in response to.
:buyer	ps:contact	The primary contact information for the buyer.
:buyer:org	ou:org	The buyer org.
:buyer:orgname	ou:name	The reported ou:name of the buyer org.
:buyer:orgfqdn	inet:fqdn	The reported inet:fqdn of the buyer org.
:seller	ps:contact	The primary contact information for the seller.
:seller:org	ou:org	The seller org.
:seller:orgname	ou:name	The reported ou:name of the seller org.
:seller:orgfqdn	inet:fqdn	The reported inet:fqdn of the seller org.
:currency	econ:currency	The currency of econ:price values associated with the deal.
:buyer:budget	econ:price	The buyers budget for the eventual purchase.
:buyer:deadline	time	When the buyer intends to make a decision.
:offer:price	econ:price	The total price of the offered products.
:offer:expires	time	When the offer expires.
:purchase	econ:purchase	Records a purchase resulting from the deal.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	biz:dealstatus	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	biz:dealtype	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

name	type	doc
:seller	ps:contact	The contact information for the seller.
:product	biz:product	The product being offered.
:service	biz:service	The service being offered.
:current	bool	Set to true if the offer is still current.
:time	time	The first known offering of this product/service by the organization for the asking price.
:expires	time	Set if the offer has a known expiration date.
:price	econ:price	The asking price of the product or service.
:currency	econ:currency	The currency of the asking price.
:count:total	int min: 0	The number of instances for sale.
:count:remaining	int min: 0	The current remaining number of instances for sale.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	biz:prodtype	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

name	type	doc	opts
:name	str	The name of the product.
:type	biz:prodtype	The type of product.	Display: {'hint': 'taxonomy'}
:summary	str	A brief summary of the product.	Display: {'hint': 'text'}
:maker	ps:contact	A contact for the maker of the product.
:madeby:org	ou:org	Deprecated. Please use biz:product:maker.	Deprecated: True
:madeby:orgname	ou:name	Deprecated. Please use biz:product:maker.	Deprecated: True
:madeby:orgfqdn	inet:fqdn	Deprecated. Please use biz:product:maker.	Deprecated: True
:price:retail	econ:price	The MSRP price of the product.
:price:bottom	econ:price	The minimum offered or observed price of the product.
:price:currency	econ:currency	The currency of the retail and bottom price properties.
:bundles	array type: biz:bundle uniq: True sorted: True	An array of bundles included with the product.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

name	type	doc	opts
:ext:id	str	An externally specified identifier for the RFP.
:title	str	The title of the RFP.
:summary	str	A brief summary of the RFP.	Display: {'hint': 'text'}
:status	biz:dealstatus	The status of the RFP.	Display: {'hint': 'enum'}
:url	inet:url	The official URL for the RFP.
:file	file:bytes	The RFP document.
:posted	time	The date/time that the RFP was posted.
:quesdue	time	The date/time that questions are due.
:propdue	time	The date/time that proposals are due.
:contact	ps:contact	The contact information given for the org requesting offers.
:purchases	array type: econ:purchase uniq: True sorted: True	Any known purchases that resulted from the RFP.
:requirements	array type: ou:goal uniq: True sorted: True	A typed array which indexes each field.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

name	type	doc	opts
:provider	ps:contact	The contact info of the entity which performs the service.
:name	str lower: True onespace: True	The name of the service being performed.
:summary	str	A brief summary of the service.	Display: {'hint': 'text'}
:type	biz:service:type:taxonomy	A taxonomy of service types.
:launched	time	The time when the operator first made the service available.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

name	type	doc
:vitals	ou:vitals	The ou:vitals snapshot this stake is part of.
:org	ou:org	The resolved org.
:orgname	ou:name	The org name as reported by the source of the vitals.
:orgfqdn	inet:fqdn	The org FQDN as reported by the source of the vitals.
:name	str	An arbitrary name for this stake. Can be non-contact like “pool”.
:asof	time	The time the stake is being measured. Likely as part of an ou:vitals.
:shares	int	The number of shares represented by the stake.
:invested	econ:price	The amount of money invested in the cap table iteration.
:value	econ:price	The monetary value of the stake.
:percent	hugenum	The percentage ownership represented by this stake.
:owner	ps:contact	Contact information of the owner of the stake.
:purchase	econ:purchase	The purchase event for the stake.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

• aes256

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

• btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

name	type	doc	opts
:coin	crypto:currency:coin	The crypto coin to which the address belongs.	Read Only: True
:seed	crypto:key	The cryptographic key and or password used to generate the address.
:iden	str	The coin specific address identifier.	Read Only: True
:desc	str	A free-form description of the address.
:contact	ps:contact	The primary contact for the crypto currency address.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

name	type	doc	opts
:coin	crypto:currency:coin	The coin/blockchain this block resides on.	Read Only: True
:offset	int	The index of this block.	Read Only: True
:hash	hex	The unique hash for the block.
:minedby	crypto:currency:address	The address which mined the block.
:time	time	Time timestamp embedded in the block by the miner.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

• (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

name	type	doc	opts
:inetaddr	inet:client	The Internet client address observed using the crypto currency address.	Read Only: True
:coinaddr	crypto:currency:address	The crypto currency address observed in use by the Internet client.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

• btc

Properties:

name	type	doc
:name	str	The full name of the crypto coin.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

name	type	doc	opts
:hash	hex	The unique transaction hash for the transaction.
:desc	str	An analyst specified description of the transaction.
:block	crypto:currency:block	The block which records the transaction.
:block:coin	crypto:currency:coin	The coin/blockchain of the block which records this transaction.
:block:offset	int	The offset of the block which records this transaction.
:success	bool	Set to true if the transaction was successfully executed and recorded.
:status:code	int	A coin specific status code which may represent an error reason.
:status:message	str	A coin specific status message which may contain an error reason.
:to	crypto:currency:address	The destination address of the transaction.
:from	crypto:currency:address	The source address of the transaction.
:inputs	array type: crypto:payment:input sorted: True uniq: True	Deprecated. Please use crypto:payment:input:transaction.	Deprecated: True
:outputs	array type: crypto:payment:output sorted: True uniq: True	Deprecated. Please use crypto:payment:output:transaction.	Deprecated: True
:fee	econ:price	The total fee paid to execute the transaction.
:value	econ:price	The total value of the transaction.
:time	time	The time this transaction was initiated.
:eth:gasused	int	The amount of gas used to execute this transaction.
:eth:gaslimit	int	The ETH gas limit specified for this transaction.
:eth:gasprice	econ:price	The gas price (in ETH) specified for this transaction.
:contract:input	file:bytes	Input value to a smart contract call.
:contract:output	file:bytes	Output value of a smart contract call.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

name	type	doc	opts
:algorithm	crypto:algorithm	The cryptographic algorithm which uses the key material.	Example: aes256
:mode	str lower: True onespace: True	The algorithm specific mode in use.
:iv	hex	The hex encoded initialization vector.
:iv:text	it:dev:str	Set only if the :iv property decodes to ASCII.
:public	hex	The hex encoded public key material if the algorithm has a public/private key pair.
:public:text	it:dev:str	Set only if the :public property decodes to ASCII.
:public:md5	hash:md5	The MD5 hash of the public key in raw binary form.
:public:sha1	hash:sha1	The SHA1 hash of the public key in raw binary form.
:public:sha256	hash:sha256	The SHA256 hash of the public key in raw binary form.
:private	hex	The hex encoded private key material. All symmetric keys are private.
:private:text	it:dev:str	Set only if the :private property decodes to ASCII.
:private:md5	hash:md5	The MD5 hash of the private key in raw binary form.
:private:sha1	hash:sha1	The SHA1 hash of the private key in raw binary form.
:private:sha256	hash:sha256	The SHA256 hash of the private key in raw binary form.
:seed:passwd	inet:passwd	The seed password used to generate the key material.
:seed:algorithm	crypto:algorithm	The algorithm used to generate the key from the seed password.	Example: pbkdf2

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

name	type	doc
:transaction	crypto:currency:transaction	The transaction the payment was input to.
:address	crypto:currency:address	The address which paid into the transaction.
:value	econ:price	The value of the currency paid into the transaction.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

name	type	doc
:transaction	crypto:currency:transaction	The transaction the payment was output from.
:address	crypto:currency:address	The address which received payment from the transaction.
:value	econ:price	The value of the currency received from the transaction.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

name	type	doc
:transaction	crypto:currency:transaction	The transaction which created the contract.
:address	crypto:currency:address	The address of the contract.
:bytecode	file:bytes	The bytecode which implements the contract.
:token:name	str	The ERC-20 token name.
:token:symbol	str	The ERC-20 token symbol.
:token:totalsupply	hugenum	The ERC-20 totalSupply value.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

name	type	doc
:token	crypto:smart:token	The non-fungible token that was destroyed.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:amount	hugenum	The number of tokens added or removed if negative.
:totalsupply	hugenum	The total supply of tokens after this modification.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

name	type	doc
:token	crypto:smart:token	The non-fungible token that was created.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

name	type	doc
:owner	crypto:currency:address	The address granting proxy authority to manipulate non-fungible tokens.
:proxy	crypto:currency:address	The address granted proxy authority to manipulate non-fungible tokens.
:token	crypto:smart:token	The specific token being granted access to.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:owner	crypto:currency:address	The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.
:proxy	crypto:currency:address	The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.
:approval	bool	The approval status.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:owner	crypto:currency:address	The address granting proxy authority to manipulate fungible tokens.
:proxy	crypto:currency:address	The address granted proxy authority to manipulate fungible tokens.
:amount	hex	The hex encoded amount of tokens the proxy is allowed to manipulate.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

name	type	doc
:token	crypto:smart:token	The non-fungible token that was transferred.
:from	crypto:currency:address	The address the NFT was transferred from.
:to	crypto:currency:address	The address the NFT was transferred to.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:from	crypto:currency:address	The address the tokens were transferred from.
:to	crypto:currency:address	The address the tokens were transferred to.
:amount	hugenum	The number of tokens transferred.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

name	type	doc	opts
:contract	crypto:smart:contract	The smart contract which defines and manages the token.	Read Only: True
:tokenid	hugenum	The token ID.	Read Only: True
:owner	crypto:currency:address	The address which currently owns the token.
:nft:url	inet:url	The URL which hosts the NFT metadata.
:nft:meta	data	The raw NFT metadata.
:nft:meta:name	str	The name field from the NFT metadata.
:nft:meta:description	str	The description field from the NFT metadata.	Display: {'hint': 'text'}
:nft:meta:image	inet:url	The image URL from the NFT metadata.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

name	type	doc
:file	file:bytes	The file that the certificate metadata was parsed from.
:subject	str	The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.
:issuer	str	The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.
:issuer:cert	crypto:x509:cert	The certificate used by the issuer to sign this certificate.
:serial	hex zeropad: 40	The certificate serial number as a big endian hex value.
:version	int enums: ((0, 'v1'), (2, 'v3'))	The version integer in the certificate. (ex. 2 == v3 ).
:validity:notbefore	time	The timestamp for the beginning of the certificate validity period.
:validity:notafter	time	The timestamp for the end of the certificate validity period.
:md5	hash:md5	The MD5 fingerprint for the certificate.
:sha1	hash:sha1	The SHA1 fingerprint for the certificate.
:sha256	hash:sha256	The SHA256 fingerprint for the certificate.
:rsa:key	rsa:key	The optional RSA public key associated with the certificate.
:algo	iso:oid	The X.509 signature algorithm OID.
:signature	hex	The hexadecimal representation of the digital signature.
:ext:sans	array type: crypto:x509:san uniq: True sorted: True	The Subject Alternate Names (SANs) listed in the certificate.
:ext:crls	array type: crypto:x509:san uniq: True sorted: True	A list of Subject Alternate Names (SANs) for Distribution Points.
:identities:fqdns	array type: inet:fqdn uniq: True sorted: True	The fused list of FQDNs identified by the cert CN and SANs.
:identities:emails	array type: inet:email uniq: True sorted: True	The fused list of e-mail addresses identified by the cert CN and SANs.
:identities:ipv4s	array type: inet:ipv4 uniq: True sorted: True	The fused list of IPv4 addresses identified by the cert CN and SANs.
:identities:ipv6s	array type: inet:ipv6 uniq: True sorted: True	The fused list of IPv6 addresses identified by the cert CN and SANs.
:identities:urls	array type: inet:url uniq: True sorted: True	The fused list of URLs identified by the cert CN and SANs.
:crl:urls	array type: inet:url uniq: True sorted: True	The extracted URL values from the CRLs extension.
:selfsigned	bool	Whether this is a self-signed certificate.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

name	type	doc
:file	file:bytes	The file containing the CRL.
:url	inet:url	The URL where the CRL was published.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

name	type	doc	opts
:crl	crypto:x509:crl	The CRL which revoked the certificate.	Read Only: True
:cert	crypto:x509:cert	The certificate revoked by the CRL.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

name	type	doc	opts
:cert	crypto:x509:cert	The certificate for the key which signed the file.	Read Only: True
:file	file:bytes	The file which was signed by the certificates key.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:policy

Guiding principles used to reach a set of goals.

The base type for the form can be found at doc:policy.

Properties:

name	type	doc
:id	str strip: True	The policy ID.
:name	str lower: True onespace: True	The policy name.
:type	doc:policy:type:taxonomy	The type of policy.
:text	str	The text of the policy.
:file	file:bytes	The file which contains the policy.
:created	time	The time that the policy was created.
:updated	time	The time that the policy was last updated.
:author	ps:contact	The contact information of the primary author.
:contributors	array type: ps:contact sorted: True uniq: True	An array of contacts which contributed to the policy.
:version	it:semver	The version of the policy.
:supersedes	array type: doc:policy sorted: True uniq: True	An array of policies which are superseded by this policy.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:policy:type:taxonomy

A taxonomy of policy types.

The base type for the form can be found at doc:policy:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	doc:policy:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:requirement

A single requirement, often defined by a standard.

The base type for the form can be found at doc:requirement.

Properties:

name	type	doc	opts
:summary	str	A summary of the requirement definition.	Display: {'hint': 'text'}
:optional	bool	Set to true if the requirement is optional as defined by the standard.
:priority	meta:priority	The priority of the requirement as defined by the standard.
:standard	doc:standard	The standard which defined the requirement.
:id	str strip: True	The requirement ID.
:name	str lower: True onespace: True	The requirement name.
:type	doc:requirement:type:taxonomy	The type of requirement.
:text	str	The text of the requirement.
:file	file:bytes	The file which contains the requirement.
:created	time	The time that the requirement was created.
:updated	time	The time that the requirement was last updated.
:author	ps:contact	The contact information of the primary author.
:contributors	array type: ps:contact sorted: True uniq: True	An array of contacts which contributed to the requirement.
:version	it:semver	The version of the requirement.
:supersedes	array type: doc:requirement sorted: True uniq: True	An array of requirements which are superseded by this requirement.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:requirement:type:taxonomy

A taxonomy of requirement types.

The base type for the form can be found at doc:requirement:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	doc:requirement:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:resume

A CV/resume document.

The base type for the form can be found at doc:resume.

Properties:

name	type	doc	opts
:contact	ps:contact	Contact information for subject of the resume.
:summary	str	The summary of qualifications from the resume.	Display: {'hint': 'text'}
:workhist	array type: ps:workhist sorted: True uniq: True	Work history described in the resume.
:education	array type: ps:education sorted: True uniq: True	Education experience described in the resume.
:achievements	array type: ps:achievement sorted: True uniq: True	Achievements described in the resume.
:id	str strip: True	The resume ID.
:name	str lower: True onespace: True	The resume name.
:type	doc:resume:type:taxonomy	The type of resume.
:text	str	The text of the resume.
:file	file:bytes	The file which contains the resume.
:created	time	The time that the resume was created.
:updated	time	The time that the resume was last updated.
:author	ps:contact	The contact information of the primary author.
:contributors	array type: ps:contact sorted: True uniq: True	An array of contacts which contributed to the resume.
:version	it:semver	The version of the resume.
:supersedes	array type: doc:resume sorted: True uniq: True	An array of resumes which are superseded by this resume.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:resume:type:taxonomy

A taxonomy of resume types.

The base type for the form can be found at doc:resume:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	doc:resume:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:standard

A group of requirements which define how to implement a policy or goal.

The base type for the form can be found at doc:standard.

