Synapse Data Model - Forms¶
Forms¶
Forms are derived from types, or base types. Forms represent node types in the graph.
auth:access¶
An instance of using creds to access a resource.
The base type for the form can be found at auth:access.
Properties:
- :creds / auth:access:creds
The credentials used to attempt access.
The property type is auth:creds.
- :time / auth:access:time
The time of the access attempt.
The property type is time.
- :success / auth:access:success
Set to true if the access was successful.
The property type is bool.
- :person / auth:access:person
The person who attempted access.
The property type is ps:person.
auth:creds¶
A unique set of credentials used to access a resource.
The base type for the form can be found at auth:creds.
Properties:
- :email / auth:creds:email
The email address used to identify the user.
The property type is inet:email.
- :user / auth:creds:user
The user name used to identify the user.
The property type is inet:user.
- :phone / auth:creds:phone
The phone number used to identify the user.
The property type is tel:phone.
- :passwd / auth:creds:passwd
The password used to authenticate.
The property type is inet:passwd.
- :passwdhash / auth:creds:passwdhash
The password hash used to authenticate.
The property type is it:auth:passwdhash.
- :website / auth:creds:website
The base URL of the website that the credentials allow access to.
The property type is inet:url.
- :host / auth:creds:host
The host that the credentials allow access to.
The property type is it:host.
- :wifi:ssid / auth:creds:wifi:ssid
The WiFi SSID that the credentials allow access to.
The property type is inet:wifi:ssid.
crypto:currency:address¶
An individual crypto currency address.
The base type for the form can be found at crypto:currency:address.
An example of crypto:currency:address:
(btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2)
Properties:
- :coin / crypto:currency:address:coin
The crypto coin to which the address belongs.
The property type is str.
- :desc / crypto:currency:address:desc
A free-form description of the address.
The property type is str.
- :iden / crypto:currency:address:iden
The coin specific address identifier.
The property type is str.
- :contact / crypto:currency:address:contact
Contact information associated with the address.
The property type is ps:contact.
crypto:currency:client¶
A fused node representing a crypto currency address used by an Internet client.
The base type for the form can be found at crypto:currency:client.
An example of crypto:currency:client:
(1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))
Properties:
- :inetaddr / crypto:currency:client:inetaddr
The Internet client address observed using the crypto currency address.
The property type is inet:client.
- :coinaddr / crypto:currency:client:coinaddr
The crypto currency address observed in use the the Internet client.
The property type is crypto:currency:address.
crypto:currency:coin¶
An individual crypto currency type.
The base type for the form can be found at crypto:currency:coin.
An example of crypto:currency:coin:
btc
Properties:
- :name / crypto:currency:coin:name
The full name of the crypto coin.
The property type is str.
crypto:x509:cert¶
A unique X.509 certificate.
The base type for the form can be found at crypto:x509:cert.
Properties:
- :subject / crypto:x509:cert:subject
The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.
The property type is str.
- :issuer / crypto:x509:cert:issuer
The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.
The property type is str.
- :serial / crypto:x509:cert:serial
The serial number string in the certificate.
The property type is str.
- :version / crypto:x509:cert:version
The version integer in the certificate. (ex. 2 == v3 ).
The property type is int. Its type has the following options set:
- enums:
((0, 'v1'), (2, 'v3'))
- enums:
- :validity:notbefore / crypto:x509:cert:validity:notbefore
The timestamp for the beginning of the certificate validity period.
The property type is time.
- :validity:notafter / crypto:x509:cert:validity:notafter
The timestamp for the end of the certificate validity period.
The property type is time.
- :md5 / crypto:x509:cert:md5
The MD5 fingerprint for the certificate.
The property type is hash:md5.
- :sha1 / crypto:x509:cert:sha1
The SHA1 fingerprint for the certificate.
The property type is hash:sha1.
- :sha256 / crypto:x509:cert:sha256
The SHA256 fingerprint for the certificate.
The property type is hash:sha256.
- :rsa:key / crypto:x509:cert:rsa:key
The optional RSA public key associated with the certificate.
The property type is rsa:key.
- :algo / crypto:x509:cert:algo
The X.509 signature algorithm OID.
The property type is iso:oid.
- :signature / crypto:x509:cert:signature
The hexadecimal representation of the digital signature.
The property type is hex.
- :ext:sans / crypto:x509:cert:ext:sans
The Subject Alternate Names (SANs) listed in the certficate.
The property type is array. Its type has the following options set:
- type:
crypto:x509:san
- type:
- :ext:crls / crypto:x509:cert:ext:crls
A list of Subject Alternate Names (SANs) for Distribution Points.
The property type is array. Its type has the following options set:
- type:
crypto:x509:san
- type:
- :identities:fqdns / crypto:x509:cert:identities:fqdns
The fused list of FQDNs identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
- type:
inet:fqdn
- type:
- :identities:emails / crypto:x509:cert:identities:emails
The fused list of e-mail addresses identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
- type:
inet:email
- type:
- :identities:ipv4s / crypto:x509:cert:identities:ipv4s
The fused list of IPv4 addresses identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
- type:
inet:ipv4
- type:
- :identities:ipv6s / crypto:x509:cert:identities:ipv6s
The fused list of IPv6 addresses identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
- type:
inet:ipv6
- type:
- :identities:urls / crypto:x509:cert:identities:urls
The fused list of URLs identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
- type:
inet:url
- type:
- :crl:urls / crypto:x509:cert:crl:urls
The extracted URL values from the CRLs extension.
The property type is array. Its type has the following options set:
- type:
inet:url
- type:
crypto:x509:crl¶
A unique X.509 Certificate Revocation List.
The base type for the form can be found at crypto:x509:crl.
Properties:
- :file / crypto:x509:crl:file
The file containing the CRL.
The property type is file:bytes.
- :url / crypto:x509:crl:url
The URL where the CRL was published.
The property type is inet:url.
crypto:x509:revoked¶
A revocation relationship between a CRL and an X.509 certificate.
The base type for the form can be found at crypto:x509:revoked.
Properties:
- :crl / crypto:x509:revoked:crl
The CRL which revoked the certificate.
The property type is crypto:x509:crl.
- :cert / crypto:x509:revoked:cert
The certificate revoked by the CRL.
The property type is crypto:x509:cert.
crypto:x509:signedfile¶
A digital signature relationship between an X.509 certificate and a file.
The base type for the form can be found at crypto:x509:signedfile.
Properties:
- :cert / crypto:x509:signedfile:cert
The certificate for the key which signed the file.
The property type is crypto:x509:cert.
- :file / crypto:x509:signedfile:file
The file which was signed by the certificates key.
The property type is file:bytes.
econ:acct:payment¶
A payment moving currency from one monetary instrument to another.
The base type for the form can be found at econ:acct:payment.
Properties:
- :from:pay:card / econ:acct:payment:from:pay:card
The payment card making the payment.
The property type is econ:pay:card.
- :from:coinaddr / econ:acct:payment:from:coinaddr
The crypto currency address making the payment.
The property type is crypto:currency:address.
- :from:contact / econ:acct:payment:from:contact
Contact information for the person/org being paid.
The property type is ps:contact.
- :to:coinaddr / econ:acct:payment:to:coinaddr
The crypto currency address receiving the payment.
The property type is crypto:currency:address.
- :to:contact / econ:acct:payment:to:contact
Contact information for the person/org being paid.
The property type is ps:contact.
- :time / econ:acct:payment:time
The time the payment was processed.
The property type is time.
- :purchase / econ:acct:payment:purchase
The purchase which the payment was paying for.
The property type is econ:purchase.
- :amount / econ:acct:payment:amount
The amount of money transferred in the payment.
The property type is econ:price.
- :currency / econ:acct:payment:currency
The currency of the payment.
The property type is econ:currency.
econ:acquired¶
A relationship between a purchase event and a purchased item.
The base type for the form can be found at econ:acquired.
Properties:
- :purchase / econ:acquired:purchase
The purchase event which acquired an item.
The property type is econ:purchase.
- :item / econ:acquired:item
A reference to the item that was acquired.
The property type is ndef.
- :item:form / econ:acquired:item:form
The form of item purchased.
The property type is str.
econ:fin:bar¶
A sample of the open, close, high, low prices of a security in a specific time window.
The base type for the form can be found at econ:fin:bar.
Properties:
- :security / econ:fin:bar:security
The security measured by the bar.
The property type is econ:fin:security.
- :ival / econ:fin:bar:ival
The the interval of measurement.
The property type is ival.
- :price:open / econ:fin:bar:price:open
The opening price of the security.
The property type is econ:price.
- :price:close / econ:fin:bar:price:close
The closing price of the security.
The property type is econ:price.
- :price:low / econ:fin:bar:price:low
The low price of the security.
The property type is econ:price.
- :price:high / econ:fin:bar:price:high
The high price of the security.
The property type is econ:price.
econ:fin:exchange¶
A financial exchange where securities are traded.
The base type for the form can be found at econ:fin:exchange.
Properties:
- :name / econ:fin:exchange:name
A simple name for the exchange. It has the following property options set:
- Example:
nasdaq
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Example:
- :org / econ:fin:exchange:org
The organization that operates the exchange.
The property type is ou:org.
- :currency / econ:fin:exchange:currency
The currency used for all transactions in the exchange. It has the following property options set:
- Example:
usd
The property type is econ:currency.
- Example:
econ:fin:security¶
A financial security which is typically traded on an exchange.
The base type for the form can be found at econ:fin:security.
Properties:
- :exchange / econ:fin:security:exchange
The exchange on which the security is traded.
The property type is econ:fin:exchange.
- :ticker / econ:fin:security:ticker
The identifier for this security within the exchange.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :type / econ:fin:security:type
A user defined type such as stock, bond, option, future, or forex.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :price / econ:fin:security:price
The last known/available price of the security.
The property type is econ:price.
- :time / econ:fin:security:time
The time of the last know price sample.
The property type is time.
econ:fin:tick¶
A sample of the price of a security at a single moment in time.
The base type for the form can be found at econ:fin:tick.
Properties:
- :security / econ:fin:tick:security
The security measured by the tick.
The property type is econ:fin:security.
- :time / econ:fin:tick:time
The time the price was sampled.
The property type is time.
- :price / econ:fin:tick:price
The price of the security at the time.
The property type is econ:price.
econ:pay:card¶
A single payment card.
The base type for the form can be found at econ:pay:card.
Properties:
- :pan / econ:pay:card:pan
The payment card number.
The property type is econ:pay:pan.
- :pan:mii / econ:pay:card:pan:mii
The payment card MII.
The property type is econ:pay:mii.
- :pan:iin / econ:pay:card:pan:iin
The payment card IIN.
The property type is econ:pay:iin.
- :name / econ:pay:card:name
The name as it appears on the card.
The property type is ps:name.
- :expr / econ:pay:card:expr
The expiration date for the card.
The property type is time.
- :cvv / econ:pay:card:cvv
The Card Verification Value on the card.
The property type is econ:pay:cvv.
- :pin / econ:pay:card:pin
The Personal Identification Number on the card.
The property type is econ:pay:pin.
econ:pay:iin¶
An Issuer Id Number (IIN).
The base type for the form can be found at econ:pay:iin.
Properties:
econ:purchase¶
A purchase event.
The base type for the form can be found at econ:purchase.
Properties:
- :by:contact / econ:purchase:by:contact
The contact information used to make the purchase.
The property type is ps:contact.
- :from:contact / econ:purchase:from:contact
The contact information used to sell the item.
The property type is ps:contact.
- :time / econ:purchase:time
The time of the purchase.
The property type is time.
- :place / econ:purchase:place
The place where the purchase took place.
The property type is geo:place.
- :paid / econ:purchase:paid
Set to True if the purchase has been paid in full.
The property type is bool.
- :paid:time / econ:purchase:paid:time
The point in time where the purchase was paid in full.
The property type is time.
- :campaign / econ:purchase:campaign
The campaign that the purchase was in support of.
The property type is ou:campaign.
- :price / econ:purchase:price
The econ:price of the purchase.
The property type is econ:price.
- :currency / econ:purchase:currency
The econ:price of the purchase.
The property type is econ:currency.
edge:has¶
A digraph edge which records that N1 has N2.
The base type for the form can be found at edge:has.
Properties:
- :n1 / edge:has:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n1:form / edge:has:n1:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
- :n2 / edge:has:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n2:form / edge:has:n2:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
edge:refs¶
A digraph edge which records that N1 refers to or contains N2.
The base type for the form can be found at edge:refs.
Properties:
- :n1 / edge:refs:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n1:form / edge:refs:n1:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
- :n2 / edge:refs:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n2:form / edge:refs:n2:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
edge:wentto¶
A digraph edge which records that N1 went to N2 at a specific time.
The base type for the form can be found at edge:wentto.
Properties:
- :n1 / edge:wentto:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n1:form / edge:wentto:n1:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
- :n2 / edge:wentto:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n2:form / edge:wentto:n2:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
- :time / edge:wentto:time
A date/time value. It has the following property options set:
- Read Only:
1
The property type is time.
- Read Only:
file:base¶
A file name with no path.
The base type for the form can be found at file:base.
An example of file:base:
woot.exe
Properties:
- :ext / file:base:ext
The file extension (if any). It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
file:bytes¶
The file bytes type with SHA256 based primary property.
The base type for the form can be found at file:bytes.
Properties:
- :size / file:bytes:size
The file size in bytes.
The property type is int.
- :md5 / file:bytes:md5
The md5 hash of the file. It has the following property options set:
- Read Only:
1
The property type is hash:md5.
- Read Only:
- :sha1 / file:bytes:sha1
The sha1 hash of the file. It has the following property options set:
- Read Only:
1
The property type is hash:sha1.
- Read Only:
- :sha256 / file:bytes:sha256
The sha256 hash of the file. It has the following property options set:
- Read Only:
1
The property type is hash:sha256.
- Read Only:
- :sha512 / file:bytes:sha512
The sha512 hash of the file. It has the following property options set:
- Read Only:
1
The property type is hash:sha512.
- Read Only:
- :name / file:bytes:name
The best known base name for the file.
The property type is file:base.
- :mime / file:bytes:mime
The “best” mime type name for the file.
The property type is file:mime.
- :mime:x509:cn / file:bytes:mime:x509:cn
The Common Name (CN) attribute of the x509 Subject.
The property type is str.
- :mime:pe:size / file:bytes:mime:pe:size
The size of the executable file according to the PE file header.
The property type is int.
- :mime:pe:imphash / file:bytes:mime:pe:imphash
The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .
The property type is guid.
- :mime:pe:compiled / file:bytes:mime:pe:compiled
The compile time of the file according to the PE header.
The property type is time.
- :mime:pe:pdbpath / file:bytes:mime:pe:pdbpath
The PDB string according to the PE.
The property type is file:path.
- :mime:pe:exports:time / file:bytes:mime:pe:exports:time
The export time of the file according to the PE.
The property type is time.
- :mime:pe:exports:libname / file:bytes:mime:pe:exports:libname
The export library name according to the PE.
The property type is str.
- :mime:pe:richhdr / file:bytes:mime:pe:richhdr
The sha256 hash of the rich header bytes.
The property type is hash:sha256.
file:filepath¶
The fused knowledge of the association of a file:bytes node and a file:path.
The base type for the form can be found at file:filepath.
Properties:
- :file / file:filepath:file
The file seen at a path. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :path / file:filepath:path
The path a file was seen at. It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:dir / file:filepath:path:dir
The parent directory. It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:base / file:filepath:path:base
The name of the file. It has the following property options set:
- Read Only:
True
The property type is file:base.
- Read Only:
- :path:base:ext / file:filepath:path:base:ext
The extension of the file name. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
file:ismime¶
Records one, of potentially multiple, mime types for a given file.
The base type for the form can be found at file:ismime.
Properties:
- :file / file:ismime:file
The file node that is an instance of the named mime type. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :mime / file:ismime:mime
The mime type of the file. It has the following property options set:
- Read Only:
True
The property type is file:mime.
- Read Only:
file:mime¶
A file mime name string.
The base type for the form can be found at file:mime.
An example of file:mime:
text/plain
Properties:
file:mime:pe:export¶
The fused knowledge of a file:bytes node containing a pe named export.
The base type for the form can be found at file:mime:pe:export.
Properties:
- :file / file:mime:pe:export:file
The file containing the export. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :name / file:mime:pe:export:name
The name of the export in the file. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
file:mime:pe:resource¶
The fused knowledge of a file:bytes node containing a pe resource.
The base type for the form can be found at file:mime:pe:resource.
Properties:
- :file / file:mime:pe:resource:file
The file containing the resource. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :type / file:mime:pe:resource:type
The typecode for the resource. It has the following property options set:
- Read Only:
True
The property type is pe:resource:type.
- Read Only:
- :langid / file:mime:pe:resource:langid
The language code for the resource. It has the following property options set:
- Read Only:
True
The property type is pe:langid.
- Read Only:
- :resource / file:mime:pe:resource:resource
The sha256 hash of the resource bytes. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
file:mime:pe:section¶
The fused knowledge a file:bytes node containing a pe section.
The base type for the form can be found at file:mime:pe:section.
Properties:
- :file / file:mime:pe:section:file
The file containing the section. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :name / file:mime:pe:section:name
The textual name of the section. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :sha256 / file:mime:pe:section:sha256
The sha256 hash of the section. Relocations must be zeroed before hashing. It has the following property options set:
- Read Only:
True
The property type is hash:sha256.
- Read Only:
file:mime:pe:vsvers:info¶
knowledge of a file:bytes node containing vsvers info.
The base type for the form can be found at file:mime:pe:vsvers:info.
Properties:
- :file / file:mime:pe:vsvers:info:file
The file containing the vsversion keyval pair. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :keyval / file:mime:pe:vsvers:info:keyval
The vsversion info keyval in this file:bytes node. It has the following property options set:
- Read Only:
True
The property type is file:mime:pe:vsvers:keyval.
- Read Only:
file:mime:pe:vsvers:keyval¶
A key value pair found in a PE vsversion info structure.
The base type for the form can be found at file:mime:pe:vsvers:keyval.
Properties:
- :name / file:mime:pe:vsvers:keyval:name
The key for the vsversion keyval pair. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :value / file:mime:pe:vsvers:keyval:value
The value for the vsversion keyval pair. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
file:path¶
A normalized file path.
The base type for the form can be found at file:path.
An example of file:path:
c:/windows/system32/calc.exe
Properties:
- :dir / file:path:dir
The parent directory. It has the following property options set:
- Read Only:
1
The property type is file:path.
- Read Only:
- :base / file:path:base
The file base name. It has the following property options set:
- Read Only:
1
The property type is file:base.
- Read Only:
- :base:ext / file:path:base:ext
The file extension. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
file:string¶
The fused knowledge of a file:bytes node containing a string.
The base type for the form can be found at file:string.
Properties:
- :file / file:string:file
The file containing the string. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :string / file:string:string
The string contained in this file:bytes node. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
file:subfile¶
A parent file that fully contains the specified child file.
The base type for the form can be found at file:subfile.
Properties:
- :parent / file:subfile:parent
The parent file containing the child file. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :child / file:subfile:child
The child file contained in the parent file. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :name / file:subfile:name
The name of the child file. Because a given set of bytes can have any number of arbitrary names, this field is used for display purposes only.
The property type is file:base.
geo:nloc¶
Records a node latitude/longitude in space-time.
The base type for the form can be found at geo:nloc.
Properties:
- :ndef / geo:nloc:ndef
The node with location in geospace and time. It has the following property options set:
- Read Only:
True
The property type is ndef.
- Read Only:
- :ndef:form / geo:nloc:ndef:form
The form of node referenced by the ndef. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :latlong / geo:nloc:latlong
The latitude/longitude the node was observed. It has the following property options set:
- Read Only:
True
The property type is geo:latlong.
- Read Only:
- :time / geo:nloc:time
The time the node was observed at location. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
- :place / geo:nloc:place
The place corresponding to the latlong property.
The property type is geo:place.
- :loc / geo:nloc:loc
The geo-political location string for the node.
The property type is loc.
geo:place¶
A GUID for a geographic place.
The base type for the form can be found at geo:place.
Properties:
- :name / geo:place:name
The name of the place.
The property type is str. Its type has the following options set:
- lower:
1 - onespace:
1
- lower:
- :parent / geo:place:parent
A parent place, possibly from reverse geocoding.
The property type is geo:place.
- :desc / geo:place:desc
A long form description of the place.
The property type is str.
- :loc / geo:place:loc
The geo-political location string for the node.
The property type is loc.
- :address / geo:place:address
The street/mailing address for the place.
The property type is geo:address.
- :geojson / geo:place:geojson
A GeoJSON representation of the place.
The property type is geo:json.
- :latlong / geo:place:latlong
The lat/long position for the place.
The property type is geo:latlong.
- :bbox / geo:place:bbox
A bounding box which encompases the place.
The property type is geo:bbox.
- :radius / geo:place:radius
An approximate radius to use for bounding box calculation.
The property type is geo:dist.
gov:cn:icp¶
A Chinese Internet Content Provider ID.
The base type for the form can be found at gov:cn:icp.
Properties:
- :org / gov:cn:icp:org
The org with the Internet Content Provider ID.
The property type is ou:org.
gov:cn:mucd¶
A Chinese PLA MUCD.
The base type for the form can be found at gov:cn:mucd.
Properties:
gov:us:cage¶
A Commercial and Government Entity (CAGE) code.
The base type for the form can be found at gov:us:cage.
Properties:
- :name0 / gov:us:cage:name0
The name of the organization.
The property type is ou:name.
- :name1 / gov:us:cage:name1
Name Part 1.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :street / gov:us:cage:street
The base string type.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :city / gov:us:cage:city
The base string type.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :state / gov:us:cage:state
The base string type.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :zip / gov:us:cage:zip
A US Postal Zip Code.
The property type is gov:us:zip.
- :cc / gov:us:cage:cc
The 2 digit ISO country code.
The property type is pol:iso2.
- :country / gov:us:cage:country
The base string type.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :phone0 / gov:us:cage:phone0
A phone number.
The property type is tel:phone.
- :phone1 / gov:us:cage:phone1
A phone number.
The property type is tel:phone.
gov:us:ssn¶
A US Social Security Number (SSN).
The base type for the form can be found at gov:us:ssn.
Properties:
gov:us:zip¶
A US Postal Zip Code.
The base type for the form can be found at gov:us:zip.
Properties:
graph:cluster¶
A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.
The base type for the form can be found at graph:cluster.
Properties:
- :name / graph:cluster:name
A human friendly name for the cluster.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :desc / graph:cluster:desc
A human friendly long form description for the cluster.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :type / graph:cluster:type
An optional type field used to group clusters.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
graph:edge¶
A generic digraph edge to show relationships outside the model.
The base type for the form can be found at graph:edge.
Properties:
- :n1 / graph:edge:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n1:form / graph:edge:n1:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
- :n2 / graph:edge:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n2:form / graph:edge:n2:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
graph:event¶
A generic event node to represent events outside the model.
The base type for the form can be found at graph:event.
Properties:
- :time / graph:event:time
The time of the event.
The property type is time.
- :type / graph:event:type
A arbitrary type string for the event.
The property type is str.
- :name / graph:event:name
A name for the event.
The property type is str.
- :data / graph:event:data
Aribtrary non-indexed msgpack data attached to the event.
The property type is data.
graph:node¶
A generic node used to represent objects outside the model.
The base type for the form can be found at graph:node.
Properties:
graph:timeedge¶
A generic digraph time edge to show relationships outside the model.
The base type for the form can be found at graph:timeedge.
Properties:
- :time / graph:timeedge:time
A date/time value. It has the following property options set:
- Read Only:
1
The property type is time.
- Read Only:
- :n1 / graph:timeedge:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n1:form / graph:timeedge:n1:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
- :n2 / graph:timeedge:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
- :n2:form / graph:timeedge:n2:form
The base string type. It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
hash:md5¶
A hex encoded MD5 hash.
The base type for the form can be found at hash:md5.
An example of hash:md5:
d41d8cd98f00b204e9800998ecf8427e
Properties:
hash:sha1¶
A hex encoded SHA1 hash.
The base type for the form can be found at hash:sha1.
An example of hash:sha1:
da39a3ee5e6b4b0d3255bfef95601890afd80709
Properties:
hash:sha256¶
A hex encoded SHA256 hash.
The base type for the form can be found at hash:sha256.
An example of hash:sha256:
ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c
Properties:
hash:sha384¶
A hex encoded SHA384 hash.
The base type for the form can be found at hash:sha384.
An example of hash:sha384:
d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c
Properties:
hash:sha512¶
A hex encoded SHA512 hash.
The base type for the form can be found at hash:sha512.
An example of hash:sha512:
ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11
Properties:
inet:asn¶
An Autonomous System Number (ASN).
The base type for the form can be found at inet:asn.
Properties:
inet:asnet4¶
An Autonomous System Number (ASN) and its associated IPv4 address range.
The base type for the form can be found at inet:asnet4.
An example of inet:asnet4:
(54959, (1.2.3.4, 1.2.3.20))
Properties:
- :asn / inet:asnet4:asn
The Autonomous System Number (ASN) of the netblock. It has the following property options set:
- Read Only:
True
The property type is inet:asn.
- Read Only:
- :net4 / inet:asnet4:net4
The IPv4 address range assigned to the ASN. It has the following property options set:
- Read Only:
True
The property type is inet:net4.
- Read Only:
- :net4:min / inet:asnet4:net4:min
The first IPv4 in the range assigned to the ASN. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :net4:max / inet:asnet4:net4:max
The last IPv4 in the range assigned to the ASN. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
inet:banner¶
A network protocol banner string presented by a server.
The base type for the form can be found at inet:banner.
Properties:
- :server / inet:banner:server
The server which presented the banner string. It has the following property options set:
- Read Only:
1
The property type is inet:server.
- Read Only:
- :server:ipv4 / inet:banner:server:ipv4
The IPv4 address of the server. It has the following property options set:
- Read Only:
1
The property type is inet:ipv4.
- Read Only:
- :server:ipv6 / inet:banner:server:ipv6
The IPv6 address of the server. It has the following property options set:
- Read Only:
1
The property type is inet:ipv6.
- Read Only:
- :server:port / inet:banner:server:port
The network port. It has the following property options set:
- Read Only:
1
The property type is inet:port.
- Read Only:
- :text / inet:banner:text
The banner text. It has the following property options set:
- Read Only:
1
The property type is it:dev:str.
- Read Only:
inet:cidr4¶
An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr4.
An example of inet:cidr4:
1.2.3.0/24
Properties:
- :broadcast / inet:cidr4:broadcast
The broadcast IP address from the CIDR notation. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :mask / inet:cidr4:mask
The mask from the CIDR notation. It has the following property options set:
- Read Only:
True
The property type is int.
- Read Only:
- :network / inet:cidr4:network
The network IP address from the CIDR notation. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
inet:cidr6¶
An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr6.
An example of inet:cidr6:
2001:db8::/101
Properties:
- :broadcast / inet:cidr6:broadcast
The broadcast IP address from the CIDR notation. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
- :mask / inet:cidr6:mask
The mask from the CIDR notation. It has the following property options set:
- Read Only:
True
The property type is int.
- Read Only:
- :network / inet:cidr6:network
The network IP address from the CIDR notation. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
inet:client¶
A network client address.
The base type for the form can be found at inet:client.
An example of inet:client:
tcp://1.2.3.4:80
Properties:
- :proto / inet:client:proto
The network protocol of the client. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :ipv4 / inet:client:ipv4
The IPv4 of the client. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :ipv6 / inet:client:ipv6
The IPv6 of the client. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
- :host / inet:client:host
The it:host node for the client. It has the following property options set:
- Read Only:
True
The property type is it:host.
- Read Only:
- :port / inet:client:port
The client tcp/udp port.
The property type is inet:port.
inet:dns:a¶
The result of a DNS A record lookup.
The base type for the form can be found at inet:dns:a.
An example of inet:dns:a:
(vertex.link,1.2.3.4)
Properties:
- :fqdn / inet:dns:a:fqdn
The domain queried for its DNS A record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :ipv4 / inet:dns:a:ipv4
The IPv4 address returned in the A record. It has the following property options set:
- Read Only:
1
The property type is inet:ipv4.
- Read Only:
inet:dns:aaaa¶
The result of a DNS AAAA record lookup.
The base type for the form can be found at inet:dns:aaaa.
An example of inet:dns:aaaa:
(vertex.link,2607:f8b0:4004:809::200e)
Properties:
- :fqdn / inet:dns:aaaa:fqdn
The domain queried for its DNS AAAA record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :ipv6 / inet:dns:aaaa:ipv6
The IPv6 address returned in the AAAA record. It has the following property options set:
- Read Only:
1
The property type is inet:ipv6.
- Read Only:
inet:dns:answer¶
A single answer from within a DNS reply.
The base type for the form can be found at inet:dns:answer.
Properties:
- :ttl / inet:dns:answer:ttl
The base 64 bit signed integer type.
The property type is int.
- :request / inet:dns:answer:request
A single instance of a DNS resolver request and optional reply info.
The property type is inet:dns:request.
- :a / inet:dns:answer:a
The DNS A record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:a.
- Read Only:
- :ns / inet:dns:answer:ns
The DNS NS record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:ns.
- Read Only:
- :rev / inet:dns:answer:rev
The DNS PTR record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:rev.
- Read Only:
- :aaaa / inet:dns:answer:aaaa
The DNS AAAA record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:aaaa.
- Read Only:
- :rev6 / inet:dns:answer:rev6
The DNS PTR record returned by the lookup of an IPv6 address. It has the following property options set:
- Read Only:
True
The property type is inet:dns:rev6.
- Read Only:
- :cname / inet:dns:answer:cname
The DNS CNAME record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:cname.
- Read Only:
- :mx / inet:dns:answer:mx
The DNS MX record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:mx.
- Read Only:
- :soa / inet:dns:answer:soa
The domain queried for its SOA record. It has the following property options set:
- Read Only:
True
The property type is inet:dns:soa.
- Read Only:
- :txt / inet:dns:answer:txt
The DNS TXT record returned by the lookup. It has the following property options set:
- Read Only:
True
The property type is inet:dns:txt.
- Read Only:
inet:dns:cname¶
The result of a DNS CNAME record lookup.
The base type for the form can be found at inet:dns:cname.
An example of inet:dns:cname:
(foo.vertex.link,vertex.link)
Properties:
- :fqdn / inet:dns:cname:fqdn
The domain queried for its CNAME record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :cname / inet:dns:cname:cname
The domain returned in the CNAME record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
inet:dns:mx¶
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:mx.
An example of inet:dns:mx:
(vertex.link,mail.vertex.link)
Properties:
inet:dns:ns¶
The result of a DNS NS record lookup.
The base type for the form can be found at inet:dns:ns.
An example of inet:dns:ns:
(vertex.link,ns.dnshost.com)
Properties:
- :zone / inet:dns:ns:zone
The domain queried for its DNS NS record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :ns / inet:dns:ns:ns
The domain returned in the NS record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
inet:dns:query¶
A DNS query unique to a given client.
The base type for the form can be found at inet:dns:query.
An example of inet:dns:query:
(1.2.3.4, woot.com, 1)
Properties:
- :client / inet:dns:query:client
A network client address.
The property type is inet:client.
- :name / inet:dns:query:name
A DNS query name string. Likely an FQDN but not always.
The property type is inet:dns:name.
- :name:ipv4 / inet:dns:query:name:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :name:ipv6 / inet:dns:query:name:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :name:fqdn / inet:dns:query:name:fqdn
A Fully Qualified Domain Name (FQDN).
The property type is inet:fqdn.
- :type / inet:dns:query:type
The base 64 bit signed integer type.
The property type is int.
inet:dns:request¶
A single instance of a DNS resolver request and optional reply info.
The base type for the form can be found at inet:dns:request.
Properties:
- :time / inet:dns:request:time
A date/time value.
The property type is time.
- :query / inet:dns:request:query
A DNS query unique to a given client.
The property type is inet:dns:query.
- :query:name / inet:dns:request:query:name
A DNS query name string. Likely an FQDN but not always.
The property type is inet:dns:name.
- :query:name:ipv4 / inet:dns:request:query:name:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :query:name:ipv6 / inet:dns:request:query:name:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :query:name:fqdn / inet:dns:request:query:name:fqdn
A Fully Qualified Domain Name (FQDN).
The property type is inet:fqdn.
- :query:type / inet:dns:request:query:type
The base 64 bit signed integer type.
The property type is int.
- :server / inet:dns:request:server
A network server address.
The property type is inet:server.
- :reply:code / inet:dns:request:reply:code
The DNS server response code.
The property type is int.
- :exe / inet:dns:request:exe
The file containing the code that attempted the DNS lookup.
The property type is file:bytes.
- :proc / inet:dns:request:proc
The process that attempted the DNS lookup.
The property type is it:exec:proc.
- :host / inet:dns:request:host
The host that attempted the DNS lookup.
The property type is it:host.
inet:dns:rev¶
The transformed result of a DNS PTR record lookup.
The base type for the form can be found at inet:dns:rev.
An example of inet:dns:rev:
(1.2.3.4,vertex.link)
Properties:
- :ipv4 / inet:dns:rev:ipv4
The IPv4 address queried for its DNS PTR record. It has the following property options set:
- Read Only:
1
The property type is inet:ipv4.
- Read Only:
- :fqdn / inet:dns:rev:fqdn
The domain returned in the PTR record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
inet:dns:rev6¶
The transformed result of a DNS PTR record for an IPv6 address.
The base type for the form can be found at inet:dns:rev6.
An example of inet:dns:rev6:
(2607:f8b0:4004:809::200e,vertex.link)
Properties:
- :ipv6 / inet:dns:rev6:ipv6
The IPv6 address queried for its DNS PTR record. It has the following property options set:
- Read Only:
1
The property type is inet:ipv6.
- Read Only:
- :fqdn / inet:dns:rev6:fqdn
The domain returned in the PTR record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
inet:dns:soa¶
The result of a DNS SOA record lookup.
The base type for the form can be found at inet:dns:soa.
Properties:
- :fqdn / inet:dns:soa:fqdn
The domain queried for its SOA record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :ns / inet:dns:soa:ns
The domain (MNAME) returned in the SOA record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :email / inet:dns:soa:email
The email address (RNAME) returned in the SOA record. It has the following property options set:
- Read Only:
1
The property type is inet:email.
- Read Only:
inet:dns:txt¶
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:txt.
An example of inet:dns:txt:
(hehe.vertex.link,"fancy TXT record")
Properties:
inet:dns:wild:a¶
A DNS A wild card record and the IPv4 it resolves to.
The base type for the form can be found at inet:dns:wild:a.
Properties:
- :fqdn / inet:dns:wild:a:fqdn
The domain containing a wild card record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :ipv4 / inet:dns:wild:a:ipv4
The IPv4 address returned by wild card resolutions. It has the following property options set:
- Read Only:
1
The property type is inet:ipv4.
- Read Only:
inet:dns:wild:aaaa¶
A DNS AAAA wild card record and the IPv6 it resolves to.
The base type for the form can be found at inet:dns:wild:aaaa.
Properties:
- :fqdn / inet:dns:wild:aaaa:fqdn
The domain containing a wild card record. It has the following property options set:
- Read Only:
1
The property type is inet:fqdn.
- Read Only:
- :ipv6 / inet:dns:wild:aaaa:ipv6
The IPv6 address returned by wild card resolutions. It has the following property options set:
- Read Only:
1
The property type is inet:ipv6.
- Read Only:
inet:download¶
An instance of a file downloaded from a server.
The base type for the form can be found at inet:download.
Properties:
- :time / inet:download:time
The time the file was downloaded.
The property type is time.
- :fqdn / inet:download:fqdn
The FQDN used to resolve the server.
The property type is inet:fqdn.
- :file / inet:download:file
The file that was downloaded.
The property type is file:bytes.
- :server / inet:download:server
The inet:addr of the server.
The property type is inet:server.
- :server:host / inet:download:server:host
The it:host node for the server.
The property type is it:host.
- :server:ipv4 / inet:download:server:ipv4
The IPv4 of the server.
The property type is inet:ipv4.
- :server:ipv6 / inet:download:server:ipv6
The IPv6 of the server.