Properties:

name	type	doc
:policy	doc:policy	The policy which was used to derive the standard.
:id	str strip: True	The standard ID.
:name	str lower: True onespace: True	The standard name.
:type	doc:standard:type:taxonomy	The type of standard.
:text	str	The text of the standard.
:file	file:bytes	The file which contains the standard.
:created	time	The time that the standard was created.
:updated	time	The time that the standard was last updated.
:author	ps:contact	The contact information of the primary author.
:contributors	array type: ps:contact sorted: True uniq: True	An array of contacts which contributed to the standard.
:version	it:semver	The version of the standard.
:supersedes	array type: doc:standard sorted: True uniq: True	An array of standards which are superseded by this standard.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

doc:standard:type:taxonomy

A taxonomy of standard types.

The base type for the form can be found at doc:standard:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	doc:standard:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

name	type	doc	opts
:time	time	The time the balance was recorded.
:instrument	econ:pay:instrument	The financial instrument holding the balance.
:pay:card	econ:pay:card	Deprecated. Please use :instrument.	Deprecated: True
:crypto:address	crypto:currency:address	Deprecated. Please use :instrument.	Deprecated: True
:amount	econ:price	The account balance at the time.
:currency	econ:currency	The currency of the balance amount.
:delta	econ:price	The change since last regular sample.
:total:received	econ:price	The total amount of currency received by the account.
:total:sent	econ:price	The total amount of currency sent from the account.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:acct:invoice

An invoice issued requesting payment.

The base type for the form can be found at econ:acct:invoice.

Properties:

name	type	doc
:issued	time	The time that the invoice was issued to the recipient.
:issuer	ps:contact	The contact information for the entity who issued the invoice.
:purchase	econ:purchase	The purchase that the invoice is requesting payment for.
:recipient	ps:contact	The contact information for the intended recipient of the invoice.
:due	time	The time by which the payment is due.
:paid	bool	Set to true if the invoice has been paid in full.
:amount	econ:price	The balance due.
:currency	econ:currency	The currency that the invoice specifies for payment.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

name	type	doc	opts
:txnid	str strip: True	A payment processor specific transaction id.
:fee	econ:price	The transaction fee paid by the recipient to the payment processor.
:from:cash	bool	Set to true if the payment input was in cash.
:to:instrument	econ:pay:instrument	The payment instrument which received funds from the payment.
:from:instrument	econ:pay:instrument	The payment instrument used to make the payment.
:from:account	econ:bank:account	Deprecated. Please use :from:instrument.	Deprecated: True
:from:pay:card	econ:pay:card	Deprecated. Please use :from:instrument.	Deprecated: True
:from:contract	ou:contract	A contract used as an aggregate payment source.
:from:coinaddr	crypto:currency:address	Deprecated. Please use :from:instrument.	Deprecated: True
:from:contact	ps:contact	Contact information for the entity making the payment.
:to:cash	bool	Set to true if the payment output was in cash.
:to:account	econ:bank:account	Deprecated. Please use :to:instrument.	Deprecated: True
:to:coinaddr	crypto:currency:address	Deprecated. Please use :to:instrument.	Deprecated: True
:to:contact	ps:contact	Contact information for the person/org being paid.
:to:contract	ou:contract	A contract used as an aggregate payment destination.
:time	time	The time the payment was processed.
:purchase	econ:purchase	The purchase which the payment was paying for.
:amount	econ:price	The amount of money transferred in the payment.
:currency	econ:currency	The currency of the payment.
:memo	str	A small note specified by the payer common in financial transactions.
:crypto:transaction	crypto:currency:transaction	A crypto currency transaction that initiated the payment.
:invoice	econ:acct:invoice	The invoice that the payment applies to.
:receipt	econ:acct:receipt	The receipt that was issued for the payment.
:place	geo:place	The place where the payment occurred.
:place:name	geo:name	The name of the place where the payment occurred.
:place:address	geo:address	The address of the place where the payment occurred.
:place:loc	loc	The loc of the place where the payment occurred.
:place:latlong	geo:latlong	The latlong where the payment occurred.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:bank:statement	-(has)>	econ:acct:payment	The bank statement includes the payment.
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:acct:receipt

A receipt issued as proof of payment.

The base type for the form can be found at econ:acct:receipt.

Properties:

name	type	doc
:issued	time	The time the receipt was issued.
:purchase	econ:purchase	The purchase that the receipt confirms payment for.
:issuer	ps:contact	The contact information for the entity who issued the receipt.
:recipient	ps:contact	The contact information for the entity who received the receipt.
:currency	econ:currency	The currency that the receipt uses to specify the price.
:amount	econ:price	The price that the receipt confirms was paid.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

name	type	doc	opts
:purchase	econ:purchase	The purchase event which acquired an item.	Read Only: True
:item	ndef	A reference to the item that was acquired.	Read Only: True
:item:form	str	The form of item purchased.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:aba:rtn

An American Bank Association (ABA) routing transit number (RTN).

The base type for the form can be found at econ:bank:aba:rtn.

Properties:

name	type	doc
:bank	ou:org	The bank which was issued the ABA RTN.
:bank:name	ou:name	The name which is registered for this ABA RTN.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:account

A bank account.

The base type for the form can be found at econ:bank:account.

Properties:

name	type	doc
:type	econ:bank:account:type:taxonomy	The type of bank account.
:aba:rtn	econ:bank:aba:rtn	The ABA routing transit number for the bank which issued the account.
:number	str regex: [0-9]+	The account number.
:iban	econ:bank:iban	The IBAN for the account.
:issuer	ou:org	The bank which issued the account.
:issuer:name	ou:name	The name of the bank which issued the account.
:currency	econ:currency	The currency of the account balance.
:balance	econ:bank:balance	The most recently known bank balance information.
:contact	ps:contact	The primary contact for the bank account.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:account:type:taxonomy

A bank account type taxonomy.

The base type for the form can be found at econ:bank:account:type:taxonomy.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:balance

A balance contained by a bank account at a point in time.

The base type for the form can be found at econ:bank:balance.

Properties:

name	type	doc
:time	time	The time that the account balance was observed.
:amount	econ:price	The amount of currency available at the time.
:account	econ:bank:account	The bank account which contained the balance amount.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:iban

An International Bank Account Number.

The base type for the form can be found at econ:bank:iban.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:statement

A statement of bank account payment activity over a period of time.

The base type for the form can be found at econ:bank:statement.

Properties:

name	type	doc
:account	econ:bank:account	The bank account used to compute the statement.
:period	ival	The period that the statement includes.
:starting:balance	econ:price	The account balance at the beginning of the statement period.
:ending:balance	econ:price	The account balance at the end of the statement period.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
econ:bank:statement	-(has)>	econ:acct:payment	The bank statement includes the payment.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:bank:swift:bic

A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC).

The base type for the form can be found at econ:bank:swift:bic.

Properties:

name	type	doc
:business	ou:org	The business which is the registered owner of the SWIFT BIC.
:office	ps:contact	The branch or office which is specified in the last 3 digits of the SWIFT BIC.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:currency

The name of a system of money in general use.

The base type for the form can be found at econ:currency.

An example of econ:currency:

• usd

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

name	type	doc
:security	econ:fin:security	The security measured by the bar.
:ival	ival	The interval of measurement.
:price:open	econ:price	The opening price of the security.
:price:close	econ:price	The closing price of the security.
:price:low	econ:price	The low price of the security.
:price:high	econ:price	The high price of the security.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

name	type	doc	opts
:name	str lower: True strip: True	A simple name for the exchange.	Example: nasdaq
:org	ou:org	The organization that operates the exchange.
:currency	econ:currency	The currency used for all transactions in the exchange.	Example: usd

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

name	type	doc
:exchange	econ:fin:exchange	The exchange on which the security is traded.
:ticker	str lower: True strip: True	The identifier for this security within the exchange.
:type	str lower: True strip: True	A user defined type such as stock, bond, option, future, or forex.
:price	econ:price	The last known/available price of the security.
:time	time	The time of the last know price sample.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

name	type	doc
:security	econ:fin:security	The security measured by the tick.
:time	time	The time the price was sampled.
:price	econ:price	The price of the security at the time.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

name	type	doc
:pan	econ:pay:pan	The payment card number.
:pan:mii	econ:pay:mii	The payment card MII.
:pan:iin	econ:pay:iin	The payment card IIN.
:name	ps:name	The name as it appears on the card.
:expr	time	The expiration date for the card.
:cvv	econ:pay:cvv	The Card Verification Value on the card.
:pin	econ:pay:pin	The Personal Identification Number on the card.
:account	econ:bank:account	A bank account associated with the payment card.
:contact	ps:contact	The primary contact for the payment card.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:pay:iin

An Issuer Id Number (IIN).

The base type for the form can be found at econ:pay:iin.

Properties:

name	type	doc
:org	ou:org	The issuer organization.
:name	str lower: True	The registered name of the issuer.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

name	type	doc
:by:contact	ps:contact	The contact information used to make the purchase.
:from:contact	ps:contact	The contact information used to sell the item.
:time	time	The time of the purchase.
:place	geo:place	The place where the purchase took place.
:paid	bool	Set to True if the purchase has been paid in full.
:paid:time	time	The point in time where the purchase was paid in full.
:settled	time	The point in time where the purchase was settled.
:campaign	ou:campaign	The campaign that the purchase was in support of.
:price	econ:price	The econ:price of the purchase.
:currency	econ:currency	The econ:price of the purchase.
:listing	biz:listing	The purchase was made based on the given listing.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

econ:receipt:item

A line item included as part of a purchase.

The base type for the form can be found at econ:receipt:item.

Properties:

name	type	doc
:purchase	econ:purchase	The purchase that contains this line item.
:count	int min: 1	The number of items included in this line item.
:price	econ:price	The total cost of this receipt line item.
:product	biz:product	The product being being purchased in this line item.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

edge:has

A digraph edge which records that N1 has N2.

The base type for the form can be found at edge:has.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

edge:refs

A digraph edge which records that N1 refers to or contains N2.

The base type for the form can be found at edge:refs.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time.

The base type for the form can be found at edge:wentto.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True
:time	time	A date/time value.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

edu:class

An instance of an edu:course taught at a given time.

The base type for the form can be found at edu:class.

Properties:

name	type	doc
:course	edu:course	The course being taught in the class.
:instructor	ps:contact	The primary instructor for the class.
:assistants	array type: ps:contact uniq: True sorted: True	An array of assistant/co-instructor contacts.
:date:first	time	The date of the first day of class.
:date:last	time	The date of the last day of class.
:isvirtual	bool	Set if the class is known to be virtual.
:virtual:url	inet:url	The URL a student would use to attend the virtual class.
:virtual:provider	ps:contact	Contact info for the virtual infrastructure provider.
:place	geo:place	The place that the class is held.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

edu:course

A course of study taught by an org.

The base type for the form can be found at edu:course.

Properties:

name	type	doc	opts
:name	str lower: True onespace: True	The name of the course.	Example: organic chemistry for beginners
:desc	str	A brief course description.
:code	str lower: True strip: True	The course catalog number or designator.	Example: chem101
:institution	ps:contact	The org or department which teaches the course.
:prereqs	array type: edu:course uniq: True sorted: True	The pre-requisite courses for taking this course.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

entity:name

A name used to refer to an entity.

The base type for the form can be found at entity:name.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

entity:relationship

A directional relationship between two actor entities.

The base type for the form can be found at entity:relationship.

Properties:

name	type	doc
:type	entity:relationship:type:taxonomy	The type of relationship.
:period	ival	The time period when the relationship existed.
:source	entity:actor	The source entity in the relationship.
:target	entity:actor	The target entity in the relationship.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

entity:relationship:type:taxonomy

A hierarchical taxonomy of entity relationship types.

The base type for the form can be found at entity:relationship:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	entity:relationship:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:archive:entry

An archive entry representing a file and metadata within a parent archive file.

The base type for the form can be found at file:archive:entry.

Properties:

name	type	doc
:parent	file:bytes	The parent archive file.
:file	file:bytes	The file contained within the archive.
:path	file:path	The file path of the archived file.
:user	inet:user	The name of the user who owns the archived file.
:added	time	The time that the file was added to the archive.
:created	time	The created time of the archived file.
:modified	time	The modified time of the archived file.
:comment	str	The comment field for the file entry within the archive.
:posix:uid	int	The POSIX UID of the user who owns the archived file.
:posix:gid	int	The POSIX GID of the group who owns the archived file.
:posix:perms	int	The POSIX permissions mask of the archived file.
:archived:size	int	The encoded or compressed size of the archived file within the parent.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:attachment

A file attachment.

The base type for the form can be found at file:attachment.

Properties:

name	type	doc
:name	file:path	The name of the attached file.
:text	str	Any text associated with the file such as alt-text for images.
:file	file:bytes	The file which was attached.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:base

A file name with no path.

The base type for the form can be found at file:base.

An example of file:base:

• woot.exe

Properties:

name	type	doc	opts
:ext	str	The file extension (if any).	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:bytes

The file bytes type with SHA256 based primary property.

The base type for the form can be found at file:bytes.

Properties:

name	type	doc
:size	int	The file size in bytes.
:md5	hash:md5	The md5 hash of the file.
:sha1	hash:sha1	The sha1 hash of the file.
:sha256	hash:sha256	The sha256 hash of the file.
:sha512	hash:sha512	The sha512 hash of the file.
:name	file:base	The best known base name for the file.
:mime	file:mime	The “best” mime type name for the file.
:mime:x509:cn	str	The Common Name (CN) attribute of the x509 Subject.
:mime:pe:size	int	The size of the executable file according to the PE file header.
:mime:pe:imphash	hash:md5	The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .
:mime:pe:compiled	time	The compile time of the file according to the PE header.
:mime:pe:pdbpath	file:path	The PDB string according to the PE.
:mime:pe:exports:time	time	The export time of the file according to the PE.
:mime:pe:exports:libname	str	The export library name according to the PE.
:mime:pe:richhdr	hash:sha256	The sha256 hash of the rich header bytes.
:exe:compiler	it:prod:softver	The software used to compile the file.
:exe:packer	it:prod:softver	The packer software used to encode the file.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
file:bytes	-(refs)>	it:dev:str	The source file contains the target string.
file:bytes	-(uses)>	math:algorithm	The file uses the algorithm.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path.

The base type for the form can be found at file:filepath.

Properties:

name	type	doc	opts
:file	file:bytes	The file seen at a path.	Read Only: True
:path	file:path	The path a file was seen at.	Read Only: True
:path:dir	file:path	The parent directory.	Read Only: True
:path:base	file:base	The name of the file.	Read Only: True
:path:base:ext	str	The extension of the file name.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:ismime

Records one, of potentially multiple, mime types for a given file.

The base type for the form can be found at file:ismime.

Properties:

name	type	doc	opts
:file	file:bytes	The file node that is an instance of the named mime type.	Read Only: True
:mime	file:mime	The mime type of the file.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime

A file mime name string.

The base type for the form can be found at file:mime.

An example of file:mime:

• text/plain

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:gif

The GUID of a set of mime metadata for a .gif file.

The base type for the form can be found at file:mime:gif.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:text	str lower: True onespace: True	The text contained within the image.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file.

The base type for the form can be found at file:mime:jpg.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:text	str lower: True onespace: True	The text contained within the image.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:lnk

The GUID of the metadata pulled from a Windows shortcut or LNK file.

The base type for the form can be found at file:mime:lnk.

Properties:

name	type	doc	opts
:flags	int	The flags specified by the LNK header that control the structure of the LNK file.
:entry:primary	file:path	The primary file path contained within the FileEntry structure of the LNK file.
:entry:secondary	file:path	The secondary file path contained within the FileEntry structure of the LNK file.
:entry:extended	file:path	The extended file path contained within the extended FileEntry structure of the LNK file.
:entry:localized	file:path	The localized file path reconstructed from references within the extended FileEntry structure of the LNK file.
:entry:icon	file:path	The icon file path contained within the StringData structure of the LNK file.
:environment:path	file:path	The target file path contained within the EnvironmentVariableDataBlock structure of the LNK file.
:environment:icon	file:path	The icon file path contained within the IconEnvironmentDataBlock structure of the LNK file.
:iconindex	int	A resource index for an icon within an icon location.
:working	file:path	The working directory used when activating the link target.
:relative	str strip: True	The relative target path string contained within the StringData structure of the LNK file.
:arguments	it:cmd	The command line arguments passed to the target file when the LNK file is activated.
:desc	str	The description of the LNK file contained within the StringData section of the LNK file.	Display: {'hint': 'text'}
:target:attrs	int	The attributes of the target file according to the LNK header.
:target:size	int	The size of the target file according to the LNK header. The LNK format specifies that this is only the lower 32 bits of the target file size.
:target:created	time	The creation time of the target file according to the LNK header.
:target:accessed	time	The access time of the target file according to the LNK header.
:target:written	time	The write time of the target file according to the LNK header.
:driveserial	int	The drive serial number of the volume the link target is stored on.
:machineid	it:hostname	The NetBIOS name of the machine where the link target was last located.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers.