The property type is inet:ipv6.
- :server:port / inet:download:server:port
The server tcp/udp port.
The property type is inet:port.
- :server:proto / inet:download:server:proto
The server network layer protocol.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :client / inet:download:client
The inet:addr of the client.
The property type is inet:client.
- :client:host / inet:download:client:host
The it:host node for the client.
The property type is it:host.
- :client:ipv4 / inet:download:client:ipv4
The IPv4 of the client.
The property type is inet:ipv4.
- :client:ipv6 / inet:download:client:ipv6
The IPv6 of the client.
The property type is inet:ipv6.
- :client:port / inet:download:client:port
The client tcp/udp port.
The property type is inet:port.
- :client:proto / inet:download:client:proto
The client network layer protocol.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
inet:email:header¶
A unique email message header.
The base type for the form can be found at inet:email:header.
Properties:
- :name / inet:email:header:name
The name of the email header. It has the following property options set:
- Read Only:
True
The property type is inet:email:header:name.
- Read Only:
- :value / inet:email:header:value
The value of the email header. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
inet:email:message¶
A unique email message.
The base type for the form can be found at inet:email:message.
Properties:
- :to / inet:email:message:to
The email address of the recipient.
The property type is inet:email.
- :from / inet:email:message:from
The email address of the sender.
The property type is inet:email.
- :replyto / inet:email:message:replyto
The email address from the reply-to header.
The property type is inet:email.
- :subject / inet:email:message:subject
The email message subject line.
The property type is str.
- :body / inet:email:message:body
The body of the email message.
The property type is str.
- :date / inet:email:message:date
The time the email message was received.
The property type is time.
- :bytes / inet:email:message:bytes
The file bytes which contain the email message.
The property type is file:bytes.
- :headers / inet:email:message:headers
An array of email headers from the message.
The property type is array. Its type has the following options set:
- type:
inet:email:header
- type:
inet:email:message:attachment¶
A file which was attached to an email message.
The base type for the form can be found at inet:email:message:attachment.
Properties:
- :message / inet:email:message:attachment:message
The message containing the attached file. It has the following property options set:
- Read Only:
True
The property type is inet:email:message.
- Read Only:
- :file / inet:email:message:attachment:file
The attached file. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :name / inet:email:message:attachment:name
The name of the attached file.
The property type is file:base.
inet:email:message:link¶
A url/link embedded in an email message.
The base type for the form can be found at inet:email:message:link.
Properties:
- :message / inet:email:message:link:message
The message containing the embedded link. It has the following property options set:
- Read Only:
True
The property type is inet:email:message.
- Read Only:
- :url / inet:email:message:link:url
The url contained within the email message. It has the following property options set:
- Read Only:
True
The property type is inet:url.
- Read Only:
inet:flow¶
An individual network connection between a given source and destination.
The base type for the form can be found at inet:flow.
Properties:
- :time / inet:flow:time
The time the network connection was initiated.
The property type is time.
- :duration / inet:flow:duration
The duration of the flow in seconds.
The property type is int.
- :from / inet:flow:from
The ingest source file/iden. Used for reparsing.
The property type is guid.
- :dst / inet:flow:dst
The destination address / port for a connection.
The property type is inet:server.
- :dst:ipv4 / inet:flow:dst:ipv4
The destination IPv4 address.
The property type is inet:ipv4.
- :dst:ipv6 / inet:flow:dst:ipv6
The destination IPv6 address.
The property type is inet:ipv6.
- :dst:port / inet:flow:dst:port
The destination port.
The property type is inet:port.
- :dst:proto / inet:flow:dst:proto
The destination protocol.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :dst:host / inet:flow:dst:host
The guid of the destination host.
The property type is it:host.
- :dst:proc / inet:flow:dst:proc
The guid of the destination process.
The property type is it:exec:proc.
- :dst:exe / inet:flow:dst:exe
The file (executable) that received the connection.
The property type is file:bytes.
- :dst:txbytes / inet:flow:dst:txbytes
The number of bytes sent by the destination host / process / file.
The property type is int.
- :src / inet:flow:src
The source address / port for a connection.
The property type is inet:client.
- :src:ipv4 / inet:flow:src:ipv4
The source IPv4 address.
The property type is inet:ipv4.
- :src:ipv6 / inet:flow:src:ipv6
The source IPv6 address.
The property type is inet:ipv6.
- :src:port / inet:flow:src:port
The source port.
The property type is inet:port.
- :src:proto / inet:flow:src:proto
The source protocol.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :src:host / inet:flow:src:host
The guid of the source host.
The property type is it:host.
- :src:proc / inet:flow:src:proc
The guid of the source process.
The property type is it:exec:proc.
- :src:exe / inet:flow:src:exe
The file (executable) that created the connection.
The property type is file:bytes.
- :src:txbytes / inet:flow:src:txbytes
The number of bytes sent by the source host / process / file.
The property type is int.
inet:fqdn¶
A Fully Qualified Domain Name (FQDN).
The base type for the form can be found at inet:fqdn.
An example of inet:fqdn:
vertex.link
Properties:
- :domain / inet:fqdn:domain
The parent domain for the FQDN. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :host / inet:fqdn:host
The host part of the FQDN. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :issuffix / inet:fqdn:issuffix
True if the FQDN is considered a suffix.
The property type is bool.
- :iszone / inet:fqdn:iszone
True if the FQDN is considered a zone.
The property type is bool.
- :zone / inet:fqdn:zone
The zone level parent for this FQDN.
The property type is inet:fqdn.
inet:http:cookie¶
An HTTP cookie string.
The base type for the form can be found at inet:http:cookie.
Properties:
inet:http:param¶
An HTTP request path query parameter.
The base type for the form can be found at inet:http:param.
Properties:
- :name / inet:http:param:name
The name of the HTTP query parameter. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :value / inet:http:param:value
The value of the HTTP query parameter. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
inet:http:request¶
A single HTTP request.
The base type for the form can be found at inet:http:request.
Properties:
- :flow / inet:http:request:flow
An individual network connection between a given source and destination.
The property type is inet:flow.
- :client / inet:http:request:client
A network client address.
The property type is inet:client.
- :client:ipv4 / inet:http:request:client:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :client:ipv6 / inet:http:request:client:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :server / inet:http:request:server
A network server address.
The property type is inet:server.
- :server:ipv4 / inet:http:request:server:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :server:ipv6 / inet:http:request:server:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :server:port / inet:http:request:server:port
A network port.
The property type is inet:port.
- :time / inet:http:request:time
The time that the HTTP request was sent.
The property type is time.
- :method / inet:http:request:method
The HTTP request method string.
The property type is str.
- :path / inet:http:request:path
The requested HTTP path (without query parameters).
The property type is str.
- :url / inet:http:request:url
The reconstructed URL for the request if known.
The property type is inet:url.
- :query / inet:http:request:query
The HTTP query string which optionally follows the path.
The property type is str.
- :headers / inet:http:request:headers
An array of HTTP headers from the request.
The property type is array. Its type has the following options set:
- type:
inet:http:request:header
- type:
- :body / inet:http:request:body
The body of the HTTP request.
The property type is file:bytes.
- :response:time / inet:http:request:response:time
A date/time value.
The property type is time.
- :response:code / inet:http:request:response:code
The base 64 bit signed integer type.
The property type is int.
- :response:reason / inet:http:request:response:reason
The base string type.
The property type is str.
- :response:headers / inet:http:request:response:headers
An array of HTTP headers from the response.
The property type is array. Its type has the following options set:
- type:
inet:http:response:header
- type:
- :response:body / inet:http:request:response:body
The file bytes type with SHA256 based primary property.
The property type is file:bytes.
inet:http:request:header¶
An HTTP request header.
The base type for the form can be found at inet:http:request:header.
Properties:
- :name / inet:http:request:header:name
The name of the HTTP request header. It has the following property options set:
- Read Only:
True
The property type is inet:http:header:name.
- Read Only:
- :value / inet:http:request:header:value
The value of the HTTP request header. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
inet:http:response:header¶
An HTTP response header.
The base type for the form can be found at inet:http:response:header.
Properties:
- :name / inet:http:response:header:name
The name of the HTTP response header. It has the following property options set:
- Read Only:
True
The property type is inet:http:header:name.
- Read Only:
- :value / inet:http:response:header:value
The value of the HTTP response header. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
inet:iface¶
A network interface with a set of associated protocol addresses.
The base type for the form can be found at inet:iface.
Properties:
- :host / inet:iface:host
The guid of the host the interface is associated with.
The property type is it:host.
- :type / inet:iface:type
The free-form interface type.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :mac / inet:iface:mac
The ethernet (MAC) address of the interface.
The property type is inet:mac.
- :ipv4 / inet:iface:ipv4
The IPv4 address of the interface.
The property type is inet:ipv4.
- :ipv6 / inet:iface:ipv6
The IPv6 address of the interface.
The property type is inet:ipv6.
- :phone / inet:iface:phone
The telephone number of the interface.
The property type is tel:phone.
- :wifi:ssid / inet:iface:wifi:ssid
The wifi SSID of the interface.
The property type is inet:wifi:ssid.
- :wifi:bssid / inet:iface:wifi:bssid
The wifi BSSID of the interface.
The property type is inet:mac.
- :mob:imei / inet:iface:mob:imei
The IMEI of the interface.
The property type is tel:mob:imei.
- :mob:imsi / inet:iface:mob:imsi
The IMSI of the interface.
The property type is tel:mob:imsi.
inet:ipv4¶
An IPv4 address.
The base type for the form can be found at inet:ipv4.
An example of inet:ipv4:
1.2.3.4
Properties:
- :asn / inet:ipv4:asn
The ASN to which the IPv4 address is currently assigned.
The property type is inet:asn.
- :latlong / inet:ipv4:latlong
The best known latitude/longitude for the node.
The property type is geo:latlong.
- :loc / inet:ipv4:loc
The geo-political location string for the IPv4.
The property type is loc.
- :place / inet:ipv4:place
The geo:place assocated with the latlong property.
The property type is geo:place.
- :type / inet:ipv4:type
The type of IP address (e.g., private, multicast, etc.).
The property type is str.
- :dns:rev / inet:ipv4:dns:rev
The most current DNS reverse lookup for the IPv4.
The property type is inet:fqdn.
inet:ipv6¶
An IPv6 address.
The base type for the form can be found at inet:ipv6.
An example of inet:ipv6:
2607:f8b0:4004:809::200e
Properties:
- :asn / inet:ipv6:asn
The ASN to which the IPv6 address is currently assigned.
The property type is inet:asn.
- :ipv4 / inet:ipv6:ipv4
The mapped ipv4.
The property type is inet:ipv4.
- :latlong / inet:ipv6:latlong
The last known latitude/longitude for the node.
The property type is geo:latlong.
- :place / inet:ipv6:place
The geo:place assocated with the latlong property.
The property type is geo:place.
- :dns:rev / inet:ipv6:dns:rev
The most current DNS reverse lookup for the IPv6.
The property type is inet:fqdn.
- :loc / inet:ipv6:loc
The geo-political location string for the IPv6.
The property type is loc.
inet:mac¶
A 48-bit Media Access Control (MAC) address.
The base type for the form can be found at inet:mac.
An example of inet:mac:
aa:bb:cc:dd:ee:ff
Properties:
- :vendor / inet:mac:vendor
The vendor associated with the 24-bit prefix of a MAC address.
The property type is str.
inet:passwd¶
A password string.
The base type for the form can be found at inet:passwd.
Properties:
- :md5 / inet:passwd:md5
The MD5 hash of the password. It has the following property options set:
- Read Only:
True
The property type is hash:md5.
- Read Only:
- :sha1 / inet:passwd:sha1
The SHA1 hash of the password. It has the following property options set:
- Read Only:
True
The property type is hash:sha1.
- Read Only:
- :sha256 / inet:passwd:sha256
The SHA256 hash of the password. It has the following property options set:
- Read Only:
True
The property type is hash:sha256.
- Read Only:
inet:rfc2822:addr¶
An RFC 2822 Address field.
The base type for the form can be found at inet:rfc2822:addr.
An example of inet:rfc2822:addr:
"Visi Kenshoto" <visi@vertex.link>
Properties:
- :name / inet:rfc2822:addr:name
The name field parsed from an RFC 2822 address string. It has the following property options set:
- Read Only:
True
The property type is ps:name.
- Read Only:
- :email / inet:rfc2822:addr:email
The email field parsed from an RFC 2822 address string. It has the following property options set:
- Read Only:
True
The property type is inet:email.
- Read Only:
inet:search:query¶
An instance of a search query issued to a search engine.
The base type for the form can be found at inet:search:query.
Properties:
- :text / inet:search:query:text
The search query text.
The property type is str.
- :time / inet:search:query:time
The time the web search was issued.
The property type is time.
- :engine / inet:search:query:engine
A simple name for the search engine used. It has the following property options set:
- Example:
google
The property type is str. Its type has the following options set:
- lower:
True
- Example:
inet:search:result¶
A single result from a web search.
The base type for the form can be found at inet:search:result.
Properties:
- :query / inet:search:result:query
The search query that produced the result.
The property type is inet:search:query.
- :title / inet:search:result:title
The title of the matching web page.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :rank / inet:search:result:rank
The rank/order of the query result.
The property type is int.
- :url / inet:search:result:url
The URL hosting the matching content.
The property type is inet:url.
- :text / inet:search:result:text
Extracted/matched text from the matched content.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
inet:server¶
A network server address.
The base type for the form can be found at inet:server.
An example of inet:server:
tcp://1.2.3.4:80
Properties:
- :proto / inet:server:proto
The network protocol of the server. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :ipv4 / inet:server:ipv4
The IPv4 of the server. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :ipv6 / inet:server:ipv6
The IPv6 of the server. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
- :host / inet:server:host
The it:host node for the server. It has the following property options set:
- Read Only:
True
The property type is it:host.
- Read Only:
- :port / inet:server:port
The server tcp/udp port.
The property type is inet:port.
inet:servfile¶
A file hosted on a server for access over a network protocol.
The base type for the form can be found at inet:servfile.
Properties:
- :file / inet:servfile:file
The file hosted by the server. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :server / inet:servfile:server
The inet:addr of the server. It has the following property options set:
- Read Only:
True
The property type is inet:server.
- Read Only:
- :server:proto / inet:servfile:server:proto
The network protocol of the server. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :server:ipv4 / inet:servfile:server:ipv4
The IPv4 of the server. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :server:ipv6 / inet:servfile:server:ipv6
The IPv6 of the server. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
- :server:host / inet:servfile:server:host
The it:host node for the server. It has the following property options set:
- Read Only:
True
The property type is it:host.
- Read Only:
- :server:port / inet:servfile:server:port
The server tcp/udp port.
The property type is inet:port.
inet:ssl:cert¶
An SSL certificate file served by a server.
The base type for the form can be found at inet:ssl:cert.
An example of inet:ssl:cert:
(1.2.3.4:443, guid:d41d8cd98f00b204e9800998ecf8427e)
Properties:
- :file / inet:ssl:cert:file
The file bytes for the SSL certificate. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :server / inet:ssl:cert:server
The server that presented the SSL certificate. It has the following property options set:
- Read Only:
True
The property type is inet:server.
- Read Only:
- :server:ipv4 / inet:ssl:cert:server:ipv4
The SSL server IPv4 address. It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :server:ipv6 / inet:ssl:cert:server:ipv6
The SSL server IPv6 address. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
- :server:port / inet:ssl:cert:server:port
The SSL server listening port. It has the following property options set:
- Read Only:
True
The property type is inet:port.
- Read Only:
inet:url¶
A Universal Resource Locator (URL).
The base type for the form can be found at inet:url.
An example of inet:url:
http://www.woot.com/files/index.html
Properties:
- :fqdn / inet:url:fqdn
The fqdn used in the URL (e.g., http://www.woot.com/page.html). It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :ipv4 / inet:url:ipv4
The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html). It has the following property options set:
- Read Only:
True
The property type is inet:ipv4.
- Read Only:
- :ipv6 / inet:url:ipv6
The IPv6 address used in the URL. It has the following property options set:
- Read Only:
True
The property type is inet:ipv6.
- Read Only:
- :passwd / inet:url:passwd
The optional password used to access the URL. It has the following property options set:
- Read Only:
True
The property type is inet:passwd.
- Read Only:
- :base / inet:url:base
The base scheme, user/pass, fqdn, port and path w/o parameters. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :path / inet:url:path
The path in the URL w/o parameters. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :params / inet:url:params
The URL parameter string. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :port / inet:url:port
The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified. It has the following property options set:
- Read Only:
True
The property type is inet:port.
- Read Only:
- :proto / inet:url:proto
The protocol in the URL. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :user / inet:url:user
The optional username used to access the URL. It has the following property options set:
- Read Only:
True
The property type is inet:user.
- Read Only:
inet:url:mirror¶
A URL mirror site.
The base type for the form can be found at inet:url:mirror.
Properties:
inet:urlfile¶
A file hosted at a specific Universal Resource Locator (URL).
The base type for the form can be found at inet:urlfile.
Properties:
- :url / inet:urlfile:url
The URL where the file was hosted. It has the following property options set:
- Read Only:
True
The property type is inet:url.
- Read Only:
- :file / inet:urlfile:file
The file that was hosted at the URL. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
inet:urlredir¶
A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.
The base type for the form can be found at inet:urlredir.
An example of inet:urlredir:
(http://foo.com/,http://bar.com/)
Properties:
- :src / inet:urlredir:src
The original/source URL before redirect. It has the following property options set:
- Read Only:
True
The property type is inet:url.
- Read Only:
- :src:fqdn / inet:urlredir:src:fqdn
The FQDN within the src URL (if present). It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :dst / inet:urlredir:dst
The redirected/destination URL. It has the following property options set:
- Read Only:
True
The property type is inet:url.
- Read Only:
- :dst:fqdn / inet:urlredir:dst:fqdn
The FQDN within the dst URL (if present). It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
inet:web:acct¶
An account with a given Internet-based site or service.
The base type for the form can be found at inet:web:acct.
An example of inet:web:acct:
(twitter.com, invisig0th)
Properties:
- :avatar / inet:web:acct:avatar
The file representing the avatar (e.g., profile picture) for the account.
The property type is file:bytes.