The base type for the form can be found at file:mime:macho:loadcmd.

Properties:

name	type	doc
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment.

The base type for the form can be found at file:mime:macho:section.

Properties:

name	type	doc
:segment	file:mime:macho:segment	The Mach-O segment that contains this section.
:name	str	Name of the section.
:size	int	Size of the section in bytes.
:type	int enums: ((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))	The type of the section.
:sha256	hash:sha256	The sha256 hash of the bytes of the Mach-O section.
:offset	int	The file offset to the beginning of the section.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary.

The base type for the form can be found at file:mime:macho:segment.

Properties:

name	type	doc
:name	str	The name of the Mach-O segment.
:memsize	int	The size of the segment in bytes, when resident in memory, according to the load command structure.
:disksize	int	The size of the segment in bytes, when on disk, according to the load command structure.
:sha256	hash:sha256	The sha256 hash of the bytes of the segment.
:offset	int	The file offset to the beginning of the segment.
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary.

The base type for the form can be found at file:mime:macho:uuid.

Properties:

name	type	doc
:uuid	guid	The UUID of the Mach-O application (as defined in an LC_UUID load command).
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary.

The base type for the form can be found at file:mime:macho:version.

Properties:

name	type	doc
:version	str	The version of the Mach-O file encoded in an LC_VERSION load command.
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file.

The base type for the form can be found at file:mime:msdoc.

Properties:

name	type	doc
:title	str	The title extracted from Microsoft Office metadata.
:author	str	The author extracted from Microsoft Office metadata.
:subject	str	The subject extracted from Microsoft Office metadata.
:application	str	The creating_application extracted from Microsoft Office metadata.
:created	time	The create_time extracted from Microsoft Office metadata.
:lastsaved	time	The last_saved_time extracted from Microsoft Office metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft Powerpoint file.

The base type for the form can be found at file:mime:msppt.

Properties:

name	type	doc
:title	str	The title extracted from Microsoft Office metadata.
:author	str	The author extracted from Microsoft Office metadata.
:subject	str	The subject extracted from Microsoft Office metadata.
:application	str	The creating_application extracted from Microsoft Office metadata.
:created	time	The create_time extracted from Microsoft Office metadata.
:lastsaved	time	The last_saved_time extracted from Microsoft Office metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file.

The base type for the form can be found at file:mime:msxls.

Properties:

name	type	doc
:title	str	The title extracted from Microsoft Office metadata.
:author	str	The author extracted from Microsoft Office metadata.
:subject	str	The subject extracted from Microsoft Office metadata.
:application	str	The creating_application extracted from Microsoft Office metadata.
:created	time	The create_time extracted from Microsoft Office metadata.
:lastsaved	time	The last_saved_time extracted from Microsoft Office metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:pe:export

The fused knowledge of a file:bytes node containing a pe named export.

The base type for the form can be found at file:mime:pe:export.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the export.	Read Only: True
:name	str	The name of the export in the file.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a pe resource.

The base type for the form can be found at file:mime:pe:resource.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the resource.	Read Only: True
:type	pe:resource:type	The typecode for the resource.	Read Only: True
:langid	pe:langid	The language code for the resource.	Read Only: True
:resource	file:bytes	The sha256 hash of the resource bytes.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:pe:section

The fused knowledge a file:bytes node containing a pe section.

The base type for the form can be found at file:mime:pe:section.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the section.	Read Only: True
:name	str	The textual name of the section.	Read Only: True
:sha256	hash:sha256	The sha256 hash of the section. Relocations must be zeroed before hashing.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:pe:vsvers:info

knowledge of a file:bytes node containing vsvers info.

The base type for the form can be found at file:mime:pe:vsvers:info.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the vsversion keyval pair.	Read Only: True
:keyval	file:mime:pe:vsvers:keyval	The vsversion info keyval in this file:bytes node.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure.

The base type for the form can be found at file:mime:pe:vsvers:keyval.

Properties:

name	type	doc	opts
:name	str	The key for the vsversion keyval pair.	Read Only: True
:value	str	The value for the vsversion keyval pair.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:png

The GUID of a set of mime metadata for a .png file.

The base type for the form can be found at file:mime:png.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:text	str lower: True onespace: True	The text contained within the image.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file.

The base type for the form can be found at file:mime:rtf.

Properties:

name	type	doc
:guid	guid	The parsed GUID embedded in the .rtf file.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:mime:tif

The GUID of a set of mime metadata for a .tif file.

The base type for the form can be found at file:mime:tif.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:text	str lower: True onespace: True	The text contained within the image.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:path

A normalized file path.

The base type for the form can be found at file:path.

An example of file:path:

• c:/windows/system32/calc.exe

Properties:

name	type	doc	opts
:dir	file:path	The parent directory.	Read Only: True
:base	file:base	The file base name.	Read Only: True
:base:ext	str	The file extension.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:string

Deprecated. Please use the edge -(refs)> it:dev:str.

The base type for the form can be found at file:string.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the string.	Read Only: True
:string	str	The string contained in this file:bytes node.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

file:subfile

A parent file that fully contains the specified child file.

The base type for the form can be found at file:subfile.

Properties:

name	type	doc	opts
:parent	file:bytes	The parent file containing the child file.	Read Only: True
:child	file:bytes	The child file contained in the parent file.	Read Only: True
:name	file:base	Deprecated, please use the :path property.	Deprecated: True
:path	file:path	The path that the parent uses to refer to the child file.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

geo:name

An unstructured place name or address.

The base type for the form can be found at geo:name.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

geo:nloc

Records a node latitude/longitude in space-time.

The base type for the form can be found at geo:nloc.

Properties:

name	type	doc	opts
:ndef	ndef	The node with location in geospace and time.	Read Only: True
:ndef:form	str	The form of node referenced by the ndef.	Read Only: True
:latlong	geo:latlong	The latitude/longitude the node was observed.	Read Only: True
:time	time	The time the node was observed at location.	Read Only: True
:place	geo:place	The place corresponding to the latlong property.
:loc	loc	The geo-political location string for the node.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

geo:place

A GUID for a geographic place.

The base type for the form can be found at geo:place.

Properties:

name	type	doc	opts
:id	str strip: True	A type specific identifier such as an airport ID.
:name	geo:name	The name of the place.	alts: ('names',)
:type	geo:place:taxonomy	The type of place.
:names	array type: geo:name sorted: True uniq: True	An array of alternative place names.
:parent	geo:place	Deprecated. Please use a -(contains)> edge.	Deprecated: True
:desc	str	A long form description of the place.
:loc	loc	The geo-political location string for the node.
:address	geo:address	The street/mailing address for the place.
:geojson	geo:json	A GeoJSON representation of the place.
:latlong	geo:latlong	The lat/long position for the place.
:bbox	geo:bbox	A bounding box which encompasses the place.
:radius	geo:dist	An approximate radius to use for bounding box calculation.
:photo	file:bytes	The image file to use as the primary image of the place.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
geo:place	-(contains)>	geo:place	The source place completely contains the target place.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
geo:place	-(contains)>	geo:place	None
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

geo:place:taxonomy

A taxonomy of place types.

The base type for the form can be found at geo:place:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	geo:place:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

geo:telem

The geospatial position and physical characteristics of a node at a given time.

The base type for the form can be found at geo:telem.

Properties:

name	type	doc	opts
:time	time	The time that the telemetry measurements were taken.
:desc	str	A description of the telemetry sample.
:latlong	geo:latlong	Deprecated. Please use :place:latlong.	Deprecated: True
:accuracy	geo:dist	Deprecated. Please use :place:latlong:accuracy.	Deprecated: True
:node	ndef	The node that was observed at the associated time and place.
:phys:mass	mass	The mass of the object.
:phys:volume	geo:dist	The cubed volume of the object.
:phys:length	geo:dist	The length of the object.
:phys:width	geo:dist	The width of the object.
:phys:height	geo:dist	The height of the object.
:place	geo:place	The place where the object was located.
:place:loc	loc	The geopolitical location of the object.
:place:name	geo:name	The name of the place where the object was located.
:place:address	geo:address	The postal address of the place where the object was located.
:place:latlong	geo:latlong	The latlong where the object was located.
:place:latlong:accuracy	geo:dist	The accuracy of the latlong where the object was located.
:place:country	pol:country	The country where the object was located.
:place:country:code	pol:iso2	The country code where the object was located.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

gov:cn:icp

A Chinese Internet Content Provider ID.

The base type for the form can be found at gov:cn:icp.

Properties:

name	type	doc
:org	ou:org	The org with the Internet Content Provider ID.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

gov:cn:mucd

A Chinese PLA MUCD.

The base type for the form can be found at gov:cn:mucd.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

gov:us:cage

A Commercial and Government Entity (CAGE) code.

The base type for the form can be found at gov:us:cage.

Properties:

name	type	doc
:name0	ou:name	The name of the organization.
:name1	str lower: True	Name Part 1.
:street	str lower: True	The base string type.
:city	str lower: True	The base string type.
:state	str lower: True	The base string type.
:zip	gov:us:zip	A US Postal Zip Code.
:cc	pol:iso2	The 2 digit ISO 3166 country code.
:country	str lower: True	The base string type.
:phone0	tel:phone	A phone number.
:phone1	tel:phone	A phone number.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

gov:us:ssn

A US Social Security Number (SSN).

The base type for the form can be found at gov:us:ssn.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

gov:us:zip

A US Postal Zip Code.

The base type for the form can be found at gov:us:zip.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

graph:cluster

A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.

The base type for the form can be found at graph:cluster.

Properties:

name	type	doc
:name	str lower: True	A human friendly name for the cluster.
:desc	str lower: True	A human friendly long form description for the cluster.
:type	str lower: True	An optional type field used to group clusters.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

graph:edge

A generic digraph edge to show relationships outside the model.

The base type for the form can be found at graph:edge.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

graph:event

A generic event node to represent events outside the model.

The base type for the form can be found at graph:event.

Properties:

name	type	doc
:time	time	The time of the event.
:type	str	A arbitrary type string for the event.
:name	str	A name for the event.
:data	data	Arbitrary non-indexed msgpack data attached to the event.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

graph:node

A generic node used to represent objects outside the model.

The base type for the form can be found at graph:node.

Properties:

name	type	doc
:type	str	The type name for the non-model node.
:name	str	A human readable name for this record.
:data	data	Arbitrary non-indexed msgpack data attached to the node.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

graph:timeedge

A generic digraph time edge to show relationships outside the model.

The base type for the form can be found at graph:timeedge.

Properties:

name	type	doc	opts
:time	time	A date/time value.	Read Only: True
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

hash:md5

A hex encoded MD5 hash.

The base type for the form can be found at hash:md5.

An example of hash:md5:

• d41d8cd98f00b204e9800998ecf8427e

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

hash:sha1

A hex encoded SHA1 hash.

The base type for the form can be found at hash:sha1.

An example of hash:sha1:

• da39a3ee5e6b4b0d3255bfef95601890afd80709

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

hash:sha256

A hex encoded SHA256 hash.

The base type for the form can be found at hash:sha256.

An example of hash:sha256:

• ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

hash:sha384

A hex encoded SHA384 hash.

The base type for the form can be found at hash:sha384.

An example of hash:sha384:

• d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

hash:sha512

A hex encoded SHA512 hash.

The base type for the form can be found at hash:sha512.

An example of hash:sha512:

• ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:asn

An Autonomous System Number (ASN).

The base type for the form can be found at inet:asn.

Properties:

name	type	doc
:name	str lower: True	The name of the organization currently responsible for the ASN.
:owner	ou:org	The guid of the organization currently responsible for the ASN.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:asnet4

An Autonomous System Number (ASN) and its associated IPv4 address range.

The base type for the form can be found at inet:asnet4.

An example of inet:asnet4:

• (54959, (1.2.3.4, 1.2.3.20))

Properties:

name	type	doc	opts
:asn	inet:asn	The Autonomous System Number (ASN) of the netblock.	Read Only: True
:net4	inet:net4	The IPv4 address range assigned to the ASN.	Read Only: True
:net4:min	inet:ipv4	The first IPv4 in the range assigned to the ASN.	Read Only: True
:net4:max	inet:ipv4	The last IPv4 in the range assigned to the ASN.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:asnet6

An Autonomous System Number (ASN) and its associated IPv6 address range.

The base type for the form can be found at inet:asnet6.

An example of inet:asnet6:

• (54959, (ff::00, ff::02))

Properties:

name	type	doc	opts
:asn	inet:asn	The Autonomous System Number (ASN) of the netblock.	Read Only: True
:net6	inet:net6	The IPv6 address range assigned to the ASN.	Read Only: True
:net6:min	inet:ipv6	The first IPv6 in the range assigned to the ASN.	Read Only: True
:net6:max	inet:ipv6	The last IPv6 in the range assigned to the ASN.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:banner

A network protocol banner string presented by a server.

The base type for the form can be found at inet:banner.

Properties:

name	type	doc	opts
:server	inet:server	The server which presented the banner string.	Read Only: True
:server:ipv4	inet:ipv4	The IPv4 address of the server.	Read Only: True
:server:ipv6	inet:ipv6	The IPv6 address of the server.	Read Only: True
:server:port	inet:port	The network port.	Read Only: True
:text	it:dev:str	The banner text.	Read Only: True Display: {'hint': 'text'}

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:cidr4

An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr4.

An example of inet:cidr4:

• 1.2.3.0/24

Properties:

name	type	doc	opts
:broadcast	inet:ipv4	The broadcast IP address from the CIDR notation.	Read Only: True
:mask	int	The mask from the CIDR notation.	Read Only: True
:network	inet:ipv4	The network IP address from the CIDR notation.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:cidr6

An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr6.

An example of inet:cidr6:

• 2001:db8::/101

Properties:

name	type	doc	opts
:broadcast	inet:ipv6	The broadcast IP address from the CIDR notation.	Read Only: True
:mask	int	The mask from the CIDR notation.	Read Only: True
:network	inet:ipv6	The network IP address from the CIDR notation.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:client

A network client address.

The base type for the form can be found at inet:client.

An example of inet:client:

• tcp://1.2.3.4:80

Properties:

name	type	doc	opts
:proto	str lower: True	The network protocol of the client.	Read Only: True
:ipv4	inet:ipv4	The IPv4 of the client.	Read Only: True
:ipv6	inet:ipv6	The IPv6 of the client.	Read Only: True
:host	it:host	The it:host node for the client.	Read Only: True
:port	inet:port	The client tcp/udp port.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:a

The result of a DNS A record lookup.

The base type for the form can be found at inet:dns:a.

An example of inet:dns:a:

• (vertex.link,1.2.3.4)

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain queried for its DNS A record.	Read Only: True
:ipv4	inet:ipv4	The IPv4 address returned in the A record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:aaaa

The result of a DNS AAAA record lookup.

The base type for the form can be found at inet:dns:aaaa.

An example of inet:dns:aaaa:

• (vertex.link,2607:f8b0:4004:809::200e)

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain queried for its DNS AAAA record.	Read Only: True
:ipv6	inet:ipv6	The IPv6 address returned in the AAAA record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:answer

A single answer from within a DNS reply.

The base type for the form can be found at inet:dns:answer.

Properties:

name	type	doc
:ttl	int	The base 64 bit signed integer type.
:request	inet:dns:request	A single instance of a DNS resolver request and optional reply info.
:a	inet:dns:a	The DNS A record returned by the lookup.
:ns	inet:dns:ns	The DNS NS record returned by the lookup.
:rev	inet:dns:rev	The DNS PTR record returned by the lookup.
:aaaa	inet:dns:aaaa	The DNS AAAA record returned by the lookup.
:rev6	inet:dns:rev6	The DNS PTR record returned by the lookup of an IPv6 address.
:cname	inet:dns:cname	The DNS CNAME record returned by the lookup.
:mx	inet:dns:mx	The DNS MX record returned by the lookup.
:mx:priority	int	The DNS MX record priority.
:soa	inet:dns:soa	The domain queried for its SOA record.
:txt	inet:dns:txt	The DNS TXT record returned by the lookup.
:time	time	The time that the DNS response was transmitted.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:cname

The result of a DNS CNAME record lookup.

The base type for the form can be found at inet:dns:cname.

An example of inet:dns:cname:

• (foo.vertex.link,vertex.link)

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain queried for its CNAME record.	Read Only: True
:cname	inet:fqdn	The domain returned in the CNAME record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:dynreg

A dynamic DNS registration.

The base type for the form can be found at inet:dns:dynreg.

Properties:

name	type	doc
:fqdn	inet:fqdn	The FQDN registered within a dynamic DNS provider.
:provider	ou:org	The organization which provides the dynamic DNS FQDN.
:provider:name	ou:name	The name of the organization which provides the dynamic DNS FQDN.
:provider:fqdn	inet:fqdn	The FQDN of the organization which provides the dynamic DNS FQDN.
:contact	ps:contact	The contact information of the registrant.
:created	time	The time that the dynamic DNS registration was first created.
:client	inet:client	The network client address used to register the dynamic FQDN.
:client:ipv4	inet:ipv4	The client IPv4 address used to register the dynamic FQDN.
:client:ipv6	inet:ipv6	The client IPv6 address used to register the dynamic FQDN.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:mx

The result of a DNS MX record lookup.

The base type for the form can be found at inet:dns:mx.

An example of inet:dns:mx:

• (vertex.link,mail.vertex.link)

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain queried for its MX record.	Read Only: True
:mx	inet:fqdn	The domain returned in the MX record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:ns

The result of a DNS NS record lookup.

The base type for the form can be found at inet:dns:ns.

An example of inet:dns:ns:

• (vertex.link,ns.dnshost.com)

Properties:

name	type	doc	opts
:zone	inet:fqdn	The domain queried for its DNS NS record.	Read Only: True
:ns	inet:fqdn	The domain returned in the NS record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:query

A DNS query unique to a given client.

The base type for the form can be found at inet:dns:query.

An example of inet:dns:query:

• (1.2.3.4, woot.com, 1)

Properties:

name	type	doc	opts
:client	inet:client	A network client address.	Read Only: True
:name	inet:dns:name	A DNS query name string. Likely an FQDN but not always.	Read Only: True
:name:ipv4	inet:ipv4	An IPv4 address.
:name:ipv6	inet:ipv6	An IPv6 address.
:name:fqdn	inet:fqdn	A Fully Qualified Domain Name (FQDN).
:type	int	The base 64 bit signed integer type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:request

A single instance of a DNS resolver request and optional reply info.

The base type for the form can be found at inet:dns:request.

Properties:

name	type	doc
:time	time	A date/time value.
:query	inet:dns:query	A DNS query unique to a given client.
:query:name	inet:dns:name	A DNS query name string. Likely an FQDN but not always.
:query:name:ipv4	inet:ipv4	An IPv4 address.
:query:name:ipv6	inet:ipv6	An IPv6 address.
:query:name:fqdn	inet:fqdn	A Fully Qualified Domain Name (FQDN).
:query:type	int	The base 64 bit signed integer type.
:server	inet:server	A network server address.
:reply:code	int enums: ((0, 'NOERROR'), (1, 'FORMERR'), (2, 'SERVFAIL'), (3, 'NXDOMAIN'), (4, 'NOTIMP'), (5, 'REFUSED'), (6, 'YXDOMAIN'), (7, 'YXRRSET'), (8, 'NXRRSET'), (9, 'NOTAUTH'), (10, 'NOTZONE'), (11, 'DSOTYPENI'), (16, 'BADSIG'), (17, 'BADKEY'), (18, 'BADTIME'), (19, 'BADMODE'), (20, 'BADNAME'), (21, 'BADALG'), (22, 'BADTRUNC'), (23, 'BADCOOKIE')) enums:strict: False	The DNS server response code.
:exe	file:bytes	The file containing the code that attempted the DNS lookup.
:proc	it:exec:proc	The process that attempted the DNS lookup.
:host	it:host	The host that attempted the DNS lookup.
:sandbox:file	file:bytes	The initial sample given to a sandbox environment to analyze.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:rev

The transformed result of a DNS PTR record lookup.

The base type for the form can be found at inet:dns:rev.

An example of inet:dns:rev:

• (1.2.3.4,vertex.link)

Properties:

name	type	doc	opts
:ipv4	inet:ipv4	The IPv4 address queried for its DNS PTR record.	Read Only: True
:fqdn	inet:fqdn	The domain returned in the PTR record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:rev6

The transformed result of a DNS PTR record for an IPv6 address.

The base type for the form can be found at inet:dns:rev6.

An example of inet:dns:rev6:

• (2607:f8b0:4004:809::200e,vertex.link)

Properties:

name	type	doc	opts
:ipv6	inet:ipv6	The IPv6 address queried for its DNS PTR record.	Read Only: True
:fqdn	inet:fqdn	The domain returned in the PTR record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:soa

The result of a DNS SOA record lookup.

The base type for the form can be found at inet:dns:soa.

Properties:

name	type	doc
:fqdn	inet:fqdn	The domain queried for its SOA record.
:ns	inet:fqdn	The domain (MNAME) returned in the SOA record.
:email	inet:email	The email address (RNAME) returned in the SOA record.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:txt

The result of a DNS TXT record lookup.

The base type for the form can be found at inet:dns:txt.

An example of inet:dns:txt:

• (hehe.vertex.link,"fancy TXT record")

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain queried for its TXT record.	Read Only: True
:txt	str	The string returned in the TXT record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:wild:a

A DNS A wild card record and the IPv4 it resolves to.

The base type for the form can be found at inet:dns:wild:a.

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain containing a wild card record.	Read Only: True
:ipv4	inet:ipv4	The IPv4 address returned by wild card resolutions.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:dns:wild:aaaa

A DNS AAAA wild card record and the IPv6 it resolves to.

The base type for the form can be found at inet:dns:wild:aaaa.

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain containing a wild card record.	Read Only: True
:ipv6	inet:ipv6	The IPv6 address returned by wild card resolutions.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:download

An instance of a file downloaded from a server.

The base type for the form can be found at inet:download.

Properties:

name	type	doc
:time	time	The time the file was downloaded.
:fqdn	inet:fqdn	The FQDN used to resolve the server.
:file	file:bytes	The file that was downloaded.
:server	inet:server	The inet:addr of the server.
:server:host	it:host	The it:host node for the server.
:server:ipv4	inet:ipv4	The IPv4 of the server.
:server:ipv6	inet:ipv6	The IPv6 of the server.
:server:port	inet:port	The server tcp/udp port.
:server:proto	str lower: True	The server network layer protocol.
:client	inet:client	The inet:addr of the client.
:client:host	it:host	The it:host node for the client.
:client:ipv4	inet:ipv4	The IPv4 of the client.
:client:ipv6	inet:ipv6	The IPv6 of the client.
:client:port	inet:port	The client tcp/udp port.
:client:proto	str lower: True	The client network layer protocol.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:egress

A host using a specific network egress client address.

The base type for the form can be found at inet:egress.

Properties:

name	type	doc
:host	it:host	The host that used the network egress.
:host:iface	inet:iface	The interface which the host used to connect out via the egress.
:account	inet:service:account	The service account which used the client address to egress.
:client	inet:client	The client address the host used as a network egress.
:client:ipv4	inet:ipv4	The client IPv4 address the host used as a network egress.
:client:ipv6	inet:ipv6	The client IPv6 address the host used as a network egress.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:email

An e-mail address.

The base type for the form can be found at inet:email.

Properties:

name	type	doc	opts
:user	inet:user	The username of the email address.	Read Only: True
:fqdn	inet:fqdn	The domain of the email address.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:email:header

A unique email message header.

The base type for the form can be found at inet:email:header.

Properties:

name	type	doc	opts
:name	inet:email:header:name	The name of the email header.	Read Only: True
:value	str	The value of the email header.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:email:message

An individual email message delivered to an inbox.

The base type for the form can be found at inet:email:message.

Properties:

name	type	doc	opts
:id	str strip: True	The ID parsed from the “message-id” header.
:to	inet:email	The email address of the recipient.
:from	inet:email	The email address of the sender.
:replyto	inet:email	The email address parsed from the “reply-to” header.
:cc	array type: inet:email uniq: True sorted: True	Email addresses parsed from the “cc” header.
:subject	str	The email message subject parsed from the “subject” header.
:body	str	The body of the email message.	Display: {'hint': 'text'}
:date	time	The time the email message was delivered.
:bytes	file:bytes	The file bytes which contain the email message.
:headers	array type: inet:email:header	An array of email headers from the message.
:received:from:ipv4	inet:ipv4	The sending SMTP server IPv4, potentially from the Received: header.
:received:from:ipv6	inet:ipv6	The sending SMTP server IPv6, potentially from the Received: header.
:received:from:fqdn	inet:fqdn	The sending server FQDN, potentially from the Received: header.
:flow	inet:flow	The inet:flow which delivered the message.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:email:message:attachment

A file which was attached to an email message.

The base type for the form can be found at inet:email:message:attachment.

Properties:

name	type	doc	opts
:message	inet:email:message	The message containing the attached file.	Read Only: True
:file	file:bytes	The attached file.	Read Only: True
:name	file:base	The name of the attached file.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:email:message:link

A url/link embedded in an email message.

The base type for the form can be found at inet:email:message:link.

Properties:

name	type	doc	opts
:message	inet:email:message	The message containing the embedded link.	Read Only: True
:url	inet:url	The url contained within the email message.	Read Only: True
:text	str	The displayed hyperlink text if it was not the raw URL.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:flow

An individual network connection between a given source and destination.

The base type for the form can be found at inet:flow.

Properties:

name	type	doc	opts
:time	time	The time the network connection was initiated.
:duration	int	The duration of the flow in seconds.
:from	guid	The ingest source file/iden. Used for reparsing.
:dst	inet:server	The destination address / port for a connection.
:dst:ipv4	inet:ipv4	The destination IPv4 address.
:dst:ipv6	inet:ipv6	The destination IPv6 address.
:dst:port	inet:port	The destination port.
:dst:proto	str lower: True	The destination protocol.
:dst:host	it:host	The guid of the destination host.
:dst:proc	it:exec:proc	The guid of the destination process.
:dst:exe	file:bytes	The file (executable) that received the connection.
:dst:txfiles	array type: file:attachment sorted: True uniq: True	An array of files sent by the destination host.
:dst:txcount	int	The number of packets sent by the destination host.
:dst:txbytes	int	The number of bytes sent by the destination host.
:dst:handshake	str	A text representation of the initial handshake sent by the server.	Display: {'hint': 'text'}
:src	inet:client	The source address / port for a connection.
:src:ipv4	inet:ipv4	The source IPv4 address.
:src:ipv6	inet:ipv6	The source IPv6 address.
:src:port	inet:port	The source port.
:src:proto	str lower: True	The source protocol.
:src:host	it:host	The guid of the source host.
:src:proc	it:exec:proc	The guid of the source process.
:src:exe	file:bytes	The file (executable) that created the connection.
:src:txfiles	array type: file:attachment sorted: True uniq: True	An array of files sent by the source host.
:src:txcount	int	The number of packets sent by the source host.
:src:txbytes	int	The number of bytes sent by the source host.
:tot:txcount	int	The number of packets sent in both directions.
:tot:txbytes	int	The number of bytes sent in both directions.
:src:handshake	str	A text representation of the initial handshake sent by the client.	Display: {'hint': 'text'}
:dst:cpes	array type: it:sec:cpe uniq: True sorted: True	An array of NIST CPEs identified on the destination host.
:dst:softnames	array type: it:prod:softname uniq: True sorted: True	An array of software names identified on the destination host.
:src:cpes	array type: it:sec:cpe uniq: True sorted: True	An array of NIST CPEs identified on the source host.
:src:softnames	array type: it:prod:softname uniq: True sorted: True	An array of software names identified on the source host.
:ip:proto	int min: 0 max: 255	The IP protocol number of the flow.
:ip:tcp:flags	int min: 0 max: 255	An aggregation of observed TCP flags commonly provided by flow APIs.
:sandbox:file	file:bytes	The initial sample given to a sandbox environment to analyze.
:src:ssl:cert	crypto:x509:cert	The x509 certificate sent by the client as part of an SSL/TLS negotiation.
:dst:ssl:cert	crypto:x509:cert	The x509 certificate sent by the server as part of an SSL/TLS negotiation.
:src:rdp:hostname	it:hostname	The hostname sent by the client as part of an RDP session setup.
:src:rdp:keyboard:layout	str lower: True onespace: True	The keyboard layout sent by the client as part of an RDP session setup.
:src:ssh:key	crypto:key	The key sent by the client as part of an SSH session setup.
:dst:ssh:key	crypto:key	The key sent by the server as part of an SSH session setup.
:capture:host	it:host	The host which captured the flow.
:raw	data	A raw record used to create the flow which may contain additional protocol details.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:fqdn

A Fully Qualified Domain Name (FQDN).

The base type for the form can be found at inet:fqdn.

An example of inet:fqdn:

• vertex.link

Properties:

name	type	doc	opts
:domain	inet:fqdn	The parent domain for the FQDN.	Read Only: True
:host	str lower: True	The host part of the FQDN.	Read Only: True
:issuffix	bool	True if the FQDN is considered a suffix.
:iszone	bool	True if the FQDN is considered a zone.
:zone	inet:fqdn	The zone level parent for this FQDN.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:group

A group name string.

The base type for the form can be found at inet:group.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:http:cookie

An individual HTTP cookie string.

The base type for the form can be found at inet:http:cookie.

An example of inet:http:cookie:

• PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

Properties:

name	type	doc
:name	str	The name of the cookie preceding the equal sign.
:value	str	The value of the cookie after the equal sign if present.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:http:param

An HTTP request path query parameter.

The base type for the form can be found at inet:http:param.

Properties:

name	type	doc	opts
:name	str lower: True	The name of the HTTP query parameter.	Read Only: True
:value	str	The value of the HTTP query parameter.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:http:request

A single HTTP request.

The base type for the form can be found at inet:http:request.

Properties:

name	type	doc
:method	str	The HTTP request method string.
:path	str	The requested HTTP path (without query parameters).
:url	inet:url	The reconstructed URL for the request if known.
:query	str	The HTTP query string which optionally follows the path.
:headers	array type: inet:http:request:header	An array of HTTP headers from the request.
:body	file:bytes	The body of the HTTP request.
:referer	inet:url	The referer URL parsed from the “Referer:” header in the request.
:cookies	array type: inet:http:cookie sorted: True uniq: True	An array of HTTP cookie values parsed from the “Cookies:” header in the request.
:response:time	time	A date/time value.
:response:code	int	The base 64 bit signed integer type.
:response:reason	str	The base string type.
:response:headers	array type: inet:http:response:header	An array of HTTP headers from the response.
:response:body	file:bytes	The file bytes type with SHA256 based primary property.
:session	inet:http:session	The HTTP session this request was part of.
:flow	inet:flow	The raw inet:flow containing the request.
:client	inet:client	The inet:addr of the client.
:client:ipv4	inet:ipv4	The server IPv4 address that the request was sent from.
:client:ipv6	inet:ipv6	The server IPv6 address that the request was sent from.
:client:host	it:host	The host that the request was sent from.
:server	inet:server	The inet:addr of the server.
:server:ipv4	inet:ipv4	The server IPv4 address that the request was sent to.
:server:ipv6	inet:ipv6	The server IPv6 address that the request was sent to.
:server:port	inet:port	The server port that the request was sent to.
:server:host	it:host	The host that the request was sent to.
:exe	file:bytes	The executable file which caused the activity.
:proc	it:exec:proc	The host process which caused the activity.
:thread	it:exec:thread	The host thread which caused the activity.
:host	it:host	The host on which the activity occurred.
:time	time	The time that the activity started.
:sandbox:file	file:bytes	The initial sample given to a sandbox environment to analyze.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:http:request:header

An HTTP request header.

The base type for the form can be found at inet:http:request:header.

Properties:

name	type	doc	opts
:name	inet:http:header:name	The name of the HTTP request header.	Read Only: True
:value	str	The value of the HTTP request header.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:http:response:header

An HTTP response header.

The base type for the form can be found at inet:http:response:header.

Properties:

name	type	doc	opts
:name	inet:http:header:name	The name of the HTTP response header.	Read Only: True
:value	str	The value of the HTTP response header.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:http:session

An HTTP session.

The base type for the form can be found at inet:http:session.

Properties:

name	type	doc
:contact	ps:contact	The ps:contact which owns the session.
:cookies	array type: inet:http:cookie sorted: True uniq: True	An array of cookies used to identify this specific session.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:iface

A network interface with a set of associated protocol addresses.