- :dob / inet:web:acct:dob
A self-declared date of birth for the account (if the account belongs to a person).
The property type is time.
- :email / inet:web:acct:email
The email address associated with the account.
The property type is inet:email.
- :latlong / inet:web:acct:latlong
The last known latitude/longitude for the node.
The property type is geo:latlong.
- :place / inet:web:acct:place
The geo:place assocated with the latlong property.
The property type is geo:place.
- :loc / inet:web:acct:loc
A self-declared location for the account.
The property type is loc.
- :name / inet:web:acct:name
The localized name associated with the account (may be different from the account identifier, e.g., a display name).
The property type is inet:user.
- :name:en / inet:web:acct:name:en
The English version of the name associated with the (may be different from the account identifier, e.g., a display name).
The property type is inet:user.
- :occupation / inet:web:acct:occupation
A self-declared occupation for the account.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :passwd / inet:web:acct:passwd
The current password for the account.
The property type is inet:passwd.
- :phone / inet:web:acct:phone
The phone number associated with the account.
The property type is tel:phone.
- :realname / inet:web:acct:realname
The localized version of the real name of the account owner / registrant.
The property type is ps:name.
- :realname:en / inet:web:acct:realname:en
The English version of the real name of the account owner / registrant.
The property type is ps:name.
- :signup / inet:web:acct:signup
The date and time the account was registered.
The property type is time.
- :signup:client / inet:web:acct:signup:client
The client address used to sign up for the account.
The property type is inet:client.
- :signup:client:ipv4 / inet:web:acct:signup:client:ipv4
The IPv4 address used to sign up for the account.
The property type is inet:ipv4.
- :signup:client:ipv6 / inet:web:acct:signup:client:ipv6
The IPv6 address used to sign up for the account.
The property type is inet:ipv4.
- :site / inet:web:acct:site
The site or service associated with the account. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :tagline / inet:web:acct:tagline
The text of the account status or tag line.
The property type is str.
- :url / inet:web:acct:url
The service provider URL where the account is hosted.
The property type is inet:url.
- :user / inet:web:acct:user
The unique identifier for the account (may be different from the common name or display name). It has the following property options set:
- Read Only:
True
The property type is inet:user.
- Read Only:
- :webpage / inet:web:acct:webpage
A related URL specified by the account (e.g., a personal or company web page, blog, etc.).
The property type is inet:url.
inet:web:action¶
An instance of an account performing an action at an Internet-based site or service.
The base type for the form can be found at inet:web:action.
Properties:
- :act / inet:web:action:act
The action performed by the account.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :acct / inet:web:action:acct
The web account associated with the action.
The property type is inet:web:acct.
- :acct:site / inet:web:action:acct:site
The site or service associated with the account.
The property type is inet:fqdn.
- :acct:user / inet:web:action:acct:user
The unique identifier for the account.
The property type is inet:user.
- :time / inet:web:action:time
The date and time the account performed the action.
The property type is time.
- :client / inet:web:action:client
The source client address of the action.
The property type is inet:client.
- :client:ipv4 / inet:web:action:client:ipv4
The source IPv4 address of the action.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:action:client:ipv6
The source IPv6 address of the action.
The property type is inet:ipv6.
inet:web:chprofile¶
A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.
The base type for the form can be found at inet:web:chprofile.
Properties:
- :acct / inet:web:chprofile:acct
The web account associated with the change.
The property type is inet:web:acct.
- :acct:site / inet:web:chprofile:acct:site
The site or service associated with the account.
The property type is inet:fqdn.
- :acct:user / inet:web:chprofile:acct:user
The unique identifier for the account.
The property type is inet:user.
- :client / inet:web:chprofile:client
The source address used to make the account change.
The property type is inet:client.
- :client:ipv4 / inet:web:chprofile:client:ipv4
The source IPv4 address used to make the account change.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:chprofile:client:ipv6
The source IPv6 address used to make the account change.
The property type is inet:ipv6.
- :time / inet:web:chprofile:time
The date and time when the account change occurred.
The property type is time.
- :pv / inet:web:chprofile:pv
The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.
The property type is nodeprop.
- :pv:prop / inet:web:chprofile:pv:prop
The property that was changed.
The property type is str.
inet:web:file¶
A file posted by a web account.
The base type for the form can be found at inet:web:file.
Properties:
- :acct / inet:web:file:acct
The account that owns or is associated with the file. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
- :acct:site / inet:web:file:acct:site
The site or service associated with the account. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :acct:user / inet:web:file:acct:user
The unique identifier for the account. It has the following property options set:
- Read Only:
True
The property type is inet:user.
- Read Only:
- :file / inet:web:file:file
The file owned by or associated with the account. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :name / inet:web:file:name
The name of the file owned by or associated with the account.
The property type is file:base.
- :posted / inet:web:file:posted
The date and time the file was posted / submitted.
The property type is time.
- :client / inet:web:file:client
The source client address used to post or submit the file.
The property type is inet:client.
- :client:ipv4 / inet:web:file:client:ipv4
The source IPv4 address used to post or submit the file.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:file:client:ipv6
The source IPv6 address used to post or submit the file.
The property type is inet:ipv6.
inet:web:follows¶
A web account follows or is connected to another web account.
The base type for the form can be found at inet:web:follows.
Properties:
- :follower / inet:web:follows:follower
The account following an account. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
- :followee / inet:web:follows:followee
The account followed by an account. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
inet:web:group¶
A group hosted within or registered with a given Internet-based site or service.
The base type for the form can be found at inet:web:group.
An example of inet:web:group:
(somesite.com, mycoolgroup)
Properties:
- :site / inet:web:group:site
The site or service associated with the group. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :id / inet:web:group:id
The site-specific unique identifier for the group (may be different from the common name or display name). It has the following property options set:
- Read Only:
True
The property type is inet:group.
- Read Only:
- :name / inet:web:group:name
The localized name associated with the group (may be different from the account identifier, e.g., a display name).
The property type is inet:group.
- :name:en / inet:web:group:name:en
The English version of the name associated with the group (may be different from the localized name).
The property type is inet:group.
- :url / inet:web:group:url
The service provider URL where the group is hosted.
The property type is inet:url.
- :avatar / inet:web:group:avatar
The file representing the avatar (e.g., profile picture) for the group.
The property type is file:bytes.
- :desc / inet:web:group:desc
The text of the description of the group.
The property type is str.
- :webpage / inet:web:group:webpage
A related URL specified by the group (e.g., primary web site, etc.).
The property type is inet:url.
- :loc / inet:web:group:loc
A self-declared location for the group.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :latlong / inet:web:group:latlong
The last known latitude/longitude for the node.
The property type is geo:latlong.
- :place / inet:web:group:place
The geo:place assocated with the latlong property.
The property type is geo:place.
- :signup / inet:web:group:signup
The date and time the group was created on the site.
The property type is time.
- :signup:client / inet:web:group:signup:client
The client address used to create the group.
The property type is inet:client.
- :signup:client:ipv4 / inet:web:group:signup:client:ipv4
The IPv4 address used to create the group.
The property type is inet:ipv4.
- :signup:client:ipv6 / inet:web:group:signup:client:ipv6
The IPv6 address used to create the group.
The property type is inet:ipv6.
inet:web:logon¶
An instance of an account authenticating to an Internet-based site or service.
The base type for the form can be found at inet:web:logon.
Properties:
- :acct / inet:web:logon:acct
The web account associated with the logon event. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
- :acct:site / inet:web:logon:acct:site
The site or service associated with the account. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :acct:user / inet:web:logon:acct:user
The unique identifier for the account. It has the following property options set:
- Read Only:
True
The property type is inet:user.
- Read Only:
- :time / inet:web:logon:time
The date and time the account logged into the service. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
- :client / inet:web:logon:client
The source address of the logon.
The property type is inet:client.
- :client:ipv4 / inet:web:logon:client:ipv4
The source IPv4 address of the logon.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:logon:client:ipv6
The source IPv6 address of the logon.
The property type is inet:ipv6.
- :logout / inet:web:logon:logout
The date and time the account logged out of the service. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
inet:web:memb¶
A web account that is a member of a web group.
The base type for the form can be found at inet:web:memb.
Properties:
- :acct / inet:web:memb:acct
The account that is a member of the group. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
- :group / inet:web:memb:group
The group that the account is a member of. It has the following property options set:
- Read Only:
True
The property type is inet:web:group.
- Read Only:
- :title / inet:web:memb:title
The title or status of the member (e.g., admin, new member, etc.).
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :joined / inet:web:memb:joined
The date / time the account joined the group.
The property type is time.
inet:web:mesg¶
A message sent from one web account to another web account.
The base type for the form can be found at inet:web:mesg.
An example of inet:web:mesg:
((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)
Properties:
- :from / inet:web:mesg:from
The web account that sent the message. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
- :to / inet:web:mesg:to
The web account that received the message. It has the following property options set:
- Read Only:
True
The property type is inet:web:acct.
- Read Only:
- :client / inet:web:mesg:client
The source address of the message.
The property type is inet:client.
- :client:ipv4 / inet:web:mesg:client:ipv4
The source IPv4 address of the message.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:mesg:client:ipv6
The source IPv6 address of the message.
The property type is inet:ipv6.
- :time / inet:web:mesg:time
The date and time at which the message was sent. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
- :url / inet:web:mesg:url
The URL where the message is posted / visible.
The property type is inet:url.
- :text / inet:web:mesg:text
The text of the message. It has the following property options set:
- disp:
{'hint': 'text'}
The property type is str.
- disp:
- :file / inet:web:mesg:file
The file attached to or sent with the message.
The property type is file:bytes.
inet:web:post¶
A post made by a web account.
The base type for the form can be found at inet:web:post.
Properties:
- :acct / inet:web:post:acct
The web account that made the post.
The property type is inet:web:acct.
- :acct:site / inet:web:post:acct:site
The site or service associated with the account.
The property type is inet:fqdn.
- :client / inet:web:post:client
The source address of the post.
The property type is inet:client.
- :client:ipv4 / inet:web:post:client:ipv4
The source IPv4 address of the post.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:post:client:ipv6
The source IPv6 address of the post.
The property type is inet:ipv6.
- :acct:user / inet:web:post:acct:user
The unique identifier for the account.
The property type is inet:user.
- :text / inet:web:post:text
The text of the post. It has the following property options set:
- disp:
{'hint': 'text'}
The property type is str.
- disp:
- :time / inet:web:post:time
The date and time that the post was made.
The property type is time.
- :url / inet:web:post:url
The URL where the post is published / visible.
The property type is inet:url.
- :file / inet:web:post:file
The file that was attached to the post.
The property type is file:bytes.
- :replyto / inet:web:post:replyto
The post that this post is in reply to.
The property type is inet:web:post.
- :repost / inet:web:post:repost
The original post that this is a repost of.
The property type is inet:web:post.
inet:whois:contact¶
An individual contact from a domain whois record.
The base type for the form can be found at inet:whois:contact.
Properties:
- :rec / inet:whois:contact:rec
The whois record containing the contact data. It has the following property options set:
- Read Only:
True
The property type is inet:whois:rec.
- Read Only:
- :rec:fqdn / inet:whois:contact:rec:fqdn
The domain associated with the whois record. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :rec:asof / inet:whois:contact:rec:asof
The date of the whois record. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
- :type / inet:whois:contact:type
The contact type (e.g., registrar, registrant, admin, billing, tech, etc.).
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :id / inet:whois:contact:id
The ID associated with the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :name / inet:whois:contact:name
The name of the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :email / inet:whois:contact:email
The email address of the contact.
The property type is inet:email.
- :orgname / inet:whois:contact:orgname
The name of the contact organization.
The property type is ou:name.
- :address / inet:whois:contact:address
The content of the street address field(s) of the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :city / inet:whois:contact:city
The content of the city field of the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :state / inet:whois:contact:state
The content of the state field of the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :country / inet:whois:contact:country
The two-letter country code of the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :phone / inet:whois:contact:phone
The content of the phone field of the contact.
The property type is tel:phone.
- :fax / inet:whois:contact:fax
The content of the fax field of the contact.
The property type is tel:phone.
- :url / inet:whois:contact:url
The URL specified for the contact.
The property type is inet:url.
- :whois:fqdn / inet:whois:contact:whois:fqdn
The whois server FQDN for the given contact (most likely a registrar).
The property type is inet:fqdn.
inet:whois:email¶
An email address associated with an FQDN via whois registration text.
The base type for the form can be found at inet:whois:email.
Properties:
- :fqdn / inet:whois:email:fqdn
The domain with a whois record containing the email address. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :email / inet:whois:email:email
The email address associated with the domain whois record. It has the following property options set:
- Read Only:
True
The property type is inet:email.
- Read Only:
inet:whois:ipcontact¶
An individual contact from an IP block record.
The base type for the form can be found at inet:whois:ipcontact.
Properties:
- :contact / inet:whois:ipcontact:contact
Contact information associated with a registration.
The property type is ps:contact.
- :asof / inet:whois:ipcontact:asof
The date of the record.
The property type is time.
- :created / inet:whois:ipcontact:created
The “created” time from the record.
The property type is time.
- :updated / inet:whois:ipcontact:updated
The “last updated” time from the record.
The property type is time.
- :role / inet:whois:ipcontact:role
The primary role for the contact.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :roles / inet:whois:ipcontact:roles
Additional roles assigned to the contact.
The property type is array. Its type has the following options set:
- type:
str
- type:
- :asn / inet:whois:ipcontact:asn
The associated Autonomous System Number (ASN).
The property type is inet:asn.
- :id / inet:whois:ipcontact:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
The property type is inet:whois:regid.
- :links / inet:whois:ipcontact:links
URLs provided with the record.
The property type is array. Its type has the following options set:
- type:
inet:url
- type:
- :status / inet:whois:ipcontact:status
The state of the registered contact (e.g. validated, obscured).
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :contacts / inet:whois:ipcontact:contacts
Additional contacts referenced by this contact.
The property type is array. Its type has the following options set:
- type:
inet:whois:ipcontact
- type:
inet:whois:ipquery¶
Query details used to retrieve an IP record.
The base type for the form can be found at inet:whois:ipquery.
Properties:
- :time / inet:whois:ipquery:time
The time the request was made.
The property type is time.
- :url / inet:whois:ipquery:url
The query URL when using the HTTP RDAP Protocol.
The property type is inet:url.
- :fqdn / inet:whois:ipquery:fqdn
The FQDN of the host server when using the legacy WHOIS Protocol.
The property type is inet:fqdn.
- :ipv4 / inet:whois:ipquery:ipv4
The IPv4 address queried.
The property type is inet:ipv4.
- :ipv6 / inet:whois:ipquery:ipv6
The IPv6 address queried.
The property type is inet:ipv6.
- :success / inet:whois:ipquery:success
Whether the host returned a valid response for the query.
The property type is bool.
- :rec / inet:whois:ipquery:rec
The resulting record from the query.
The property type is inet:whois:iprec.
inet:whois:iprec¶
An IPv4/IPv6 block registration record.
The base type for the form can be found at inet:whois:iprec.
Properties:
- :net4 / inet:whois:iprec:net4
The IPv4 address range assigned.
The property type is inet:net4.
- :net4:min / inet:whois:iprec:net4:min
The first IPv4 in the range assigned.
The property type is inet:ipv4.
- :net4:max / inet:whois:iprec:net4:max
The last IPv4 in the range assigned.
The property type is inet:ipv4.
- :net6 / inet:whois:iprec:net6
The IPv6 address range assigned.
The property type is inet:net6.
- :net6:min / inet:whois:iprec:net6:min
The first IPv6 in the range assigned.
The property type is inet:ipv6.
- :net6:max / inet:whois:iprec:net6:max
The last IPv6 in the range assigned.
The property type is inet:ipv6.
- :asof / inet:whois:iprec:asof
The date of the record.
The property type is time.
- :created / inet:whois:iprec:created
The “created” time from the record.
The property type is time.
- :updated / inet:whois:iprec:updated
The “last updated” time from the record.
The property type is time.
- :text / inet:whois:iprec:text
The full text of the record.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :asn / inet:whois:iprec:asn
The associated Autonomous System Number (ASN).
The property type is inet:asn.
- :id / inet:whois:iprec:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
The property type is inet:whois:regid.
- :name / inet:whois:iprec:name
The name assigned to the network by the registrant.
The property type is str.
- :parentid / inet:whois:iprec:parentid
The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).
The property type is inet:whois:regid.
- :registrant / inet:whois:iprec:registrant
The registrant contact from the record.
The property type is inet:whois:ipcontact.
- :contacts / inet:whois:iprec:contacts
Additional contacts from the record.
The property type is array. Its type has the following options set:
- type:
inet:whois:ipcontact
- type:
- :country / inet:whois:iprec:country
The two-letter ISO 3166 country code.
The property type is str. Its type has the following options set:
- lower:
True - regex:
^[a-z]{2}$
- lower:
- :status / inet:whois:iprec:status
The state of the registered network.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :type / inet:whois:iprec:type
The classification of the registered network (e.g. direct allocation).
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :links / inet:whois:iprec:links
URLs provided with the record.
The property type is array. Its type has the following options set:
- type:
inet:url
- type:
inet:whois:rar¶
A domain registrar.
The base type for the form can be found at inet:whois:rar.
An example of inet:whois:rar:
godaddy, inc.
Properties:
inet:whois:rec¶
A domain whois record.
The base type for the form can be found at inet:whois:rec.
Properties:
- :fqdn / inet:whois:rec:fqdn
The domain associated with the whois record. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :asof / inet:whois:rec:asof
The date of the whois record. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
- :text / inet:whois:rec:text
The full text of the whois record. It has the following property options set:
- disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
- lower:
True
- disp:
- :created / inet:whois:rec:created
The “created” time from the whois record.
The property type is time.
- :updated / inet:whois:rec:updated
The “last updated” time from the whois record.
The property type is time.
- :expires / inet:whois:rec:expires
The “expires” time from the whois record.
The property type is time.
- :registrar / inet:whois:rec:registrar
The registrar name from the whois record.
The property type is inet:whois:rar.
- :registrant / inet:whois:rec:registrant
The registrant name from the whois record.
The property type is inet:whois:reg.
inet:whois:recns¶
A nameserver associated with a domain whois record.
The base type for the form can be found at inet:whois:recns.
Properties:
- :ns / inet:whois:recns:ns
A nameserver for a domain as listed in the domain whois record. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :rec / inet:whois:recns:rec
The whois record containing the nameserver data. It has the following property options set:
- Read Only:
True
The property type is inet:whois:rec.
- Read Only:
- :rec:fqdn / inet:whois:recns:rec:fqdn
The domain associated with the whois record. It has the following property options set:
- Read Only:
True
The property type is inet:fqdn.
- Read Only:
- :rec:asof / inet:whois:recns:rec:asof
The date of the whois record. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
inet:whois:reg¶
A domain registrant.
The base type for the form can be found at inet:whois:reg.
An example of inet:whois:reg:
woot hostmaster
Properties:
inet:whois:regid¶
The registry unique identifier of the registration record.
The base type for the form can be found at inet:whois:regid.
An example of inet:whois:regid:
NET-10-0-0-0-1
Properties:
inet:wifi:ap¶
An SSID/MAC address combination for a wireless access point.
The base type for the form can be found at inet:wifi:ap.
Properties:
- :ssid / inet:wifi:ap:ssid
The SSID for the wireless access point.
The property type is inet:wifi:ssid.
- :bssid / inet:wifi:ap:bssid
The MAC address for the wireless access point.
The property type is inet:mac.
- :latlong / inet:wifi:ap:latlong
The best known latitude/longitude for the wireless access point.
The property type is geo:latlong.
- :accuracy / inet:wifi:ap:accuracy
The reported accuracy of the latlong telemetry reading.
The property type is geo:dist.
- :place / inet:wifi:ap:place
The geo:place assocated with the latlong property.
The property type is geo:place.
- :loc / inet:wifi:ap:loc
The geo-political location string for the wireless access point.
The property type is loc.
- :org / inet:wifi:ap:org
The organization that owns/operates the access point.
The property type is ou:org.
inet:wifi:ssid¶
A WiFi service set identifier (SSID) name.
The base type for the form can be found at inet:wifi:ssid.
An example of inet:wifi:ssid:
The Vertex Project
Properties:
iso:oid¶
An ISO Object Identifier string.
The base type for the form can be found at iso:oid.
Properties:
it:app:snort:hit¶
An instance of a snort rule hit.
The base type for the form can be found at it:app:snort:hit.
Properties:
- :rule / it:app:snort:hit:rule
The snort rule that matched the file.
The property type is it:app:snort:rule.
- :flow / it:app:snort:hit:flow
The inet:flow that matched the snort rule.
The property type is inet:flow.
- :src / it:app:snort:hit:src
The source address of flow that caused the hit.
The property type is inet:addr.
- :src:ipv4 / it:app:snort:hit:src:ipv4
The source IPv4 address of the flow that caused the hit.
The property type is inet:ipv4.
- :src:ipv6 / it:app:snort:hit:src:ipv6
The source IPv6 address of the flow that caused the hit.
The property type is inet:ipv6.
- :src:port / it:app:snort:hit:src:port
The source port of the flow that caused the hit.
The property type is inet:port.
- :dst / it:app:snort:hit:dst
The destination address of the trigger.
The property type is inet:addr.
- :dst:ipv4 / it:app:snort:hit:dst:ipv4
The destination IPv4 address of the flow that caused the hit.
The property type is inet:ipv4.
- :dst:ipv6 / it:app:snort:hit:dst:ipv6
The destination IPv4 address of the flow that caused the hit.
The property type is inet:ipv6.
- :dst:port / it:app:snort:hit:dst:port
The destination port of the flow that caused the hit.
The property type is inet:port.
- :time / it:app:snort:hit:time
The time of the network flow that caused the hit.
The property type is time.
- :sensor / it:app:snort:hit:sensor
The sensor host node that produced the hit.
The property type is it:host.
- :version / it:app:snort:hit:version
The version of the rule at the time of match.
The property type is it:semver.
it:app:snort:rule¶
A snort rule unique identifier.
The base type for the form can be found at it:app:snort:rule.
Properties:
it:app:yara:match¶
A yara rule match to a file.
The base type for the form can be found at it:app:yara:match.
Properties:
- :rule / it:app:yara:match:rule
The yara rule that matched the file. It has the following property options set:
- Read Only:
True
The property type is it:app:yara:rule.
- Read Only:
- :file / it:app:yara:match:file
The file that matched the yara rule. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :version / it:app:yara:match:version
The most recent version of the rule evaluated as a match.
The property type is it:semver.
it:app:yara:rule¶
A yara rule unique identifier.
The base type for the form can be found at it:app:yara:rule.
Properties:
- :text / it:app:yara:rule:text
The yara rule text.
The property type is str.
- :name / it:app:yara:rule:name
The name of the yara rule.
The property type is str.
- :author / it:app:yara:rule:author
Contact info for the author of the yara rule.
The property type is ps:contact.
- :version / it:app:yara:rule:version
The current version of the rule.
The property type is it:semver.
it:auth:passwdhash¶
An instance of a password hash.
The base type for the form can be found at it:auth:passwdhash.
Properties:
- :salt / it:auth:passwdhash:salt
The (optional) hex encoded salt value used to calculate the password hash.
The property type is hex.
- :hash:md5 / it:auth:passwdhash:hash:md5
The MD5 password hash value.
The property type is hash:md5.
- :hash:sha1 / it:auth:passwdhash:hash:sha1
The SHA1 password hash value.
The property type is hash:sha1.
- :hash:sha256 / it:auth:passwdhash:hash:sha256
The SHA256 password hash value.
The property type is hash:sha256.
- :hash:sha512 / it:auth:passwdhash:hash:sha512
The SHA512 password hash value.
The property type is hash:sha512.
- :hash:lm / it:auth:passwdhash:hash:lm
The LM password hash value.
The property type is hash:lm.
- :hash:ntlm / it:auth:passwdhash:hash:ntlm
The NTLM password hash value.
The property type is hash:ntlm.
- :passwd / it:auth:passwdhash:passwd
The (optional) clear text password for this password hash.
The property type is inet:passwd.
it:av:filehit¶
A file that triggered an alert on a specific antivirus signature.
The base type for the form can be found at it:av:filehit.
Properties:
- :file / it:av:filehit:file
The file that triggered the signature hit. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :sig / it:av:filehit:sig
The signature that the file triggered on. It has the following property options set:
- Read Only:
True
The property type is it:av:sig.
- Read Only:
- :sig:name / it:av:filehit:sig:name
The signature name. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :sig:soft / it:av:filehit:sig:soft
The anti-virus product which contains the signature. It has the following property options set:
- Read Only:
True
The property type is it:prod:soft.
- Read Only:
it:av:sig¶
A signature name within the namespace of an antivirus engine name.
The base type for the form can be found at it:av:sig.
Properties:
- :soft / it:av:sig:soft
The anti-virus product which contains the signature. It has the following property options set:
- Read Only:
True
The property type is it:prod:soft.
- Read Only:
- :name / it:av:sig:name
The signature name. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True
- Read Only:
- :desc / it:av:sig:desc
A free-form description of the signature.
The property type is str.
- :url / it:av:sig:url
A reference URL for information about the signature.
The property type is inet:url.
it:dev:int¶
A developer selected integer constant.
The base type for the form can be found at it:dev:int.
Properties:
it:dev:mutex¶
A string representing a mutex.
The base type for the form can be found at it:dev:mutex.
Properties:
it:dev:pipe¶
A string representing a named pipe.
The base type for the form can be found at it:dev:pipe.
Properties:
it:dev:regkey¶
A Windows registry key.
The base type for the form can be found at it:dev:regkey.
An example of it:dev:regkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Properties:
it:dev:regval¶
A Windows registry key/value pair.
The base type for the form can be found at it:dev:regval.
Properties:
- :key / it:dev:regval:key
The Windows registry key.
The property type is it:dev:regkey.
- :str / it:dev:regval:str
The value of the registry key, if the value is a string.
The property type is it:dev:str.
- :int / it:dev:regval:int
The value of the registry key, if the value is an integer.
The property type is it:dev:int.
- :bytes / it:dev:regval:bytes
The file representing the value of the registry key, if the value is binary data.
The property type is file:bytes.
it:dev:str¶
A developer-selected string.
The base type for the form can be found at it:dev:str.
Properties:
- :norm / it:dev:str:norm
Lower case normalized version of the it:dev:str.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
it:exec:bind¶
An instance of a host binding a listening port.
The base type for the form can be found at it:exec:bind.
Properties:
- :proc / it:exec:bind:proc
The main process executing code that bound the listening port.
The property type is it:exec:proc.
- :host / it:exec:bind:host
The host running the process that bound the listening port. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:bind:exe
The specific file containing code that bound the listening port. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:bind:time
The time the port was bound.
The property type is time.
- :server / it:exec:bind:server
The inet:addr of the server when binding the port.
The property type is inet:server.
- :server:ipv4 / it:exec:bind:server:ipv4
The IPv4 address specified to bind().
The property type is inet:ipv4.
- :server:ipv6 / it:exec:bind:server:ipv6
The IPv6 address specified to bind().
The property type is inet:ipv6.
- :server:port / it:exec:bind:server:port
The bound (listening) TCP port.
The property type is inet:port.
it:exec:file:add¶
An instance of a host adding a file to a filesystem.
The base type for the form can be found at it:exec:file:add.
Properties:
- :proc / it:exec:file:add:proc
The main process executing code that created the new file.
The property type is it:exec:proc.
- :host / it:exec:file:add:host
The host running the process that created the new file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:add:exe
The specific file containing code that created the new file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:add:time
The time the file was created.
The property type is time.
- :path / it:exec:file:add:path
The path where the file was created.
The property type is file:path.
- :path:dir / it:exec:file:add:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:ext / it:exec:file:add:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Read Only:
- :path:base / it:exec:file:add:path:base
The final component of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:base.
- Read Only:
- :file / it:exec:file:add:file
The file that was created.
The property type is file:bytes.
it:exec:file:del¶
An instance of a host deleting a file from a filesystem.
The base type for the form can be found at it:exec:file:del.
Properties:
- :proc / it:exec:file:del:proc
The main process executing code that deleted the file.
The property type is it:exec:proc.
- :host / it:exec:file:del:host
The host running the process that deleted the file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:del:exe
The specific file containing code that deleted the file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:del:time
The time the file was deleted.
The property type is time.
- :path / it:exec:file:del:path
The path where the file was deleted.
The property type is file:path.
- :path:dir / it:exec:file:del:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:ext / it:exec:file:del:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Read Only:
- :path:base / it:exec:file:del:path:base
The final component of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:base.
- Read Only:
- :file / it:exec:file:del:file
The file that was deleted.
The property type is file:bytes.
it:exec:file:read¶
An instance of a host reading a file from a filesystem.
The base type for the form can be found at it:exec:file:read.
Properties:
- :proc / it:exec:file:read:proc
The main process executing code that read the file.
The property type is it:exec:proc.
- :host / it:exec:file:read:host
The host running the process that read the file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:read:exe
The specific file containing code that read the file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:read:time
The time the file was read.
The property type is time.
- :path / it:exec:file:read:path
The path where the file was read.
The property type is file:path.
- :path:dir / it:exec:file:read:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:ext / it:exec:file:read:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Read Only:
- :path:base / it:exec:file:read:path:base
The final component of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:base.
- Read Only:
- :file / it:exec:file:read:file
The file that was read.
The property type is file:bytes.
it:exec:file:write¶
An instance of a host writing a file to a filesystem.
The base type for the form can be found at it:exec:file:write.
Properties:
- :proc / it:exec:file:write:proc
The main process executing code that wrote to / modified the existing file.
The property type is it:exec:proc.
- :host / it:exec:file:write:host
The host running the process that wrote to the file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:write:exe
The specific file containing code that wrote to the file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:write:time
The time the file was written to/modified.
The property type is time.
- :path / it:exec:file:write:path
The path where the file was written to/modified.
The property type is file:path.
- :path:dir / it:exec:file:write:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:ext / it:exec:file:write:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Read Only:
- :path:base / it:exec:file:write:path:base
The final component of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:base.
- Read Only:
- :file / it:exec:file:write:file
The file that was modified.
The property type is file:bytes.
it:exec:mutex¶
A mutex created by a process at runtime.
The base type for the form can be found at it:exec:mutex.
Properties:
- :proc / it:exec:mutex:proc
The main process executing code that created the mutex.
The property type is it:exec:proc.
- :host / it:exec:mutex:host
The host running the process that created the mutex. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:mutex:exe
The specific file containing code that created the mutex. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:mutex:time
The time the mutex was created.
The property type is time.
- :name / it:exec:mutex:name
The mutex string.
The property type is it:dev:mutex.
it:exec:pipe¶
A named pipe created by a process at runtime.
The base type for the form can be found at it:exec:pipe.
Properties:
- :proc / it:exec:pipe:proc
The main process executing code that created the named pipe.
The property type is it:exec:proc.
- :host / it:exec:pipe:host
The host running the process that created the named pipe. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:pipe:exe
The specific file containing code that created the named pipe. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:pipe:time
The time the named pipe was created.
The property type is time.
- :name / it:exec:pipe:name
The named pipe string.
The property type is it:dev:pipe.
it:exec:proc¶
A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host.
The base type for the form can be found at it:exec:proc.
Properties:
- :host / it:exec:proc:host
The host that executed the process. May be an actual or a virtual / notional host.
The property type is it:host.
- :exe / it:exec:proc:exe
The file considered the “main” executable for the process. For example, rundll32.exe may be considered the “main” executable for DLLs loaded by that program.
The property type is file:bytes.
- :cmd / it:exec:proc:cmd
The command string used to launch the process, including any command line parameters.
The property type is str.
- :pid / it:exec:proc:pid
The process ID.
The property type is int.
- :time / it:exec:proc:time
The start time for the process.
The property type is time.
- :user / it:exec:proc:user
The user name of the process owner.
The property type is inet:user.
- :path / it:exec:proc:path
The path to the executable of the process.
The property type is file:path.
- :src:exe / it:exec:proc:src:exe
The path to the executable which started the process.
The property type is file:path.
- :src:proc / it:exec:proc:src:proc
The process which created the process.
The property type is it:exec:proc.
it:exec:reg:del¶
An instance of a host deleting a registry key.
The base type for the form can be found at it:exec:reg:del.
Properties:
- :proc / it:exec:reg:del:proc
The main process executing code that deleted data from the registry.
The property type is it:exec:proc.
- :host / it:exec:reg:del:host
The host running the process that deleted data from the registry. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:reg:del:exe
The specific file containing code that deleted data from the registry. May or may not be the same :exe referenced in :proc, if present.
The property type is file:bytes.
- :time / it:exec:reg:del:time
The time the data from the registry was deleted.
The property type is time.
- :reg / it:exec:reg:del:reg
The registry key or value that was deleted.
The property type is it:dev:regval.
it:exec:reg:get¶
An instance of a host getting a registry key.
The base type for the form can be found at it:exec:reg:get.
Properties:
- :proc / it:exec:reg:get:proc
The main process executing code that read the registry.
The property type is it:exec:proc.
- :host / it:exec:reg:get:host
The host running the process that read the registry. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:reg:get:exe
The specific file containing code that read the registry. May or may not be the same :exe referenced in :proc, if present.
The property type is file:bytes.
- :time / it:exec:reg:get:time
The time the registry was read.
The property type is time.
- :reg / it:exec:reg:get:reg
The registry key or value that was read.
The property type is it:dev:regval.
it:exec:reg:set¶
An instance of a host creating or setting a registry key.
The base type for the form can be found at it:exec:reg:set.
Properties:
- :proc / it:exec:reg:set:proc
The main process executing code that wrote to the registry.
The property type is it:exec:proc.
- :host / it:exec:reg:set:host
The host running the process that wrote to the registry. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:reg:set:exe
The specific file containing code that wrote to the registry. May or may not be the same :exe referenced in :proc, if present.
The property type is file:bytes.
- :time / it:exec:reg:set:time
The time the registry was written to.
The property type is time.
- :reg / it:exec:reg:set:reg
The registry key or value that was written to.
The property type is it:dev:regval.
it:exec:url¶
An instance of a host requesting a URL.
The base type for the form can be found at it:exec:url.
Properties:
- :proc / it:exec:url:proc
The main process executing code that requested the URL.
The property type is it:exec:proc.
- :host / it:exec:url:host
The host running the process that requested the URL. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:url:exe
The specific file containing code that requested the URL. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:url:time
The time the URL was requested.
The property type is time.
- :url / it:exec:url:url
The URL that was requested.
The property type is inet:url.
- :client / it:exec:url:client
The address of the client during the URL retrieval.
The property type is inet:client.
- :client:ipv4 / it:exec:url:client:ipv4
The IPv4 of the client during the URL retrieval..
The property type is inet:ipv4.
- :client:ipv6 / it:exec:url:client:ipv6
The IPv6 of the client during the URL retrieval..
The property type is inet:ipv6.
- :client:port / it:exec:url:client:port
The client port during the URL retrieval..
The property type is inet:port.
it:fs:file¶
A file on a host.
The base type for the form can be found at it:fs:file.
Properties:
- :host / it:fs:file:host
The host containing the file.
The property type is it:host.
- :path / it:fs:file:path
The path for the file.
The property type is file:path.
- :path:dir / it:fs:file:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:path.
- Read Only:
- :path:ext / it:fs:file:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Read Only:
- :path:base / it:fs:file:path:base
The final component of the file path (parsed from :path). It has the following property options set:
- Read Only:
True
The property type is file:base.
- Read Only:
- :file / it:fs:file:file
The file on the host.
The property type is file:bytes.
- :ctime / it:fs:file:ctime
The file creation time.
The property type is time.
- :mtime / it:fs:file:mtime
The file modification time.
The property type is time.
- :atime / it:fs:file:atime
The file access time.
The property type is time.
- :user / it:fs:file:user
The owner of the file.
The property type is inet:user.
- :group / it:fs:file:group
The group owner of the file.
The property type is inet:user.
it:host¶
A GUID that represents a host or system.
The base type for the form can be found at it:host.
Properties:
- :name / it:host:name
The name of the host or system.
The property type is it:hostname.
- :desc / it:host:desc
A free-form description of the host.