The base type for the form can be found at inet:iface.

Properties:

name	type	doc	opts
:host	it:host	The guid of the host the interface is associated with.
:name	str strip: True	The interface name.	Example: eth0
:network	it:network	The guid of the it:network the interface connected to.
:type	str lower: True	The free-form interface type.
:mac	inet:mac	The ethernet (MAC) address of the interface.
:ipv4	inet:ipv4	The IPv4 address of the interface.
:ipv6	inet:ipv6	The IPv6 address of the interface.
:phone	tel:phone	The telephone number of the interface.
:wifi:ssid	inet:wifi:ssid	The wifi SSID of the interface.
:wifi:bssid	inet:mac	The wifi BSSID of the interface.
:adid	it:adid	An advertising ID associated with the interface.
:mob:imei	tel:mob:imei	The IMEI of the interface.
:mob:imsi	tel:mob:imsi	The IMSI of the interface.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:ipv4

An IPv4 address.

The base type for the form can be found at inet:ipv4.

An example of inet:ipv4:

• 1.2.3.4

Properties:

name	type	doc
:asn	inet:asn	The ASN to which the IPv4 address is currently assigned.
:latlong	geo:latlong	The best known latitude/longitude for the node.
:loc	loc	The geo-political location string for the IPv4.
:place	geo:place	The geo:place associated with the latlong property.
:type	str	The type of IP address (e.g., private, multicast, etc.).
:dns:rev	inet:fqdn	The most current DNS reverse lookup for the IPv4.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
inet:whois:iprec	-(ipwhois)>	inet:ipv4	The source IP whois record describes the target IPv4 address.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:ipv6

An IPv6 address.

The base type for the form can be found at inet:ipv6.

An example of inet:ipv6:

• 2607:f8b0:4004:809::200e

Properties:

name	type	doc
:asn	inet:asn	The ASN to which the IPv6 address is currently assigned.
:ipv4	inet:ipv4	The mapped ipv4.
:latlong	geo:latlong	The last known latitude/longitude for the node.
:place	geo:place	The geo:place associated with the latlong property.
:dns:rev	inet:fqdn	The most current DNS reverse lookup for the IPv6.
:loc	loc	The geo-political location string for the IPv6.
:type	str	The type of IP address (e.g., private, multicast, etc.).
:scope	str enums: reserved,interface-local,link-local,realm-local,admin-local,site-local,organization-local,global,unassigned	The IPv6 scope of the address (e.g., global, link-local, etc.).

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
inet:whois:iprec	-(ipwhois)>	inet:ipv6	The source IP whois record describes the target IPv6 address.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:mac

A 48-bit Media Access Control (MAC) address.

The base type for the form can be found at inet:mac.

An example of inet:mac:

• aa:bb:cc:dd:ee:ff

Properties:

name	type	doc
:vendor	str	The vendor associated with the 24-bit prefix of a MAC address.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:passwd

A password string.

The base type for the form can be found at inet:passwd.

Properties:

name	type	doc	opts
:md5	hash:md5	The MD5 hash of the password.	Read Only: True
:sha1	hash:sha1	The SHA1 hash of the password.	Read Only: True
:sha256	hash:sha256	The SHA256 hash of the password.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:proto

A network protocol name.

The base type for the form can be found at inet:proto.

Properties:

name	type	doc
:port	inet:port	The default port this protocol typically uses if applicable.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:rfc2822:addr

An RFC 2822 Address field.

The base type for the form can be found at inet:rfc2822:addr.

An example of inet:rfc2822:addr:

• "Visi Kenshoto" <visi@vertex.link>

Properties:

name	type	doc	opts
:name	ps:name	The name field parsed from an RFC 2822 address string.	Read Only: True
:email	inet:email	The email field parsed from an RFC 2822 address string.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:search:query

An instance of a search query issued to a search engine.

The base type for the form can be found at inet:search:query.

Properties:

name	type	doc	opts
:text	str	The search query text.	Display: {'hint': 'text'}
:time	time	The time the web search was issued.
:acct	inet:web:acct	The account that the query was issued as.
:host	it:host	The host that issued the query.
:engine	str lower: True	A simple name for the search engine used.	Example: google
:request	inet:http:request	The HTTP request used to issue the query.
:app	inet:service:app	The app which handled the action.
:account	inet:service:account	The account which initiated the action.
:success	bool	Set to true if the action was successful.
:rule	inet:service:rule	The rule which allowed or denied the action.
:error:code	str strip: True	The platform specific error code if the action was unsuccessful.
:error:reason	str strip: True	The platform specific friendly error reason if the action was unsuccessful.
:platform	inet:service:platform	The platform where the action was initiated.
:instance	inet:service:instance	The platform instance where the action was initiated.
:session	inet:service:session	The session which initiated the action.
:client	inet:client	The network address of the client which initiated the action.
:client:host	it:host	The client host which initiated the action.
:client:app	inet:service:app	The client service app which initiated the action.
:server	inet:server	The network address of the server which handled the action.
:server:host	it:host	The server host which handled the action.
:id	str strip: True	A platform specific ID which identifies the node.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:search:result

A single result from a web search.

The base type for the form can be found at inet:search:result.

Properties:

name	type	doc
:query	inet:search:query	The search query that produced the result.
:title	str lower: True	The title of the matching web page.
:rank	int	The rank/order of the query result.
:url	inet:url	The URL hosting the matching content.
:text	str lower: True	Extracted/matched text from the matched content.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:server

A network server address.

The base type for the form can be found at inet:server.

An example of inet:server:

• tcp://1.2.3.4:80

Properties:

name	type	doc	opts
:proto	str lower: True	The network protocol of the server.	Read Only: True
:ipv4	inet:ipv4	The IPv4 of the server.	Read Only: True
:ipv6	inet:ipv6	The IPv6 of the server.	Read Only: True
:host	it:host	The it:host node for the server.	Read Only: True
:port	inet:port	The server tcp/udp port.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:servfile

A file hosted on a server for access over a network protocol.

The base type for the form can be found at inet:servfile.

Properties:

name	type	doc	opts
:file	file:bytes	The file hosted by the server.	Read Only: True
:server	inet:server	The inet:addr of the server.	Read Only: True
:server:proto	str lower: True	The network protocol of the server.	Read Only: True
:server:ipv4	inet:ipv4	The IPv4 of the server.	Read Only: True
:server:ipv6	inet:ipv6	The IPv6 of the server.	Read Only: True
:server:host	it:host	The it:host node for the server.	Read Only: True
:server:port	inet:port	The server tcp/udp port.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:access

Represents a user access request to a service resource.

The base type for the form can be found at inet:service:access.

Properties:

name	type	doc
:action	inet:service:access:action:taxonomy	The platform specific action which this access records.
:resource	inet:service:resource	The resource which the account attempted to access.
:type	int enums: ((10, 'create'), (30, 'read'), (40, 'update'), (50, 'delete'), (60, 'list'), (70, 'execute'))	The type of access requested.
:app	inet:service:app	The app which handled the action.
:time	time	The time that the account initiated the action.
:account	inet:service:account	The account which initiated the action.
:success	bool	Set to true if the action was successful.
:rule	inet:service:rule	The rule which allowed or denied the action.
:error:code	str strip: True	The platform specific error code if the action was unsuccessful.
:error:reason	str strip: True	The platform specific friendly error reason if the action was unsuccessful.
:platform	inet:service:platform	The platform where the action was initiated.
:instance	inet:service:instance	The platform instance where the action was initiated.
:session	inet:service:session	The session which initiated the action.
:client	inet:client	The network address of the client which initiated the action.
:client:host	it:host	The client host which initiated the action.
:client:app	inet:service:app	The client service app which initiated the action.
:server	inet:server	The network address of the server which handled the action.
:server:host	it:host	The server host which handled the action.
:id	str strip: True	A platform specific ID which identifies the node.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:account

An account within a service platform. Accounts may be instance specific.

The base type for the form can be found at inet:service:account.

Properties:

name	type	doc
:user	inet:user	The current user name of the account.
:email	inet:email	The current email address associated with the account.
:tenant	inet:service:tenant	The tenant which contains the account.
:profile	ps:contact	The primary contact information for the account.
:url	inet:url	The primary URL associated with the account.
:status	inet:service:object:status	The status of the account.
:period	ival	The period when the account existed.
:creator	inet:service:account	The service account which created the account.
:remover	inet:service:account	The service account which removed or decommissioned the account.
:id	str strip: True	A platform specific ID which identifies the account.
:platform	inet:service:platform	The platform which defines the account.
:instance	inet:service:instance	The platform instance which defines the account.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:app

A platform specific application.

The base type for the form can be found at inet:service:app.

Properties:

name	type	doc	opts
:name	str lower: True onespace: True	The name of the platform specific application.	alts: ('names',)
:names	array type: str typeopts: {'onespace': True, 'lower': True} sorted: True uniq: True	An array of alternate names for the application.
:desc	str	A description of the platform specific application.	Display: {'hint': 'text'}
:url	inet:url	The primary URL associated with the application.
:status	inet:service:object:status	The status of the application.
:period	ival	The period when the application existed.
:creator	inet:service:account	The service account which created the application.
:remover	inet:service:account	The service account which removed or decommissioned the application.
:id	str strip: True	A platform specific ID which identifies the application.
:platform	inet:service:platform	The platform which defines the application.
:instance	inet:service:instance	The platform instance which defines the application.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:bucket

A file/blob storage object within a service architecture.

The base type for the form can be found at inet:service:bucket.

Properties:

name	type	doc
:name	str onespace: True lower: True	The name of the service resource.
:url	inet:url	The primary URL associated with the bucket.
:status	inet:service:object:status	The status of the bucket.
:period	ival	The period when the bucket existed.
:creator	inet:service:account	The service account which created the bucket.
:remover	inet:service:account	The service account which removed or decommissioned the bucket.
:id	str strip: True	A platform specific ID which identifies the bucket.
:platform	inet:service:platform	The platform which defines the bucket.
:instance	inet:service:instance	The platform instance which defines the bucket.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:bucket:item

An individual file stored within a bucket.

The base type for the form can be found at inet:service:bucket:item.

Properties:

name	type	doc
:bucket	inet:service:bucket	The bucket which contains the item.
:file	file:bytes	The bytes stored within the bucket item.
:file:name	file:path	The name of the file stored in the bucket item.
:url	inet:url	The primary URL associated with the bucket item.
:status	inet:service:object:status	The status of the bucket item.
:period	ival	The period when the bucket item existed.
:creator	inet:service:account	The service account which created the bucket item.
:remover	inet:service:account	The service account which removed or decommissioned the bucket item.
:id	str strip: True	A platform specific ID which identifies the bucket item.
:platform	inet:service:platform	The platform which defines the bucket item.
:instance	inet:service:instance	The platform instance which defines the bucket item.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:channel

A channel used to distribute messages.

The base type for the form can be found at inet:service:channel.

Properties:

name	type	doc
:name	str onespace: True lower: True	The name of the channel.
:period	ival	The time period where the channel was available.
:topic	media:topic	The visible topic of the channel.
:url	inet:url	The primary URL associated with the channel.
:status	inet:service:object:status	The status of the channel.
:creator	inet:service:account	The service account which created the channel.
:remover	inet:service:account	The service account which removed or decommissioned the channel.
:id	str strip: True	A platform specific ID which identifies the channel.
:platform	inet:service:platform	The platform which defines the channel.
:instance	inet:service:instance	The platform instance which defines the channel.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:channel:member

Represents a service account being a member of a channel.

The base type for the form can be found at inet:service:channel:member.

Properties:

name	type	doc
:channel	inet:service:channel	The channel that the account was a member of.
:account	inet:service:account	The account that was a member of the channel.
:period	ival	The time period where the account was a member of the channel.
:url	inet:url	The primary URL associated with the channel membership.
:status	inet:service:object:status	The status of the channel membership.
:creator	inet:service:account	The service account which created the channel membership.
:remover	inet:service:account	The service account which removed or decommissioned the channel membership.
:id	str strip: True	A platform specific ID which identifies the channel membership.
:platform	inet:service:platform	The platform which defines the channel membership.
:instance	inet:service:instance	The platform instance which defines the channel membership.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:emote

An emote or reaction by an account.

The base type for the form can be found at inet:service:emote.

Properties:

name	type	doc	opts
:about	inet:service:object	The node that the emote is about.
:text	str strip: True	The unicode or emote text of the reaction.	Example: :partyparrot:
:url	inet:url	The primary URL associated with the emote.
:status	inet:service:object:status	The status of the emote.
:period	ival	The period when the emote existed.
:creator	inet:service:account	The service account which created the emote.
:remover	inet:service:account	The service account which removed or decommissioned the emote.
:id	str strip: True	A platform specific ID which identifies the emote.
:platform	inet:service:platform	The platform which defines the emote.
:instance	inet:service:instance	The platform instance which defines the emote.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:group

A group or role which contains member accounts.

The base type for the form can be found at inet:service:group.

Properties:

name	type	doc
:name	inet:group	The name of the group on this platform.
:profile	ps:contact	Current detailed contact information for this group.
:url	inet:url	The primary URL associated with the group.
:status	inet:service:object:status	The status of the group.
:period	ival	The period when the group existed.
:creator	inet:service:account	The service account which created the group.
:remover	inet:service:account	The service account which removed or decommissioned the group.
:id	str strip: True	A platform specific ID which identifies the group.
:platform	inet:service:platform	The platform which defines the group.
:instance	inet:service:instance	The platform instance which defines the group.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:group:member

Represents a service account being a member of a group.

The base type for the form can be found at inet:service:group:member.

Properties:

name	type	doc
:account	inet:service:account	The account that is a member of the group.
:group	inet:service:group	The group that the account is a member of.
:period	ival	The time period when the account was a member of the group.
:url	inet:url	The primary URL associated with the group membership.
:status	inet:service:object:status	The status of the group membership.
:creator	inet:service:account	The service account which created the group membership.
:remover	inet:service:account	The service account which removed or decommissioned the group membership.
:id	str strip: True	A platform specific ID which identifies the group membership.
:platform	inet:service:platform	The platform which defines the group membership.
:instance	inet:service:instance	The platform instance which defines the group membership.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:instance

An instance of the platform such as Slack or Discord instances.

The base type for the form can be found at inet:service:instance.

Properties:

name	type	doc	opts
:id	str strip: True	A platform specific ID to identify the service instance.	Example: B8ZS2
:platform	inet:service:platform	The platform which defines the service instance.
:url	inet:url	The primary URL which identifies the service instance.	Example: https://v.vtx.lk/slack
:name	str lower: True onespace: True	The name of the service instance.	Example: synapse users slack
:desc	str	A description of the service instance.	Display: {'hint': 'text'}
:period	ival	The time period where the instance existed.
:status	inet:service:object:status	The status of this instance.
:creator	inet:service:account	The service account which created the instance.
:owner	inet:service:account	The service account which owns the instance.
:tenant	inet:service:tenant	The tenant which contains the instance.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:login

A login event for a service account.

The base type for the form can be found at inet:service:login.

Properties:

name	type	doc
:method	inet:service:login:method:taxonomy	The type of authentication used for the login. For example “password” or “multifactor.sms”.
:app	inet:service:app	The app which handled the action.
:time	time	The time that the account initiated the action.
:account	inet:service:account	The account which initiated the action.
:success	bool	Set to true if the action was successful.
:rule	inet:service:rule	The rule which allowed or denied the action.
:error:code	str strip: True	The platform specific error code if the action was unsuccessful.
:error:reason	str strip: True	The platform specific friendly error reason if the action was unsuccessful.
:platform	inet:service:platform	The platform where the action was initiated.
:instance	inet:service:instance	The platform instance where the action was initiated.
:session	inet:service:session	The session which initiated the action.
:client	inet:client	The network address of the client which initiated the action.
:client:host	it:host	The client host which initiated the action.
:client:app	inet:service:app	The client service app which initiated the action.
:server	inet:server	The network address of the server which handled the action.
:server:host	it:host	The server host which handled the action.
:id	str strip: True	A platform specific ID which identifies the node.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:message

A message or post created by an account.

The base type for the form can be found at inet:service:message.

Properties:

name	type	doc	opts
:account	inet:service:account	The account which sent the message.
:to	inet:service:account	The destination account. Used for direct messages.
:url	inet:url	The URL where the message may be viewed.
:group	inet:service:group	The group that the message was sent to.
:channel	inet:service:channel	The channel that the message was sent to.
:thread	inet:service:thread	The thread which contains the message.
:public	bool	Set to true if the message is publicly visible.
:title	str lower: True onespace: True	The message title.
:text	str	The text body of the message.	Display: {'hint': 'text'}
:status	inet:service:object:status	The message status.
:replyto	inet:service:message	The message that this message was sent in reply to. Used for message threading.
:repost	inet:service:message	The original message reposted by this message.
:links	array type: inet:service:message:link uniq: True sorted: True	An array of links contained within the message.
:attachments	array type: inet:service:message:attachment uniq: True sorted: True	An array of files attached to the message.
:hashtags	array type: inet:web:hashtag uniq: True sorted: True split: ,	An array of hashtags mentioned within the message.
:place	geo:place	The place that the message was sent from.
:place:name	geo:name	The name of the place that the message was sent from.
:client:address	inet:client	Deprecated. Please use :client.	Deprecated: True
:client:software	it:prod:softver	The client software version used to send the message.
:client:software:name	it:prod:softname	The name of the client software used to send the message.
:file	file:bytes	The raw file that the message was extracted from.
:type	inet:service:message:type:taxonomy	The type of message.
:mentions	array type: ndef typeopts: {'forms': ('inet:service:account', 'inet:service:group')} uniq: True sorted: True	Contactable entities mentioned within the message.
:app	inet:service:app	The app which handled the action.
:time	time	The time that the account initiated the action.
:success	bool	Set to true if the action was successful.
:rule	inet:service:rule	The rule which allowed or denied the action.
:error:code	str strip: True	The platform specific error code if the action was unsuccessful.
:error:reason	str strip: True	The platform specific friendly error reason if the action was unsuccessful.
:platform	inet:service:platform	The platform where the action was initiated.
:instance	inet:service:instance	The platform instance where the action was initiated.
:session	inet:service:session	The session which initiated the action.
:client	inet:client	The network address of the client which initiated the action.
:client:host	it:host	The client host which initiated the action.
:client:app	inet:service:app	The client service app which initiated the action.
:server	inet:server	The network address of the server which handled the action.
:server:host	it:host	The server host which handled the action.
:id	str strip: True	A platform specific ID which identifies the node.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:message:attachment

A file attachment included within a message.

The base type for the form can be found at inet:service:message:attachment.

Properties:

name	type	doc
:name	file:path	The name of the attached file.
:text	str	Any text associated with the file such as alt-text for images.
:file	file:bytes	The file which was attached to the message.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:message:link

A URL link included within a message.

The base type for the form can be found at inet:service:message:link.

Properties:

name	type	doc
:title	str strip: True	The title text for the link.
:url	inet:url	The URL which was attached to the message.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:message:type:taxonomy

A message type taxonomy.

The base type for the form can be found at inet:service:message:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	inet:service:message:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:permission

A permission which may be granted to a service account or role.

The base type for the form can be found at inet:service:permission.

Properties:

name	type	doc
:name	str onespace: True lower: True	The name of the permission.
:type	inet:service:permission:type:taxonomy	The type of permission.
:url	inet:url	The primary URL associated with the permission.
:status	inet:service:object:status	The status of the permission.
:period	ival	The period when the permission existed.
:creator	inet:service:account	The service account which created the permission.
:remover	inet:service:account	The service account which removed or decommissioned the permission.
:id	str strip: True	A platform specific ID which identifies the permission.
:platform	inet:service:platform	The platform which defines the permission.
:instance	inet:service:instance	The platform instance which defines the permission.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:permission:type:taxonomy

A permission type taxonomy.

The base type for the form can be found at inet:service:permission:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	inet:service:permission:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:platform

A network platform which provides services.

The base type for the form can be found at inet:service:platform.

Properties:

name	type	doc	opts
:url	inet:url	The primary URL of the platform.	Example: https://twitter.com alts: ('urls',)
:urls	array type: inet:url sorted: True uniq: True	An array of alternate URLs for the platform.
:name	str onespace: True lower: True	A friendly name for the platform.	Example: twitter alts: ('names',)
:names	array type: str typeopts: {'onespace': True, 'lower': True} sorted: True uniq: True	An array of alternate names for the platform.
:desc	str	A description of the service platform.	Display: {'hint': 'text'}
:provider	ou:org	The organization which operates the platform.
:provider:name	ou:name	The name of the organization which operates the platform.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:relationship

A relationship between two service objects.

The base type for the form can be found at inet:service:relationship.

Properties:

name	type	doc	opts
:source	inet:service:object	The source object.
:target	inet:service:object	The target object.
:type	inet:service:relationship:type:taxonomy	The type of relationship between the source and the target.	Example: follows
:url	inet:url	The primary URL associated with the relationship.
:status	inet:service:object:status	The status of the relationship.
:period	ival	The period when the relationship existed.
:creator	inet:service:account	The service account which created the relationship.
:remover	inet:service:account	The service account which removed or decommissioned the relationship.
:id	str strip: True	A platform specific ID which identifies the relationship.
:platform	inet:service:platform	The platform which defines the relationship.
:instance	inet:service:instance	The platform instance which defines the relationship.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:relationship:type:taxonomy

A service object relationship type taxonomy.

The base type for the form can be found at inet:service:relationship:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	inet:service:relationship:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:resource

A generic resource provided by the service architecture.

The base type for the form can be found at inet:service:resource.

Properties:

name	type	doc	opts
:name	str onespace: True lower: True	The name of the service resource.
:desc	str	A description of the service resource.	Display: {'hint': 'text'}
:url	inet:url	The primary URL where the resource is available from the service.
:type	inet:service:resource:type:taxonomy	The resource type. For example “rpc.endpoint”.
:status	inet:service:object:status	The status of the resource.
:period	ival	The period when the resource existed.
:creator	inet:service:account	The service account which created the resource.
:remover	inet:service:account	The service account which removed or decommissioned the resource.
:id	str strip: True	A platform specific ID which identifies the resource.
:platform	inet:service:platform	The platform which defines the resource.
:instance	inet:service:instance	The platform instance which defines the resource.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:resource:type:taxonomy

A taxonomy of inet service resource types.

The base type for the form can be found at inet:service:resource:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	inet:service:resource:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:rule

A rule which grants or denies a permission to a service account or role.

The base type for the form can be found at inet:service:rule.

Properties:

name	type	doc
:permission	inet:service:permission	The permission which is granted.
:denied	bool	Set to (true) to denote that the rule is an explicit deny.
:object	ndef interface: inet:service:object	The object that the permission controls access to.
:grantee	ndef forms: ('inet:service:account', 'inet:service:group')	The user or role which is granted the permission.
:url	inet:url	The primary URL associated with the rule.
:status	inet:service:object:status	The status of the rule.
:period	ival	The period when the rule existed.
:creator	inet:service:account	The service account which created the rule.
:remover	inet:service:account	The service account which removed or decommissioned the rule.
:id	str strip: True	A platform specific ID which identifies the rule.
:platform	inet:service:platform	The platform which defines the rule.
:instance	inet:service:instance	The platform instance which defines the rule.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:ruleset	-(has)>	inet:service:rule	The meta:ruleset includes the inet:service:rule.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:mitigation	-(uses)>	inet:service:rule	The mitigation uses the service rule.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:session

An authenticated session.

The base type for the form can be found at inet:service:session.

Properties:

name	type	doc
:creator	inet:service:account	The account which authenticated to create the session.
:period	ival	The period where the session was valid.
:http:session	inet:http:session	The HTTP session associated with the service session.
:url	inet:url	The primary URL associated with the session.
:status	inet:service:object:status	The status of the session.
:remover	inet:service:account	The service account which removed or decommissioned the session.
:id	str strip: True	A platform specific ID which identifies the session.
:platform	inet:service:platform	The platform which defines the session.
:instance	inet:service:instance	The platform instance which defines the session.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:subscription

A subscription to a service platform or instance.

The base type for the form can be found at inet:service:subscription.

Properties:

name	type	doc
:level	inet:service:subscription:level:taxonomy	A platform specific subscription level.
:pay:instrument	econ:pay:instrument	The primary payment instrument used to pay for the subscription.
:subscriber	inet:service:subscriber	The subscriber who owns the subscription.
:url	inet:url	The primary URL associated with the subscription.
:status	inet:service:object:status	The status of the subscription.
:period	ival	The period when the subscription existed.
:creator	inet:service:account	The service account which created the subscription.
:remover	inet:service:account	The service account which removed or decommissioned the subscription.
:id	str strip: True	A platform specific ID which identifies the subscription.
:platform	inet:service:platform	The platform which defines the subscription.
:instance	inet:service:instance	The platform instance which defines the subscription.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:subscription:level:taxonomy

A taxonomy of platform specific subscription levels.

The base type for the form can be found at inet:service:subscription:level:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	inet:service:subscription:level:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:tenant

A tenant which groups accounts and instances.

The base type for the form can be found at inet:service:tenant.

Properties:

name	type	doc
:profile	ps:contact	The primary contact information for the tenant.
:url	inet:url	The primary URL associated with the tenant.
:status	inet:service:object:status	The status of the tenant.
:period	ival	The period when the tenant existed.
:creator	inet:service:account	The service account which created the tenant.
:remover	inet:service:account	The service account which removed or decommissioned the tenant.
:id	str strip: True	A platform specific ID which identifies the tenant.
:platform	inet:service:platform	The platform which defines the tenant.
:instance	inet:service:instance	The platform instance which defines the tenant.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:service:thread

A message thread.

The base type for the form can be found at inet:service:thread.

Properties:

name	type	doc
:title	str lower: True onespace: True	The title of the thread.
:channel	inet:service:channel	The channel that contains the thread.
:message	inet:service:message	The message which initiated the thread.
:url	inet:url	The primary URL associated with the thread.
:status	inet:service:object:status	The status of the thread.
:period	ival	The period when the thread existed.
:creator	inet:service:account	The service account which created the thread.
:remover	inet:service:account	The service account which removed or decommissioned the thread.
:id	str strip: True	A platform specific ID which identifies the thread.
:platform	inet:service:platform	The platform which defines the thread.
:instance	inet:service:instance	The platform instance which defines the thread.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:ssl:cert

Deprecated. Please use inet:tls:servercert or inet:tls:clientcert.

The base type for the form can be found at inet:ssl:cert.

Properties:

name	type	doc	opts
:file	file:bytes	The file bytes for the SSL certificate.	Read Only: True
:server	inet:server	The server that presented the SSL certificate.	Read Only: True
:server:ipv4	inet:ipv4	The SSL server IPv4 address.	Read Only: True
:server:ipv6	inet:ipv6	The SSL server IPv6 address.	Read Only: True
:server:port	inet:port	The SSL server listening port.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:ssl:jarmhash

A TLS JARM fingerprint hash.

The base type for the form can be found at inet:ssl:jarmhash.

Properties:

name	type	doc	opts
:ciphers	str lower: True strip: True regex: ^[0-9a-f]{30}$	The encoded cipher and TLS version of the server.	Read Only: True
:extensions	str lower: True strip: True regex: ^[0-9a-f]{32}$	The truncated SHA256 of the TLS server extensions.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:ssl:jarmsample

A JARM hash sample taken from a server.

The base type for the form can be found at inet:ssl:jarmsample.

Properties:

name	type	doc	opts
:jarmhash	inet:ssl:jarmhash	The JARM hash computed from the server responses.	Read Only: True
:server	inet:server	The server that was sampled to compute the JARM hash.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:clientcert

An x509 certificate sent by a client for TLS.

The base type for the form can be found at inet:tls:clientcert.

An example of inet:tls:clientcert:

• (1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)

Properties:

name	type	doc	opts
:client	inet:client	The client associated with the x509 certificate.	Read Only: True
:cert	crypto:x509:cert	The x509 certificate sent by the client.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:handshake

An instance of a TLS handshake between a server and client.

The base type for the form can be found at inet:tls:handshake.

Properties:

name	type	doc	opts
:time	time	The time the handshake was initiated.
:flow	inet:flow	The raw inet:flow associated with the handshake.
:server	inet:server	The TLS server during the handshake.
:server:cert	crypto:x509:cert	The x509 certificate sent by the server during the handshake.
:server:ja3s	hash:md5	The JA3S fingerprint of the server response.
:server:ja4s	inet:tls:ja4s	The JA4S fingerprint of the server response.
:client	inet:client	The TLS client during the handshake.
:client:cert	crypto:x509:cert	The x509 certificate sent by the client during the handshake.
:client:ja3	hash:md5	The JA3 fingerprint of the client request.
:client:ja4	inet:tls:ja4	The JA4 fingerprint of the client request.
:client:fingerprint:ja3	hash:md5	Deprecated. Please use :client:ja3.	Deprecated: True
:server:fingerprint:ja3	hash:md5	Deprecated. Please use :server:ja3s.	Deprecated: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:ja3:sample

A JA3 sample taken from a client.

The base type for the form can be found at inet:tls:ja3:sample.

Properties:

name	type	doc	opts
:client	inet:client	The client that was sampled to produce the JA3 hash.	Read Only: True
:ja3	hash:md5	The JA3 hash computed from the client’s TLS hello packet.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:ja3s:sample

A JA3 sample taken from a server.

The base type for the form can be found at inet:tls:ja3s:sample.

Properties:

name	type	doc	opts
:server	inet:server	The server that was sampled to produce the JA3S hash.	Read Only: True
:ja3s	hash:md5	The JA3S hash computed from the server’s TLS hello packet.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:ja4

A JA4 TLS client fingerprint.

The base type for the form can be found at inet:tls:ja4.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:ja4:sample

A JA4 TLS client fingerprint used by a client.

The base type for the form can be found at inet:tls:ja4:sample.

Properties:

name	type	doc	opts
:ja4	inet:tls:ja4	The JA4 TLS client fingerprint.	Read Only: True
:client	inet:client	The client which initiated the TLS handshake with a JA4 fingerprint.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:ja4s

A JA4S TLS server fingerprint.

The base type for the form can be found at inet:tls:ja4s.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:ja4s:sample

A JA4S TLS server fingerprint used by a server.

The base type for the form can be found at inet:tls:ja4s:sample.

Properties:

name	type	doc	opts
:ja4s	inet:tls:ja4s	The JA4S TLS server fingerprint.	Read Only: True
:server	inet:server	The server which responded to the TLS handshake with a JA4S fingerprint.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tls:servercert

An x509 certificate sent by a server for TLS.

The base type for the form can be found at inet:tls:servercert.

An example of inet:tls:servercert:

• (1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)

Properties:

name	type	doc	opts
:server	inet:server	The server associated with the x509 certificate.	Read Only: True
:cert	crypto:x509:cert	The x509 certificate sent by the server.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tunnel

A specific sequence of hosts forwarding connections such as a VPN or proxy.

The base type for the form can be found at inet:tunnel.

Properties:

name	type	doc
:anon	bool	Indicates that this tunnel provides anonymization.
:type	inet:tunnel:type:taxonomy	The type of tunnel such as vpn or proxy.
:ingress	inet:server	The server where client traffic enters the tunnel.
:egress	inet:server	The server where client traffic leaves the tunnel.
:operator	ps:contact	The contact information for the tunnel operator.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:tunnel:type:taxonomy

A taxonomy of network tunnel types.

The base type for the form can be found at inet:tunnel:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	inet:tunnel:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:url

A Universal Resource Locator (URL).

The base type for the form can be found at inet:url.

An example of inet:url:

• http://www.woot.com/files/index.html

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The fqdn used in the URL (e.g., http://www.woot.com/page.html).	Read Only: True
:ipv4	inet:ipv4	The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html).	Read Only: True
:ipv6	inet:ipv6	The IPv6 address used in the URL.	Read Only: True
:passwd	inet:passwd	The optional password used to access the URL.	Read Only: True
:base	str	The base scheme, user/pass, fqdn, port and path w/o parameters.	Read Only: True
:path	str	The path in the URL w/o parameters.	Read Only: True
:params	str	The URL parameter string.	Read Only: True
:port	inet:port	The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified.	Read Only: True
:proto	str lower: True	The protocol in the URL.	Read Only: True
:user	inet:user	The optional username used to access the URL.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:dev:repo	-(has)>	inet:url	The repo has content hosted at the URL.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:url:mirror

A URL mirror site.

The base type for the form can be found at inet:url:mirror.

Properties:

name	type	doc	opts
:of	inet:url	The URL being mirrored.	Read Only: True
:at	inet:url	The URL of the mirror.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:urlfile

A file hosted at a specific Universal Resource Locator (URL).

The base type for the form can be found at inet:urlfile.

Properties:

name	type	doc	opts
:url	inet:url	The URL where the file was hosted.	Read Only: True
:file	file:bytes	The file that was hosted at the URL.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:urlredir

A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.