The property type is str.
- :ipv4 / it:host:ipv4
The last known ipv4 address for the host.
The property type is inet:ipv4.
- :latlong / it:host:latlong
The last known location for the host.
The property type is geo:latlong.
- :place / it:host:place
The place where the host resides.
The property type is geo:place.
- :loc / it:host:loc
The geo-political location string for the node.
The property type is loc.
- :os / it:host:os
The operating system of the host.
The property type is it:prod:softver.
- :manu / it:host:manu
The manufacturer of the host.
The property type is str.
- :model / it:host:model
The product model of the host.
The property type is str.
- :serial / it:host:serial
The serial number of the host.
The property type is str.
it:hostname¶
The name of a host or system.
The base type for the form can be found at it:hostname.
Properties:
it:hostsoft¶
A version of a software product which is present on a given host.
The base type for the form can be found at it:hostsoft.
Properties:
- :host / it:hostsoft:host
Host with the software. It has the following property options set:
- Read Only:
True
The property type is it:host.
- Read Only:
- :softver / it:hostsoft:softver
Software on the host. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
it:hosturl¶
A url hosted on or served by a host or system.
The base type for the form can be found at it:hosturl.
Properties:
it:os:android:aaid¶
An android advertising identification string.
The base type for the form can be found at it:os:android:aaid.
Properties:
it:os:android:ibroadcast¶
The given software broadcasts the given Android intent.
The base type for the form can be found at it:os:android:ibroadcast.
Properties:
- :app / it:os:android:ibroadcast:app
The app software which broadcasts the android intent. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
- :intent / it:os:android:ibroadcast:intent
The android intent which is broadcast by the app. It has the following property options set:
- Read Only:
True
The property type is it:os:android:intent.
- Read Only:
it:os:android:ilisten¶
The given software listens for an android intent.
The base type for the form can be found at it:os:android:ilisten.
Properties:
- :app / it:os:android:ilisten:app
The app software which listens for the android intent. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
- :intent / it:os:android:ilisten:intent
The android intent which is listened for by the app. It has the following property options set:
- Read Only:
True
The property type is it:os:android:intent.
- Read Only:
it:os:android:intent¶
An android intent string.
The base type for the form can be found at it:os:android:intent.
Properties:
it:os:android:perm¶
An android permission string.
The base type for the form can be found at it:os:android:perm.
Properties:
it:os:android:reqperm¶
The given software requests the android permission.
The base type for the form can be found at it:os:android:reqperm.
Properties:
- :app / it:os:android:reqperm:app
The android app which requests the permission. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
- :perm / it:os:android:reqperm:perm
The android permission requested by the app. It has the following property options set:
- Read Only:
True
The property type is it:os:android:perm.
- Read Only:
it:os:ios:idfa¶
An iOS advertising identification string.
The base type for the form can be found at it:os:ios:idfa.
Properties:
it:prod:soft¶
A arbitrary, unversioned software product.
The base type for the form can be found at it:prod:soft.
Properties:
- :name / it:prod:soft:name
Name of the software.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :desc / it:prod:soft:desc
A description of the software.
The property type is str.
- :desc:short / it:prod:soft:desc:short
A short description of the software.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :author:org / it:prod:soft:author:org
Organization which authored the software.
The property type is ou:org.
- :author:acct / it:prod:soft:author:acct
Web account of the software author.
The property type is inet:web:acct.
- :author:email / it:prod:soft:author:email
Email address of the sofware author.
The property type is inet:email.
- :author:person / it:prod:soft:author:person
Person who authored the software.
The property type is ps:person.
- :url / it:prod:soft:url
URL relevant for the software.
The property type is inet:url.
- :isos / it:prod:soft:isos
Set to True if the software is an operating system.
The property type is bool.
- :islib / it:prod:soft:islib
Set to True if the software is a library.
The property type is bool.
it:prod:softfile¶
A file is distributed by a specific software version.
The base type for the form can be found at it:prod:softfile.
Properties:
- :soft / it:prod:softfile:soft
The software which distributes the file. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
- :file / it:prod:softfile:file
The file distributed by the software. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
it:prod:softlib¶
A software version contains a library software version.
The base type for the form can be found at it:prod:softlib.
Properties:
- :soft / it:prod:softlib:soft
The software version that contains the library. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
- :lib / it:prod:softlib:lib
The library software version. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
it:prod:softos¶
The software version is known to be compatible with the given os software version.
The base type for the form can be found at it:prod:softos.
Properties:
- :soft / it:prod:softos:soft
The software which can run on the operating system. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
- :os / it:prod:softos:os
The operating system which the software can run on. It has the following property options set:
- Read Only:
True
The property type is it:prod:softver.
- Read Only:
it:prod:softver¶
A specific version of a software product.
The base type for the form can be found at it:prod:softver.
Properties:
- :software / it:prod:softver:software
Software associated with this version instance.
The property type is it:prod:soft.
- :software:name / it:prod:softver:software:name
The name of the software at a particular version.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :vers / it:prod:softver:vers
Version string associated with this version instance.
The property type is it:dev:str.
- :vers:norm / it:prod:softver:vers:norm
Normalized version of the version string.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :arch / it:prod:softver:arch
Software architecture.
The property type is it:dev:str.
- :semver / it:prod:softver:semver
System normalized semantic version number.
The property type is it:semver.
- :semver:major / it:prod:softver:semver:major
Version major number.
The property type is int.
- :semver:minor / it:prod:softver:semver:minor
Version minor number.
The property type is int.
- :semver:patch / it:prod:softver:semver:patch
Version patch number.
The property type is int.
- :semver:pre / it:prod:softver:semver:pre
Semver prerelease string.
The property type is str.
- :semver:build / it:prod:softver:semver:build
Semver build string.
The property type is str.
- :url / it:prod:softver:url
URL where a specific version of the software is available from.
The property type is inet:url.
it:reveng:filefunc¶
An instance of a function in an executable.
The base type for the form can be found at it:reveng:filefunc.
Properties:
- :function / it:reveng:filefunc:function
The guid matching the function. It has the following property options set:
- Read Only:
True
The property type is it:reveng:function.
- Read Only:
- :file / it:reveng:filefunc:file
The file that contains the function. It has the following property options set:
- Read Only:
True
The property type is file:bytes.
- Read Only:
- :va / it:reveng:filefunc:va
The virtual address of the first codeblock of the function.
The property type is int.
- :rank / it:reveng:filefunc:rank
The function rank score used to evaluate if it exhibits interesting behavior.
The property type is int.
- :complexity / it:reveng:filefunc:complexity
The complexity of the function.
The property type is int.
- :funccalls / it:reveng:filefunc:funccalls
Other function calls within the scope of the function.
The property type is array. Its type has the following options set:
- type:
it:reveng:filefunc
- type:
it:reveng:funcstr¶
A reference to a string inside a function.
The base type for the form can be found at it:reveng:funcstr.
Properties:
- :function / it:reveng:funcstr:function
The guid matching the function. It has the following property options set:
- Read Only:
True
The property type is it:reveng:function.
- Read Only:
- :string / it:reveng:funcstr:string
The string that the function references. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
it:reveng:function¶
A function inside an executable.
The base type for the form can be found at it:reveng:function.
Properties:
- :name / it:reveng:function:name
The name of the function.
The property type is str.
- :description / it:reveng:function:description
Notes concerning the function.
The property type is str.
- :impcalls / it:reveng:function:impcalls
Calls to imported library functions within the scope of the function.
The property type is array. Its type has the following options set:
- type:
it:reveng:impfunc
- type:
it:reveng:impfunc¶
A function from an imported library.
The base type for the form can be found at it:reveng:impfunc.
Properties:
it:sec:cve¶
A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number.
The base type for the form can be found at it:sec:cve.
An example of it:sec:cve:
cve-2012-0158
Properties:
- :desc / it:sec:cve:desc
A free-form description of the CVE vulnerability.
The property type is str.
lang:trans¶
Raw text with a documented translation.
The base type for the form can be found at lang:trans.
Properties:
mat:item¶
A GUID assigned to a material object.
The base type for the form can be found at mat:item.
Properties:
- :name / mat:item:name
The human readable name of the material item.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :spec / mat:item:spec
The mat:spec of which this item is an instance.
The property type is mat:spec.
- :place / mat:item:place
The most recent place the item is known to reside.
The property type is geo:place.
- :latlong / mat:item:latlong
The last known lat/long location of the node.
The property type is geo:latlong.
- :loc / mat:item:loc
The geo-political location string for the node.
The property type is loc.
mat:itemimage¶
The base type for compound node fields.
The base type for the form can be found at mat:itemimage.
Properties:
- :item / mat:itemimage:item
The item contained within the image file.
The property type is mat:item.
- :file / mat:itemimage:file
The file containing an image of the item.
The property type is file:bytes.
mat:spec¶
A GUID assigned to a material specification.
The base type for the form can be found at mat:spec.
Properties:
- :name / mat:spec:name
The human readable name of the material spec.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
mat:specimage¶
The base type for compound node fields.
The base type for the form can be found at mat:specimage.
Properties:
- :spec / mat:specimage:spec
The spec contained within the image file.
The property type is mat:spec.
- :file / mat:specimage:file
The file containing an image of the spec.
The property type is file:bytes.
media:news¶
A GUID for a news article or report.
The base type for the form can be found at media:news.
Properties:
- :url / media:news:url
The (optional) URL where the news was published. It has the following property options set:
- Example:
http://cnn.com/news/mars-lander.html
The property type is inet:url.
- Example:
- :url:fqdn / media:news:url:fqdn
The FQDN within the news URL. It has the following property options set:
- Example:
cnn.com
The property type is inet:fqdn.
- Example:
- :file / media:news:file
The (optional) file blob containing or published as the news.
The property type is file:bytes.
- :title / media:news:title
Title/Headline for the news. It has the following property options set:
- Example:
mars lander reaches mars
The property type is str. Its type has the following options set:
- lower:
True
- Example:
- :summary / media:news:summary
A brief summary of the news item. It has the following property options set:
- Example:
lorum ipsum
The property type is str.
- Example:
- :published / media:news:published
The date the news item was published. It has the following property options set:
- Example:
20161201180433
The property type is time.
- Example:
- :org / media:news:org
The org alias which published the news. It has the following property options set:
- Example:
microsoft
The property type is ou:alias.
- Example:
- :author / media:news:author
The free-form author of the news. It has the following property options set:
- Example:
stark,anthony
The property type is ps:name.
- Example:
- :rss:feed / media:news:rss:feed
The RSS feed that published the news.
The property type is inet:url.
meta:seen¶
Annotates that the data in a node was obtained from or observed by a given source.
The base type for the form can be found at meta:seen.
Properties:
- :source / meta:seen:source
The source which observed or provided the node. It has the following property options set:
- Read Only:
1
The property type is meta:source.
- Read Only:
- :node / meta:seen:node
The node which was observed by or received from the source. It has the following property options set:
- Read Only:
1
The property type is ndef.
- Read Only:
meta:source¶
A data source unique identifier.
The base type for the form can be found at meta:source.
Properties:
ou:campaign¶
Represents an orgs activity in pursuit of a goal.
The base type for the form can be found at ou:campaign.
Properties:
- :org / ou:campaign:org
The org carrying out the campaign.
The property type is ou:org.
- :goal / ou:campaign:goal
The assessed primary goal of the campaign.
The property type is ou:goal.
- :goals / ou:campaign:goals
Additional assessed goals of the campaign.
The property type is array. Its type has the following options set:
- type:
ou:goal
- type:
- :name / ou:campaign:name
A terse name of the campaign.
The property type is str.
- :type / ou:campaign:type
A user specified campaign type.
The property type is str.
- :desc / ou:campaign:desc
A description of the campaign.
The property type is str.
ou:conference¶
A conference with a name and sponsoring org.
The base type for the form can be found at ou:conference.
Properties:
- :org / ou:conference:org
The org which created/managed the conference.
The property type is ou:org.
- :name / ou:conference:name
The full name of the conference. It has the following property options set:
- Example:
decfon 2017
The property type is str. Its type has the following options set:
- lower:
True
- Example:
- :desc / ou:conference:desc
A description of the conference. It has the following property options set:
- Example:
annual cybersecurity conference
The property type is str. Its type has the following options set:
- lower:
True
- Example:
- :base / ou:conference:base
The base name which is shared by all conference instances. It has the following property options set:
- Example:
defcon
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- Example:
- :start / ou:conference:start
The conference start date / time.
The property type is time.
- :end / ou:conference:end
The conference end date / time.
The property type is time.
- :place / ou:conference:place
The geo:place node where the conference was held.
The property type is geo:place.
- :url / ou:conference:url
The inet:url node for the conference website.
The property type is inet:url.
ou:conference:attendee¶
Represents a person attending a conference represented by an ou:conference node.
The base type for the form can be found at ou:conference:attendee.
Properties:
- :conference / ou:conference:attendee:conference
The conference which was attended. It has the following property options set:
- Read Only:
True
The property type is ou:conference.
- Read Only:
- :person / ou:conference:attendee:person
The person who attended the conference. It has the following property options set:
- Read Only:
True
The property type is ps:person.
- Read Only:
- :arrived / ou:conference:attendee:arrived
The time when a person arrived to the conference.
The property type is time.
- :departed / ou:conference:attendee:departed
The time when a person departed from the conference.
The property type is time.
- :role:staff / ou:conference:attendee:role:staff
The person worked as staff at the conference.
The property type is bool.
- :role:speaker / ou:conference:attendee:role:speaker
The person was a speaker or presenter at the conference.
The property type is bool.
- :roles / ou:conference:attendee:roles
List of the roles the person had at the conference.
The property type is array. Its type has the following options set:
- type:
str - lower:
True
- type:
ou:conference:event¶
A conference event with a name and associated conference.
The base type for the form can be found at ou:conference:event.
Properties:
- :conference / ou:conference:event:conference
The conference to which the event is associated. It has the following property options set:
- Read Only:
True
The property type is ou:conference.
- Read Only:
- :place / ou:conference:event:place
The geo:place where the event occurred.
The property type is geo:place.
- :name / ou:conference:event:name
The name of the conference event. It has the following property options set:
- Example:
foobar conference dinner
The property type is str. Its type has the following options set:
- lower:
True
- Example:
- :desc / ou:conference:event:desc
A description of the conference event. It has the following property options set:
- Example:
foobar conference networking dinner at ridge hotel
The property type is str. Its type has the following options set:
- lower:
True
- Example:
- :url / ou:conference:event:url
The inet:url node for the conference event website.
The property type is inet:url.
- :contact / ou:conference:event:contact
Contact info for the event.
The property type is ps:contact.
- :start / ou:conference:event:start
The event start date / time.
The property type is time.
- :end / ou:conference:event:end
The event end date / time.
The property type is time.
ou:conference:event:attendee¶
Represents a person attending a conference event represented by an ou:conference:event node.
The base type for the form can be found at ou:conference:event:attendee.
Properties:
- :event / ou:conference:event:attendee:event
The conference event which was attended. It has the following property options set:
- Read Only:
True
The property type is ou:conference:event.
- Read Only:
- :person / ou:conference:event:attendee:person
The person who attended the conference event. It has the following property options set:
- Read Only:
True
The property type is ps:person.
- Read Only:
- :arrived / ou:conference:event:attendee:arrived
The time when a person arrived to the conference event.
The property type is time.
- :departed / ou:conference:event:attendee:departed
The time when a person departed from the conference event.
The property type is time.
- :roles / ou:conference:event:attendee:roles
List of the roles the person had at the conference event.
The property type is array. Its type has the following options set:
- type:
str - lower:
True
- type:
ou:goal¶
An assessed or stated goal which may be abstract or org specific.
The base type for the form can be found at ou:goal.
Properties:
- :name / ou:goal:name
A terse name for the goal.
The property type is str.
- :type / ou:goal:type
A user specified goal type.
The property type is str.
- :desc / ou:goal:desc
A description of the goal.
The property type is str.
- :prev / ou:goal:prev
The previous/parent goal in a list or hierarchy.
The property type is ou:goal.
ou:hasalias¶
The knowledge that an organization has an alias.
The base type for the form can be found at ou:hasalias.
Properties:
ou:hasgoal¶
An org has an assessed or stated goal.
The base type for the form can be found at ou:hasgoal.
Properties:
- :org / ou:hasgoal:org
The org which has the goal.
The property type is ou:org.
- :goal / ou:hasgoal:goal
The goal which the org has.
The property type is ou:goal.
- :stated / ou:hasgoal:stated
Set to true/false if the goal is known to be self stated.
The property type is bool.
- :window / ou:hasgoal:window
Set if a goal has a limited time window.
The property type is ival.
ou:meet¶
An informal meeting of people which has no title or sponsor. See also: ou:conference.
The base type for the form can be found at ou:meet.
Properties:
- :name / ou:meet:name
A human friendly name for the meeting.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :start / ou:meet:start
The date / time the meet starts.
The property type is time.
- :end / ou:meet:end
The date / time the meet ends.
The property type is time.
- :place / ou:meet:place
The geo:place node where the meet was held.
The property type is geo:place.
ou:meet:attendee¶
Represents a person attending a meeting represented by an ou:meet node.
The base type for the form can be found at ou:meet:attendee.
Properties:
- :meet / ou:meet:attendee:meet
The meeting which was attended. It has the following property options set:
- Read Only:
True
The property type is ou:meet.
- Read Only:
- :person / ou:meet:attendee:person
The person who attended the meeting. It has the following property options set:
- Read Only:
True
The property type is ps:person.
- Read Only:
- :arrived / ou:meet:attendee:arrived
The time when a person arrived to the meeting.
The property type is time.
- :departed / ou:meet:attendee:departed
The time when a person departed from the meeting.
The property type is time.
ou:member¶
A person who is (or was) a member of an organization.
The base type for the form can be found at ou:member.
Properties:
- :org / ou:member:org
The GUID of the org the person is a member of. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :person / ou:member:person
The GUID of the person that is a member of an org. It has the following property options set:
- Read Only:
True
The property type is ps:person.
- Read Only:
- :title / ou:member:title
The persons normalized title.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :start / ou:member:start
Earliest known association of the person with the org.
The property type is time. Its type has the following options set:
- ismin:
True
- ismin:
- :end / ou:member:end
Most recent known association of the person with the org.
The property type is time. Its type has the following options set:
- ismax:
True
- ismax:
ou:name¶
The name of an organization. This may be a formal name or informal name of the organization.
The base type for the form can be found at ou:name.
An example of ou:name:
acme corporation
Properties:
ou:org¶
A GUID for a human organization such as a company or military unit.
The base type for the form can be found at ou:org.
Properties:
- :loc / ou:org:loc
Location for an organization.
The property type is loc.
- :name / ou:org:name
The localized name of an organization.
The property type is ou:name.
- :names / ou:org:names
A list of alternate names for the organization.
The property type is array. Its type has the following options set:
- type:
ou:name
- type:
- :alias / ou:org:alias
The default alias for an organization.
The property type is ou:alias.
- :phone / ou:org:phone
The primary phone number for the organization.
The property type is tel:phone.
- :sic / ou:org:sic
The Standard Industrial Classification code for the organization.
The property type is ou:sic.
- :naics / ou:org:naics
The North American Industry Classification System code for the organization.
The property type is ou:naics.
- :us:cage / ou:org:us:cage
The Commercial and Government Entity (CAGE) code for the organization.
The property type is gov:us:cage.
- :founded / ou:org:founded
The date on which the org was founded.
The property type is time.
- :dissolved / ou:org:dissolved
The date on which the org was dissolved.
The property type is time.
- :url / ou:org:url
The primary url for the organization.
The property type is inet:url.
- :subs / ou:org:subs
An array of sub-organizations.
The property type is array. Its type has the following options set:
- type:
ou:org
- type:
- :orgchart / ou:org:orgchart
The root node for an orgchart made up ou:position nodes.
The property type is ou:position.
ou:org:has¶
An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ou:org:has.
Properties:
- :org / ou:org:has:org
The org who owns or controls the object or resource. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :node / ou:org:has:node
The object or resource that is owned or controlled by the org. It has the following property options set:
- Read Only:
True
The property type is ndef.
- Read Only:
- :node:form / ou:org:has:node:form
The form of the object or resource that is owned or controlled by the org. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
ou:orgnet4¶
An organization’s IPv4 netblock.
The base type for the form can be found at ou:orgnet4.
Properties:
- :org / ou:orgnet4:org
The org guid which owns the netblock. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :net / ou:orgnet4:net
Netblock owned by the organization. It has the following property options set:
- Read Only:
True
The property type is inet:net4.
- Read Only:
- :name / ou:orgnet4:name
The name that the organization assigns to this netblock.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
ou:orgnet6¶
An organization’s IPv6 netblock.
The base type for the form can be found at ou:orgnet6.
Properties:
- :org / ou:orgnet6:org
The org guid which owns the netblock. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :net / ou:orgnet6:net
Netblock owned by the organization. It has the following property options set:
- Read Only:
True
The property type is inet:net6.
- Read Only:
- :name / ou:orgnet6:name
The name that the organization assigns to this netblock.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
ou:position¶
A position within an org. May be organized into an org chart.
The base type for the form can be found at ou:position.
Properties:
- :org / ou:position:org
The org which has the position.
The property type is ou:org.
- :contact / ou:position:contact
The contact info for the person who holds the position.
The property type is ps:contact.
- :title / ou:position:title
The title of the position.
The property type is str. Its type has the following options set:
- lower:
True - onespace:
True - strip:
True
- lower:
- :reports / ou:position:reports
An array of positions which report to this position.
The property type is array. Its type has the following options set:
- type:
ou:position
- type:
ou:suborg¶
Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc.
The base type for the form can be found at ou:suborg.
Properties:
- :org / ou:suborg:org
The org which owns the sub organization. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :sub / ou:suborg:sub
The sub org which owned by the org. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :perc / ou:suborg:perc
The optional percentage of sub which is owned by org.
The property type is int. Its type has the following options set:
- min:
0 - max:
100
- min:
- :current / ou:suborg:current
Bool indicating if the suborg relationship still current.
The property type is bool.
ou:user¶
A user name within an organization.
The base type for the form can be found at ou:user.
Properties:
- :org / ou:user:org
The org guid which owns the netblock. It has the following property options set:
- Read Only:
True
The property type is ou:org.
- Read Only:
- :user / ou:user:user
The username associated with the organization. It has the following property options set:
- Read Only:
True
The property type is inet:user.
- Read Only:
pol:country¶
A GUID for a country.
The base type for the form can be found at pol:country.
Properties:
- :flag / pol:country:flag
The file bytes type with SHA256 based primary property.
The property type is file:bytes.
- :founded / pol:country:founded
A date/time value.
The property type is time.
- :iso2 / pol:country:iso2
The 2 digit ISO country code.
The property type is pol:iso2.
- :iso3 / pol:country:iso3
The 3 digit ISO country code.
The property type is pol:iso3.
- :isonum / pol:country:isonum
The ISO integer country code.
The property type is pol:isonum.
- :name / pol:country:name
The base string type.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :pop / pol:country:pop
The base 64 bit signed integer type.
The property type is int.
- :tld / pol:country:tld
A Fully Qualified Domain Name (FQDN).
The property type is inet:fqdn.
ps:contact¶
A GUID for a contact info record.
The base type for the form can be found at ps:contact.
Properties:
- :org / ps:contact:org
The ou:org GUID which owns this contact.
The property type is ou:org.
- :asof / ps:contact:asof
A date/time value. It has the following property options set:
- date:
The time this contact was created or modified.
The property type is time.
- date:
- :person / ps:contact:person
The ps:person GUID which owns this contact.
The property type is ps:person.
- :name / ps:contact:name
The person name listed for the contact.
The property type is ps:name.
- :title / ps:contact:title
The job/org title listed for this contact.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :photo / ps:contact:photo
The photo listed for this contact.
The property type is file:bytes.
- :orgname / ps:contact:orgname
The listed org/company name for this contact.
The property type is ou:name.
- :user / ps:contact:user
The username or handle for this contact.
The property type is inet:user.
- :web:acct / ps:contact:web:acct
The social media account for this contact.
The property type is inet:web:acct.
- :dob / ps:contact:dob
The Date of Birth (DOB) for this contact.
The property type is time.
- :url / ps:contact:url
The home or main site for this contact.
The property type is inet:url.
- :email / ps:contact:email
The main email address for this contact.
The property type is inet:email.
- :email:work / ps:contact:email:work
The work email address for this contact.
The property type is inet:email.
- :loc / ps:contact:loc
Best known contact geopolitical location.
The property type is loc.
- :address / ps:contact:address
The street address listed for the contact.
The property type is geo:address.
- :place / ps:contact:place
The place associated with this contact.
The property type is geo:place.
- :phone / ps:contact:phone
The main phone number for this contact.
The property type is tel:phone.
- :phone:fax / ps:contact:phone:fax
The fax number for this contact.
The property type is tel:phone.
- :phone:work / ps:contact:phone:work
The work phone number for this contact.
The property type is tel:phone.
ps:name¶
An arbitrary, lower spaced string with normalized whitespace.
The base type for the form can be found at ps:name.
An example of ps:name:
robert grey
Properties:
ps:person¶
A GUID for a person.
The base type for the form can be found at ps:person.
Properties:
- :dob / ps:person:dob
The Date of Birth (DOB) if known.
The property type is time.
- :img / ps:person:img
The primary image of a person.
The property type is file:bytes.
- :nick / ps:person:nick
A username commonly used by the person.
The property type is inet:user.
- :name / ps:person:name
The localized name for the person.
The property type is ps:name.
- :name:sur / ps:person:name:sur
The surname of the person.
The property type is ps:tokn.
- :name:middle / ps:person:name:middle
The middle name of the person.
The property type is ps:tokn.
- :name:given / ps:person:name:given
The given name of the person.
The property type is ps:tokn.
- :names / ps:person:names
Variations of the name for the person.
The property type is array. Its type has the following options set:
- type:
ps:name
- type:
- :nicks / ps:person:nicks
Usernames used by the person.
The property type is array. Its type has the following options set:
- type:
inet:user
- type:
ps:person:has¶
A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ps:person:has.
Properties:
- :person / ps:person:has:person
The person who owns or controls the object or resource. It has the following property options set:
- Read Only:
True
The property type is ps:person.
- Read Only:
- :node / ps:person:has:node
The object or resource that is owned or controlled by the person. It has the following property options set:
- Read Only:
True
The property type is ndef.
- Read Only:
- :node:form / ps:person:has:node:form
The form of the object or resource that is owned or controlled by the person. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
ps:persona¶
A GUID for a suspected person.
The base type for the form can be found at ps:persona.
Properties:
- :person / ps:persona:person
The real person behind the persona.
The property type is ps:person.
- :dob / ps:persona:dob
The Date of Birth (DOB) if known.
The property type is time.
- :img / ps:persona:img
The primary image of a suspected person.
The property type is file:bytes.
- :nick / ps:persona:nick
A username commonly used by the suspected person.
The property type is inet:user.
- :name / ps:persona:name
The localized name for the suspected person.
The property type is ps:name.
- :name:sur / ps:persona:name:sur
The surname of the suspected person.
The property type is ps:tokn.
- :name:middle / ps:persona:name:middle
The middle name of the suspected person.
The property type is ps:tokn.
- :name:given / ps:persona:name:given
The given name of the suspected person.
The property type is ps:tokn.
- :names / ps:persona:names
Variations of the name for a persona.
The property type is array. Its type has the following options set:
- type:
ps:name
- type:
- :nicks / ps:persona:nicks
Usernames used by the persona.
The property type is array. Its type has the following options set:
- type:
inet:user
- type:
ps:persona:has¶
A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ps:persona:has.
Properties:
- :persona / ps:persona:has:persona
The persona who owns or controls the object or resource. It has the following property options set:
- Read Only:
True
The property type is ps:persona.
- Read Only:
- :node / ps:persona:has:node
The object or resource that is owned or controlled by the persona. It has the following property options set:
- Read Only:
True
The property type is ndef.
- Read Only:
- :node:form / ps:persona:has:node:form
The form of the object or resource that is owned or controlled by the persona. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
ps:tokn¶
A single name element (potentially given or sur).
The base type for the form can be found at ps:tokn.
An example of ps:tokn:
robert
Properties:
risk:attack¶
An instance of an actor attacking a target.
The base type for the form can be found at risk:attack.
Properties:
- :time / risk:attack:time
Set if the time of the attack is known.
The property type is time.
- :success / risk:attack:success
Set if the attack was known to have succeeded or not.
The property type is bool.
- :targeted / risk:attack:targeted
Set if the attack was assessed to be targeted or not.
The property type is bool.
- :campaign / risk:attack:campaign
Set if the attack was part of a larger campaign.
The property type is ou:campaign.
- :prev / risk:attack:prev
The previous/parent attack in a list or hierarchy.
The property type is risk:attack.
- :actor:org / risk:attack:actor:org
The org that carried out the attack.
The property type is ou:org.
- :actor:person / risk:attack:actor:person
The person that carried out the attack.
The property type is ps:person.
- :target:org / risk:attack:target:org
The org was the target of the attack.
The property type is ou:org.
- :target:host / risk:attack:target:host
The host was the target of the attack.
The property type is it:host.
- :target:person / risk:attack:target:person
The person was the target of the attack.
The property type is ps:person.
- :via:ipv4 / risk:attack:via:ipv4
The target host was contacted via the IPv4 address.
The property type is inet:ipv4.
- :via:ipv6 / risk:attack:via:ipv6
The target host was contacted via the IPv6 address.
The property type is inet:ipv6.
- :via:email / risk:attack:via:email
The target person/org was contacted via the email address.
The property type is inet:email.
- :via:phone / risk:attack:via:phone
The target person/org was contacted via the phone number.
The property type is tel:phone.
- :used:vuln / risk:attack:used:vuln
The actor used the vuln in the attack.
The property type is risk:vuln.
- :used:url / risk:attack:used:url
The actor used the url in the attack.
The property type is inet:url.
- :used:host / risk:attack:used:host
The actor used the host in the attack.
The property type is it:host.
- :used:email / risk:attack:used:email
The actor used the email in the attack.
The property type is inet:email.
- :used:file / risk:attack:used:file
The actor used the file in the attack.
The property type is file:bytes.
- :used:server / risk:attack:used:server
The actor used the server in the attack.
The property type is inet:server.
- :used:software / risk:attack:used:software
The actor used the software in the attack.
The property type is it:prod:softver.
risk:hasvuln¶
An instance of a vulnerability present in a target.
The base type for the form can be found at risk:hasvuln.
Properties:
- :vuln / risk:hasvuln:vuln
The vulnerability present in the target.
The property type is risk:vuln.
- :person / risk:hasvuln:person
The vulnerable person.
The property type is ps:person.
- :org / risk:hasvuln:org
The vulnerable org.
The property type is ou:org.
- :place / risk:hasvuln:place
The vulnerable place.
The property type is geo:place.
- :software / risk:hasvuln:software
The vulnerable software.
The property type is it:prod:softver.
- :spec / risk:hasvuln:spec
The vulnerable material specification.
The property type is mat:spec.
- :item / risk:hasvuln:item
The vulnerable material item.
The property type is mat:item.
risk:vuln¶
A unique vulnerability.
The base type for the form can be found at risk:vuln.
Properties:
- :name / risk:vuln:name
A user specified name for the vulnerability.
The property type is str.
- :type / risk:vuln:type
A user specified type for the vulnerability.
The property type is str.
- :desc / risk:vuln:desc
A description of the vulnerability.
The property type is str.
- :cve / risk:vuln:cve
The CVE ID of the vulnerability.
The property type is it:sec:cve.
rsa:key¶
An RSA keypair modulus and public exponent.
The base type for the form can be found at rsa:key.
Properties:
- :mod / rsa:key:mod
The RSA key modulus. It has the following property options set:
- Read Only:
1
The property type is hex.
- Read Only:
- :pub:exp / rsa:key:pub:exp
The public exponent of the key. It has the following property options set:
- Read Only:
1
The property type is int.
- Read Only:
- :bits / rsa:key:bits
The length of the modulus in bits.
The property type is int.
- :priv:exp / rsa:key:priv:exp
The private exponent of the key.
The property type is hex.
- :priv:p / rsa:key:priv:p
One of the two private primes.
The property type is hex.
- :priv:q / rsa:key:priv:q
One of the two private primes.
The property type is hex.
syn:cmd¶
A Synapse storm command.
The base type for the form can be found at syn:cmd.
Properties:
- :doc / syn:cmd:doc
Description of the command.
The property type is str. Its type has the following options set:
- strip:
True
- strip:
- :package / syn:cmd:package
Storm package which provided the command.
The property type is str. Its type has the following options set:
- strip:
True
- strip:
- :svciden / syn:cmd:svciden
Storm service iden which provided the package.
The property type is guid. Its type has the following options set:
- strip:
True
- strip:
- :input / syn:cmd:input
The list of forms accepted by the command as input. It has the following property options set:
- Read Only:
True
The property type is array. Its type has the following options set:
- type:
syn:form
- Read Only:
- :output / syn:cmd:output
The list of forms produced by the command as output. It has the following property options set:
- Read Only:
True
The property type is array. Its type has the following options set:
- type:
syn:form
- Read Only:
- :nodedata / syn:cmd:nodedata
The list of nodedata that may be added by the command. It has the following property options set:
- Read Only:
True
The property type is array. Its type has the following options set:
- type:
syn:nodedata
- Read Only:
syn:cron¶
A Cortex cron job.
The base type for the form can be found at syn:cron.
Properties:
- :doc / syn:cron:doc
A description of the cron job.
The property type is str.
- :name / syn:cron:name
A user friendly name/alias for the cron job.
The property type is str.
- :storm / syn:cron:storm
The storm query executed by the cron job. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
syn:form¶
A Synapse form used for representing nodes in the graph.
The base type for the form can be found at syn:form.
Properties:
- :doc / syn:form:doc
The docstring for the form. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
- :type / syn:form:type
Synapse type for this form. It has the following property options set:
- Read Only:
True
The property type is syn:type.
- Read Only:
- :runt / syn:form:runt
Whether or not the form is runtime only. It has the following property options set:
- Read Only:
True
The property type is bool.
- Read Only:
syn:prop¶
A Synapse property.
The base type for the form can be found at syn:prop.
Properties:
- :doc / syn:prop:doc
Description of the property definition.
The property type is str. Its type has the following options set:
- strip:
True
- strip:
- :form / syn:prop:form
The form of the property. It has the following property options set:
- Read Only:
True
The property type is syn:form.
- Read Only:
- :type / syn:prop:type
The synapse type for this property. It has the following property options set:
- Read Only:
True
The property type is syn:type.
- Read Only:
- :relname / syn:prop:relname
Relative property name. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
- :univ / syn:prop:univ
Specifies if a prop is universal. It has the following property options set:
- Read Only:
True
The property type is bool.
- Read Only:
- :base / syn:prop:base
Base name of the property. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
- :ro / syn:prop:ro
If the property is read-only after being set. It has the following property options set:
- Read Only:
True
The property type is bool.
- Read Only:
- :extmodel / syn:prop:extmodel
If the property is an extended model property or not. It has the following property options set:
- Read Only:
True
The property type is bool.
- Read Only:
syn:splice¶
A splice from a layer.
The base type for the form can be found at syn:splice.
Properties:
- :type / syn:splice:type
Type of splice. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
- :iden / syn:splice:iden
The iden of the node involved in the splice. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :form / syn:splice:form
The form involved in the splice. It has the following property options set:
- Read Only:
True
The property type is syn:form. Its type has the following options set:
- strip:
True
- Read Only:
- :prop / syn:splice:prop
Property modified in the splice. It has the following property options set:
- Read Only:
True
The property type is syn:prop. Its type has the following options set:
- strip:
True
- Read Only:
- :tag / syn:splice:tag
Tag modified in the splice. It has the following property options set:
- Read Only:
True
The property type is syn:tag. Its type has the following options set:
- strip:
True
- Read Only:
- :valu / syn:splice:valu
The value being set in the splice. It has the following property options set:
- Read Only:
True
The property type is data.
- Read Only:
- :oldv / syn:splice:oldv
The value before the splice. It has the following property options set:
- Read Only:
True
The property type is data.