The base type for the form can be found at inet:urlredir.

An example of inet:urlredir:

• (http://foo.com/,http://bar.com/)

Properties:

name	type	doc	opts
:src	inet:url	The original/source URL before redirect.	Read Only: True
:src:fqdn	inet:fqdn	The FQDN within the src URL (if present).	Read Only: True
:dst	inet:url	The redirected/destination URL.	Read Only: True
:dst:fqdn	inet:fqdn	The FQDN within the dst URL (if present).	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:user

A username string.

The base type for the form can be found at inet:user.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:acct

An account with a given Internet-based site or service.

The base type for the form can be found at inet:web:acct.

An example of inet:web:acct:

• twitter.com/invisig0th

Properties:

name	type	doc	opts
:avatar	file:bytes	The file representing the avatar (e.g., profile picture) for the account.
:banner	file:bytes	The file representing the banner for the account.
:dob	time	A self-declared date of birth for the account (if the account belongs to a person).
:email	inet:email	The email address associated with the account.
:linked:accts	array type: inet:web:acct uniq: True sorted: True	Linked accounts specified in the account profile.
:latlong	geo:latlong	The last known latitude/longitude for the node.
:place	geo:place	The geo:place associated with the latlong property.
:loc	loc	A self-declared location for the account.
:name	inet:user	The localized name associated with the account (may be different from the account identifier, e.g., a display name).
:name:en	inet:user	The English version of the name associated with the (may be different from the account identifier, e.g., a display name).	Deprecated: True
:aliases	array type: inet:user uniq: True sorted: True	An array of alternate names for the user.
:occupation	str lower: True	A self-declared occupation for the account.
:passwd	inet:passwd	The current password for the account.
:phone	tel:phone	The phone number associated with the account.
:realname	ps:name	The localized version of the real name of the account owner / registrant.
:realname:en	ps:name	The English version of the real name of the account owner / registrant.	Deprecated: True
:signup	time	The date and time the account was registered.
:signup:client	inet:client	The client address used to sign up for the account.
:signup:client:ipv4	inet:ipv4	The IPv4 address used to sign up for the account.
:signup:client:ipv6	inet:ipv6	The IPv6 address used to sign up for the account.
:site	inet:fqdn	The site or service associated with the account.	Read Only: True
:tagline	str	The text of the account status or tag line.
:url	inet:url	The service provider URL where the account is hosted.
:user	inet:user	The unique identifier for the account (may be different from the common name or display name).	Read Only: True
:webpage	inet:url	A related URL specified by the account (e.g., a personal or company web page, blog, etc.).
:recovery:email	inet:email	An email address registered as a recovery email address for the account.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:action

An instance of an account performing an action at an Internet-based site or service.

The base type for the form can be found at inet:web:action.

Properties:

name	type	doc
:act	str lower: True strip: True	The action performed by the account.
:acct	inet:web:acct	The web account associated with the action.
:acct:site	inet:fqdn	The site or service associated with the account.
:acct:user	inet:user	The unique identifier for the account.
:time	time	The date and time the account performed the action.
:client	inet:client	The source client address of the action.
:client:ipv4	inet:ipv4	The source IPv4 address of the action.
:client:ipv6	inet:ipv6	The source IPv6 address of the action.
:loc	loc	The location of the user executing the web action.
:latlong	geo:latlong	The latlong of the user when executing the web action.
:place	geo:place	The geo:place of the user when executing the web action.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:attachment

An instance of a file being sent to a web service by an account.

The base type for the form can be found at inet:web:attachment.

Properties:

name	type	doc	opts
:acct	inet:web:acct	The account that uploaded the file.
:post	inet:web:post	The optional web post that the file was attached to.
:mesg	inet:web:mesg	The optional web message that the file was attached to.
:proto	inet:proto	The protocol used to transmit the file to the web service.	Example: https
:interactive	bool	Set to true if the upload was interactive. False if automated.
:file	file:bytes	The file that was sent.
:name	file:path	The name of the file at the time it was sent.
:time	time	The time the file was sent.
:client	inet:client	The client address which initiated the upload.
:client:ipv4	inet:ipv4	The IPv4 address of the client that initiated the upload.
:client:ipv6	inet:ipv6	The IPv6 address of the client that initiated the upload.
:place	geo:place	The place the file was sent from.
:place:loc	loc	The geopolitical location that the file was sent from.
:place:name	geo:name	The reported name of the place that the file was sent from.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:channel

A channel within a web service or instance such as slack or discord.

The base type for the form can be found at inet:web:channel.

Properties:

name	type	doc	opts
:url	inet:url	The primary URL used to identify the channel.	Example: https://app.slack.com/client/T2XK1223Y/C2XHHNDS7
:id	str strip: True	The operator specified ID of this channel.	Example: C2XHHNDS7
:instance	inet:web:instance	The instance which contains the channel.
:name	str strip: True	The visible name of the channel.	Example: general
:topic	str strip: True	The visible topic of the channel.	Example: Synapse Discussion - Feel free to invite others!
:created	time	The time the channel was created.
:creator	inet:web:acct	The account which created the channel.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:chprofile

A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.

The base type for the form can be found at inet:web:chprofile.

Properties:

name	type	doc
:acct	inet:web:acct	The web account associated with the change.
:acct:site	inet:fqdn	The site or service associated with the account.
:acct:user	inet:user	The unique identifier for the account.
:client	inet:client	The source address used to make the account change.
:client:ipv4	inet:ipv4	The source IPv4 address used to make the account change.
:client:ipv6	inet:ipv6	The source IPv6 address used to make the account change.
:time	time	The date and time when the account change occurred.
:pv	nodeprop	The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.
:pv:prop	str	The property that was changed.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:file

A file posted by a web account.

The base type for the form can be found at inet:web:file.

Properties:

name	type	doc	opts
:acct	inet:web:acct	The account that owns or is associated with the file.	Read Only: True
:acct:site	inet:fqdn	The site or service associated with the account.	Read Only: True
:acct:user	inet:user	The unique identifier for the account.	Read Only: True
:file	file:bytes	The file owned by or associated with the account.	Read Only: True
:name	file:base	The name of the file owned by or associated with the account.
:posted	time	Deprecated. Instance data belongs on inet:web:attachment.	Deprecated: True
:client	inet:client	Deprecated. Instance data belongs on inet:web:attachment.	Deprecated: True
:client:ipv4	inet:ipv4	Deprecated. Instance data belongs on inet:web:attachment.	Deprecated: True
:client:ipv6	inet:ipv6	Deprecated. Instance data belongs on inet:web:attachment.	Deprecated: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:follows

A web account follows or is connected to another web account.

The base type for the form can be found at inet:web:follows.

Properties:

name	type	doc	opts
:follower	inet:web:acct	The account following an account.	Read Only: True
:followee	inet:web:acct	The account followed by an account.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:group

A group hosted within or registered with a given Internet-based site or service.

The base type for the form can be found at inet:web:group.

An example of inet:web:group:

• somesite.com/mycoolgroup

Properties:

name	type	doc	opts
:site	inet:fqdn	The site or service associated with the group.	Read Only: True
:id	inet:group	The site-specific unique identifier for the group (may be different from the common name or display name).	Read Only: True
:name	inet:group	The localized name associated with the group (may be different from the account identifier, e.g., a display name).
:aliases	array type: inet:group uniq: True sorted: True	An array of alternate names for the group.
:name:en	inet:group	The English version of the name associated with the group (may be different from the localized name).	Deprecated: True
:url	inet:url	The service provider URL where the group is hosted.
:avatar	file:bytes	The file representing the avatar (e.g., profile picture) for the group.
:desc	str	The text of the description of the group.
:webpage	inet:url	A related URL specified by the group (e.g., primary web site, etc.).
:loc	str lower: True	A self-declared location for the group.
:latlong	geo:latlong	The last known latitude/longitude for the node.
:place	geo:place	The geo:place associated with the latlong property.
:signup	time	The date and time the group was created on the site.
:signup:client	inet:client	The client address used to create the group.
:signup:client:ipv4	inet:ipv4	The IPv4 address used to create the group.
:signup:client:ipv6	inet:ipv6	The IPv6 address used to create the group.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:hashtag

A hashtag used in a web post.

The base type for the form can be found at inet:web:hashtag.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:instance

An instance of a web service such as slack or discord.

The base type for the form can be found at inet:web:instance.

Properties:

name	type	doc	opts
:url	inet:url	The primary URL used to identify the instance.	Example: https://app.slack.com/client/T2XK1223Y
:id	str strip: True	The operator specified ID of this instance.	Example: T2XK1223Y
:name	str strip: True	The visible name of the instance.	Example: vertex synapse
:created	time	The time the instance was created.
:creator	inet:web:acct	The account which created the instance.
:owner	ou:org	The organization which created the instance.
:owner:fqdn	inet:fqdn	The FQDN of the organization which created the instance. Used for entity resolution.	Example: vertex.link
:owner:name	ou:name	The name of the organization which created the instance. Used for entity resolution.	Example: the vertex project, llc.
:operator	ou:org	The organization which operates the instance.
:operator:name	ou:name	The name of the organization which operates the instance. Used for entity resolution.	Example: slack
:operator:fqdn	inet:fqdn	The FQDN of the organization which operates the instance. Used for entity resolution.	Example: slack.com

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:logon

An instance of an account authenticating to an Internet-based site or service.

The base type for the form can be found at inet:web:logon.

Properties:

name	type	doc
:acct	inet:web:acct	The web account associated with the logon event.
:acct:site	inet:fqdn	The site or service associated with the account.
:acct:user	inet:user	The unique identifier for the account.
:time	time	The date and time the account logged into the service.
:client	inet:client	The source address of the logon.
:client:ipv4	inet:ipv4	The source IPv4 address of the logon.
:client:ipv6	inet:ipv6	The source IPv6 address of the logon.
:logout	time	The date and time the account logged out of the service.
:loc	loc	The location of the user executing the logon.
:latlong	geo:latlong	The latlong of the user executing the logon.
:place	geo:place	The geo:place of the user executing the logon.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:memb

Deprecated. Please use inet:web:member.

The base type for the form can be found at inet:web:memb.

Properties:

name	type	doc	opts
:acct	inet:web:acct	The account that is a member of the group.	Read Only: True
:group	inet:web:group	The group that the account is a member of.	Read Only: True
:title	str lower: True	The title or status of the member (e.g., admin, new member, etc.).
:joined	time	The date / time the account joined the group.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:member

Represents a web account membership in a channel or group.

The base type for the form can be found at inet:web:member.

Properties:

name	type	doc
:acct	inet:web:acct	The account that is a member of the group or channel.
:group	inet:web:group	The group that the account is a member of.
:channel	inet:web:channel	The channel that the account is a member of.
:added	time	The date / time the account was added to the group or channel.
:removed	time	The date / time the account was removed from the group or channel.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:mesg

A message sent from one web account to another web account or channel.

The base type for the form can be found at inet:web:mesg.

An example of inet:web:mesg:

• ((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)

Properties:

name	type	doc	opts
:from	inet:web:acct	The web account that sent the message.	Read Only: True
:to	inet:web:acct	The web account that received the message.	Read Only: True
:client	inet:client	The source address of the message.
:client:ipv4	inet:ipv4	The source IPv4 address of the message.
:client:ipv6	inet:ipv6	The source IPv6 address of the message.
:time	time	The date and time at which the message was sent.	Read Only: True
:url	inet:url	The URL where the message is posted / visible.
:text	str	The text of the message.	Display: {'hint': 'text'}
:deleted	bool	The message was deleted.
:file	file:bytes	The file attached to or sent with the message.
:place	geo:place	The place that the message was reportedly sent from.
:place:name	geo:name	The name of the place that the message was reportedly sent from. Used for entity resolution.
:instance	inet:web:instance	The instance where the message was sent.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:post

A post made by a web account.

The base type for the form can be found at inet:web:post.

Properties:

name	type	doc	opts
:acct	inet:web:acct	The web account that made the post.
:acct:site	inet:fqdn	The site or service associated with the account.
:client	inet:client	The source address of the post.
:client:ipv4	inet:ipv4	The source IPv4 address of the post.
:client:ipv6	inet:ipv6	The source IPv6 address of the post.
:acct:user	inet:user	The unique identifier for the account.
:text	str	The text of the post.	Display: {'hint': 'text'}
:time	time	The date and time that the post was made.
:deleted	bool	The message was deleted by the poster.
:url	inet:url	The URL where the post is published / visible.
:file	file:bytes	The file that was attached to the post.
:replyto	inet:web:post	The post that this post is in reply to.
:repost	inet:web:post	The original post that this is a repost of.
:hashtags	array type: inet:web:hashtag uniq: True sorted: True split: ,	Hashtags mentioned within the post.
:mentions:users	array type: inet:web:acct uniq: True sorted: True split: ,	Accounts mentioned within the post.
:mentions:groups	array type: inet:web:group uniq: True sorted: True split: ,	Groups mentioned within the post.
:loc	loc	The location that the post was reportedly sent from.
:place	geo:place	The place that the post was reportedly sent from.
:place:name	geo:name	The name of the place that the post was reportedly sent from. Used for entity resolution.
:latlong	geo:latlong	The place that the post was reportedly sent from.
:channel	inet:web:channel	The channel where the post was made.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:web:post:link

A link contained within post text.

The base type for the form can be found at inet:web:post:link.

Properties:

name	type	doc
:post	inet:web:post	The post containing the embedded link.
:url	inet:url	The url that the link forwards to.
:text	str	The displayed hyperlink text if it was not the raw URL.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:contact

An individual contact from a domain whois record.

The base type for the form can be found at inet:whois:contact.

Properties:

name	type	doc	opts
:rec	inet:whois:rec	The whois record containing the contact data.	Read Only: True
:rec:fqdn	inet:fqdn	The domain associated with the whois record.	Read Only: True
:rec:asof	time	The date of the whois record.	Read Only: True
:type	str lower: True	The contact type (e.g., registrar, registrant, admin, billing, tech, etc.).	Read Only: True
:id	str lower: True	The ID associated with the contact.
:name	str lower: True	The name of the contact.
:email	inet:email	The email address of the contact.
:orgname	ou:name	The name of the contact organization.
:address	str lower: True	The content of the street address field(s) of the contact.
:city	str lower: True	The content of the city field of the contact.
:state	str lower: True	The content of the state field of the contact.
:country	str lower: True	The two-letter country code of the contact.
:phone	tel:phone	The content of the phone field of the contact.
:fax	tel:phone	The content of the fax field of the contact.
:url	inet:url	The URL specified for the contact.
:whois:fqdn	inet:fqdn	The whois server FQDN for the given contact (most likely a registrar).

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:email

An email address associated with an FQDN via whois registration text.

The base type for the form can be found at inet:whois:email.

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain with a whois record containing the email address.	Read Only: True
:email	inet:email	The email address associated with the domain whois record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:ipcontact

An individual contact from an IP block record.

The base type for the form can be found at inet:whois:ipcontact.

Properties:

name	type	doc
:contact	ps:contact	Contact information associated with a registration.
:asof	time	The date of the record.
:created	time	The “created” time from the record.
:updated	time	The “last updated” time from the record.
:role	str lower: True	The primary role for the contact.
:roles	array type: str uniq: True sorted: True	Additional roles assigned to the contact.
:asn	inet:asn	The associated Autonomous System Number (ASN).
:id	inet:whois:regid	The registry unique identifier (e.g. NET-74-0-0-0-1).
:links	array type: inet:url uniq: True sorted: True	URLs provided with the record.
:status	str lower: True	The state of the registered contact (e.g. validated, obscured).
:contacts	array type: inet:whois:ipcontact uniq: True sorted: True	Additional contacts referenced by this contact.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:ipquery

Query details used to retrieve an IP record.

The base type for the form can be found at inet:whois:ipquery.

Properties:

name	type	doc
:time	time	The time the request was made.
:url	inet:url	The query URL when using the HTTP RDAP Protocol.
:fqdn	inet:fqdn	The FQDN of the host server when using the legacy WHOIS Protocol.
:ipv4	inet:ipv4	The IPv4 address queried.
:ipv6	inet:ipv6	The IPv6 address queried.
:success	bool	Whether the host returned a valid response for the query.
:rec	inet:whois:iprec	The resulting record from the query.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:iprec

An IPv4/IPv6 block registration record.

The base type for the form can be found at inet:whois:iprec.

Properties:

name	type	doc	opts
:net4	inet:net4	The IPv4 address range assigned.
:net4:min	inet:ipv4	The first IPv4 in the range assigned.
:net4:max	inet:ipv4	The last IPv4 in the range assigned.
:net6	inet:net6	The IPv6 address range assigned.
:net6:min	inet:ipv6	The first IPv6 in the range assigned.
:net6:max	inet:ipv6	The last IPv6 in the range assigned.
:asof	time	The date of the record.
:created	time	The “created” time from the record.
:updated	time	The “last updated” time from the record.
:text	str lower: True	The full text of the record.	Display: {'hint': 'text'}
:desc	str lower: True	Notes concerning the record.	Display: {'hint': 'text'}
:asn	inet:asn	The associated Autonomous System Number (ASN).
:id	inet:whois:regid	The registry unique identifier (e.g. NET-74-0-0-0-1).
:name	str	The name assigned to the network by the registrant.
:parentid	inet:whois:regid	The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).
:registrant	inet:whois:ipcontact	Deprecated. Add the registrant inet:whois:ipcontact to the :contacts array.	Deprecated: True
:contacts	array type: inet:whois:ipcontact uniq: True sorted: True	Additional contacts from the record.
:country	str lower: True regex: ^[a-z]{2}$	The two-letter ISO 3166 country code.
:status	str lower: True	The state of the registered network.
:type	str lower: True	The classification of the registered network (e.g. direct allocation).
:links	array type: inet:url uniq: True sorted: True	URLs provided with the record.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
inet:whois:iprec	-(ipwhois)>	inet:ipv4	The source IP whois record describes the target IPv4 address.
inet:whois:iprec	-(ipwhois)>	inet:ipv6	The source IP whois record describes the target IPv6 address.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:rar

A domain registrar.

The base type for the form can be found at inet:whois:rar.

An example of inet:whois:rar:

• godaddy, inc.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:rec

A domain whois record.

The base type for the form can be found at inet:whois:rec.

Properties:

name	type	doc	opts
:fqdn	inet:fqdn	The domain associated with the whois record.	Read Only: True
:asof	time	The date of the whois record.	Read Only: True
:text	str lower: True	The full text of the whois record.	Display: {'hint': 'text'}
:created	time	The “created” time from the whois record.
:updated	time	The “last updated” time from the whois record.
:expires	time	The “expires” time from the whois record.
:registrar	inet:whois:rar	The registrar name from the whois record.
:registrant	inet:whois:reg	The registrant name from the whois record.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:recns

A nameserver associated with a domain whois record.

The base type for the form can be found at inet:whois:recns.

Properties:

name	type	doc	opts
:ns	inet:fqdn	A nameserver for a domain as listed in the domain whois record.	Read Only: True
:rec	inet:whois:rec	The whois record containing the nameserver data.	Read Only: True
:rec:fqdn	inet:fqdn	The domain associated with the whois record.	Read Only: True
:rec:asof	time	The date of the whois record.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:reg

A domain registrant.

The base type for the form can be found at inet:whois:reg.

An example of inet:whois:reg:

• woot hostmaster

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:whois:regid

The registry unique identifier of the registration record.

The base type for the form can be found at inet:whois:regid.

An example of inet:whois:regid:

• NET-10-0-0-0-1

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:wifi:ap

An SSID/MAC address combination for a wireless access point.

The base type for the form can be found at inet:wifi:ap.

Properties:

name	type	doc	opts
:ssid	inet:wifi:ssid	The SSID for the wireless access point.	Read Only: True
:bssid	inet:mac	The MAC address for the wireless access point.	Read Only: True
:latlong	geo:latlong	The best known latitude/longitude for the wireless access point.
:accuracy	geo:dist	The reported accuracy of the latlong telemetry reading.
:channel	int	The WIFI channel that the AP was last observed operating on.
:encryption	str lower: True strip: True	The type of encryption used by the WIFI AP such as “wpa2”.
:place	geo:place	The geo:place associated with the latlong property.
:loc	loc	The geo-political location string for the wireless access point.
:org	ou:org	The organization that owns/operates the access point.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

inet:wifi:ssid

A WiFi service set identifier (SSID) name.

The base type for the form can be found at inet:wifi:ssid.

An example of inet:wifi:ssid:

• The Vertex Project

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

iso:oid

An ISO Object Identifier string.

The base type for the form can be found at iso:oid.

Properties:

name	type	doc
:descr	str	A description of the value or meaning of the OID.
:identifier	str	The string identifier for the deepest tree element.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:account

A GUID that represents an account on a host or network.

The base type for the form can be found at it:account.

Properties:

name	type	doc	opts
:user	inet:user	The username associated with the account.
:contact	ps:contact	Additional contact information associated with this account.
:host	it:host	The host where the account is registered.
:domain	it:domain	The authentication domain where the account is registered.
:posix:uid	int	The user ID of the account.	Example: 1001
:posix:gid	int	The primary group ID of the account.	Example: 1001
:posix:gecos	int	The GECOS field for the POSIX account.
:posix:home	file:path	The path to the POSIX account’s home directory.	Example: /home/visi
:posix:shell	file:path	The path to the POSIX account’s default shell.	Example: /bin/bash
:windows:sid	it:os:windows:sid	The Microsoft Windows Security Identifier of the account.
:groups	array type: it:group uniq: True sorted: True	An array of groups that the account is a member of.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:adid

An advertising identification string.

The base type for the form can be found at it:adid.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:app:snort:hit

An instance of a snort rule hit.

The base type for the form can be found at it:app:snort:hit.

Properties:

name	type	doc
:rule	it:app:snort:rule	The snort rule that matched the file.
:flow	inet:flow	The inet:flow that matched the snort rule.
:src	inet:addr	The source address of flow that caused the hit.
:src:ipv4	inet:ipv4	The source IPv4 address of the flow that caused the hit.
:src:ipv6	inet:ipv6	The source IPv6 address of the flow that caused the hit.
:src:port	inet:port	The source port of the flow that caused the hit.
:dst	inet:addr	The destination address of the trigger.
:dst:ipv4	inet:ipv4	The destination IPv4 address of the flow that caused the hit.
:dst:ipv6	inet:ipv6	The destination IPv4 address of the flow that caused the hit.
:dst:port	inet:port	The destination port of the flow that caused the hit.
:time	time	The time of the network flow that caused the hit.
:sensor	it:host	The sensor host node that produced the hit.
:version	it:semver	The version of the rule at the time of match.
:dropped	bool	Set to true if the network traffic was dropped due to the match.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:app:snort:rule

A snort rule.

The base type for the form can be found at it:app:snort:rule.

Properties:

name	type	doc	opts
:id	str	The snort rule id.
:text	str	The snort rule text.	Display: {'hint': 'text'}
:name	str	The name of the snort rule.
:desc	str	A brief description of the snort rule.	Display: {'hint': 'text'}
:engine	int	The snort engine ID which can parse and evaluate the rule text.
:version	it:semver	The current version of the rule.
:author	ps:contact	Contact info for the author of the rule.
:created	time	The time the rule was initially created.
:updated	time	The time the rule was most recently modified.
:enabled	bool	The rule enabled status to be used for snort evaluation engines.
:family	it:prod:softname	The name of the software family the rule is designed to detect.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:ruleset	-(has)>	it:app:snort:rule	The meta:ruleset includes the it:app:snort:rule.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:mitigation	-(uses)>	it:app:snort:rule	The mitigation uses the Snort rule.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:app:yara:match

A YARA rule match to a file.

The base type for the form can be found at it:app:yara:match.

Properties:

name	type	doc	opts
:rule	it:app:yara:rule	The YARA rule that matched the file.	Read Only: True
:file	file:bytes	The file that matched the YARA rule.	Read Only: True
:version	it:semver	The most recent version of the rule evaluated as a match.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:app:yara:netmatch

An instance of a YARA rule network hunting match.

The base type for the form can be found at it:app:yara:netmatch.

Properties:

name	type	doc
:rule	it:app:yara:rule	The YARA rule that triggered the match.
:version	it:semver	The most recent version of the rule evaluated as a match.
:node	ndef forms: ('inet:fqdn', 'inet:ipv4', 'inet:ipv6', 'inet:url')	The node which matched the rule.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:app:yara:procmatch

An instance of a YARA rule match to a process.

The base type for the form can be found at it:app:yara:procmatch.

Properties:

name	type	doc
:rule	it:app:yara:rule	The YARA rule that matched the process.
:proc	it:exec:proc	The process that matched the YARA rule.
:time	time	The time that the YARA engine matched the process to the rule.
:version	it:semver	The most recent version of the rule evaluated as a match.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:app:yara:rule

A YARA rule unique identifier.

The base type for the form can be found at it:app:yara:rule.

Properties:

name	type	doc	opts
:text	str	The YARA rule text.	Display: {'hint': 'text', 'syntax': 'yara'}
:ext:id	str	The YARA rule ID from an external system.
:url	inet:url	A URL which documents the YARA rule.
:name	str	The name of the YARA rule.
:author	ps:contact	Contact info for the author of the YARA rule.
:version	it:semver	The current version of the rule.
:created	time	The time the YARA rule was initially created.
:updated	time	The time the YARA rule was most recently modified.
:enabled	bool	The rule enabled status to be used for YARA evaluation engines.
:family	it:prod:softname	The name of the software family the rule is designed to detect.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:ruleset	-(has)>	it:app:yara:rule	The meta:ruleset includes the it:app:yara:rule.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:mitigation	-(uses)>	it:app:yara:rule	The mitigation uses the YARA rule.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:auth:passwdhash

An instance of a password hash.

The base type for the form can be found at it:auth:passwdhash.

Properties:

name	type	doc
:salt	hex	The (optional) hex encoded salt value used to calculate the password hash.
:hash:md5	hash:md5	The MD5 password hash value.
:hash:sha1	hash:sha1	The SHA1 password hash value.
:hash:sha256	hash:sha256	The SHA256 password hash value.
:hash:sha512	hash:sha512	The SHA512 password hash value.
:hash:lm	hash:lm	The LM password hash value.
:hash:ntlm	hash:ntlm	The NTLM password hash value.
:passwd	inet:passwd	The (optional) clear text password for this password hash.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:av:filehit

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:filehit.

Properties:

name	type	doc	opts
:file	file:bytes	The file that triggered the signature hit.	Read Only: True
:sig	it:av:sig	The signature that the file triggered on.	Read Only: True
:sig:name	it:av:signame	The signature name.	Read Only: True
:sig:soft	it:prod:soft	The anti-virus product which contains the signature.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:av:prochit

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:prochit.

Properties:

name	type	doc
:proc	it:exec:proc	The file that triggered the signature hit.
:sig	it:av:sig	The signature that the file triggered on.
:time	time	The time that the AV engine detected the signature.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:av:scan:result

The result of running an antivirus scanner.

The base type for the form can be found at it:av:scan:result.

Properties:

name	type	doc
:time	time	The time the scan was run.
:verdict	int enums: ((10, 'benign'), (20, 'unknown'), (30, 'suspicious'), (40, 'malicious'))	The scanner provided verdict for the scan.
:scanner	it:prod:softver	The scanner software used to produce the result.
:scanner:name	it:prod:softname	The name of the scanner software.
:signame	it:av:signame	The name of the signature returned by the scanner.
:categories	array sorted: True uniq: True type: str typeopts: {'lower': True, 'onespace': True}	A list of categories for the result returned by the scanner.
:target:file	file:bytes	The file that was scanned to produce the result.
:target:proc	it:exec:proc	The process that was scanned to produce the result.
:target:host	it:host	The host that was scanned to produce the result.
:target:fqdn	inet:fqdn	The FQDN that was scanned to produce the result.
:target:url	inet:url	The URL that was scanned to produce the result.
:target:ipv4	inet:ipv4	The IPv4 address that was scanned to produce the result.
:target:ipv6	inet:ipv6	The IPv6 address that was scanned to produce the result.
:multi:scan	it:av:scan:result	Set if this result was part of running multiple scanners.
:multi:count	int min: 0	The total number of scanners which were run by a multi-scanner.
:multi:count:benign	int min: 0	The number of scanners which returned a benign verdict.
:multi:count:unknown	int min: 0	The number of scanners which returned a unknown/unsupported verdict.
:multi:count:suspicious	int min: 0	The number of scanners which returned a suspicious verdict.
:multi:count:malicious	int min: 0	The number of scanners which returned a malicious verdict.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:av:sig

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:sig.

Properties:

name	type	doc	opts
:soft	it:prod:soft	The anti-virus product which contains the signature.	Read Only: True
:name	it:av:signame	The signature name.	Read Only: True
:desc	str	A free-form description of the signature.	Display: {'hint': 'text'}
:url	inet:url	A reference URL for information about the signature.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:av:signame

An antivirus signature name.

The base type for the form can be found at it:av:signame.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:cmd

A unique command-line string.

The base type for the form can be found at it:cmd.

An example of it:cmd:

• foo.exe --dostuff bar

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:cmd:history

A single command executed within a session.

The base type for the form can be found at it:cmd:history.

Properties:

name	type	doc
:cmd	it:cmd	The command that was executed.
:session	it:cmd:session	The session that contains this history entry.
:time	time	The time that the command was executed.
:index	int	Used to order the commands when times are not available.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:cmd:session

A command line session with multiple commands run over time.

The base type for the form can be found at it:cmd:session.

Properties:

name	type	doc
:host	it:host	The host where the command line session was executed.
:proc	it:exec:proc	The process which was interpreting this command line session.
:period	ival	The period over which the command line session was running.
:file	file:bytes	The file containing the command history such as a .bash_history file.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:dev:int

A developer selected integer constant.

The base type for the form can be found at it:dev:int.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:dev:mutex

A string representing a mutex.

The base type for the form can be found at it:dev:mutex.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:dev:pipe

A string representing a named pipe.

The base type for the form can be found at it:dev:pipe.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:dev:regkey

A Windows registry key.

The base type for the form can be found at it:dev:regkey.

An example of it:dev:regkey:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:dev:regval

A Windows registry key/value pair.

The base type for the form can be found at it:dev:regval.

Properties:

name	type	doc
:key	it:dev:regkey	The Windows registry key.
:str	it:dev:str	The value of the registry key, if the value is a string.
:int	it:dev:int	The value of the registry key, if the value is an integer.
:bytes	file:bytes	The file representing the value of the registry key, if the value is binary data.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(has)>	*	The organization is or was in possession of the target node.
ou:org	-(owns)>	*	The organization owns or owned the target node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
plan:procedure:step	-(uses)>	*	The step in the procedure makes use of the target node.
ps:contact	-(has)>	*	The contact is or was in possession of the target node.
ps:contact	-(owns)>	*	The contact owns or owned the target node.
ps:person	-(has)>	*	The person is or was in possession of the target node.
ps:person	-(owns)>	*	The person owns or owned the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:extortion	-(leveraged)>	*	The extortion event was based on attacker access to the target node.
risk:leak	-(leaked)>	*	The leak included the disclosure of the target node.
risk:outage	-(impacted)>	*	The outage event impacted the availability of the target node.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.
sci:evidence	-(has)>	*	The evidence includes observations from the target nodes.
sci:experiment	-(uses)>	*	The experiment used the target nodes when it was run.
sci:observation	-(has)>	*	The observations are summarized from the target nodes.

it:dev:repo

A version control system instance.

The base type for the form can be found at it:dev:repo.

Properties:

name	type	doc	opts
:name	str lower: True strip: True	The name of the repository.
:desc	str	A free-form description of the repository.	Display: {'hint': 'text'}
:created	time	Deprecated. Please use :period.	Deprecated: True
:url	inet:url	The URL where the repository is hosted.
:type	it:dev:repo:type:taxonomy	The type of the version control system used.	Example: svn
:submodules	array type: it:dev:repo:commit	An array of other repos that this repo has as submodules, pinned at specific commits.
:status	inet:service:object:status	The status of the repository.
:period	ival	The period when the repository existed.
:creator	inet:service:account	The service account which created the repository.
:remover	inet:service:account	The service account which removed or decommissioned the repository.
:id	str strip: True	A platform specific ID which identifies the repository.
:platform	inet:service:platform	The platform which defines the repository.
:instance	inet:service:instance	The platform instance which defines the repository.

Source Edges:

source	verb	target	doc
*	-(meets)>	ou:requirement	The requirement is met by the source node.
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	Deprecated. Please use geo:telem:node.
it:dev:repo	-(has)>	inet:url	The repo has content hosted at the URL.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
math:algorithm	-(generates)>	*	The target node was generated by the algorithm.
meta:feed	-(found)>	*	The meta:feed produced the target node.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)> <