- Read Only:
- :user / syn:splice:user
The user who caused the splice. It has the following property options set:
- Read Only:
True
The property type is guid.
- Read Only:
- :prov / syn:splice:prov
The provenance stack of the splice. It has the following property options set:
- Read Only:
True
The property type is guid.
- Read Only:
- :time / syn:splice:time
The time the splice occurred. It has the following property options set:
- Read Only:
True
The property type is time.
- Read Only:
- :splice / syn:splice:splice
The splice. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
syn:tag¶
The base type for a synapse tag.
The base type for the form can be found at syn:tag.
Properties:
- :up / syn:tag:up
The parent tag for the tag. It has the following property options set:
- Read Only:
1
The property type is syn:tag.
- Read Only:
- :isnow / syn:tag:isnow
Set to an updated tag if the tag has been renamed.
The property type is syn:tag.
- :doc / syn:tag:doc
A short definition for the tag.
The property type is str.
- :doc:url / syn:tag:doc:url
A URL link to additional documentation about the tag.
The property type is inet:url.
- :depth / syn:tag:depth
How deep the tag is in the hierarchy. It has the following property options set:
- Read Only:
1
The property type is int.
- Read Only:
- :title / syn:tag:title
A display title for the tag.
The property type is str.
- :base / syn:tag:base
The tag base name. Eg baz for foo.bar.baz . It has the following property options set:
- Read Only:
1
The property type is str.
- Read Only:
syn:tagprop¶
A user defined tag property.
The base type for the form can be found at syn:tagprop.
Properties:
syn:trigger¶
A Cortex trigger.
The base type for the form can be found at syn:trigger.
Properties:
- :vers / syn:trigger:vers
Trigger version. It has the following property options set:
- Read Only:
True
The property type is int.
- Read Only:
- :doc / syn:trigger:doc
A documentation string describing the trigger.
The property type is str.
- :name / syn:trigger:name
A user friendly name/alias for the trigger.
The property type is str.
- :cond / syn:trigger:cond
The trigger condition. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True - lower:
True
- Read Only:
- :user / syn:trigger:user
User who owns the trigger. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :storm / syn:trigger:storm
The Storm query for the trigger. It has the following property options set:
- Read Only:
True
The property type is str.
- Read Only:
- :enabled / syn:trigger:enabled
Trigger enabled status. It has the following property options set:
- Read Only:
True
The property type is bool.
- Read Only:
- :form / syn:trigger:form
Form the trigger is watching for.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :prop / syn:trigger:prop
Property the trigger is watching for.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
- :tag / syn:trigger:tag
Tag the trigger is watching for.
The property type is str. Its type has the following options set:
- lower:
True - strip:
True
- lower:
syn:type¶
A Synapse type used for normalizing nodes and properties.
The base type for the form can be found at syn:type.
Properties:
- :doc / syn:type:doc
The docstring for the type. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
- :ctor / syn:type:ctor
The python ctor path for the type object. It has the following property options set:
- Read Only:
True
The property type is str. Its type has the following options set:
- strip:
True
- Read Only:
- :subof / syn:type:subof
Type which this inherits from. It has the following property options set:
- Read Only:
True
The property type is syn:type.
- Read Only:
- :opts / syn:type:opts
Arbitrary type options. It has the following property options set:
- Read Only:
True
The property type is data.
- Read Only:
tel:call¶
A guid for a telephone call record.
The base type for the form can be found at tel:call.
Properties:
- :src / tel:call:src
The source phone number for a call.
The property type is tel:phone.
- :dst / tel:call:dst
The destination phone number for a call.
The property type is tel:phone.
- :time / tel:call:time
The time the call was initiated.
The property type is time.
- :duration / tel:call:duration
The duration of the call in seconds.
The property type is int.
- :connected / tel:call:connected
Indicator of whether the call was connected.
The property type is bool.
- :text / tel:call:text
The text transcription of the call.
The property type is str.
- :file / tel:call:file
A file containing related media.
The property type is file:bytes.
tel:mob:carrier¶
The fusion of a MCC/MNC.
The base type for the form can be found at tel:mob:carrier.
Properties:
- :mcc / tel:mob:carrier:mcc
ITU Mobile Country Code. It has the following property options set:
- Read Only:
1
The property type is tel:mob:mcc.
- Read Only:
- :mnc / tel:mob:carrier:mnc
ITU Mobile Network Code. It has the following property options set:
- Read Only:
1
The property type is tel:mob:mnc.
- Read Only:
- :org / tel:mob:carrier:org
Organization operating the carrier.
The property type is ou:org.
- :loc / tel:mob:carrier:loc
Location the carrier operates from.
The property type is loc.
tel:mob:cell¶
A mobile cell site which a phone may connect to.
The base type for the form can be found at tel:mob:cell.
Properties:
- :carrier / tel:mob:cell:carrier
Mobile carrier.
The property type is tel:mob:carrier.
- :carrier:mcc / tel:mob:cell:carrier:mcc
Mobile Country Code.
The property type is tel:mob:mcc.
- :carrier:mnc / tel:mob:cell:carrier:mnc
Mobile Network Code.
The property type is tel:mob:mnc.
- :lac / tel:mob:cell:lac
Location Area Code. LTE networks may call this a TAC.
The property type is int.
- :cid / tel:mob:cell:cid
The Cell ID.
The property type is int.
- :radio / tel:mob:cell:radio
Cell radio type.
The property type is str. Its type has the following options set:
- lower:
1 - onespace:
1
- lower:
- :latlong / tel:mob:cell:latlong
Last known location of the cell site.
The property type is geo:latlong.
- :loc / tel:mob:cell:loc
Location at which the cell is operated.
The property type is loc.
- :place / tel:mob:cell:place
The place associated with the latlong property.
The property type is geo:place.
tel:mob:imei¶
An International Mobile Equipment Id.
The base type for the form can be found at tel:mob:imei.
An example of tel:mob:imei:
490154203237518
Properties:
- :tac / tel:mob:imei:tac
The Type Allocate Code within the IMEI. It has the following property options set:
- Read Only:
1
The property type is tel:mob:tac.
- Read Only:
- :serial / tel:mob:imei:serial
The serial number within the IMEI. It has the following property options set:
- Read Only:
1
The property type is int.
- Read Only:
tel:mob:imid¶
Fused knowledge of an IMEI/IMSI used together.
The base type for the form can be found at tel:mob:imid.
An example of tel:mob:imid:
(490154203237518, 310150123456789)
Properties:
- :imei / tel:mob:imid:imei
The IMEI for the phone hardware. It has the following property options set:
- Read Only:
1
The property type is tel:mob:imei.
- Read Only:
- :imsi / tel:mob:imid:imsi
The IMSI for the phone subscriber. It has the following property options set:
- Read Only:
1
The property type is tel:mob:imsi.
- Read Only:
tel:mob:imsi¶
An International Mobile Subscriber Id.
The base type for the form can be found at tel:mob:imsi.
An example of tel:mob:imsi:
310150123456789
Properties:
- :mcc / tel:mob:imsi:mcc
The Mobile Country Code. It has the following property options set:
- Read Only:
1
The property type is tel:mob:mcc.
- Read Only:
tel:mob:imsiphone¶
Fused knowledge of an IMSI assigned phone number.
The base type for the form can be found at tel:mob:imsiphone.
An example of tel:mob:imsiphone:
(310150123456789, "+7(495) 124-59-83")
Properties:
- :phone / tel:mob:imsiphone:phone
The phone number assigned to the IMSI. It has the following property options set:
- Read Only:
1
The property type is tel:phone.
- Read Only:
- :imsi / tel:mob:imsiphone:imsi
The IMSI with the assigned phone number. It has the following property options set:
- Read Only:
1
The property type is tel:mob:imsi.
- Read Only:
tel:mob:mcc¶
ITU Mobile Country Code.
The base type for the form can be found at tel:mob:mcc.
Properties:
- :loc / tel:mob:mcc:loc
Location assigned to the MCC.
The property type is loc.
tel:mob:tac¶
A mobile Type Allocation Code.
The base type for the form can be found at tel:mob:tac.
An example of tel:mob:tac:
49015420
Properties:
- :org / tel:mob:tac:org
The org guid for the manufacturer.
The property type is ou:org.
- :manu / tel:mob:tac:manu
The TAC manufacturer name.
The property type is str. Its type has the following options set:
- lower:
1
- lower:
- :model / tel:mob:tac:model
The TAC model name.
The property type is str. Its type has the following options set:
- lower:
1
- lower:
- :internal / tel:mob:tac:internal
The TAC internal model name.
The property type is str. Its type has the following options set:
- lower:
1
- lower:
tel:mob:telem¶
A single mobile telemetry measurement.
The base type for the form can be found at tel:mob:telem.
Properties:
- :time / tel:mob:telem:time
A date/time value.
The property type is time.
- :latlong / tel:mob:telem:latlong
A Lat/Long string specifying a point on Earth.
The property type is geo:latlong.
- :host / tel:mob:telem:host
The host that generated the mobile telemetry data.
The property type is it:host.
- :place / tel:mob:telem:place
The place representing the location of the mobile telemetry sample.
The property type is geo:place.
- :loc / tel:mob:telem:loc
The geo-political location of the mobile telemetry sample.
The property type is loc.
- :accuracy / tel:mob:telem:accuracy
The reported accuracy of the latlong telemetry reading.
The property type is geo:dist.
- :cell / tel:mob:telem:cell
A mobile cell site which a phone may connect to.
The property type is tel:mob:cell.
- :cell:carrier / tel:mob:telem:cell:carrier
The fusion of a MCC/MNC.
The property type is tel:mob:carrier.
- :imsi / tel:mob:telem:imsi
An International Mobile Subscriber Id.
The property type is tel:mob:imsi.
- :imei / tel:mob:telem:imei
An International Mobile Equipment Id.
The property type is tel:mob:imei.
- :phone / tel:mob:telem:phone
A phone number.
The property type is tel:phone.
- :mac / tel:mob:telem:mac
A 48-bit Media Access Control (MAC) address.
The property type is inet:mac.
- :ipv4 / tel:mob:telem:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :ipv6 / tel:mob:telem:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :wifi:ssid / tel:mob:telem:wifi:ssid
A WiFi service set identifier (SSID) name.
The property type is inet:wifi:ssid.
- :wifi:bssid / tel:mob:telem:wifi:bssid
A 48-bit Media Access Control (MAC) address.
The property type is inet:mac.
- :aaid / tel:mob:telem:aaid
An android advertising identification string.
The property type is it:os:android:aaid.
- :idfa / tel:mob:telem:idfa
An iOS advertising identification string.
The property type is it:os:ios:idfa.
- :name / tel:mob:telem:name
An arbitrary, lower spaced string with normalized whitespace.
The property type is ps:name.
- :email / tel:mob:telem:email
An e-mail address.
The property type is inet:email.
- :acct / tel:mob:telem:acct
An account with a given Internet-based site or service.
The property type is inet:web:acct.
- :app / tel:mob:telem:app
A specific version of a software product.
The property type is it:prod:softver.
- :data / tel:mob:telem:data
Arbitrary json compatible data.
The property type is data.
tel:phone¶
A phone number.
The base type for the form can be found at tel:phone.
An example of tel:phone:
+15558675309
Properties:
tel:txtmesg¶
A guid for an individual text message.
The base type for the form can be found at tel:txtmesg.
Properties:
- :from / tel:txtmesg:from
The phone number assigned to the sender.
The property type is tel:phone.
- :to / tel:txtmesg:to
The phone number assigned to the primary recipient.
The property type is tel:phone.
- :recipients / tel:txtmesg:recipients
An array of phone numbers for additional recipients of the message.
The property type is array. Its type has the following options set:
- type:
tel:phone
- type:
- :svctype / tel:txtmesg:svctype
The message service type (sms, mms, rcs).
The property type is str. Its type has the following options set:
- enums:
sms,mms,rcs - strip:
1 - lower:
1
- enums:
- :time / tel:txtmesg:time
The time the message was sent.
The property type is time.
- :text / tel:txtmesg:text
The text of the message.
The property type is str.
- :file / tel:txtmesg:file
A file containing related media.
The property type is file:bytes.
transport:air:craft¶
An individual aircraft.
The base type for the form can be found at transport:air:craft.
Properties:
- :tailnum / transport:air:craft:tailnum
The aircraft tail number.
The property type is transport:air:tailnum.
transport:air:flight¶
An individual instance of a flight.
The base type for the form can be found at transport:air:flight.
Properties:
- :num / transport:air:flight:num
The flight number of this flight.
The property type is transport:air:flightnum.
- :scheduled:departure / transport:air:flight:scheduled:departure
The time this flight was originally scheduled to depart.
The property type is time.
- :scheduled:arrival / transport:air:flight:scheduled:arrival
The time this flight was originally scheduled to arrive.
The property type is time.
- :departed / transport:air:flight:departed
The time this flight departed.
The property type is time.
- :arrived / transport:air:flight:arrived
The time this flight arrived.
The property type is time.
- :carrier / transport:air:flight:carrier
The org which operates the given flight number.
The property type is ou:org.
- :craft / transport:air:flight:craft
The aircraft that flew this flight.
The property type is transport:air:craft.
- :tailnum / transport:air:flight:tailnum
The tail/registration number at the time the aircraft flew this flight.
The property type is transport:air:tailnum.
- :to:port / transport:air:flight:to:port
The destination airport of this flight.
The property type is transport:air:port.
- :from:port / transport:air:flight:from:port
The origin airport of this flight.
The property type is transport:air:port.
- :stops / transport:air:flight:stops
An ordered list of aiport codes for stops which occured during this flight.
The property type is array. Its type has the following options set:
- type:
transport:air:port
- type:
- :cancelled / transport:air:flight:cancelled
Set to true for cancelled flights.
The property type is bool.
transport:air:flightnum¶
A commercial flight designator including airline and serial.
The base type for the form can be found at transport:air:flightnum.
An example of transport:air:flightnum:
ua2437
Properties:
- :carrier / transport:air:flightnum:carrier
The org which operates the given flight number.
The property type is ou:org.
- :to:port / transport:air:flightnum:to:port
The most recently registered destination for the flight number.
The property type is transport:air:port.
- :from:port / transport:air:flightnum:from:port
The most recently registered origin for the flight number.
The property type is transport:air:port.
- :stops / transport:air:flightnum:stops
An ordered list of aiport codes for the flight segments.
The property type is array. Its type has the following options set:
- type:
transport:air:port
- type:
transport:air:occupant¶
An occupant of a specific flight.
The base type for the form can be found at transport:air:occupant.
Properties:
- :type / transport:air:occupant:type
The type of occupant such as pilot, crew or passenger.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :flight / transport:air:occupant:flight
The flight that the occupant was aboard.
The property type is transport:air:flight.
- :seat / transport:air:occupant:seat
The seat assigned to the occupant.
The property type is str. Its type has the following options set:
- lower:
True
- lower:
- :contact / transport:air:occupant:contact
The contact information of the occupant.
The property type is ps:contact.
transport:air:port¶
An IATA assigned airport code.
The base type for the form can be found at transport:air:port.
Properties:
transport:air:tailnum¶
An aircraft registration number or military aircraft serial number.
The base type for the form can be found at transport:air:tailnum.
An example of transport:air:tailnum:
ff023
Properties:
transport:air:telem¶
A telemtry sample from an aircraft in transit.
The base type for the form can be found at transport:air:telem.
Properties:
- :flight / transport:air:telem:flight
The flight being measured.
The property type is transport:air:flight.
- :latlong / transport:air:telem:latlong
The lat/lon of the aircraft at the time.
The property type is geo:latlong.
- :loc / transport:air:telem:loc
The location of the aircraft at the time.
The property type is loc.
- :place / transport:air:telem:place
The place that the lat/lon geocodes to.
The property type is geo:place.
- :accuracy / transport:air:telem:accuracy
The horizontal accuracy of the latlong sample.
The property type is geo:dist.
- :altitude / transport:air:telem:altitude
The altitude of the aircraft at the time.
The property type is geo:altitude.
- :altitude:accuracy / transport:air:telem:altitude:accuracy
The vertical accuracy of the altitude measurement.
The property type is geo:dist.
- :time / transport:air:telem:time
The time the telemetry sample was taken.
The property type is time.
transport:sea:telem¶
A telemetry sample from a vessel in transit.
The base type for the form can be found at transport:sea:telem.
Properties:
- :vessel / transport:sea:telem:vessel
The vessel being measured.
The property type is transport:sea:vessel.
- :time / transport:sea:telem:time
The time the telemetry was sampled.
The property type is time.
- :latlong / transport:sea:telem:latlong
The lat/lon of the vessel at the time.
The property type is geo:latlong.
- :loc / transport:sea:telem:loc
The location of the vessel at the time.
The property type is loc.
- :place / transport:sea:telem:place
The place that the lat/lon geocodes to.
The property type is geo:place.
- :accuracy / transport:sea:telem:accuracy
The horizontal accuracy of the latlong sample.
The property type is geo:dist.
- :draft / transport:sea:telem:draft
The keel depth at the time.
The property type is geo:dist.
- :airdraft / transport:sea:telem:airdraft
The maximum height of the ship from the waterline.
The property type is geo:dist.
transport:sea:vessel¶
An individual sea vessel.
The base type for the form can be found at transport:sea:vessel.
Properties:
- :imo / transport:sea:vessel:imo
The International Maritime Organization number for the vessel.
The property type is transport:sea:imo.
- :name / transport:sea:vessel:name
The name of the vessel.
The property type is str. Its type has the following options set:
- lower:
True - onespace:
True - strip:
True
- lower:
- :length / transport:sea:vessel:length
The official overall vessel length.
The property type is geo:dist.
- :beam / transport:sea:vessel:beam
The official overall vessel beam.
The property type is geo:dist.
- :flag / transport:sea:vessel:flag
The country the vessel is flagged to.
The property type is iso:3166:cc.
- :mmsi / transport:sea:vessel:mmsi
The Maritime Mobile Service Identifier assigned to the vessel.
The property type is transport:sea:mmsi.
- :built / transport:sea:vessel:built
The year the vessel was constructed.
The property type is time.
Universal Properties¶
Universal props are system level properties which may be present on every node.
These properties are not specific to a particular form and exist outside of a particular namespace.